U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws

2021-11-17T15:44:00

Description

[![](https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW)](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>) Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware. The threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below — * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka "[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)") * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests Besides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," the advisory said. The development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities. As mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released. Found this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter __](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.

{"id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "vendorId": null, "type": "thn", "bulletinFamily": "info", "title": "U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW)](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>)\n\nCybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-11-17T15:44:00", "modified": "2021-11-22T07:14:13", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "immutableFields": [], "lastseen": "2022-05-09T12:38:05", "viewCount": 203, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC"]}, {"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187", "CPAI-2021-0476"]}, {"type": "cisa", "idList": ["CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cve", "idList": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"]}, {"type": "dsquare", "idList": ["E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fireeye", "idList": ["FIREEYE:FC60CAB5C936FF70E94A7C9307805695"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-19-037", "FG-IR-19-283", "FG-IR-20-233"]}, {"type": "githubexploit", "idList": ["0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "2D0AC1C7-F656-5D6B-9FC2-79525014BE1E", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "4AC49DB9-A784-561B-BF92-94209310B51B", "B3DDE0DD-F0B0-542D-8154-F61DCD2E49D9", "E458F533-4B97-51A1-897B-1AF58218F2BF", "F00E8BE4-12D2-5F5B-A9AA-D627780259FB", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "hivepro", "idList": ["HIVEPRO:09525E3475AC1C5F429611A90182E82F", "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:F2305684A25C735549865536AA4254BF", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "kaspersky", "idList": ["KLA12224"]}, {"type": "kitploit", "idList": ["KITPLOIT:119877528847056004", "KITPLOIT:1244156083583318186", "KITPLOIT:2686676167278919598", "KITPLOIT:2722328714476257207", "KITPLOIT:3532211766929466258", "KITPLOIT:4425790137948714912", "KITPLOIT:5376485594298165648", "KITPLOIT:5397133847150975825", "KITPLOIT:5563730483162396602", "KITPLOIT:5829195600312197311", "KITPLOIT:6516544912632048506", "KITPLOIT:7070039119688478663", "KITPLOIT:763105754466120590", "KITPLOIT:816704453339226193", "KITPLOIT:965198862441671998"]}, {"type": "krebs", "idList": ["KREBS:831FD0B726B800B2995A68BA50BD8BE3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYSHELL_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:A2F131E46442125176E4853C860A816C", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mscve", "idList": ["MS:CVE-2021-31196", "MS:CVE-2021-31206", "MS:CVE-2021-34473"]}, {"type": "mskb", "idList": ["KB5001779"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:A2F131E46442125176E4853C860A816C", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "nessus", "idList": ["EXCHANGE_PROXYSHELL.NBIN", "FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "FORTIOS_FG-IR-19-037.NASL", "FORTIOS_FG-IR-19-283.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL", "SMB_NT_MS21_APR_EXCHANGE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147", "PACKETSTORM:163895"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:DC0F3E59C4DA6EB885E6BCAB292BCA7D"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16", "RAPID7BLOG:D47FB88807F2041B8820156ECFB85720"]}, {"type": "securelist", "idList": ["SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "thn", "idList": ["THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:5BE77895D84D1FB816C73BB1661CE8EB", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "THN:8BA951AD00E17C72D6321234DBF80D19", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:E95B6A75073DA71CEC73B2E4F0B13622", "THN:EAEDDF531EB90375B350E1580DE3DD02", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3"]}, {"type": "threatpost", "idList": ["THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:52923238811C7BFD39E0529C85317249", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496"]}, {"type": "zdi", "idList": ["ZDI-21-821"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-36667"]}]}, "score": {"value": 9.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC"]}, {"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187", "CPAI-2021-0476"]}, {"type": "cisa", "idList": ["CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cve", "idList": ["CVE-2018-13379", "CVE-2021-34473"]}, {"type": "dsquare", "idList": ["E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fireeye", "idList": ["FIREEYE:FC60CAB5C936FF70E94A7C9307805695"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-19-037", "FG-IR-19-283", "FG-IR-20-233"]}, {"type": "githubexploit", "idList": ["0A015784-48D7-5DC1-9FB9-416A9BBEA6D5", "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E"]}, {"type": "hivepro", "idList": ["HIVEPRO:186D6EE394314F861D57F4243E31E975", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74"]}, {"type": "kaspersky", "idList": ["KLA12224"]}, {"type": "kitploit", "idList": ["KITPLOIT:119877528847056004", "KITPLOIT:1244156083583318186", "KITPLOIT:2686676167278919598", "KITPLOIT:2722328714476257207", "KITPLOIT:3532211766929466258", "KITPLOIT:4425790137948714912", "KITPLOIT:5376485594298165648", "KITPLOIT:5397133847150975825", "KITPLOIT:5563730483162396602", "KITPLOIT:5829195600312197311", "KITPLOIT:6516544912632048506", "KITPLOIT:7070039119688478663", "KITPLOIT:763105754466120590", "KITPLOIT:816704453339226193"]}, {"type": "krebs", "idList": ["KREBS:831FD0B726B800B2995A68BA50BD8BE3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_PROXYSHELL_RCE/"]}, {"type": "mmpc", "idList": ["MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mscve", "idList": ["MS:CVE-2021-34473"]}, {"type": "mskb", "idList": ["KB5001779"]}, {"type": "mssecure", "idList": ["MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "nessus", "idList": ["FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "FORTIOS_FG-IR-19-037.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL", "SMB_NT_MS21_APR_EXCHANGE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147", "PACKETSTORM:163895"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:7B1DD656DC72802EE7230867267A5A16"]}, {"type": "securelist", "idList": ["SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6"]}, {"type": "thn", "idList": ["THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:5BE77895D84D1FB816C73BB1661CE8EB", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3"]}, {"type": "threatpost", "idList": ["THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:836083DB3E61D979644AE68257229776", "THREATPOST:83C349A256695022C2417F465CEB3BB2", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:98D815423018872E6E596DAA8131BF3F", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9"]}, {"type": "zdi", "idList": ["ZDI-21-821"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134", "1337DAY-ID-36667"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-13379", "epss": "0.974950000", "percentile": "0.999520000", "modified": "2023-03-17"}, {"cve": "CVE-2019-5591", "epss": "0.002020000", "percentile": "0.564490000", "modified": "2023-03-17"}, {"cve": "CVE-2020-12812", "epss": "0.008550000", "percentile": "0.797100000", "modified": "2023-03-17"}, {"cve": "CVE-2021-34473", "epss": "0.974090000", "percentile": "0.998460000", "modified": "2023-03-17"}], "vulnersScore": 9.3}, "_state": {"dependencies": 1659988328, "score": 1684011499, "epss": 1679159933}, "_internal": {"score_hash": "1b0f1ba8590bb4d8a90ca531daf024a5"}}

{"cisa": [{"lastseen": "2023-02-09T14:01:25", "description": "The Federal Bureau of Investigation (FBI) and CISA have released a [Joint Cybersecurity Advisory](<https://www.ic3.gov/Media/News/2021/210402.pdf>) (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>), and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks.\n\nCISA encourages users and administrators to review [Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>) and implement the recommended mitigations.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-02T00:00:00", "type": "cisa", "title": "FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-04-02T00:00:00", "id": "CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-29T18:14:37", "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-15T00:00:00", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-09-28T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-10-22T16:50:56", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.\n\n \n**Recent assessments:** \n \n**bulw4rk** at March 25, 2020 8:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n![LOGO](https://devco.re/assets/img/blog/20190807/4.png)\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**gwillcox-r7** at November 04, 2020 4:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n![LOGO](https://devco.re/assets/img/blog/20190807/4.png)\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**ccondon-r7** at November 22, 2020 6:52pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n![LOGO](https://devco.re/assets/img/blog/20190807/4.png)\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-13379 Path Traversal in Fortinet FortiOS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-07-27T00:00:00", "id": "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "href": "https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios/rapid7-analysis", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-11T11:48:33", "description": "A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 05, 2021 2:16pm UTC reported:\n\nOne of three vulnerabilities CISA and the FBI [have warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) are being exploited by APTs to gain initial access to government and other services. The other two vulnerabilities in the alert are [CVE-2018-13379](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=5591>), a pre-authentication path traversal bug that has been actively and widely exploited for years now, and [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812#view-assessment-91b4f49f-9243-4d47-9084-3ef8026411c2>) (an MFA bypass).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-5591", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-04-13T00:00:00", "id": "AKB:91756851-9B25-4801-B911-E3226A0656B5", "href": "https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T15:01:24", "description": "An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 28, 2020 6:12pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\n**ccondon-r7** at April 05, 2021 2:09pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T00:00:00", "type": "attackerkb", "title": "CVE-2020-12812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-12812"], "modified": "2020-07-29T00:00:00", "id": "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "href": "https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-07T00:04:03", "description": "ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n\nDetails are available in Orange Tsai\u2019s [Black Hat USA 2020 talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) and follow-on [blog series](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>). ProxyShell is being broadly exploited in the wild as of August 12, 2021.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at August 12, 2021 9:19pm UTC reported:\n\nCheck out the [Rapid7 analysis](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I\u2019d imagine folks are going to start finding ways around that soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "attackerkb", "title": "ProxyShell Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "href": "https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T23:18:13", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 14, 2021 7:15pm UTC reported:\n\nThis remote code execution (RCE) vulnerability affects Microsoft Exchange Server 2013/ CU23/2016 CU20/2016 CU21/2019 CU10. \nAnd according to FireEye exploit code is available. \nI will share more information once MSFT releases more details\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-31206", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-09-21T00:00:00", "id": "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "href": "https://attackerkb.com/topics/oAhIZujU2O/cve-2021-31206", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T17:21:09", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:15pm UTC reported:\n\nFrom <https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html> there was a note that this vulnerability seems to have been used in some Exchange Server APT attacks detailed at <https://blog.talosintelligence.com/2021/03/hafnium-update.html> however it wasn\u2019t disclosed that this vulnerability was patched despite being patched back in April 2021. Since this was under active exploitation it is recommended to patch this vulnerability if you haven\u2019t applied April 2021\u2019s patch updates already.\n\nSuccessful exploitation will result in RCE on affected Exchange Servers, and requires no prior user privileges, so patch this soon!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-34473", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-20T00:00:00", "id": "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "href": "https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: address that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors are proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** TODAY, Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event**__**!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-05T19:26:27", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company\u2019s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n\u201cIt is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,\u201d according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). \u201cAPT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n\u201cAttackers are increasingly targeting critical external applications \u2013 VPNs have been targeted even more this last year,\u201d said Zach Hanley, senior red team engineer at Horizon3.AI, via email. \u201cThese three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.\u201d\n\nHanley added, \u201cThe common theme here is: once they are successful, they will look just like your normal users.\u201d\n\nThe bugs are popular with cyberattackers in general, due to Fortinet\u2019s widespread footprint, researchers noted.\n\n\u201cCVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cIn fact, Tenable\u2019s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.\u201d\n\nThe FBI and CISA didn\u2019t specify which APTs are mounting the recent activity.\n\n## Initial Compromise & Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n\u201cThe APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,\u201d the warning explained. \u201cAPT actors may use other CVEs or common exploitation techniques\u2014such as spear-phishing\u2014to gain access to critical infrastructure networks to pre-position for follow-on attacks.\u201d\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year\u2019s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n\u201cIt\u2019s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,\u201d said Narang. \u201cOver the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven\u2019t done so already.\u201d\n\n## **How Can I Protect My Network from Cyberattacks? **\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization\u2019s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-02T19:56:57", "type": "threatpost", "title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-9922"], "modified": "2021-04-02T19:56:57", "id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. \u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used for to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-09-10T13:33:05", "description": "Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has [confirmed](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>).\n\nOr then again, maybe the number is far greater. On Wednesday, [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/>) reported that it\u2019s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.\n\nThe news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn\u2019t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to analysis done by [Advanced Intel](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>), the IP addresses are for devices worldwide. As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-1024x665.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-e1631225115765.jpg>)\n\nThe geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.\n\nUPDATE: Threatpost reached out to Fortinet for clarification on how many devices were compromised. A spokesperson\u2019s reply reiterated the statement put out on Wednesday:\n\n\u201cThe security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in [August 2019](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_fortios-2Dssl-2Dvulnerability&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=LGgVh3l8kre7r4f1ssl1_Kz9MXkRjaAznfUi1BMjzpc&e=>), [July 2020](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_atp-2D29-2Dtargets-2Dssl-2Dvpn-2Dflaws&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=F9W4tauf4zFHFuZbvTYHmF2Y2b_tHI0htVTpiF6kRwM&e=>), [April 2021](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_psirt-2Dblogs_patch-2Dvulnerability-2Dmanagement&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=m_k7PDQ0L4L0_OvdKQgGF5LkRVde6Q9EjgVXWtyg7sY&e=>) and [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>) For more information, please refer to our latest [blog](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) and [PSIRT](<https://www.fortiguard.com/psirt/FG-IR-18-384>) advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.\u201d\n\n## A Creaky Old Bug Was Exploited\n\nOn Wednesday, the company confirmed that the attackers exploited [FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) / [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>): a path traversal weakness in Fortinet\u2019s FortiOS that was discovered in 2018 and which has been [repeatedly](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>), [persistently](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) [exploited](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) [since](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) then.\n\nUsing the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.\n\nThe bug, which recently made it to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA\u2019s) list of the [top 30 most-exploited flaws](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>), lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL VPN web portal.\n\n[Fortinet fixed the glitch](<https://www.fortiguard.com/psirt/FG-IR-18-384>) in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn\u2019t also reset the devices\u2019 passwords at the same time, the VPNs still might be vulnerable.\n\n## All in the Babuk Family\n\nAccording to BleepingComputer, a threat actor known as Orange \u2013 the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation \u2013 was behind the leak of Fortinet credentials.\n\nOrange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.\n\nAt the same time, a post promoting the Fortinet leak appeared on Groove\u2019s data leak site.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225980966-1024x595.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225999483.png>)\n\nGroove is a new ransomware gang that\u2019s been active just since last month. It favors the [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) model of combining data compromise with threats to publish seized data.\n\nAccording to a Wednesday[ post](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates>) co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.\n\n## Chatting Up the Ransomware \u2018Artist\u2019\n\nOn Tuesday, one of the Groove gang\u2019s members decided to chat up [Advanced Intel researchers](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURfcd4v3FHxX6gbihrPKiOsKVZWKogo5F6F12wmaozsXKHpRn-2BuwOKhxsw08i8Jv-2FwvO5fMxaC-2Fte96Z6WZovyPDvgaoAv118tKwZ5rO8iwUDyyIWPDHnMoXBJtaLTD2RabFZrrydZEg6RqJoehkdLk-3DUm1f_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfxpBYaCF7SSTgcHUKKV76UPqxTA0p35WcvHO-2B-2FRJuzuH54khmPYQLlkSfPjUHNAEXmgG-2BAfkNgcNKoVR9B9stOpafLCBk3qkXifeCsD9qirBA0nFvpW7EKJZBqmyDuRJPZiat-2B-2BXYCIJyRqjlbli1cMzNiEtsWjfRjsB82fJ-2BuXkMJGLitr0yTHVhHoV-2B7vgARde73QCuABoV-2Fk8lDDaGpEQVoKiwlCAiZTq63zy5kUQ-3D>), to give them an insider\u2019s take on how the new ransomware syndicate was formed and how it recruits operators. That included \u201cthe \u2018truth\u2019 about the association of Babuk, [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [BlackMatter](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>), and other insights on the inner relationships within the ransomware community,\u201d as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.\n\nAccording to their writeup, the Groove representative is likely a threat actor that goes by \u201cSongBird\u201d. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum \u2013 which was launched on July 11 and which caters to top ransomware operators plotting their attacks.\n\nThe screen capture below shows Advanced Intel\u2019s translation of SongBird\u2019s explanation of the platform: \u201cRAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-1024x543.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-e1631226887669.jpg>)\n\nAccording to Advanced Intel, RAMP was initially based on the former Babuk\u2019s data leak website domain but has since relocated to a new domain.\n\nSongBird was reportedly prompted to pull off their tell-all after the [disclosure of Babuk\u2019s source code](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>). The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn\u2019t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.\n\nThe code release had repercussions, Advanced Intel said. \u201cThe incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,\u201d according to the report.\n\nSongBird told the researchers that the actor wanted to address \u201cthe issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.\u201d\n\nThe actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code \u201cmost likely has been purchased from one of the DarkSide affiliates,\u201d SongBird wrote.\n\n## How to Protect Your VPN\n\nYou can check Fortinet\u2019s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version \u201cat any time\u201d:\n\n 1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.\n 2. Immediately upgrade affected devices to the latest available release, as detailed below.\n 3. Treat all credentials as potentially compromised by performing an organization-wide password reset.\n 4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.\n 5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.\n\nRajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is \u201ca stark reminder of today\u2019s dangers with password-based systems. While enterprises and users are starting to adopt passwordless authentication methods like \u2018phone as a token\u2019 and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.\n\n\u201cCompanies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,\u201d he concluded.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T22:49:27", "type": "threatpost", "title": "Thousands of Fortinet VPN Account Credentials Leaked", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T22:49:27", "id": "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "href": "https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-08T21:27:05", "description": "Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\nResearchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), in Fortinet\u2019s FortiOS. The goal is to gain access to victims enterprise networks and ultimately deliver ransomware, according to a [report by Kaspersky researchers published](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) this week.\n\n\u201cIn at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,\u201d Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nCring is relatively new to the ransomware threat landscape\u2014which already includes dominant strains [REvil](<https://threatpost.com/revil-claims-ransomware-attacks/164739/>), [Ryuk](<https://threatpost.com/ransomware-attack-spain-employment-agency/164703/>), [Maze and](<https://threatpost.com/maze-ransomware-cognizant/154957/>) [Conti](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>). Cring was first [observed and reported](<https://id-ransomware.blogspot.com/2021/01/cring-ransomware.html>) by the researcher who goes by Amigo_A and Swisscom\u2019s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.\n\nLast week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company\u2019s SSL VPN products.\n\nOne of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system\u2019s SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.\n\nIn its report Kaspersky echoed the feds\u2019 warning adding attackers are first scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and to establish foothold in the targeted network, Kopeytsev explained.\n\n\u201cA directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,\u201d he wrote. \u201cSpecifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file \u2018sslvpn_websession,\u2019 which contains the username and password stored in cleartext.\u201d\n\nFor it\u2019s part, \u201cthe security of our customers is our first priority,\u201d according to a statement from Fortinet provided to Threatpost. \u201cFor example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a _[PSIRT advisory](<https://fortiguard.com/psirt/FG-IR-18-384> \"https://fortiguard.com/psirt/fg-ir-18-384\" )_ and communicated directly with customers and via corporate blog posts on multiple occasions in _[August 2019](<https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability> \"https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability\" )_ and _[July 2020 ](<https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws> \"https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws\" )_strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.\u201d\n\n## **Anatomy of an Attack**\n\nOnce gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.\n\nIn this way, attackers compromised the domain administrator account, and then used [commodity tools](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) like Cobalt Stroke backdoor and Powershell to propagate attacks across various systems on the network, according to the report.\n\nAfter gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script \u201cKaspersky\u201d to disguise it as a security solution, Kopeytsev said.\n\nThe report breaks down how Cring achieves encryption and destroys existing backup files once it\u2019s launched on a system. First, the ransomware stops various services of two key programs on the network\u2014Veritas NetBackup and Microsoft SQL server.\n\nCring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.\n\n\u201cIt is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,\u201d he wrote. \u201cThis was done to prevent system administrators from providing a timely response to the information security incident.\u201d\n\nCring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.\n\nIn its final step, Cring starts to encrypt files using strong encryption algorithms so victims can\u2019t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key and then that key is in turn encrypted using a 8,192-bit RSA public key hard-coded into the malicious program\u2019s executable file, he wrote.\n\nOnce encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.\n\n## **Learning from Mistakes**\n\nThe report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.\n\n\u201cThe primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,\u201d he wrote.\n\nSystem administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.\n\nKey errors in configuring privileges for domain policies and the parameteres of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.\n\n\u201cThere were no restrictions on access to different systems,\u201d he wrote. \u201cIn other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-08T14:00:32", "type": "threatpost", "title": "Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-08T14:00:32", "id": "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "href": "https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-08-13T13:06:12", "description": "081321 08:42 UPDATE: Accenture reportedly acknowledged in an internal memo that attackers stole client information and work materials in a July 30 \u201csecurity incident.\u201d\n\n[CyberScoop](<https://www.cyberscoop.com/accenture-ransomware-lockbit/>) reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture\u2019s internal memo: \u201cWhile the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,\u201d it reads. Threatpost has asked Accenture to comment on CyberScoop\u2019s report.\n\nEarlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world\u2019s biggest, most powerful companies.\n\nAccenture\u2019s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its [2020 annual report;](<https://www.accenture.com/us-en/about/company/annual-report>) that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world\u2019s largest tech consultancy firms, and employs around 569,000 people across 50 countries.\n\nIn a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture\u2019s pathetic security.\n\n> \u201cThese people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.\u201d \n\u2014LockBit site post.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab-300x297.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png>)\n\nLockBit dark-web site screen capture. Source: Cybereason.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to [Security Affairs](<https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack>), at the end of a ransom payment clock\u2019s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture\u2019s network and were preparing to leak files stolen from Accenture\u2019s servers at 17:30:00 GMT.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-300x203.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png>)\n\nLockBit countdown clock. Source: Cyble.\n\nThe news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers [tweeted](<https://twitter.com/EamonJavers/status/1425476619934838785>) about the gang\u2019s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.\n\n> A hacker group using Lockbit Ransomware says they have hacked the consulting firm Accenture and will release data in several hours, CNBC has learned. They are also offering to sell insider Accenture information to interested parties.\n> \n> \u2014 Eamon Javers (@EamonJavers) [August 11, 2021](<https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw>)\n\n## Blessed Be the Backups\n\nYes, we were hit, but we\u2019re A-OK now, Accenture confirmed: \u201cThrough our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,\u201d it said in a statement. \u201cWe fully restored our affected systems from backup, and there was no impact on Accenture\u2019s operations, or on our clients\u2019 systems.\u201d\n\nAccording to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/>), the group that threatened to publish Accenture\u2019s data \u2013 allegedly stolen during a recent cyberattack \u2013 is known as LockBit 2.0.\n\nAs explained by Cybereason\u2019s Tony Bradley in a Wednesday [post](<https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware>), the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations. LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.\n\nBradley noted that the LockBit gang is apparently on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations.\n\n\u201cThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems \u2013 promising payouts of millions of dollars,\u201d Bradley wrote.\n\n## Insider Job?\n\nCyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that this could be an insider job. \u201cWe know #LockBit #threatactor has been hiring corporate employees to gain access to their targets\u2019 networks,\u201d the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.\n\n> Potential insider job? We know [#LockBit](<https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw>) [#threatactor](<https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw>) has been hiring corporate employees to gain access to their targets' networks.[#ransomware](<https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw>) [#cyber](<https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) [#accenture](<https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/ZierqRVIjj](<https://t.co/ZierqRVIjj>)\n> \n> \u2014 Cyble (@AuCyble) [August 11, 2021](<https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw>)\n\nCyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, \u201cby someone who is still employed there,\u201d though Cyble called that \u201cunlikely.\u201d\n\nSources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it\u2019s in the process of notifying more customers. According to a [tweet](<https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F>) from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that \u201cthis information was certainly used by threat actors.\u201d\n\nIn a [security alert ](<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia>)issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what\u2019s known as [double-extortion attacks](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\n\u201cThis activity has occurred across multiple industry sectors,\u201d according to the alert. \u201cVictims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.\u201d\n\nThe ACSC noted ([PDF](<https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf>)) that it\u2019s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.\n\n## Known Vulnerability Exploited?\n\nRon Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is \u201ca prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or severely impaired and you have to make major efforts to recover.\n\n\u201cThis particular example with Accenture is interesting in the fact that it was a known/published vulnerability,\u201d Bradley continued. It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.\u201d\n\nHitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.\n\n\u201cFirst reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,\u201d he told Threatpost on Wednesday. \u201cIt\u2019s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this \u2013 perhaps especially a global consulting firm with links to so many other companies. It\u2019s how you anticipate, plan for and recover from attacks that counts.\u201d\n\n![Threatpost Webinar Series ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/27093135/threatpost-webinar-300x51.jpg)Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T21:56:00", "type": "threatpost", "title": "Accenture Confirms LockBit Ransomware Attack", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-08-11T21:56:00", "id": "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "href": "https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-30T15:47:49", "description": "As of Friday \u2013 as in, shopping-on-steroids Black Friday \u2013 retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.\n\n[BleepingComputer](<https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/>) got a look at internal emails \u2013 one of which is replicated below \u2013 that warned employees of the attack, which was targeting the company\u2019s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company\u2019s suppliers and partners.\n\n> \u201cThere is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.\n> \n> \u201cThis means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.\u201d \u2013IKEA internal email to employees.\n\nAs of Tuesday morning, the company hadn\u2019t seen any evidence of its customers\u2019 data, or business partners\u2019 data, having been compromised. \u201cWe continue to monitor to ensure that our internal defence mechanisms are sufficient,\u201d the spokesperson said, adding that \u201cActions have been taken to prevent damages\u201d and that \u201ca full-scale investigation is ongoing.\u201d____\n\nThe spokesperson said that the company\u2019s \u201chighest priority\u201d is that \u201cIKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.\u201d\n\nIKEA didn\u2019t respond to Threatpost\u2019s queries about whether the attack has been contained or if it\u2019s still ongoing.\n\n## Example Phishing Email\n\nIKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company\u2019s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits. Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg>)\n\nExample phishing email sent to IKEA employees. Source: BleepingComputer.\n\n## Exchange Server Attacks D\u00e9j\u00e0 Vu?\n\nThe attack sounds familiar: Earlier this month, Trend Micro published a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) about attackers who were doing the same thing with replies to hijacked email threads. The attackers were gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads and hence boosting the chance that their targets would click on malicious links that lead to malware infection.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAs security experts have noted, hijacking email replies for malspam campaigns is a good way to slip past people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\nWhat was still under discussion at the time of the Trend Micro report: Whether the offensive was delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle was just one piece of malware among several that the campaigns were dropping.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\nTrend Micro\u2019s incident-response team had decided to look into what its researchers believed were SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities.\n\nTheir conclusion: Yes, the intrusions were linked to ProxyLogon and ProxyShell attacks on unpatched Exchange servers, as evidenced by the IIS logs of three compromised servers, each compromised in a separate intrusion, all having been exploited via the ProxyShell and ProxyLogon vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>).\n\nIn the Middle East campaign that Trend Micro analyzed, the phishing emails contained a malicious Microsoft Excel doc that did [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompted targets to choose \u201cEnable Content\u201d to view a protected file, thus launching the infection chain.\n\nSince IKEA hasn\u2019t responded to media inquiries, it\u2019s impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack and the Middle East attack analyzed by Trend Micro earlier this month. Specifically, as BleepingComputer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to \u201cEnable Content\u201d or \u201cEnable Editing\u201d to view it.\n\nTrend Micro shared a screen capture, shown below, of how the malicious Excel document looked in the Middle East campaign:\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\n## You Can\u2019t Trust Email from \u2018Someone You Know\u2019\n\nIt\u2019s easy to mistake the malicious replies as coming from legitimate senders, given that they pop up in ongoing email threads. Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads aren\u2019t necessarily legitimate and can be downright malicious.\n\n\u201cIf you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,\u201d she told Threatpost via email on Monday. \u201cHowever, IKEA employees are finding out otherwise. They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network.\u201d\n\nThis attack is \u201cparticularly insidious,\u201d she commented, in that it \u201cseemingly continues a pattern of normal use.\u201d\n\n## No More Ignoring Quarantine\n\nWith such \u201cnormal use\u201d patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.\n\nThus, IKEA\u2019s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:\n\n> \u201cOur email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it\u2019s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.\u201d \u2013IKEA internal email to employees.\n\n## Is Training a Waste of Time?\n\nWith such sneaky attacks as these, is training pointless? Some say yes, some say no.\n\nErich Kron, security awareness advocate at [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkwmuP_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r2sgW-2Be451MnVYlMzEVQ43u-2Fx2JCoSpeITOcIPo6Gi3VBNSVcUaapZzArkSDh5SZ2Cih-2F-2FVdRBgHXCsqyWXs7po0-2FS83TsiYRB3U8HOgtt0HT6BGdSMjxi-2FVc6P1ZgVny6ZGKAKxbHvydLCfU5zrtFQ-3D>), is pro-training, particularly given how damaging these attacks can be.\n\n\u201cCompromised email accounts, especially those from internal email systems with access to an organization\u2019s contact lists, can be very damaging, as internal emails are considered trusted and lack the obvious signs of phishing that we are used to looking for,\u201d he told Threatpost via email on Monday. \u201cBecause it is from a legitimate account, and because cybercriminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.\n\n\u201cThese sorts of attacks, especially if the attackers can gain access to an executive\u2019s email account, can be used to spread ransomware and other malware or to request wire transfers to cybercriminal-owned bank accounts, among other things,\u201d Kron said.\n\nHe suggested training employees not to blindly trust emails from an internal source, but to hover over links and to consider the context of the message. \u201cIf it does not make sense or seems unusual at all, it is much better to pick up the phone and quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,\u201d he said.\u201d\n\nIn contrast, Christian Espinosa, managing director of [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PeL3x_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74JadqFiCZdgYU0Y0aYb-2FD61SsSN5WSYToKPBxI2VArzhMwftrf78GbiRjwM9LzhmNBFfpMuXBsqYiKB-2B-2F-2BBM3106r8Wex0T7OFTT8vFIbMA9T-2BlDgGhDFXEelC-2FWPjZXKe9NWtbBbYafHTvkVre5k1vKi3GgofOJKSR-2F2xlpyW7kQklpPEA59unEm4rAKnCodaK-2FrXGwLA5yk9gY1MBMzuyaJeG4mVY1yL-2F3YI1d-2BMmcWiY-3D>), is a firm vote for the \u201ctraining is pointless\u201d approach.\n\n\u201cIt should be evident by now that awareness and phishing training is ineffective,\u201d he told Threatpost via email on Monday. \u201cIt\u2019s time we accept \u2018users\u2019 will continuously fall for phishing scams, despite how much \u2018awareness training\u2019 we put them through.\u201d\n\nBut what options do we have? Espinosa suggested that cybersecurity defense playbooks \u201cshould focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the \u2018malware\u2019 would not be whitelisted.\u201d\n\nHe pointed to other industries that have compensated for human factors, such as transportation. \u201cDespite awareness campaigns, the transportation industry realized that many people did not \u2018look\u2019 before turning across traffic at a green light,\u201d Espinosa said. \u201cInstead of blaming the drivers, the industry changed the traffic lights. The newer lights prevent drivers from turning across traffic unless there is a green arrow.\u201d\n\nThis change saved thousands of lives, he said, and it\u2019s high time that the cybersecurity industry similarly \u201ctakes ownership.\u201d\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-29T21:22:12", "type": "threatpost", "title": "IKEA Hit by Email Reply-Chain Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-29T21:22:12", "id": "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "href": "https://threatpost.com/ikea-email-reply-chain-attack/176625/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-23T00:36:02", "description": "Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say.\n\nWhat\u2019s still under discussion: whether the offensive is delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle is just one piece of malware among several that the campaigns are dropping.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) \u2013 two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.\n\nSquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has been known to work.\n\n## Slipping Under People\u2019s Noses\n\nIn a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) posted on Friday, Trend Micro researchers \u200b\u200bMohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar said that hijacking email replies for malspam is a good way to slip past both people\u2019s spam suspicions and to avoid getting flagged or quarantined by email gateways.\n\n\u201cDelivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail [gateways] will not be able to filter or quarantine any of these internal emails,\u201d they wrote.\n\nThe attacker also didn\u2019t drop, or use, tools for lateral movement after gaining access to the vulnerable Exchange servers, Trend Micro said. Thus, they left no tracks, as \u201cno suspicious network activities will be detected. Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.\u201d\n\n## Middle East Campaign\n\nTrend Micro\u2019s Incident Response team had decided to look into what researchers believe are SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious Exchange server vulnerabilities.\n\nThey shared a screen capture, shown below, that\u2019s representative of the malicious email replies that showed up in all of the user inboxes of one affected network, all sent as legitimate replies to existing threads, all written in English.\n\nThey found that other languages were used in different regions outside of the Middle East attack they examined. Still, in the intrusions they analyzed that were outside of the Middle East, most of the malicious emails were written in English, according to the report.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22101946/malicious-spam-received-by-targets-e1637594408162.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22101946/malicious-spam-received-by-targets-e1637594408162.png>)\n\nMalicious spam received by targets. Source: Trend Micro.\n\n\u201cWith this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains,\u201d the researchers wrote.\n\n## Who\u2019s Behind This?\n\n[Cryptolaemus](<https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/>) researcher [TheAnalyst](<https://twitter.com/ffforward>) disagreed with Trend Micro on its premise that SquirrelWaffle is actually acting as a malware dropper for Qbot or other malwares. Rather, TheAnalyst asserted on Friday that the threat actor is dropping both SquirrelWaffle and Qbot as [discrete payloads](<https://twitter.com/ffforward/status/1461810466720825352>), and the most recent [confirmed SquirrelWaffle drop](<https://twitter.com/ffforward/status/1461810488870944768>) it has seen was actually on Oct. 26.\n\n> it makes it easy for us who tracks them to identify them. A TTP they always comes back to is links to maldocs in stolen reply chains. They are known to deliver a multitude of malware like [#QakBot](<https://twitter.com/hashtag/QakBot?src=hash&ref_src=twsrc%5Etfw>) [#Gozi](<https://twitter.com/hashtag/Gozi?src=hash&ref_src=twsrc%5Etfw>) [#IcedID](<https://twitter.com/hashtag/IcedID?src=hash&ref_src=twsrc%5Etfw>) [#CobaltStrike](<https://twitter.com/hashtag/CobaltStrike?src=hash&ref_src=twsrc%5Etfw>) and maybe others. >\n> \n> \u2014 TheAnalyst (@ffforward) [November 19, 2021](<https://twitter.com/ffforward/status/1461810468323004417?ref_src=twsrc%5Etfw>)\n\nWith regards to who\u2019s behind the activity, TheAnalyst said that the actor/activity is tracked as tr01/TR (its QakBot affiliate ID)[ TA577](<https://twitter.com/hashtag/TA577?src=hashtag_click>) by Proofpoint and as ChaserLdr by[ Cryptolaemus](<https://twitter.com/Cryptolaemus1>) and that the activity goes back to at least 2020. The actors are easy to track, TheAnalyst said, given small tweaks to their tactics, techniques and procedures (TTPs).\n\nOne such TTP that tr01 favors is adding links to malicious documents included in stolen reply chains, TheAnalyst noted. The threat actor is known to deliver \u201ca multitude of malware,\u201d they said, such as [QakBot](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>), [Gozi](<https://threatpost.com/banking-trojans-nymaim-gozi-merge-to-steal-4m/117412/>), [IcedID](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), Cobalt Strike and potentially more.\n\n## The Old \u2018Open Me\u2019 Excel Attachment Trick\n\nThe malicious emails carried links (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) that dropped a .ZIP file containing a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to the [Qbot](<https://threatpost.com/ta551-tactics-sliver-red-teaming/175651/>) banking trojan.\n\nWhat\u2019s particularly notable, Trend Micro said, is that real account names from the victim\u2019s domain were used as sender and recipient, \u201cwhich raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,\u201d according to the report.\n\nAs shown below, the Excel attachment does [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompts targets to choose \u201cEnable Content\u201d to view a protected file.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)\n\nMalicious Microsoft Excel document. Source: Trend Micro.\n\nTrend Micro offered the chart below, which shows the Excel file infection chain.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22132511/Excel_file_infection_chain__Source-_Trend_Micro_-e1637605525630.jpg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22132511/Excel_file_infection_chain__Source-_Trend_Micro_-e1637605525630.jpg>)\n\nExcel file infection chain. Source: Trend Micro.\n\n## The Exchange Tell-Tales\n\nThe researchers believe that the actors are pulling it off by targeting users who are relying on Microsoft Exchange servers that haven\u2019t yet been patched for the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) vulnerabilities.\n\nTrend Micro found evidence in the IIS logs of three compromised Exchange servers, each compromised in a separate intrusion, all having been exploited via the vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \u2013 the same CVEs used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions, according to Trend Micro.\n\nThe IIS log also showed that the threat actor is using a [publicly available](<https://github.com/Jumbo-WJB/Exchange_SSRF>) exploit in its attack. \u201cThis exploit gives a threat actor the ability to get users SID and emails,\u201d the researchers explained. \u201cThey can even search for and download a target\u2019s emails.\u201d\n\nThe researchers shared evidence from the IIS logs, replicated below, that depicts the exploit code.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22125426/Exploiting-CVE-2021-26855-as-seen-in-the-IIS-logs-e1637603679782.png)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22125426/Exploiting-CVE-2021-26855-as-seen-in-the-IIS-logs-e1637603679782.png>)\n\nExploiting CVE-2021-26855, as demonstrated by the IIS logs. Source: Trend Micro.\n\nMicrosoft fixed the ProxyLogon vulnerabilities in [March](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and the ProxyShell vulnerabilities in [May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>). Those who\u2019ve applied the [May or July](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) updates are protected from all of these. Microsoft has [reiterated](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) that those who\u2019ve applied the ProxyLogon patch released in [March](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) aren\u2019t protected from ProxyShell vulnerabilities and should install the more recent security updates.\n\n## How to Fend Off ProxyLogon/ProxyShell Attacks\n\nExploiting ProxyLogon and ProxyShell enabled the attackers to slip past checks for malicious email, which \u201chighlights how users [play] an important part in the success or failure of an attack,\u201d Trend Micro observed. These campaigns \u201cshould make users wary of the different tactics used to mask malicious emails and files,\u201d the researchers wrote.\n\nIn other words, just because email comes from a trusted contact is no guarantee that any attachment or link it contains can be trusted, they said.\n\nOf course, patching is the number one way to stay safe, but Trend Micro gave these additional tips if that\u2019s not possible:\n\n * Enable virtual patching modules on all Exchange servers to provide critical level protection for servers that have not yet been patched for these vulnerabilities.\n * Use endpoint detection and response (EDR) solutions in critical servers, as it provides visibility to machine internals and detects any suspicious behavior running on servers.\n * Use endpoint protection design for servers.\n * Apply sandbox technology on email, network and web to detect similar URLs and samples.\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. **_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-22T19:26:25", "type": "threatpost", "title": "Attackers Hijack Email Using Proxy Logon/Proxyshell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-22T19:26:25", "id": "THREATPOST:836083DB3E61D979644AE68257229776", "href": "https://threatpost.com/attackers-hijack-email-threads-proxylogon-proxyshell/176496/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-26T23:21:31", "description": "Microsoft has broken its silence on the [recent barrage of attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on several ProxyShell vulnerabilities in that were [highlighted](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) by a researcher at Black Hat earlier this month.\n\nThe company [released an advisory](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) late Wednesday letting customers know that threat actors may use unpatched Exchange servers \u201cto deploy ransomware or conduct other post-exploitation activities\u201d and urging them to update immediately.\n\n\u201cOur recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,\u201d the company said. \u201cPlease update now!\u201d \n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)Customers that have installed the [May 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>) or the [July 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421>) on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.\n\n\u201cBut if you have not installed either of these security updates, then your servers and data are vulnerable,\u201d according to the advisory.\n\nThe ProxyShell bugs that Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) outlined in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases:\n\n\u2013The server is running an older, unsupported CU;\n\n\u2013The server is running security updates for older, unsupported versions of Exchange that were [released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) in March 2021; or\n\n\u2013The server is running an older, unsupported CU, with the [March 2021 EOMT](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) mitigations applied.\n\n\u201cIn all of the above scenarios, you _must_ install one of latest supported CUs and all applicable SUs to be protected,\u201d according to Microsoft. \u201cAny Exchange servers that are not on a supported CU _and_ the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.\u201d\n\n**Sounding the Alarm**\n\nFollowing Tsai\u2019s presentation on the bugs, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that [he found more](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find exploiting then easy to execute, given how much information is available.\n\nSecurity researchers at Huntress also reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 6. But starting last Friday, Huntress reported a \u201csurge\u201d in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing [an urgent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>). They, too, urged organizations to immediately install the latest Microsoft Security Update.\n\nAt the time, researcher Kevin Beaumont expressed [criticism over Microsoft\u2019s messaging efforts](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.\n\n\u201cMicrosoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for \u2013 obviously \u2013 decades,\u201d Beaumont explained.\n\nBut Beaumont said these remote code execution (RCE) vulnerabilities are \u201c\u2026as serious as they come.\u201d He noted that the company did not help matters by failing to allocate CVEs for them until July \u2014 four months after the patches were issued.\n\nIn order of patching priority, according to Beaumont, the vulnerabilities are: [CVE-2021\u201334473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021\u201334523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) and [CVE-2021\u201331207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>).\n\nCVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to ACL Bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on Exchange PowerShell backend. CVE-2021-31207, a bug in which a post-auth Arbitrary-File-Write leads to remote code execution, was patched in May.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-26T12:39:54", "type": "threatpost", "title": "Microsoft Breaks Silence on Barrage of ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-26T12:39:54", "id": "THREATPOST:83C349A256695022C2417F465CEB3BB2", "href": "https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence & Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-01T12:44:45", "description": "A new APT group has emerged that\u2019s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server\u2019s [ProxyShell](<https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/>) and leveraging both new and existing malware to compromise networks.\n\nResearchers at security firm [Positive Technologies](<https://www.ptsecurity.com/ww-en/>) have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a [report](<https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/>) by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.\n\nTo avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nOne is to acquire domains that imitate their legitimate counterparts \u2013 such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com and mcafee-upgrade.com. The other is to place SSL certificates that also imitate legitimate ones \u2013 such as github.com, www.ibm.com, jquery.com, update.microsoft-support.net \u2013 on its servers, researchers said.\n\nMoreover, ChamelGang \u2013 like [Nobelium](<https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/>) and [REvil](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) before it \u2013 has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target, they said. In one of the cases analyzed by Positive Technologies, \u201cthe group compromised a subsidiary and penetrated the target company\u2019s network through it,\u201d according to the writeup.\n\nThe attackers also appear malware-agnostic when it comes to tactics, using both known malicious programs such as [FRP](<https://howtofix.guide/frp-exe-virus/>), [Cobalt Strike Beacon](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), and Tiny Shell, as well as previously unknown malware ProxyT, BeaconLoader and the DoorMe backdoor, researchers said.\n\n## **Two Separate Attacks**\n\nResearchers analyzed two attacks by the novel APT: one in March and one in August. The first investigation was triggered after a Russia-based energy company\u2019s antivirus protection repeatedly reported the presence of the Cobalt Strike Beacon in RAM.\n\nAttackers gained access to the energy company\u2019s network through the supply chain, compromising a vulnerable version of a subsidiary company\u2019s web application on the JBoss Application Server. Upon investigation, researchers found that attackers exploited a critical vulnerability, [CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>), to remotely execute commands on the host.\n\nOnce on the energy company\u2019s network, ChamelGang moved laterally, deploying a number of tools along the way. They included Tiny Shell, with which a UNIX backdoor can receive a shell from an infected host, execute a command and transfer files; an old DLL hijacking technique associated with the Microsoft Distributed Transaction Control (MSDTC) Windows service to gain persistence and escalate privileges; and the Cobalt Strike Beacon for calling back to attackers for additional commands.\n\nResearchers were successful in accessing and exfiltrating data in the attack, researchers said. \u201cAfter collecting the data, they placed it on web servers on the compromised network for further downloading \u2026 using the Wget utility,\u201d they wrote.\n\n## **Cutting Short a ProxyShell Attack **\n\nThe second attack was on an organization from the Russian aviation production sector, researchers said. They notified the company four days after the server was compromised, working with employees to eliminate the threat shortly after.\n\n\u201cIn total, the attackers remained in the victim\u2019s network for eight days,\u201d researchers wrote. \u201cAccording to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.\u201d\n\nIn this instance, ChamelGang used a known chain of vulnerabilities in Microsoft Exchange called ProxyShell \u2013 CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 \u2013 to compromise network nodes and gain a foothold. Indeed, a number of attackers took advantage of ProxyShell throughout August, [pummeling](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) unpatched Exchange servers with attacks after a [researcher at BlackHat revealed](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) the attack surface.\n\nOnce on the network, attackers then installed a modified version of the backdoor DoorMe v2 on two Microsoft Exchange mail servers on the victim\u2019s network. Attackers also used BeaconLoader to move inside the network and infect nodes, as well as the Cobalt Strike Beacon.\n\n## **Victims Across the Globe**\n\nFurther threat intelligence following the investigation into attacks on the Russian companies revealed that ChamelGang\u2019s activity has not been limited to that country.\n\nPositive Technologies eventually identified 13 more compromised organizations in nine other countries \u2013 the U.S., Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. In the last four countries mentioned, attackers targeted government servers, they added.\n\nAttackers often used ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server against victims, who were all notified by the appropriate national security authorities in their respective countries.\n\nChamelGang\u2019s tendency to reach its targets through the supply chain also is likely one that it \u2013 as well as other APTs \u2013 will continue, given the success attackers have had so far with this tactic, researchers added. \u201cNew APT groups using this method to achieve their goals will appear on stage,\u201d they said.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-01T12:36:25", "type": "threatpost", "title": "New APT ChamelGang Targets Russian Energy, Aviation Orgs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-01T12:36:25", "id": "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "href": "https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T16:00:33", "description": "A new-ish threat actor sometimes known as \u201cTortilla\u201d is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware.\n\nCisco Talos researchers said in a Wednesday [report](<https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) that they spotted the malicious campaign a few weeks ago, on Oct. 12.\n\nTortilla, an actor that\u2019s been operating since July, is predominantly targeting U.S. victims. It\u2019s also hurling a smaller number of infections that have hit machines in the Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03120718/ProxShell-Babuk-map-e1635955653968.jpeg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03120718/ProxShell-Babuk-map-e1635955653968.jpeg>)\n\nVictim distribution map. Source: Cisco Talos.\n\nPrior to this ransomware-inflicting campaign, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone PowerCat.\n\nPowerCat has a penchant for Windows, the researchers explained, being \u201cknown to provide attackers with unauthorized access to Windows machines.\u201d\n\n## ProxyShell\u2019s New Attack Surface\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>)..\n\nIn this latest ProxyShell campaign, Cisco Talos researchers said that the threat actor is using \u201ca somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl\u201d to deliver Babuk.\n\nThey continued: \u201cThe intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed.\u201d\n\n## Who\u2019s Babuk?\n\nBabuk is a ransomware that\u2019s probably best known for its starring role in a breach of the Washington D.C. police force [in April](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). The gang behind the malware has a short history, having only been [identified in 2021](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>), but that history shows that it\u2019s a [double-extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) player: one that threatens to post stolen data in addition to encrypting files, as a way of applying thumbscrews so victims will pay up.\n\nThat tactic has worked. As [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>) described in February, Babuk the ransomware had already been lobbed at a batch of at least five big enterprises, with one score: The gang walked away with $85,000 after one of those targets ponied up the money, McAfee researchers said.\n\nIts victims have included Serco, an outsourcing firm that confirmed that it had been [slammed](<https://www.computerweekly.com/news/252495684/Serco-confirms-Babuk-ransomware-attack>) with a double-extortion ransomware attack in late January.\n\nLike many ransomware strains, Babuk is ruthless: It not only encrypts a victim\u2019s machine, it also [blows up backups](<https://threatpost.com/conti-ransomware-backups/175114/>) and deletes the volume shadow copies, Cisco Talos said.\n\n## What\u2019s Under Babuk\u2019s Hood\n\nOn the technical side, Cisco Talos described Babuk as a flexible ransomware that can be compiled, through a ransomware builder, for several hardware and software platforms.\n\nIt\u2019s mostly compiled for Windows and ARM for Linux, but researchers said that, over time, they\u2019ve also seen versions for ESX and a 32-bit, old PE executable.\n\nIn this recent October campaign though, the threat actors are specifically targeting Windows.\n\n## China Chopper Chops Again\n\nPart of the infection chain involves China Chopper: A webshell that dates back to 2010 but which has [clung to relevancy since](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), including reportedly being used in a massive 2019 attack against telecommunications providers called [Operation Soft Cell](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>). The webshell enables attackers to \u201cretain access to an infected system using a client-side application which contains all the logic required to control the target,\u201d as Cisco Talos [described](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) the webshell in 2019.\n\nThis time around, it\u2019s being used to get to Exchange Server systems. \u201cWe assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,\u201d according to the Cisco Talos writeup.\n\n## The Infection Chain\n\nAs shown in the infection flow chart below, the actors are using either a DLL or .NET executable to kick things off on the targeted system. \u201cThe initial .NET executable module runs as a child process of w3wp.exe and invokes the command shell to run an obfuscated PowerShell command,\u201d according to Cisco Talos\u2019 report.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03130541/infection-flow-chart-e1635959155173.jpeg)](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03130541/infection-flow-chart-e1635959155173.jpeg>)\n\nInfection flow chart. Source: Cisco Talos.\n\n\u201cThe PowerShell command invokes a web request and downloads the payload loader module using certutil.exe from a URL hosted on the domains fbi[.]fund and xxxs[.]info, or the IP address 185[.]219[.]52[.]229,\u201d researchers said.\n\n\u201cThe payload loader downloads an intermediate unpacking stage from the PasteBin clone site pastebin.pl,\u201d they continued \u2013 a site that \u201cseems to be unrelated to the popular pastebin.com.\u201d\n\nThey continued: \u201cThe unpacker concatenates the bitmap images embedded in the resource section of the trojan and decrypts the payload into the memory. The payload is injected into the process AddInProcess32 and is used to encrypt files on the victim\u2019s server and all mounted drives.\u201d\n\n## More Ingredients in Tortilla\u2019s Infrastructure\n\nBesides the pastebin.pl site that hosts Tortilla\u2019s intermediate unpacker code, Tortilla\u2019s infrastructure also includes a Unix-based download server.\n\nThe site is legitimate, but Cisco Talos has seen multiple malicious campaigns running on it, including hosting variants of the [AgentTesla trojan](<https://threatpost.com/agent-tesla-microsoft-asmi/163581/>) and the [FormBook malware dropper.](<https://threatpost.com/new-formbook-dropper-harbors-persistence/145614/>)\n\n## Babuk\u2019s Code Spill Helps Newbies\n\nIn July, Babuk gang\u2019s source code and builder were spilled: They were [uploaded to VirusTotal](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>), making it available to all security vendors and competitors. That leak has helped the ransomware spread to even an inexperienced, green group like Tortilla, Cisco Talos said.\n\nThe leak \u201cmay have encouraged new malicious actors to manipulate and deploy the malware,\u201d researchers noted.\n\n\u201cThis actor has only been operating since early July this year and has been experimenting with different payloads, apparently in order to obtain and maintain remote access to the infected systems,\u201d according to its writeup.\n\nWith Babuk source code readily available, all the Tortilla actors have to know is how to tweak it a tad, researchers said: A scenario that observers predicted back when the code appeared.\n\n\u201cThe actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools,\u201d Cisco Talos researchers said in assessing the Tortilla gang.\n\n## Decryptor Won\u2019t Work on Variant\n\nWhile a free [Babuk decryptor was released](<https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/>) last week, it won\u2019t work on the Babuk variant seen in this campaign, according to the writeup: \u201cUnfortunately, it is only effective on files encrypted with a number of leaked keys and cannot be used to decrypt files encrypted by the variant described in this blog post.\u201d\n\n## How to Keep Exchange Safe\n\nTortilla is hosting malicious modules and conducting internet-wide scanning to exploit vulnerable hosts.\n\nThe researchers recommended staying vigilant, staying on top of any infection in its early stages and implementing a layered defense security, \u201cwith the behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain.\u201d\n\nThey also recommended keeping servers and apps updated so as to squash vulnerabilities, such as the trio of CVEs exploited in the ProxyShell attacks.\n\nAlso, keep an eye out for backup demolition, as the code deletes shadow copies: \u201cBabuk ransomware is nefarious by its nature and while it encrypts the victim\u2019s machine, it interrupts the system backup process and deletes the volume shadow copies,\u201d according to Cisco Talos.\n\nOn top of all that, bolster detection: Watch out for system configuration changes, suspicious events generated by detection systems for an abrupt service termination, or abnormally high I/O rates for drives attached to servers, according to Cisco Talos.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-03T18:16:37", "type": "threatpost", "title": "\u2018Tortilla\u2019 Wraps Exchange Servers in ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-43267"], "modified": "2021-11-03T18:16:37", "id": "THREATPOST:52923238811C7BFD39E0529C85317249", "href": "https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/16112322/AprilWebinar-300x143.png)](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T19:26:48", "description": "Researchers\u2019 Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords.\n\nIn his Black Hat [presentation](<https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-m>) last week, Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) said that a survey shows more than 400,000 Exchange servers on the internet that are exposed to the attack via port 443. On Monday, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find it a snap to pull off, given how much information is available.\n\nGoing by calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon and ProxyShell, \u201cjust under 50 percent of internet-facing Exchange servers\u201d are currently vulnerable to exploitation, according to a Shodan search.\n\n> Breakdown of Exchange servers on Shodan vulnerable to ProxyShell or ProxyLogon, it's just under 50% of internet facing Exchange servers. [pic.twitter.com/3samyNHBpB](<https://t.co/3samyNHBpB>)\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 13, 2021](<https://twitter.com/GossiTheDog/status/1426207905779527682?ref_src=twsrc%5Etfw>)\n\nOn the plus side, Microsoft has already released patches for all of the vulnerabilities in question, and, cross your fingers, \u201cchances are that most organizations that take security at least somewhat seriously have already applied the patches,\u201d Kopriva wrote.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe vulnerabilities affect Exchange Server 2013, 2016 and 2019.\n\nOn Thursday, Beaumont and NCC Group\u2019s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.\n\n\u201cStarted to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\u201d Warren tweeted, along with a screen capture of the code for a c# aspx webshell dropped in the /aspnet_client/ directory.\n\n> Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory: [pic.twitter.com/XbZfmQQNhY](<https://t.co/XbZfmQQNhY>)\n> \n> \u2014 Rich Warren (@buffaloverflow) [August 12, 2021](<https://twitter.com/buffaloverflow/status/1425831100157349890?ref_src=twsrc%5Etfw>)\n\nBeaumont [tweeted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) that he was seeing the same and connected it to Tsai\u2019s talk: \u201cExchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361\u2019s initial talk.\u201d\n\n> Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from [@orange_8361](<https://twitter.com/orange_8361?ref_src=twsrc%5Etfw>)'s initial talk.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 12, 2021](<https://twitter.com/GossiTheDog/status/1425844380376735746?ref_src=twsrc%5Etfw>)\n\n## Dangerous Skating on the New Attack Surface\n\nIn [a post](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) on Sunday, Tsai recounted the in-the-wild ProxyLogon proof of concept that Devco reported to MSRC in late February, explaining that it made the researchers \u201cas curious as everyone after eliminating the possibility of leakage from our side through a thorough investigation.\n\n\u201cWith a clearer timeline appearing and more discussion occurring, it seems like this is not the first time that something like this happened to Microsoft,\u201d he continued. Mail server is both a highly valuable asset and a seemingly irresistible target for attackers, given that it holds businesses\u2019 confidential secrets and corporate data.\n\n\u201cIn other words, controlling a mail server means controlling the lifeline of a company,\u201d Tsai explained. \u201cAs the most common-use email solution, Exchange Server has been the top target for hackers for a long time. Based on our research, there are more than four hundred thousands Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server.\u201d\n\nDuring his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on \u201ca significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend\u201d \u2013 a change that incurred \u201cquite an amount of design\u201d and yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs and crypto bugs.\n\nHe chained the bugs into three attack vectors: The now-infamous [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) that induced [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) a few months back, the ProxyShell vector that\u2019s now under active attack, and another vector called ProxyOracle.\n\n\u201cThese attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers,\u201d according to the presentation\u2019s introduction.\n\nThe three Exchange vulnerabilities, all of which are [patched](<https://threatpost.com/microsoft-crushes-116-bugs/167764/>), that Tsai chained for the ProxyShell attack:\n\n * [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \u2013 Pre-auth path confusion leads to ACL bypass\n * [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \u2013 Elevation of privilege on Exchange PowerShell backend\n * [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) \u2013 Post-auth arbitrary file-write leads to RCE\n\nProxyShell earned the Devcore team a $200,000 bounty after they used the bugs to take over an Exchange server at the [Pwn2Own 2021](<https://twitter.com/thezdi/status/1379467992862449664>) contest in April.\n\nDuring his Black Hat talk, Tsai said that he discovered the Exchange vulnerabilities when targeting the Microsoft Exchange CAS attack surface. As Tsai explained, CAS is \u201ca fundamental component\u201d of Exchange.\n\nHe referred to [Microsoft\u2019s documentation](<https://docs.microsoft.com/en-us/exchange/architecture/architecture?view=exchserver-2019>), which states:\n\n\u201cMailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.\u201d\n\n\u201cFrom the narrative you could realize the importance of CAS, and you could imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused on, and where the attack surface appeared,\u201d Tsai wrote. \u201cCAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it\u2019s HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding backend service.\u201d\n\n## ProxyShell Just the \u2018Tip of the Iceberg\u2019\n\nOut of all the bugs he found in the new attack surface, Tsai dubbed [CVE-2020-0688](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) (an RCE vulnerability that involved a hard-coded cryptographic key in Exchange) the \u201cmost surprising.\u201d\n\n\u201cWith this hard-coded key, an attacker with low privilege can take over the whole Exchange Server,\u201d he wrote. \u201cAnd as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in an essential software like Exchange. This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security.\u201d\n\nBut the \u201cmost interesting\u201d flaw is [CVE-2018-8581](<https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange>), he said, which was disclosed by someone who cooperated with ZDI. Though it\u2019s a \u201csimple\u201d server-side request forgery (SSRF), it could be combined with NTLM Relay, enabling the attacker to \u201cturn a boring SSRF into [something really fancy,\u201d Tsai said.](<https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/>)\n\nFor example, it could \u201cdirectly control the whole Domain Controller through a low-privilege account,\u201d Tsai said.\n\n## Autodiscover Figures into ProxyShell\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/>) reported, during his presentation, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange [Autodiscover](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>) service: a service that eases configuration and deployment by providing clients access to Exchange features with minimal user input.\n\nTsai\u2019s talk evidently triggered a wave of scanning for the vulnerabilities by attackers.\n\nAfter watching the presentation, other security researchers replicated the ProxyShell exploit. The day after Tsai\u2019s presentation, last Friday, PeterJson and Nguyen Jang [published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) more detailed technical information about their successful reproduction of the exploit.\n\nSoon after, Beaumont [tweeted](<https://twitter.com/GossiTheDog/status/1422178411385065476?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1422178411385065476%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fmicrosoft%2Fmicrosoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now%2F>) about a threat actor who was probing his Exchange honeypot using the [Autodiscover service](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>). As of yesterday, Aug. 12, those servers were being targeted using autodiscover.json, he tweeted.\n\n> Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from [@orange_8361](<https://twitter.com/orange_8361?ref_src=twsrc%5Etfw>)'s initial talk.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 12, 2021](<https://twitter.com/GossiTheDog/status/1425844380376735746?ref_src=twsrc%5Etfw>)\n\nAs of Thursday, ProxyShell was dropping a 265K webshell \u2013 the minimum file size that can be created via ProxyShell due to its use of the Mailbox Export function of Exchange Powershell to create PST files \u2013 to the \u2018c:\\inetpub\\wwwroot\\aspnet_client\\\u2019 folder. Warren shared a sample with BleepingComputer that showed that the webshells consist of \u201ca simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.\u201d\n\nBad Packets told the outlet that as of Thursday, was seeing threat actors scanning for vulnerable ProxyShell devices from IP addresses in the U.S., Iran and the Netherlands, using the domains @abc.com and @1337.com, from the known addresses 3.15.221.32 and 194.147.142.0/24.\n\n![Threatpost Webinar Series ](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/27093135/threatpost-webinar-300x51.jpg)Worried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-13T18:56:27", "type": "threatpost", "title": "Exchange Servers Under Active Attack via ProxyShell Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8581", "CVE-2020-0688", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T18:56:27", "id": "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "href": "https://threatpost.com/exchange-servers-attack-proxyshell/168661/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-10T12:11:12", "description": "State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.\n\nThe National Security Agency (NSA) issued a [Cybersecurity Advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August\u2013[CVE-2019-11539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>), [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) and [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\u2013to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.\n\nThe National Cyber Security Centre in the United Kingdom posted [a separate warning](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) about the threats, which stem from vulnerabilities that allow \u201can attacker to retrieve arbitrary files, including those containing authentication credentials,\u201d according to the post.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.\n\nThe U.K.\u2019s alert added two more Fortinet vulnerabilities to the list\u2013[CVE-2018-13382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382>) and [CVE-2018-13383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>)\u2014as well as a Palo Alto Networks VPN flaw, [CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>).\n\nAuthorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.\n\nTo mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.\n\nA more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.\n\nNeither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.\n\nThe warnings come after [reports surfaced](<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>) last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).\n\nAPT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a [report](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>) by FireEye.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-08T12:44:16", "type": "threatpost", "title": "APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2018-13382", "CVE-2018-13383", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1579"], "modified": "2019-10-08T12:44:16", "id": "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "href": "https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[![Threatpost Webinar Promo Retail Security](https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/07103433/webinar-promo-retail-security-1.jpg)](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-13T22:17:17", "description": "Three bugs under active exploit were squashed by Microsoft Tuesday, part of its [July security roundup](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.\n\nBugs under active attack include a critical scripting engine memory corruption ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>)) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities ([CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>), [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>)), both with a severity rating of important. \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)The hundred-plus bug fixes add to a rough July for Microsoft, which rolled out an out-of-band fix for a Windows print spooler remote-code-execution vulnerability ([CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>)), dubbed [PrintNightmare](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), earlier this month. The nightmare bug, first disclosed in April, was later discovered to be more serious than initially thought.\n\n## **Public, But Not Exploited **\n\nFive of the bugs patched by Microsoft ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-33781](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), [CVE-2021-33779](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33779>), [CVE-2021-34492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34492>)) were publicly known, albeit not exploited. Only one of those bugs (CVE-2021-34473), a Microsoft Exchange Server remote code execution (RCE) vulnerability, has a severity rating of critical, with a CVSS score of 9.1. The bug, one of the highest rated in terms of importance to fix this month, was part of Microsoft\u2019s April Patch Tuesday roundup of fixes, according to commentary by [Cisco Talos](<https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html>).\n\n\u201cThis vulnerability was already patched in Microsoft\u2019s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack,\u201d wrote Talos authors Jon Munshaw and Jaeson Schultz.\n\n## **Patching Priorities **\n\nThe most pressing of bugs is a memory corruption vulnerability (CVE-2021-34448) in Windows Server\u2019s scripting engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.\n\n\u201c[This bug] is the most serious vulnerability for me. It is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain,\u201d wrote Kevin Breen, director of cyber threat research with Immersive Labs, in his Patch Tuesday commentary. \u201cWith malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails.\u201d\n\nCisco Talos advises system admin to prioritize a patch for a critical bug ([CVE-2021-34464](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34464>)) in Microsoft\u2019s free Defender anti-virus software. \u201cThis issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed,\u201d wrote Munshaw and Schultz.\n\nResearchers have also identified three SharePoint Server bugs ([CVE-2021-34520](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34520>), [CVE-2021-34467](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34467>), [CVE-2021-34468](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34468>)) as priority patches. Each allow an attacker to execute remote code on the victim machine. All are rated important. However, Microsoft reports that exploitation is \u201cmore likely\u201d with these vulnerabilities, Talos said.\n\nZero Day Initiative\u2019s Dustin Childs recommends tackling ([CVE-2021-34458](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458>)), a Windows kernel vulnerability. \u201cIt\u2019s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices,\u201d [he wrote](<https://www.zerodayinitiative.com/blog/2021/7/13/the-july-2021-security-update-review>).\n\n\u201cIt\u2019s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it\u2019s not one to ignore. If you have virtual machines in your environment, test and patch quickly,\u201d Childs added.\n\nIn related news, [Adobe\u2019s July patch roundup](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>), also released Tuesday, includes fixes for its ubiquitous and free PDF reader Acrobat 2020 and other software such as Illustrator and Bridge. In all, Adobe patched 20 Acrobat bugs, with nine rated important.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-13T21:26:27", "type": "threatpost", "title": "Microsoft Crushes 116 Bugs, Three Actively Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-33779", "CVE-2021-33781", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34464", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34473", "CVE-2021-34492", "CVE-2021-34520", "CVE-2021-34523", "CVE-2021-34527"], "modified": "2021-07-13T21:26:27", "id": "THREATPOST:98D815423018872E6E596DAA8131BF3F", "href": "https://threatpost.com/microsoft-crushes-116-bugs/167764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-09-23T06:58:39", "description": "### Summary\n\n_**Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity** \n\u2022 Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, 2018-13379, 2020-12812, and 2019-5591._ \n\u2022 _Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._ \n_\u2022 Use [strong, unique passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>).v_\n\n___**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.___\n\nThis joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.\n\nThe Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.\n\nThis advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.\n\nThe FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.\n\nFor a downloadable copy of IOCs, see AA21-321A.stix.\n\nFor more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Threat Actor Activity\n\nSince at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.\n\n * In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), and enumerating devices for FortiOS vulnerabilities [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>) and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. **Note:** for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: [APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/media/news/2021/210402.pdf>).\n * In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username `elie` to further enable malicious activity. **Note: **for previous FBI reporting on this activity, refer to [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity](<https://www.ic3.gov/media/news/2021/210527.pdf>).\n * In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses `91.214.124[.]143` and `162.55.137[.]20`\u2014which FBI and CISA judge are associated with Iranian government cyber activity\u2014to further enable malicious activity against the hospital\u2019s network. The APT actors accessed known user accounts at the hospital from IP address `154.16.192[.]70`, which FBI and CISA judge is associated with government of Iran offensive cyber activity.\n * As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability\u2014`CVE-2021-34473`\u2014to gain initial access to systems in advance of follow-on operations.\n\nACSC considers that this APT group has also used the same Microsoft Exchange vulnerability ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>)) in Australia.\n\n### MITRE ATT&CK Tactics and Techniques\n\nFBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n\nThe APT actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum.\n\n * [Mimikatz](<https://attack.mitre.org/software/S0002>) for credential theft [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n * WinPEAS for privilege escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]\n * SharpWMI (Windows Management Instrumentation)\n * WinRAR for archiving collected data [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>), [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)]\n * FileZilla for transferring files [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010>)]\n\n#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\nThe Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)].\n\n#### Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\nThe Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:\n\n * `SynchronizeTimeZone`\n * `GoogleChangeManagement`\n * `MicrosoftOutLookUpdater`\n * `MicrosoftOutLookUpdateSchedule`\n\n#### Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]\n\nThe Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:\n\n * `Support`\n * `Help`\n * `elie`\n * `WADGUtilityAccount`\n\n#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]\n\nThe FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.\n\n#### Impact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)]\n\nThe APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. \n\n * sar_addr@protonmail[.]com\n * WeAreHere@secmail[.]pro\n * nosterrmann@mail[.]com\n * nosterrmann@protonmail[.]com \n\n## Detection\n\nThe FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks. \n\n * Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. **Note: **refer to Appendix A for IOCs.\n * Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. \n * Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. \n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized \u201cactions\u201d (for example, review the steps each scheduled task is expected to perform).\n * Review antivirus logs for indications they were unexpectedly turned off.\n * Look for WinRAR and FileZilla in unexpected locations. \n\n**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. \n\n### Mitigations\n\nThe FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.\n\n#### Patch and Update Systems\n\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. \n * Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\n\n#### Evaluate and Update Blocklists and Allowlists\n\n * Regularly evaluate and update blocklists and allowlists.\n * If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization\u2019s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.\n\n#### Implement and Enforce Backup and Restoration Policies and Procedures\n\n * Regularly back up data, air gap, and password protect backup copies offline.\n * Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. \n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). \n\n#### Implement Network Segmentation\n\n * Implement network segmentation to restrict adversary\u2019s lateral movement. \n\n#### Secure User Accounts\n\n * Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. \n * Require administrator credentials to install software. \n\n#### Implement Multi-Factor Authentication\n\n * Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems. \n\n#### Use Strong Passwords\n\n * Require all accounts with password logins to have strong, unique passwords.\n\n#### Secure and Monitor RDP and other Potentially Risky Services\n\n * If you use RDP, restrict it to limit access to resources over internal networks.\n * Disable unused remote access/RDP ports.\n * Monitor remote access/RDP logs. \n\n#### Use Antivirus Programs\n\n * Install and regularly update antivirus and anti-malware software on all hosts. \n\n#### Secure Remote Access\n\n * Only use secure networks and avoid using public Wi-Fi networks. \n * Consider installing and using a VPN for remote access.\n\n#### Reduce Risk of Phishing\n\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails\n\n## Resources\n\n * For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>). \n * For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.\n * The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.\n * ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).\n\n### Appendix A: Indicators of Compromise\n\nIP addresses and executables files are listed below. For a downloadable copy of IOCs, see AA21-321A.stix.\n\nIP Addresses\n\n * `91.214.124[.]143 `\n * `162.55.137[.]20 `\n * `154.16.192[.]70`\n\n#### Executable Files \n\nExecutable files observed in this activity are identified in table 1.\n\nTable 1: Executable Files \n\n**Filename:** | MicrosoftOutLookUpdater[.]exe \n---|--- \nMD5: | 1444884faed804667d8c2bfa0d63ab13 \nSHA-1: | 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A \nSHA-256: | c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624 \nSHA-512: | 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF \n**Filename:** | **MicrosoftOutlookUpdater.bat** \nMD5: | 1A44368EB5BF68688BA4B4357BDC874F \nSHA-1 | FA36FEBFD5A5CA0B3A1B19005B952683A7188A13 \nSHA-256 | 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4 \nSHA-512 | 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2 \n**Filename:** | **MicrosoftOutlookUpdater.xml** \nMD5: | AA40C49E309959FA04B7E5AC111BB770 \nSHA-1 | F1D90E10E6E3654654E0A677763C9767C913F8F0 \nSHA-256 | 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6 \nSHA-512 | E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E \n**Filename:** | **GoogleChangeManagement.xml** \nMD5: | AF2D86042602CBBDCC7F1E8EFA6423F9 \nSHA-1 | CDCD97F946B78831A9B88B0A5CD785288DC603C1 \nSHA-256 | 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D \nSHA-512 | 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971 \n**Filename:** | **Connector3.exe** \nMD5: | e64064f76e59dea46a0768993697ef2f \n**Filename:** | **Audio.exe or frpc.exe** \nMD5: | b90f05b5e705e0b0cb47f51b985f84db \nSHA-1 | 5bd0690247dc1e446916800af169270f100d089b \nSHA-256: | 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa \nVhash: | 017067555d5d15541az28!z \nAuthentihash: | ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee \nImphash: | 93a138801d9601e4c36e6274c8b9d111 \nSSDEEP: | 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U \nNote: | \n\nIdentical to \u201cfrpc.exe\u201d available at:\n\nhttps://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip \n \n**Filename:** | **Frps.exe** \nMD5: | 26f330dadcdd717ef575aa5bfcdbe76a \nSHA-1 | c4160aa55d092cf916a98f3b3ee8b940f2755053 \nSHA-256: | d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a \nVhash: | 017057555d6d141az25!z \nAuthentihash: | 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea \nImphash: | 91802a615b3a5c4bcc05bc5f66a5b219 \nSSDEEP: | 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO \nNote: | \n\nIdentical to \u201cfrps.exe\u201d available at: \n\nhttps://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip \n \n### APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES\n\nTable 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.\n\nTable 2: Observed Tactics and Techniques\n\nTactic | Technique \n---|--- \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)] | \n\nObtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>)] \n \nObtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] \n \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | \n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] \n \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\n| \n\nScheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)] \n \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | \n\nCreate Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)] \n \nCreate Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)] \nPrivilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)] | \n \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n\n| \nCollection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>)] | \n\nArchive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)] \n \nExfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)] | \nImpact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)] | Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)] \n \n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov> \"Email CISA Central\" ). Australian organizations can visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\n\n### Revisions\n\nNovember 17, 2021: Initial Version|November 19, 2021: Added STIX files\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-19T12:00:00", "type": "ics", "title": "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-11-19T12:00:00", "id": "AA21-321A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T19:56:18", "description": "### Summary\n\nActions to take today to protect against ransom operations:\n\n\u2022 Keep systems and software updated and prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enforce MFA. \n\u2022 Make offline backups of your data.\n\nThis joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government\u2019s Islamic Revolutionary Guard Corps (IRGC). **Note**: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as \"the authoring agencies.\"\n\nThis advisory updates joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.\n\nSince the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report [APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>) from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.\n\nThe IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.\n\nThis advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.\n\nFor a downloadable copy of IOCs, see [AA22-257A.stix](<https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml>).\n\nFor more information on Iranian state-sponsored malicious cyber activity, see CISA\u2019s [Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>) webpage and FBI\u2019s [Iran Threat](<https://www.fbi.gov/investigate/counterintelligence/the-iran-threat>) webpage.\n\nDownload the PDF version of this report: pdf, 836 kb\n\n### Technical Details\n\n#### Threat Actor Activity\n\nAs reported in joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>), [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>), and [CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>) (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) and [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>). The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.\n\nSince the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) (\u201cLog4Shell\u201d), [CVE-2021-45046](<https://vulners.com/cve/CVE-2021-45046>), and [CVE-2021-45105](<https://vulners.com/cve/CVE-2021-45105>) for initial access.\n\nThe IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or \u201cdouble extortion\u201d ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.\n\nIRGC-affiliated actor activity observed by the authoring agencies includes:\n\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company\u2019s operations for an extended period.\n * In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.\n * In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network.\n\n#### MITRE ATT&CK\u00ae Tactics and Techniques\n\nNote: This advisory uses the MITRE [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/techniques/enterprise/>) framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.\n\nThe authoring agencies assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042>)]\n\nThe IRGC-affiliated actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v11/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum:\n\n * Fast Reverse Proxy (FRP) for command and control (C2)\n * Plink for C2\n * Remote Desktop Protocol (RDP) for lateral movement\n * BitLocker for data encryption\n * SoftPerfect Network Scanner for system network configuration discovery\n\nNote: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)]\n\nAs stated in the Technical Details section previously reported in joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)].\n\nThe following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:\n\n * Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\\n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\n * C:\\inetpub\\wwwroot\\aspnet_client\\\n\nThe following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:\n\n * ${jndi:ldap//148.251.71.182:1389/RCE} (user agent string)\n * RCE.class\n\n#### Execution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002>)]\n\nThe IRGC-affiliated actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:\n\n * Wininet\n * Wininet\u2019\n * WinLogon\n * CacheTask\n\nNote: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Persistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003>)]\n\nThe IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v11/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v11/techniques/T1136/002>)]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:\n\n * Domain Admin\n * it_admin\n * DefaultAccount\n * Default01\n\nNote: For additional account usernames associated with this activity, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)]\n\nThe authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:\n\n * C:\\Windows\\Temp\\sassl[.]pmd\n * C:\\Windows\\Temp\\ssasl[.]zip\n * C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]dmp\n * C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]zip\n\n#### Impact [[TA0040](<https://attack.mitre.org/versions/v11/tactics/TA0040>)]\n\nThe IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity\u2019s networked printer(s). The notes included the following contact information:\n\n * @BuySafety (Telegram)\n * @WeRBits (Telegram)\n * +93794415076 (WhatsApp)\n * werbits@onionmail[.]org\n * buysafety@onionmail[.]org\n * yacashcash@rambler[.]ru\n\nNote: For additional contact information included in ransom notes, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\n### DETECTION\n\nThe authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.\n\n * Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. \n * **Note**: Refer to Appendix A for IOCs.\n * Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021- 45105.\n * Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021- 34523, and CVE-2021-31207.\n * As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021- 31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470 because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.\n * Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.\n * Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\n * Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.\n * Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.\n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system and scheduled tasks\u2014including each step these tasks perform\u2014for unrecognized \u201cactions.\u201d\n * Review antivirus logs for indications they were unexpectedly turned off.\n * Look for WinRAR and FileZilla in unexpected locations.\n * Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.\n\nNote: For additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.\n\n### Mitigations\n\nThe authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.\n\n#### Implement and Enforce Backup and Restoration Policies and Procedures\n\n * Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization\u2019s continuity of operations or at least minimize potential downtime from a ransomware or other destructive data incident and protect against data losses. \n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure.\n * Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.\n * Create, maintain, and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.\n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n\n#### Patch and Update Systems\n\n * U.S. federal, state, local, tribal, and territorial (SLTT) government and critical infrastructure organizations: Implement free [CISA Cyber Hygiene Services Vulnerability Scanning](<https://www.cisa.gov/cyber-hygiene-services>) to enable continuous scans of public, static IPs for accessible services and vulnerabilities.\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check software updates and end-of-life notifications. Consider leveraging a centralized patch management system to automate and expedite the process.\n * Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021- 34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021- 31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021- 31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.\n\n#### Evaluate and Update Blocklists and Allowlists\n\n * Regularly evaluate and update blocklists and allowlists.\n * If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization\u2019s execution blocklist. Prevent any attempts to install or run this program and its associated files.\n\n#### Implement Network Segmentation\n\n * Implement network segmentation to restrict a malicious threat actor\u2019s lateral movement.\n\n#### Secure User Accounts\n\n * Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.\n * Require administrator credentials to install software.\n\n#### Implement Multifactor Authentication\n\n * Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.\n\n#### Use Strong Passwords\n\n * Require all accounts with password logins to have strong, unique passwords. See CISA Tip [Choosing and Protecting Passwords](<https://www.cisa.gov/tips/st04-002>) and National Institute of Standards and Technology (NIST) [Special Publication 800-63B: Digital Identity Guidelines](<https://csrc.nist.gov/publications/detail/sp/800-63b/final>) for more information.\n\n#### Secure and Monitor RDP and other Potentially Risky Services\n\n * If you use RDP, restrict it to limit access to resources over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.\n * Disable unused remote access/RDP ports.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts.\n\n#### Use Antivirus Programs\n\n * Install and regularly update antivirus and anti-malware software on all hosts.\n\n#### Secure Remote Access\n\n * Only use secure networks.\n * Consider installing and using a VPN for remote access.\n\n### VALIDATE SECURITY CONTROLS\n\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.\n\nTo get started:\n\n 1. Select an ATT&CK technique described in this advisory (see Appendix B).\n 2. Align your security technologies against the technique.\n 3. Test your technologies against the technique.\n 4. Analyze your detection and prevention technologies performance.\n 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n 6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\n\nThe authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.\n\n### RESPONDING TO RANSOMWARE OR EXTORTION INCIDENTS\n\nIf a ransomware or extortion incident occurs at your organization:\n\n * Follow the Ransomware Response Checklist on page 11 of the [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf>).\n * Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.\n * Follow the notification requirements as outlined in your cyber incident response plan. \n * **U.S. organizations**: Report incidents to FBI at a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI's 24/7 CyWatch at (855)292-3937 or cywatch@fbi.gov, CISA\u2019s 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870, or the U.S. Secret Service (USSS) at a [USSS Field Office](<http://www.secretservice.gov/contact/field-offices/>).\n * **Australian organizations**: Visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\n * **Canadian organizations**: Report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>).\n * **United Kingdom organizations**: Report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://report.ncsc.gov.uk/>) (monitored 24 hours)\n * Apply incident response best practices found in the joint Cybersecurity Advisory, [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>), developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.\n\n**Note**: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.\n\n### **RESOURCES**\n\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.\n * For more information on malicious cyber activity affiliated with the Iranian government- sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>) and FBI\u2019s [Iran Threat](<https://www.fbi.gov/investigate/counterintelligence/the-iran-threat>) page.\n * For information and resources on protecting against and responding to ransomware or extortion activity, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), the U.S. centralized, whole-of-government webpage providing ransomware resources and alerts.\n * The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate malicious activity.\n * ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).\n\n### **PURPOSE**\n\nThis advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **DISCLAIMER**\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **APPENDIX A: INDICATORS OF COMPROMISE**\n\nIP addresses and executables files are listed below. For a downloadable copy of IOCs, see [AA22- 257A.stix](<https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml>).\n\n#### **IP Addresses**\n\n * 54.39.78[.]148\n * 95.217.193[.]86\n * 104.168.117[.]149\n * 107.173.231[.]114\n * 144.76.186[.]88\n * 148.251.71[.]182\n * 172.245.26[.]118\n * 185.141.212[.]131\n * 198.12.65[.]175\n * 198.144.189[.]74\n\nNote: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.\n\n#### **Malicious Domains**\n\n * newdesk[.]top\n * symantecserver[.]co\n * msupdate[.]us\n * msupdate[.]top\n * gupdate[.]us\n * aptmirror[.]eu\n * buylap[.]top\n * winstore[.]us\n * tcp443[.]org\n * mssync[.]one\n * upmirror[.]top\n * tcp443 (subdomain)\n * kcp53 (subdomain)\n\n#### **Files**\n\nMalicious files observed in this activity are identified in Table 1. Many of the below malicious files are masquerading as legitimate Windows files; therefore, file names alone should not be treated as an indicator of compromise. Note: For additional malicious files observed, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>).\n\nFilename:\n\n| \n\nWininet[.]xml \n \n---|--- \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\wininet[.]xml \n \nMD5:\n\n| \n\nd2f4647a3749d30a35d5a8faff41765e \n \nSHA-1:\n\n| \n\n0f676bc786db3c44cac4d2d22070fb514b4cb64c \n \nSHA-256:\n\n| \n\n559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e \n \nFilename:\n\n| \n\nWininet\u2019[.]xml \n \nMD5:\n\n| \n\n2e1e17a443dc713f13f45a9646fc2179 \n \nSHA-1:\n\n| \n\ne75bfc0dd779d9d8ac02798b090989c2f95850dc \n \nFilename:\n\n| \n\nWinLogon[.]xml \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\WinLogon[.]xml \n \nMD5:\n\n| \n\n49c71178fa212012d710f11a0e6d1a30 \n \nSHA-1:\n\n| \n\n226f0fbb80f7a061947c982ccf33ad65ac03280f \n \nSHA-256:\n\n| \n\nbcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea \n \nFilename:\n\n| \n\nWininet[.]bat \n \nPath:\n\n| \n\nC:\\Windows\\wininet[.]bat \n \nMD5:\n\n| \n\n5f098b55f94f5a448ca28904a57c0e58 \n \nSHA-1:\n\n| \n\n27102b416ef5df186bd8b35190c2a4cc4e2fbf37 \n \nSHA-256:\n\n| \n\n668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0 \n \nFilename:\n\n| \n\nWinlogon[.]bat \n \nPath:\n\n| \n\nC:\\Windows\\winlogon[.]bat \n \nMD5:\n\n| \n\n7ac4633bf064ebba9666581b776c548f \n \nSHA-1:\n\n| \n\n524443dd226173d8ba458133b0a4084a172393ef \n \nSHA-256:\n\n| \n\nd14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7 \n \nFilename:\n\n| \n\nCacheTask[.]bat \n \nPath:\n\n| \n\nC:\\\\\\ProgramData\\Microsoft\\CacheTask[.]bat \n \nMD5:\n\n| \n\nee8fd6c565254fe55a104e67cf33eaea \n \nSHA-1:\n\n| \n\n24ed561a1ddbecd170acf1797723e5d3c51c2f5d \n \nSHA-256:\n\n| \n\nc1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837 \n \nFilename:\n\n| \n\nTask_update[.]exe \n \n---|--- \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\task_update[.]exe \n \nMD5:\n\n| \n\ncacb64bdf648444e66c82f5ce61caf4b \n \nSHA-1:\n\n| \n\n3a6431169073d61748829c31a9da29123dd61da8 \n \nSHA-256:\n\n| \n\n12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a \n \nFilename:\n\n| \n\nTask[.]exe \n \nMD5:\n\n| \n\n5b646edb1deb6396082b214a1d93691b \n \nSHA-1:\n\n| \n\n763ca462b2e9821697e63aa48a1734b10d3765ee \n \nSHA-256:\n\n| \n\n17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f \n \nFilename:\n\n| \n\ndllhost[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\dllhost[.]exe \n \nMD5:\n\n| \n\n0f8b592126cc2be0e9967d21c40806bc\n\n| \n\n9a3703f9c532ae2ec3025840fa449d4e \n \nSHA-1:\n\n| \n\n3da45558d8098eb41ed7db5115af5a2c6 1c543af\n\n| \n\n8ece87086e8b5aba0d1cc4ec3804bf74e 0b45bee \n \nSHA-256:\n\n| \n\n724d54971c0bba8ff32aeb6044d3b3fd57 1b13a4c19cada015ea4bcab30cae26\n\n| \n\n1604e69d17c0f26182a3e3ff65694a4945\n\n0aafd56a7e8b21697a932409dfd81e \n \nFilename:\n\n| \n\nsvchost[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\svchost[.]exe \n \nMD5:\n\n| \n\n68f58e442fba50b02130eedfc5fe4e5b\n\n| \n\n298d41f01009c6d6240bc2dc7b769205 \n \nSHA-1:\n\n| \n\n76dd6560782b13af3f44286483e157848\n\nefc0a4e\n\n| \n\n6ca62f4244994b5fbb8a46bdfe62aa1c95 8cebbd \n \nSHA-256:\n\n| \n\nb04b97e7431925097b3ca4841b894139 7b0b88796da512986327ff66426544ca\n\n| \n\n8aa3530540ba023fb29550643beb00c9c 29f81780056e02c5a0d02a1797b9cd9 \n \nFilename:\n\n| \n\nUser[.]exe \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\user[.]exe \n \nMD5:\n\n| \n\nbd131ebfc44025a708575587afeebbf3\n\n| \n\nf0be699c8aafc41b25a8fc0974cc4582 \n \nSHA-1:\n\n| \n\n8b23b14d8ec4712734a5f6261aed40942 c9e0f68\n\n| \n\n6bae2d45bbd8c4b0a59ba08892692fe86 e596154 \n \nSHA-256:\n\n| \n\nb8a472f219658a28556bab4d6d109fdf3 433b5233a765084c70214c973becbbd\n\n| \n\n7b5fbbd90eab5bee6f3c25aa3c2762104 e219f96501ad6a4463e25e6001eb00b \n \nFilename:\n\n| \n\nSetup[.]bat \n \n---|--- \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\New folder\\setup[.]bat \n \nMD5:\n\n| \n\n7fdc2d007ef0c1946f1f637b87f81590 \n \nFilename:\n\n| \n\nSsasl[.]pmd \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\ssasl[.]pmd \n \nFilename:\n\n| \n\nSsasl[.]zip \n \nPath:\n\n| \n\nC:\\Windows\\Temp\\ssasl[.]zip \n \nFilename:\n\n| \n\nnetscanold[.]exe \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\netscanold\\netscanold[.]exe \n \nFilename:\n\n| \n\nscan[.]csv \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\Desktop\\scan[.]csv \n \nFilename:\n\n| \n\nlsass[.]dmp \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]dmp \n \nFilename:\n\n| \n\nlsass[.]zip \n \nPath:\n\n| \n\nC:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\lsass[.]zip \n \n** **\n\n### **APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES**\n\nTable 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.\n\n_Table 2: Observed Tactics and Techniques_\n\nTactic\n\n| \n\nTechnique \n \n---|--- \n \nResource Development []TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042>)]\n\n| \n\nObtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001>)] \n \nObtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v11/techniques/T1588/002>)] \n \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)]\n\n| \n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)] \n \nExecution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002>)]\n\n| \n\nScheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005>)] \n \nPersistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003>)]\n\n| \n\nCreate Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)] \n \nCreate Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v11/techniques/T1136/002>)] \n \nPrivilege Escalation [[TA0004](<https://attack.mitre.org/versions/v11/tactics/TA0004>)]\n\n| \n \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006>)]\n\n| \n \nCollection [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009>)]\n\n| \n\nArchive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v11/techniques/T1560/001>)] \n \nExfiltration [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)]\n\n| \n \nImpact [[TA0040](<https://attack.mitre.org/versions/v11/tactics/TA0040>)]\n\n| \n\nData Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v11/techniques/T1486>)] \n \n### Revisions\n\nSeptember 14, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-14T12:00:00", "type": "ics", "title": "Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-33766", "CVE-2021-33768", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-09-14T12:00:00", "id": "AA22-257A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-257a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T19:48:41", "description": "### Summary\n\nActions to Take Today to Mitigate Cyber Threats from Ransomware:\n\n\u2022 Prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enable and enforce multifactor authentication with strong passwords \n\u2022 Close unused ports and remove any application not deemed necessary for day-to-day operations.\n\n_Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit [stopransomware.gov](<https://www.cisa.gov/stopransomware>) to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources._\n\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.\n\nFBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.\n\nDownload the PDF version of this report: pdf, 852.9 kb.\n\nFor a downloadable copy of IOCs, see AA22-321A.stix (STIX, 43.6 kb).\n\n### Technical Details\n\n_Note: This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 12. See [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v12/matrices/enterprise/>) for all referenced tactics and techniques._\n\nAs of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).\n\nThe method of initial intrusion will depend on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [[T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>)]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>). This vulnerability enables a malicious cyber actor to log in without a prompt for the user\u2019s second authentication factor (FortiToken) when the actor changes the case of the username.\n\nHive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [[T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>)] and by exploiting the following vulnerabilities against Microsoft Exchange servers [[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)]:\n\n * [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) \\- Microsoft Exchange Server Security Feature Bypass Vulnerability\n * [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) \\- Microsoft Exchange Server Remote Code Execution Vulnerability\n * [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) \\- Microsoft Exchange Server Privilege Escalation Vulnerability\n\nAfter gaining access, Hive ransomware attempts to evade detention by executing processes to:\n\n * Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption [[T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>)].\n * Stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or via PowerShell [[T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>)] [[T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>)].\n * Delete Windows event logs, specifically the System, Security and Application logs [[T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>)].\n\nPrior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [[T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>)].\n\nHive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [[T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>)]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.\n\nDuring the encryption process, a file named *.key (previously *.key.*) is created in the root directory (C:\\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [[T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>)]. The ransom note contains a \u201csales department\u201d .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.\n\nThe ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, \u201cHiveLeaks\u201d, contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).\n\n![](/sites/default/files/publications/How%20to%20Decrypt.png)\n\n_Figure 1: Sample Hive Ransom Note_\n\n_Table 1: Anonymous File Sharing Sites Used to Disclose Data_\n\nhttps://anonfiles[.]com \n \n--- \n \nhttps://mega[.]nz \n \nhttps://send.exploit[.]in \n \nhttps://ufile[.]io \n \nhttps://www.sendspace[.]com \n \nhttps://privatlab[.]net \n \nhttps://privatlab[.]com \n \nOnce the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.\n\nHive actors have been known to reinfect\u2014with either Hive ransomware or another ransomware variant\u2014the networks of victim organizations who have restored their network without making a ransom payment.\n\n#### **Indicators of Compromise**\n\nThreat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2\u20133 below for IOCs obtained from FBI threat response investigations as recently as November 2022.\n\n_Table 2: Known IOCs as of November 2022_\n\nKnown IOCs - Files \n \n--- \n \nHOW_TO_DECRYPT.txt typically in directories with encrypted files \n \n*.key typically in the root directory, i.e., C:\\ or /root \n \nhive.bat \n \nshadow.bat \n \nasq.r77vh0[.]pw - Server hosted malicious HTA file \n \nasq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution \n \nasq.swhw71un[.]pw - Server hosted malicious HTA file \n \nasd.s7610rir[.]pw - Server hosted malicious HTA file \n \nWindows_x64_encrypt.dll \n \nWindows_x64_encrypt.exe \n \nWindows_x32_encrypt.dll \n \nWindows_x32_encrypt.exe \n \nLinux_encrypt \n \nEsxi_encrypt \n \nKnown IOCs \u2013 Events \n \nSystem, Security and Application Windows event logs wiped \n \nMicrosoft Windows Defender AntiSpyware Protection disabled \n \nMicrosoft Windows Defender AntiVirus Protection disabled \n \nVolume shadow copies deleted \n \nNormal boot process prevented \n \nKnown IOCs \u2013 Logged Processes \n \nwevtutil.exe cl system \n \nwevtutil.exe cl security \n \nwevtutil.exe cl application \n \nvssadmin.exe delete shadows /all /quiet \n \nwmic.exe SHADOWCOPY /nointeractive \n \nwmic.exe shadowcopy delete \n \nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures \n \nbcdedit.exe /set {default} recoveryenabled no \n \n_Table 3: Potential IOC IP Addresses as of November 2022_ Note: Some of these observed IP addresses are more than a year old. FBI and CISA recommend vetting or investigating these IP addresses prior to taking forward-looking action like blocking.\n\nPotential IOC IP Addresses for Compromise or Exfil: \n \n--- \n \n84.32.188[.]57\n\n| \n\n84.32.188[.]238 \n \n93.115.26[.]251\n\n| \n\n185.8.105[.]67 \n \n181.231.81[.]239\n\n| \n\n185.8.105[.]112 \n \n186.111.136[.]37\n\n| \n\n192.53.123[.]202 \n \n158.69.36[.]149\n\n| \n\n46.166.161[.]123 \n \n108.62.118[.]190\n\n| \n\n46.166.161[.]93 \n \n185.247.71[.]106\n\n| \n\n46.166.162[.]125 \n \n5.61.37[.]207\n\n| \n\n46.166.162[.]96 \n \n185.8.105[.]103\n\n| \n\n46.166.169[.]34 \n \n5.199.162[.]220\n\n| \n\n93.115.25[.]139 \n \n5.199.162[.]229\n\n| \n\n93.115.27[.]148 \n \n89.147.109[.]208\n\n| \n\n83.97.20[.]81 \n \n5.61.37[.]207\n\n| \n\n5.199.162[.]220 \n \n5.199.162[.]229;\n\n| \n\n46.166.161[.]93 \n \n46.166.161[.]123;\n\n| \n\n46.166.162[.]96 \n \n46.166.162[.]125\n\n| \n\n46.166.169[.]34 \n \n83.97.20[.]81\n\n| \n\n84.32.188[.]238 \n \n84.32.188[.]57\n\n| \n\n89.147.109[.]208 \n \n93.115.25[.]139;\n\n| \n\n93.115.26[.]251 \n \n93.115.27[.]148\n\n| \n\n108.62.118[.]190 \n \n158.69.36[.]149/span>\n\n| \n\n181.231.81[.]239 \n \n185.8.105[.]67\n\n| \n\n185.8.105[.]103 \n \n185.8.105[.]112\n\n| \n\n185.247.71[.]106 \n \n186.111.136[.]37\n\n| \n\n192.53.123[.]202 \n \n#### **MITRE ATT&CK TECHNIQUES**\n\nSee table 4 for all referenced threat actor tactics and techniques listed in this advisory.\n\nTable 4: Hive Actors ATT&CK Techniques for Enterprise\n\n_Initial Access_ \n \n--- \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nExternal Remote Services\n\n| \n\n[T1133](<https://attack.mitre.org/versions/v12/techniques/T1133/>)\n\n| \n\nHive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols. \n \nExploit Public-Facing Application\n\n| \n\n[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)\n\n| \n\nHive actors gain access to victim network by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321. \n \nPhishing\n\n| \n\n[T1566.001](<https://attack.mitre.org/versions/v12/techniques/T1566/001/>)\n\n| \n\nHive actors gain access to victim networks by distributing phishing emails with malicious attachments. \n \n_Execution_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nCommand and Scripting Interpreter\n\n| \n\n[T1059](<https://attack.mitre.org/versions/v12/techniques/T1059/>)\n\n| \n\nHive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell. \n \n_Defense Evasion_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nIndicator Removal on Host\n\n| \n\n[T1070](<https://attack.mitre.org/versions/v12/techniques/T1070/>)\n\n| \n\nHive actors delete Windows event logs, specifically, the System, Security and Application logs. \n \nModify Registry\n\n| \n\n[T1112](<https://attack.mitre.org/versions/v12/techniques/T1112/>)\n\n| \n\nHive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1. \n \nImpair Defenses\n\n| \n\n[T1562](<https://attack.mitre.org/versions/v12/techniques/T1562/001/>)\n\n| \n\nHive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption. \n \n_Exfiltration_ \n \nTechnique Title\n\n| \n\nID\n\n| \n\nUse \n \nTransfer Data to Cloud Account\n\n| \n\n[T1537](<https://attack.mitre.org/versions/v12/techniques/T1537/>)\n\n| \n\nHive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz. \n \n_Impact_ \n \nTechnique Title\n\n| \n\n| \n\nUse \n \nData Encrypted for Impact\n\n| \n\n[T1486](<https://attack.mitre.org/versions/v12/techniques/T1486/>)\n\n| \n\nHive actors deploy a ransom note HOW_TO_DECRYPT.txt into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. \n \nInhibit System Recovery\n\n| \n\n[T1490](<https://attack.mitre.org/versions/v12/techniques/T1490/>)\n\n| \n\nHive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell. \n \n### Mitigations\n\nFBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:\n\n * Verify Hive actors no longer have access to the network.\n * Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). Consider leveraging a centralized patch management system to automate and expedite the process.\n * Require [phishing-resistant MFA](<https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf>) for as many services as possible\u2014particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.\n * If used, secure and monitor RDP. \n * Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.\n * After assessing risks, if you deem RDP operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse.\n * If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.\n * Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\n * Be sure to properly configure devices and enable security features.\n * Disable ports and protocols not used for business purposes, such as RDP Port 3389/TCP.\n * Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.\n * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure. Ensure your backup data is not already infected.,\n * Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.\n * Install and regularly update anti-virus or anti-malware software on all hosts.\n * Enable PowerShell Logging including module logging, script block logging and transcription.\n * Install an enhanced monitoring tool such as Sysmon from Microsoft for increased logging.\n * Review the following additional resources. \n * The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center [Joint Ransomware Guide](<https://www.cisa.gov/stopransomware/ransomware-guide>) covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.\n * [StopRansomware.gov](<https://www.cisa.gov/stopransomware>) is the U.S. Government\u2019s official one-stop location for resources to tackle ransomware more effectively.\n\nIf your organization is impacted by a ransomware incident, FBI, CISA, and HHS recommend the following actions.\n\n * **Isolate the infected system**. Remove the infected system from all networks, and disable the computer\u2019s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected.\n * **Turn off other computers and devices**. Power-off and segregate (i.e., remove from the network) the infected computer(s). Power-off and segregate any other computers or devices that share a network with the infected computer(s) that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering-off and segregating infected computers and computers that have not been fully encrypted may allow for the recovery of partially encrypted files by specialists.\n * **Secure your backups**. Ensure that your backup data is offline and secure. If possible, scan your backup data with an antivirus program to check that it is free of malware.\n\nIn addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.\n\n#### **Preparing for Cyber Incidents**\n\n * **Review the security posture of third-party vendors and those interconnected with your organization**. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\n * **Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs** under an established security policy.\n * **Document and monitor external remote connections**. Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\n * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\n\n#### **Identity and Access Management**\n\n * **Require all accounts** with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with [National Institute of Standards and Technology (NIST) standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies. \n * Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.\n * Store passwords in hashed format using industry-recognized password managers.\n * Add password user \u201csalts\u201d to shared login credentials.\n * Avoid reusing passwords.\n * Implement multiple failed login attempt account lockouts.\n * Disable password \u201chints.\u201d\n * Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised. \nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher.\n * Require administrator credentials to install software.\n * **Require phishing-resistant multifactor authentication** for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.\n * **Review domain controllers, servers, workstations, and active directories** for new and/or unrecognized accounts.\n * **Audit user accounts** with administrative privileges and configure access controls according to the principle of least privilege.\n * **Implement time-based access for accounts set at the admin level and higher**. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. \n\n#### **Protective Controls and Architecture**\n\n * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement.\n * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool**. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * Install, regularly update, and enable real time detection for antivirus software on all hosts.\n\nVulnerability and Configuration Management\n\n * **Consider adding an email banner to emails** received from outside your organization.\n * **Disable command-line and scripting activities and permissions**. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.\n * **Ensure devices are properly configured and that security features are enabled**. \n * **Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB** (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.\n\n#### **REFERENCES**\n\n * [Stopransomware.gov](<http://www.stopransomware.gov/>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Resource to mitigate a ransomware attack: [CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide](<https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf>).\n * No-cost cyber hygiene services: [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/>).\n\n#### **INFORMATION REQUESTED**\n\nThe FBI, CISA, and HHS do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim\u2019s files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>), or to CISA at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks. \n\nThe FBI may seek the following information that you determine you can legally share, including:\n\n * Recovered executable files\n * Live random access memory (RAM) capture\n * Images of infected systems\n * Malware samples\n * IP addresses identified as malicious or suspicious\n * Email addresses of the attackers\n * A copy of the ransom note\n * Ransom amount\n * Bitcoin wallets used by the attackers\n * Bitcoin wallets used to pay the ransom\n * Post-incident forensic reports\n\n#### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.\n\n### Revisions\n\nInitial Version: November 17, 2022\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-25T12:00:00", "type": "ics", "title": "#StopRansomware: Hive Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-42321", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-11-25T12:00:00", "id": "AA22-321A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T06:54:29", "description": "### Summary\n\n_Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:_ \n\u2022 Enforce multifactor authentication. \n\u2022 Enforce strong, unique passwords. \n\u2022 Enable M365** **Unified Audit Logs. \n\u2022 Implement** **endpoint detection and response tools.\n\nFrom at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:\n\n * Command, control, communications, and combat systems;\n * Intelligence, surveillance, reconnaissance, and targeting;\n * Weapons and missile development;\n * Vehicle and aircraft design; and\n * Software development, data analytics, computers, and logistics. \n\nHistorically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. \n\nIn many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.\n\nThese continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.\n\nFor additional information on Russian state-sponsored cyber activity, see CISA's webpage, [Russia Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/russia>).\n\nClick here for a PDF version of this report.\n\n### Threat Details\n\n#### **Targeted Industries and Assessed Motive**\n\nRussian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.\n\nDuring this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company\u2019s products, relationships with other countries, and internal personnel and legal matters.\n\nThrough these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.\n\n![](/sites/default/files/publications/AA22-046A%20Figure%201.PNG)\n\n_Figure 1. Targeted Industries_\n\n![](/sites/default/files/publications/AA22-046A%20Figure%202.PNG)\n\n_Figure 2. Exfiltrated Information_\n\n#### \n\n#### **Threat Actor Activity**\n\n_**Note:** This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors\u2019 activity mapped to MITRE ATT&CK tactics and techniques._\n\n##### _**Initial Access **_\n\nRussian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.\n\n * Threat actors use brute force techniques [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110>)] to identify valid account credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. _**Note:** For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)._\n * Threat actors send spearphishing emails with links to malicious domains [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)] and use publicly available URL shortening services to mask the link [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim\u2019s clicking on the link. \n * The threat actors use harvested credentials in conjunction with known vulnerabilities\u2014for example, CVE-2020-0688 and CVE-2020-17144\u2014on public-facing applications [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>), [T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[[1](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. \n * As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\n\n##### _**Credential Access** _\n\nAfter gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database `ntds.dit` [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers. \n\n##### _**Collection**_\n\nUsing compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [[T1213.002](<https://attack.mitre.org/versions/v10/techniques/T1213/002/>)], user profiles, and user emails [[T1114.002](<https://attack.mitre.org/versions/v10/techniques/T1114/002/>)].\n\n##### _**Command and Control**_\n\nThe threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)].\n\n##### _**Persistence**_\n\nIn multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.\n\n#### **Tactics, Techniques, and Procedures**\n\nThe following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. _**Note:** for specific countermeasures related to each ATT&CK technique, see the [Enterprise Mitigations](<https://attack.mitre.org/mitigations/>) section and [MITRE D3FEND](<https://d3fend.mitre.org/>)_\u2122. \n\n\n_Table 1: Observed Tactics, Techniques, and Procedures (TTPs)_\n\nTactic | Technique | Procedure \n---|---|--- \n \n**Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]**\n\n**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]**\n\n| \n\nGather Victim Identity Information: Credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] \n\nBrute Force [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110/003/>)]\n\n| Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]** | External Remote Services [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133>)] | Threat actors continue to research vulnerabilities in Fortinet\u2019s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [[2](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>)] \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**\n\n| \n\nValid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]\n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]\n\n| Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)\u2014CVE-2020-0688 and CVE-2020-17144\u2014to escalate privileges and gain remote code execution (RCE) on the exposed applications. [[3](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005>)]**\n\n| \n\nPhishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)]\n\nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]\n\n| Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]**\n\n| \n\nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]\n\nValid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]\n\n| Threat actors logged into a victim\u2019s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database `ntds.dit`. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**\n\n**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]**\n\n| \n\nValid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v10/techniques/T1078/004/>)]\n\nData from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v9/techniques/T1213/002/>)]\n\n| In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]**\n\n| \n\nValid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]\n\nEmail Collection [[T1114](<https://attack.mitre.org/versions/v10/techniques/T1114>)]\n\n| In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system. \n \n**Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)]**\n\n**Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008>)]**\n\n| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access. \n**Discovery [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]** | File and Network Discovery [[T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>)] | After gaining access to networks, the threat actors used BloodHound to map the Active Directory. \n**Discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007>)]** | Domain Trust Discovery [[T1482](<https://attack.mitre.org/versions/v10/techniques/T1482/>)] | Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities. \n**Command and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]** | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target. \n \n### \n\n### Detection\n\nThe FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. _**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom._\n\n#### **Detect Unusual Activity**\n\n**Implement robust log collection and retention.** Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:\n\n * Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.\n * Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. _**Note:** for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)._\n\n#### **Look for Evidence of Known TTPs**\n\n * **Look for behavioral evidence or network and host-based artifacts** from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts. \n * To detect use of compromised credentials in combination with a VPS, follow the steps below: \n * **Review logs for suspicious \u201cimpossible logins,\u201d** such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n * **Look for one IP used for multiple accounts,** excluding expected logins.\n * **Search for \u201cimpossible travel,\u201d **which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). _**Note:** this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks._\n * **Evaluate processes and program execution command-line arguments** that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. \n * Identify suspicious privileged account use after resetting passwords or applying user account mitigations. \n * **Review logs for unusual activity** in typically dormant accounts.\n * **Look for unusual user agent strings,** such as strings not typically associated with normal user activity, which may indicate bot activity.\n\n### Incident Response and Remediation\n\nOrganizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.\n\n * **Reset passwords for all local accounts. **These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. _**Note:** reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully on large AD environments. Refer to Microsoft\u2019s [AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>) guidance and automation script for additional information. [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)][[5](<https://github.com/microsoft/New-KrbtgtKeys.ps1>)]_\n * **Reset all domain user, admin, and service account passwords. **\n\n_**Note:** for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report [Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a>). Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the [SolarWinds Orion supply chain compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>), the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors._\n\n### Mitigations\n\nThe FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate against common malicious activity. \n\n#### **Implement Credential Hardening**\n\n##### **_Enable Multifactor Authentication_**\n\n * **Enable multifactor authentication (MFA)** for all users, without exception. Subsequent authentication may not require MFA, enabling the possibility to bypass MFA by reusing single factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions will cause account re-validation of their MFA requirements.[[6](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf>)] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single factor authentication assertions.[[7](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>)] \n\n##### **_Enforce Strong, Unique Passwords_**\n\n * **Require accounts to have strong, unique passwords.** Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.\n * **Enable password management functions**, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.\n\n##### **_Introduce Account Lockout and Time-Based Access Features_**\n\n * **Implement time-out and lock-out features** in response to repeated failed login attempts.\n * **Configure time-based access for accounts set at the admin level and higher. **For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.\n\n##### **_Reduce Credential Exposure_**\n\n * **Use virtualization solutions on modern hardware and software** to ensure credentials are securely stored, and protect credentials via capabilities, such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[[8](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage%20Modern%20Hardware%20Security%20Features%20-%20Copy.pdf>)] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[[9](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>)][[10](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>)] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). Installation of Windows 11 requires TPM v2.0.[[11](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>)] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[[12](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>)][[13](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>)]\n\n#### **Establish Centralized Log Management**\n\n * **Create a centralized log management system. **Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment. \n * Forward all logs to a SIEM tool.\n * Ensure logs are searchable.\n * Retain critical and historic network activity logs for a minimum of 180 days. \n * **If using M365, enable Unified Audit Log (UAL)**\u2014M365\u2019s logging capability\u2014which contains events from Exchange Online, SharePoint online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services. \n * **Correlate logs, including M365 logs, from network and host security devices. **This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365. \n\nIn addition to setting up centralized logging, organizations should:\n\n * **Ensure PowerShell logging is turned on. **Threat actors often use PowerShell to hide their malicious activities.[14] \n * **Update PowerShell instances to version 5.0 or later **and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities. \n * **Confirm PowerShell 5.0 instances have module, script block, and transcription logging** enabled.\n * **Monitor remote access/Remote Desktop Protocol (RDP) logs** and disable unused remote access/RDP ports.\n\n#### **Initiate a Software and Patch Management Program **\n\n * **Consider using a centralized patch management system.** Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise. Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[[15](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>)] \n * If an organization is unable to update all software shortly after a patch is released, **prioritize patches for CVEs that are already known **to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). \n * **Subscribe to [CISA cybersecurity notifications and advisories](<https://us-cert.cisa.gov/ncas>)** to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. \n * **Sign up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)**, including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.\n\n#### **Employ Antivirus Programs **\n\n * **Ensure that antivirus applications are installed on all organizations\u2019 computers** and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. \n * **Keep virus definitions up to date.**\n * **Regularly monitor antivirus scans.**\n\n#### **Use Endpoint Detection and Response Tools **\n\n * **Utilize endpoint detection and response (EDR) tools.** These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. \n\n#### **Maintain Rigorous Configuration Management Programs **\n\n * **Audit configuration management programs **to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[[16](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf>)] \n\n#### **Enforce the Principle of Least Privilege**\n\n * **Apply the principle of least privilege. **Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised. \n * **For M365, assign administrator roles to role-based access control (RBAC)** to implement the principle of least privilege. Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD\u2019s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning unnecessary privileges. _**Note:** refer to the Microsoft documentation, [Azure AD built-in roles](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>), for more information about Azure AD. _\n * **Remove privileges not expressly required by an account\u2019s function or role. **\n * **Ensure there are unique and distinct administrative accounts** for each set of administrative tasks. \n * **Create non-privileged accounts for privileged users, **and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).\n * **Reduce the number of domain and enterprise administrator accounts, **and remove all accounts that are unnecessary.\n * **Regularly audit administrative user accounts.**\n * **Regularly audit logs to ensure new accounts are legitimate users.**\n * **Institute a group policy that disables remote interactive logins,** and use Domain Protected Users Group.\n\nTo assist with identifying suspicious behavior with administrative accounts:\n\n * **Create privileged role tracking.**\n * **Create a change control process** for all privilege escalations and role changes on user accounts.\n * **Enable alerts on privilege escalations and role changes.**\n * **Log privileged user changes** in the network environment, and create an alert for unusual events.\n\n#### **Review Trust Relationships**\n\n * **Review existing trust relationships with IT service providers,** such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. \n * **Remove unnecessary trust relationships. **\n * **Review contractual relationships **with all service providers, and ensure contracts include: \n * Security controls the customer deems appropriate. \n * Appropriate monitoring and logging of provider-managed customer systems.\n * Appropriate monitoring of the service provider\u2019s presence, activities, and connections to the customer network.\n * Notification of confirmed or suspected security events and incidents occurring on the provider\u2019s infrastructure and administrative networks.\n\n_**Note: **review CISA\u2019s page on [APTs Targeting IT Service Provider Customers](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>) and [CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>) for additional recommendations for MSP and CSP customers._\n\n#### **Encourage Remote Work Environment Best Practices**\n\nWith the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices._ **Note:** for additional information, see joint NSA-CISA Cybersecurity Information Sheet: [Selecting and Hardening Remote Access VPN Solutions](<https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>)._\n\n * **Regularly update VPNs, network infrastructure devices, and devices used for remote work environments **with the latest software patches and security configurations.\n * **When possible, require MFA on all VPN connections. **Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.\n * **Monitor network traffic for unapproved and unexpected protocols.**\n * **Reduce potential attack surfaces by discontinuing unused VPN servers** that may be used as a point of entry by adversaries.\n\n#### **Establish User Awareness Best Practices**\n\nCyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:\n\n * **Provide end user awareness and training. **To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.\n * **Inform employees of the risks of social engineering attacks,** e.g., risks associated with posting detailed career information to social or professional networking sites.\n * **Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion** to help quickly and efficiently identify threats and employ mitigation strategies.\n\n#### **Apply Additional Best Practice Mitigations**\n\n * **Deny atypical inbound activity from known anonymization services, **including commercial VPN services and The Onion Router (TOR).\n * **Impose listing policies for applications and remote access** that only allow systems to execute known and permitted programs under an established security policy.\n * **Identify and create offline backups for critical assets.**\n * **Implement network segmentation.**\n * **Review CISA Alert **[AA20-120A: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>) for additional recommendations on hardening M365 cloud environments.\n\n### Rewards for Justice Program\n\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State\u2019s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to [rewardsforjustice.net](<https://rewardsforjustice.net/terrorist-rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>).\n\n### Caveats\n\nThe information you have accessed or received is being provided \u201cas is\u201d for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA. \n\n### Contact Information\n\nTo report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>) or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:cywatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:central@cisa.gov>). For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). Defense Industrial Base companies may additionally sign up for NSA\u2019s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>). \n\n### Appendix: Detailed Tactics, Techniques, and Procedures\n\n#### **Reconnaissance** [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [[T1589.001](<https://attack.mitre.org/techniques/T1589/001>)].[[17](<https://attack.mitre.org/groups/G0007>)]\n\nID | **Name** | **Description** \n---|---|--- \nT1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting. \n \n#### **Initial Access **[[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[18](<https://attack.mitre.org/groups/G0007>)] These specific actors obtained and abused credentials of domain [[T1078.002](<https://attack.mitre.org/techniques/T1078/002>)] and cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)].[[19](<https://attack.mitre.org/software/S0154/>)] The actors also used external remote services to gain access to systems [[T1133](<https://attack.mitre.org/techniques/T1133>)].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [[T1190](<https://attack.mitre.org/techniques/T1190>)].[[21](<https://attack.mitre.org/groups/G0007>)] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [[T1566.002](<https://attack.mitre.org/techniques/T1566/002>)].[22] \n\n\nID | Name | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. \nT1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \nT1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \nT1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. \nT1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. \nT1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. \n \n#### **Persistence **[[TA0003](<https://attack.mitre.org/tactics/TA0003>)]\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[23](<https://attack.mitre.org/groups/G0007>)] \n\nID | **Name ** | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \n \n#### **Privilege Escalation** [[TA0004](<https://attack.mitre.org/tactics/TA0004>)]\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[24](<https://attack.mitre.org/groups/G0007>)] Specifically in this case, credentials of cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)] were obtained and abused.[[25](<https://attack.mitre.org/software/S0154/>)] \n\nID | Name | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. \nT1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \n \n#### **Defense Evasion** [[TA0005](<https://attack.mitre.org/tactics/TA0005>)]\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [[T1027](<https://attack.mitre.org/techniques/T1027>)].[[26](<https://attack.mitre.org/software/S0410/>)] \n\n\nID | Name | Description \n---|---|--- \nT1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. \n \n#### **Credential Access **[[TA0006](<https://attack.mitre.org/tactics/TA0006>)]\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [[T1003.003](<https://attack.mitre.org/techniques/T1003/003>)].[[27](<https://attack.mitre.org/software/S0250/>)] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [[T1110.003](<https://attack.mitre.org/techniques/T1110/003>)].[[28](<https://attack.mitre.org/groups/G0007>)] \n\nID | Name | Description \n---|---|--- \nT1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. \nT1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. \n \n#### **Discovery **[[TA0007](<https://attack.mitre.org/tactics/TA0007>)]\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [[T1083](<https://attack.mitre.org/techniques/T1083>)].[29] In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [[T1482](<https://attack.mitre.org/techniques/T1482>)].[30] \n\nID | Name | Description \n---|---|--- \nT1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. \nT1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. \n \n**Collection [[TA0009](<https://attack.mitre.org/tactics/TA0009>)]**\n\nCollection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [[T1213.002](<https://attack.mitre.org/techniques/T1213/002>)].[[31](<https://attack.mitre.org/groups/G0007>)] \n\nID | Name | Description \n---|---|--- \nT1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. \n \n**Command and Control [[TA0011](<https://attack.mitre.org/tactics/TA0011>)]**\n\nCommand and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [[T1090.003](<https://attack.mitre.org/techniques/T1090/003>)].[[32](<https://attack.mitre.org/groups/G0007>)] \n\n\nID | Name | Description \n---|---|--- \nT1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. \n \n### Additional Resources\n\n[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021. \n[2] NSA Cybersecurity Advisory: [Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>), 7 October 2019. \n[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021. \n[4] Microsoft Article: [AD Forest Recovery \u2013 Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>), 29 July 2021. \n[5] Microsoft GitHub: [New-KrbtgtKeys.ps1](<https://github.com/microsoft/New-KrbtgtKeys.ps1>), 14 May 2020. \n[6] NSA Cybersecurity Information: [Defend Privileges and Accounts](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf>), August 2019. \n[7] Microsoft Article: [Group Managed Service Accounts Overview](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>), 29 July 2021. \n[8] NSA Cybersecurity Information: [Leverage Modern Hardware Security Features](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage%20Modern%20Hardware%20Security%20Features%20-%20Copy.pdf>), August 2019. \n[9] Microsoft Article: [Protect derived domain credentials with Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>), 3 December 2021. \n[10] Microsoft Article: [Windows Defender Credential Guard protection limits](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>), 3 December 2021. \n[11] Microsoft Article: [Windows 11 requirements](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>), 30 November 2021. \n[12] Microsoft Blog Post: [The Importance of KB2871997 and KB2928120 for Credential Protection](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>), 20 September 2021. \n[13] Microsoft Article: [What\u2019s New in Credential Protection](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>), 7 January 2022. \n[14] NSA Cybersecurity Factsheet: [PowerShell: Security Risks and Defenses](<https://www.iad.gov/iad/library/ia-guidance/security-tips/powershell-security-risks-and-defenses.cfm>), 1 December 2016. \n[15] NSA Cybersecurity Information: [Update and Upgrade Software Immediately](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>), August 2019. \n[16] NSA Cybersecurity Information: [Actively Manage Systems and Configurations](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively%20Manage%20Systems%20and%20Configurations.docx%20-%20Copy.pdf>), August 2019. \n[17] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[18] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[19] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[20] Based on technical information shared by Mandiant. \n[21] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[22] Based on technical information shared by Mandiant. \n[23] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[24] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[25] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[26] MITRE Software: [Fysbis](<https://attack.mitre.org/software/S0410/>), 6 November 2020. \n[27] MITRE Software: [Koadic](<https://attack.mitre.org/software/S0250/>), 30 March 2020. \n[28] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[29] Based on technical information shared by Mandiant. \n[30] Based on technical information shared by Mandiant. \n[31] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[32] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.\n\n### Revisions\n\nFebruary 16, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T12:00:00", "type": "ics", "title": "Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-02-16T12:00:00", "id": "AA22-047A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:27:50", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/>) framework for all referenced threat actor tactics and techniques _\n\nThis joint cybersecurity advisory\u2014written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\u2014provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory [AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>).\n\nSince at least September 2020, a Russian state-sponsored APT actor\u2014known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting\u2014has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.\n\nThe Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:\n\n * Sensitive network configurations and passwords.\n * Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).\n * IT instructions, such as requesting password resets.\n * Vendors and purchasing information.\n * Printing access badges.\n\nTo date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.\n\nAs this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.\n\n * Click here for a PDF version of this report.\n * Click here for a STIX package of IOCs.\n\n#### U.S. Heat Map of Activity\n\n[Click here](<https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769>) for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.\n\n**Note**: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [info@us-cert.gov](<mailto:%20info@us-cert.gov>). To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.\n\n**Note**: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.\n\n### Technical Details\n\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses `213.74.101[.]65`, `213.74.139[.]196`, and `212.252.30[.]170` to connect to victim web servers (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).\n\nThe actor is using `213.74.101[.]65` and `213.74.139[.]196` to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (_Brute Force_ [[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110>)]; _Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]). The APT actor also hosted malicious domains, including possible aviation sector target `columbusairports.microsoftonline[.]host`, which resolved to `108.177.235[.]92` and `[cityname].westus2.cloudapp.azure.com`; these domains are U.S. registered and are likely SLTT government targets (_Drive-By Compromise _[[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]).\n\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) and a Microsoft Exchange remote code execution flaw ([CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)).\n\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability ([CVE 2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>)) (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133>)]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability ([CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)) for Initial Access [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] and a Windows Netlogon vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)] within the network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]). These vulnerabilities can also be leveraged to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]) and to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\nBetween early February and mid-September, these APT actors used `213.74.101[.]65`, `212.252.30[.]170`, `5.196.167[.]184`, `37.139.7[.]16`, `149.56.20[.]55`, `91.227.68[.]97`, and `5.45.119[.]124` to target U.S. SLTT government networks. Successful authentications\u2014including the compromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]).\n\n### Mitigations\n\n#### Indicators of Compromise\n\nThe APT actor used the following IP addresses and domains to carry out its objectives:\n\n * `213.74.101[.]65`\n * `213.74.139[.]196`\n * `212.252.30[.]170`\n * `5.196.167[.]184`\n * `37.139.7[.]16`\n * `149.56.20[.]55`\n * `91.227.68[.]97`\n * `138.201.186[.]43`\n * `5.45.119[.]124`\n * `193.37.212[.]43`\n * `146.0.77[.]60`\n * `51.159.28[.]101`\n * `columbusairports.microsoftonline[.]host`\n * `microsoftonline[.]host`\n * `email.microsoftonline[.]services`\n * `microsoftonline[.]services`\n * `cityname[.]westus2.cloudapp.azure.com`\n\nIP address `51.159.28[.]101` appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address `51.159.28[.]101` (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).\n\nOrganizations should check available logs for traffic to/from IP address `51.159.28[.]101` for indications of credential-harvesting activity. As the APT actors likely have\u2014or will\u2014establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.\n\nRefer to AA20-296A.stix for a downloadable copy of IOCs.\n\n#### Network Defense-in-Depth\n\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.\n\n * Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n\n| [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) | \n\n * Exim versions 4.87\u20134.91\n| [Exim page for CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n[Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n * Follow Microsoft\u2019s [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.\n * If appropriate for your organization\u2019s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on [SMB Security Best Practices](<https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>) for more information.\n * Implement the prevention, detection, and mitigation strategies outlined in: \n * CISA Alert [TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).\n * National Security Agency Cybersecurity Information Sheet [U/OO/134094-20 \u2013 Detect and Prevent Web Shells Malware](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/>).\n * Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.\n * Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.\n * Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `WINDOWS` folders. All other locations should be disallowed unless an exception is granted.\n * Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.\n\n#### Comprehensive Account Resets\n\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT \u201cGolden Tickets\u201d may be required, and Microsoft has released specialized [guidance](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts>) for this. Such a reset should be performed very carefully if needed.\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise\u2014as well as in Azure-hosted\u2014AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket `(krbtgt`) password;[[1](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)] this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the` krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n#### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates.\n * **Implement MFA on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor **network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement** MFA, especially for privileged accounts.\n * **Use** separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### Resources\n\n * APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations \u2013 <https://us-cert.cisa.gov/ncas/alerts/aa20-283a>\n * CISA Activity Alert CVE-2019-19781 \u2013 <https://us-cert/cisa.gov/ncas/alerts/aa20-031a>\n * CISA Vulnerability Bulletin \u2013 <https://us-cert/cisa.gov/ncas/bulletins/SB19-161>\n * CISA Current Activity \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>\n * Citrix Directory Traversal Bug (CVE-2019-19781) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * Microsoft Exchange remote code execution flaw (CVE-2020-0688) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-0688>\n * CVE-2018-13379 \u2013 [https://nvd.nist.gov/vuln/detail/CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379%20>)\n * CVE-2020-1472 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-1472>\n * CVE 2019-10149 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-10149>\n * NCCIC/USCERT Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance \u2013 [https://us-cert.cisa.gov/ncas/alerts/TA15-314A](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A%20>)\n * NCCIC/US-CERT publication on SMB Security Best Practices \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices> \n\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 22, 2020: Initial Version|November 17, 2020: Added U.S. Heat Map of Activity|December 1, 2020: Added \"current as of\" date to U.S. Heat Map of Activity\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-12-01T12:00:00", "id": "AA20-296A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:07:27", "description": "### Summary\n\nThis Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). \n\nThis advisory provides details on the top 30 vulnerabilities\u2014primarily Common Vulnerabilities and Exposures (CVEs)\u2014routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021. \n\nCyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. \n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Key Findings\n\nIn 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.\n\n**Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. **Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.\n\nCISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. \n\n_Table 1:Top Routinely Exploited CVEs in 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nType \n \n---|---|--- \n \nCitrix\n\n| \n\nCVE-2019-19781\n\n| \n\narbitrary code execution \n \nPulse\n\n| \n\nCVE 2019-11510\n\n| \n\narbitrary file reading \n \nFortinet\n\n| \n\nCVE 2018-13379\n\n| \n\npath traversal \n \nF5- Big IP\n\n| \n\nCVE 2020-5902\n\n| \n\nremote code execution (RCE) \n \nMobileIron\n\n| \n\nCVE 2020-15505\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2017-11882\n\n| \n\nRCE \n \nAtlassian\n\n| \n\nCVE-2019-11580\n\n| \n\nRCE \n \nDrupal\n\n| \n\nCVE-2018-7600\n\n| \n\nRCE \n \nTelerik\n\n| \n\nCVE 2019-18935\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2019-0604\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2020-0787\n\n| \n\nelevation of privilege \n \nMicrosoft\n\n| \n\nCVE-2020-1472\n\n| \n\nelevation of privilege \n \nIn 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.\n\nCISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \n\nOrganizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.\n\n### 2020 CVEs\n\nCISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE 2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[[1](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)][[2](<https://media.defense.gov/2021/May/07/2002637232/-1/-1/0/ADVISORY%20FURTHER%20TTPS%20ASSOCIATED%20WITH%20SVR%20CYBER%20ACTORS.PDF>)][[3](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis.CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix\u2019s Application Delivery Controller (ADC)\u2014a load balancing application for web, application, and database servers widely use throughout the United States.[[4](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)][[5](<https://www.ncsc.gov.uk/news/citrix-alert>)] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)] \n\nIdentified as emerging targets in early 2020,[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[[8](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)][[9](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)], in VPN services[[10](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>)][[11](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[[12]](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)[[13](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)]\n\nThe CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[[14](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[15](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[16](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)][[17](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)]\n\n### 2021 CVEs\n\nIn 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. \n\n * **Microsoft Exchange: **CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 \n * See CISA\u2019s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.\n * **Pulse Secure:** CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 \n * See CISA\u2019s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.\n * **Accellion:** CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 \n * See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.\n * **VMware:** CVE-2021-21985 \n * See CISA\u2019s Current Activity: Unpatched VMware vCenter Software for more information and guidance. \n * **Fortinet:** CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 \n * See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. \n\n### Mitigations and Indicators of Compromise\n\nOne of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. \n\nFocusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries\u2019 operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. \n\nAdditionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n\nTables 2\u201314 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. \n\n**Note:** The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE. \n\n\n_Table 2: CVE-2019-19781 Vulnerability Details_\n\n**Citrix Netscaler Directory Traversal (CVE-2019-19781)** \n \n--- \n \n_**Vulnerability Description**_ \nCitrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. \n\n| \n\n_**CVSS 3.02**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThe lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (`newbm.pl`) that, when accessed via `HTTP POST` request (`POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl`), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g.,` curl`, `wget`, `Invoke-WebRequest`) and gain unauthorized access to the OS. \n\n_Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n**_Recommended Mitigations_**\n\n * Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781\n * If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list). \n \n_**Detection Methods**_\n\n * CISA has developed a free detection tool for this vulnerability: [cisagov/check-cve-2019-19781](<https://github.com/cisagov/check-cve-2019-19781>): Test a host for susceptibility to CVE-2019-19781.\n * Nmap developed a script that can be used with the port scanning engine: [CVE-2019-19781 - Citrix ADC Path Traversal #1893](<https://github.com/nmap/nmap/pull/1893/files>).\n * Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: [Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781>).\n * CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>. \n \n**_Vulnerable Technologies and Versions_** \nCitrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 \n \n_**References and Additional Guidance**_\n\n * [Citrix Blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n * [National Institute for Standards and Technology (NIST) National Vulnerability Database (NVD): Vulnerability Detail CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [Tripwire Vulnerability and Exposure Research Team (VERT) Article: Citrix NetScaler CVE-2019-19781: What You Need to Know](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>)\n * [National Security Agency Cybersecurity Advisory: Critical Vulnerability In Citrix Application Delivery Controller (ADC) And Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * [CISA Alert: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * [NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n * [CISA-NCSC Joint Cybersecurity Advisory: COVID-19 Exploited by Malicious Cyber Actors](<https://us-cert.cisa.gov/ncas/alerts/aa20-099a>)\n * [CISA Alert: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)\n * [FBI-CISA Joint Cybersecurity Advisory: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders ](<https://www.ic3.gov/Media/News/2021/210426.pdf>)\n * [DoJ: Seven International Cyber Defendants, Including \u201cApt41\u201d Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>)\n * [GitHub: nsacyber / Mitigating Web Shells](<https://github.com/nsacyber/Mitigating-Web-Shells>) \n \n_Table 3: CVE 2019-11510 Vulnerability Details_\n\nPulse Secure Connect VPN (CVE 2019-11510) \n--- \n \n_**Vulnerability Description**_ \nPulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials. \n\n| \n\n**CVSS 3.0**\n\nCritical \n \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_ \nImproper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as `https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/` to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise. \n\n_Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n \n_**Recommended Mitigations**_\n\n * Upgrade to the latest Pulse Secure VPN.\n * Stay alert to any scheduled tasks or unknown files/executables. \n * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read local system files. \n**_Detection Methods_**\n\n * CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.\n * Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708. \n \n_**Vulnerable Technologies and Versions**_ \nPulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n * [Pulse Security Advisory: SA44101 \u2013 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n * [GitHub: cisagov / Check Your Pulse](<https://github.com/cisagov/check-your-pulse>)\n * [CISA Analysis Report: Federal Agency Compromised by Malicious Cyber Actor](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>)\n * [CISA Alert: Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n * [DoJ Press Release: Seven International Cyber Defendants, Including \u201cApt41\u201d Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>)\n * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>) \n \n_Table 4: CVE 2018-13379 Vulnerability Details_\n\n**Fortinet FortioOS Secure Socket Layer VPN (CVE 2018-13379)** \n--- \n \n**_Vulnerability Description_** \nFortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the `sslvpn_websession` file. An attacker is then able to exact clear-text usernames and passwords. \n\n| \n\n**_CVSS 3.0_**\n\nCritical \n \n \n**_Vulnerability Discussion, IOCs, and Malware Campaigns_** \nWeakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform a `HTTP GET request http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession`. This results the server responding with unprintable/hex characters alongside cleartext credential information. \n\n_Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo). _\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n \n \n**_Recommended Mitigations_**\n\n * Upgrade to the latest Fortinet SSL VPN. \n * Monitor for alerts to any unscheduled tasks or unknown files/executables. \n * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read the `sslvpn_websessions` file. \n**_Detection Methods_**\n\n * Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709. \n \n**_Vulnerable Technologies and Versions_** \nFortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable. \n \n_**References**_\n\n * [FortiOS System File Leak Through SSL VPN via Specialty Crafted HTTP Resource Requests](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [Github: Fortinet Ssl Vpn Cve-2018-13379 Vuln Scanner #1709](<https://github.com/nmap/nmap/pull/1709>)\n * [Fortinet Blog: Update Regarding CVE-2018-13379](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\n * [NIST NVD Vulnerability Detail: CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [FBI-CISA Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [FBI-CISA Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>)\n * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>) \n \n_Table 5: CVE-2020-5902 Vulnerability Details_\n\nF5 Big IP Traffic Management User Interface (CVE-2020-5902) \n--- \n \n_**Vulnerability Description**_ \nThe Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. \n\n| \n\n_**CVSS 3.0**_ \nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_ \nThis vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. \n\n| _**Fix**_ \n[Upgrade to Secure Versions Available](<https://support.f5.com/csp/article/K52145254>) \n \n \n_**Recommended Mitigations**_ \nDownload and install a fixed software version of the software from a vendor approved resource. If it is not possible to update quickly, restrict access via the following actions.\n\n * Address unauthenticated and authenticated attackers on self IPs by blocking all access.\n * Address unauthenticated attackers on management interface by restricting access. \n**_Detection Methods_**\n\n * F5 developed a free detection tool for this vulnerability: [f5devcentral / cve-2020-5902-ioc-bigip-checker](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>). \n * Manually check your software version to see if it is susceptible to this vulnerability. \n \n_**Vulnerable Technologies and Versions**_ \nBIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable. \n \n**_References_**\n\n * [F5 Article: TMUI RCE Vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)\n * [NIST NVD Vulnerability Detail: CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n * [CISA Alert: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n * [MITRE CVE Record: CVE-2020-5902](<https://vulners.com/cve/CVE-2020-5902>) \n \n_Table 6: CVE-2020-15505 Vulnerability Details_\n\nMobileIron Core & Connector (CVE-2020-15505) \n--- \n \n_**Vulnerability Description**_\n\nMobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nCVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\nMultiple APTs have been observed exploiting this vulnerability to gain unauthorized access.\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor approved resource. \n \n_**Detection Methods**_\n\n * None. Manually check your software version to see if it is susceptible to this vulnerability. \n \n_**Vulnerable Technologies and Versions**_\n\nMobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable. \n \n_**References**_\n\n * [Ivanti Blog: MobileIron Security Updates Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>)\n * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n * [NIST NVD Vulnerability Detail: CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * [MITRE CVE Record: CVE-2020-15505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15505>)\n * [NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) \n \n_Table 7: CVE-2020-0688 Vulnerability Details_\n\nMicrosoft Exchange Memory Corruption (CVE-2020-0688) \n--- \n \n_**Vulnerability Description**_\n\nAn RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \nVulnerability Discussion, IOCs, and Malware Campaigns \nCVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as `SYSTEM`. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install. \n\nA nation-state _APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor approved resource. \n \n_**Detection Methods**_\n\n * Manually check your software version to see if it is susceptible to this vulnerability.\n * CVE-2020-0688 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at [https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF%20>) and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>. \n \n_**Vulnerable Technologies and Versions**_\n\nMicrosoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable. \n \n_**References**_\n\n * [Microsoft Security Update Guide: CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n * [NIST NVD Vulnerability Detail: CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n * [Microsoft Security Update: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-february-11-2020-94ac1ebb-fb8a-b536-9240-a1cab0fd1c9f>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [ACSC Alert: Active Exploitation of Vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>)\n * [NSA-CISA-FBI-NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>) \n \n_Table 8: CVE-2019-3396 Vulnerability Details_\n\nMicrosoft Office Memory Corruption (CVE 2017-11882) \n--- \n \n_**Vulnerability Description**_\n\nAtlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.\n\n| \n\n_**CVSS**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nConfluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attack is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.\n\n_Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware._\n\n| \n\n_**Fix**_\n\n[Patch Available](<Patch%20Available>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor-approved resource. \n \n_**Detection Methods**_\n\n * Manually check the software version to see if it is susceptible to this vulnerability.\n\n * CVE-2019-3396 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at [https://github.com/nsacyber/Mitigating-Web-Shells.](<https://github.com/nsacyber/Mitigating-Web-Shells>) \n \n_**Vulnerable Technologies and Versions**_\n\nAll versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)\n * [MITRE CVE Record: CVE-2019-3396](<https://vulners.com/cve/CVE-2019-3396>)\n * [Confluence Security Advisory: Confluence Data Center and Server 7.12](<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>)\n * [Confluence Server and Data Center CONFSERVER-57974: Remote Code Execution via Widget Connector Macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>)\n * [TrendMicro Research Article: CVE-2019-3396: Exploiting the Confluence Vulnerability](<https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html>) \n \n_Table 9: CVE 2017-11882 Vulnerability Details_\n\nMicrosoft Office Memory Corruption (CVE 2017-11882) \n--- \n \n_**Vulnerability Description**_\n\nMicrosoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the \"Microsoft Office Memory Corruption Vulnerability.\" \n\nCyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nMicrosoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by `eqnedt32.exe`, meaning it runs as its own process and can accept commands from other processes.\n\nData execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which `eqnedt32.exe` was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to `eqnedt32.exe`, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker commands.\n\n_Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to [deliver LokiBot malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>)._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>) \n \n_**Recommended Mitigations**_\n\n * To remediate this issue, administrators should deploy Microsoft\u2019s patch for this vulnerability: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>.\n * Those who cannot deploy the patch should consider disabling the Equation Editor as discussed in [Microsoft Knowledge Base Article 4055535](<https://support.microsoft.com/en-us/topic/how-to-disable-equation-editor-3-0-7e000f58-cbf4-e805-b4b1-fde0243c9a92>). \n \n_**Detection Methods**_\n\n * Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability. \n \n_**Vulnerable Technologies and Versions**_\n\n * Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n * [CISA Malware Analysis Report: MAR-10211350-1.v2](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133e>)\n * [Palo Alto Networks Analysis: Analysis of CVE-2017-11882 Exploit in the Wild](<https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/>)\n * [CERT Coordination Center Vulnerability Note: Microsoft Office Equation Editor stack buffer overflow](<https://www.kb.cert.org/vuls/id/421280>) \n \n_Table 10: CVE 2019-11580 Vulnerability Details_\n\nAtlassian Crowd and Crowd Data Center Remote Code Execution (CVE 2019-11580) \n--- \n \n_**Vulnerability Description**_\n\nAtlassian Crowd and Crowd Data Center had the `pdkinstall` development plugin incorrectly enabled in release builds.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nAttackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>) \n \n_**Recommended Mitigations**_\n\n * Atlassian recommends customers running a version of Crowd below version 3.3.0 to upgrade to version 3.2.8. For customers running a version above or equal to 3.3.0, Atlassian recommends upgrading to the latest version.\n * Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at <https://www.atlassian.com/software/crowd/download>.\n * Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at <https://www.atlassian.com/software/crowd/download-archive>. \n \n_**Detection Methods**_\n\n * Manually check your software version to see if it is susceptible to this vulnerability.\n * CVE-2019-11580 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at [https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PD](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>)F and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells> \n \n_**Vulnerable Technologies and Versions**_\n\nAll versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. \n \n**_References_**\n\n * [NIST NVD Vulnerability Detail: CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>)\n * [Crowd CWD-5388: Crowd \u2013 pdkinstall Development Plugin Incorrectly Enabled \u2013 CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>)\n * [Crowd Security Advisory: Crowd Data Center and Server 4.3](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>) \n \n_Table 11: CVE 2018-7600 Vulnerability Details_\n\nDrupal Core Multiple Remote Code Execution (CVE 2018-7600) \n--- \n \n_**Vulnerability Description**_\n\nDrupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nAn RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.\n\n_Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.drupal.org/sa-core-2018-002>) \n \n_**Recommended Mitigations**_\n\n * Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1. \n \n_**Detection Methods**_\n\n * Dan Sharvit developed a tool to check for the CVE-2018-7600 vulnerability on several URLs: [https://github.com/sl4cky/CVE-2018-7600-Masschecker/blob/master/Drupalgeddon-mass.py.](<https://github.com/sl4cky/CVE-2018-7600-Masschecker/blob/master/Drupalgeddon-mass.py>) \n \n_**Vulnerable Technologies and Versions**_\n\n * Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected. \n \n_**References**_\n\n * [Drupal Security Advisory: Drupal Core - Highly Critical - Remote Code Execution - SA-CORE-2018-002](<https://www.drupal.org/sa-core-2018-002>)\n * [NIST NVD Vulnerability Detail: CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>)\n * [Drupal Groups: FAQ about SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>) \n \n_Table 12: CVE 2019-18935 Vulnerability Details_\n\nTelerik UI for ASP.NET AJAX Insecure Deserialization (CVE 2019-18935) \n--- \n \n_**Vulnerability Description**_\n\nTelerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.\n\n| \n\n**_CVS 3.0_**\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThe Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable `HTTP POST` parameter `rauPostData` makes use of a vulnerable function/object `AsyncUploadHandler`. The object/function uses the `JavaScriptSerializer.Deserialize()` method, which not not properly sanitize the serialized data during the deserialization process. This issue is attacked by:\n\n 1. Determining the vulnerable function is available/registered: ` http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau`,\n 2. Determining if the version running is vulnerable by querying the UI, and\n 3. Creating an object (e.g., malicious mixed-mode DLL with native OS commands or Reverse Shell) and uploading the object via rauPostData parameter along with the proper encryption key.\n\n_There were two malware campaigns associated with this vulnerability:_\n\n * _Netwalker Ransomware and_\n * _Blue Mockbird Monero Cryptocurrency-mining._\n| \n\n_**Fix**_\n\n[Patch Available](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n \n_**Recommended Mitigations**_\n\n * Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later). \n \n_**Detection Methods**_\n\n * ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.\n * Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log. Details of the above PowerShell script and exploitation detection recommendations are available in [ACSC Advisory 2020-004](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>).\n * Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n**_Vulnerable Technologies and Versions_**\n\nTelerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected. \n \n**_References_**\n\n * [Telerik UI for ASP.NET AJAX security advisory \u2013 Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)\n * [NIST NVD Vulnerability Detail: CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n * [ACSC Advisory 2020-004: Remote Code Execution Vulnerability Being Actively Exploited in Vulnerable Versions of Telerik UI by Sophisticated Actors](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>)\n * [Bishop Fox \u2013 CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI](<https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui>)\n * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>) \n \n_Table 13: CVE-2019-0604 Vulnerability Details_\n\nMicrosoft SharePoint Remote Code Execution (CVE-2019-0604) \n--- \n \n_**Vulnerability Description**_\n\nA vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.\n\n| \n\n**_CVSS 3.0_**\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThis vulnerability was typically exploited to install webshell malware to vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:\n\n`C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\<version_number>\\Template\\Layouts`\n\nThe `xmlSerializer.Deserialize()` method does not adequately sanitize user input that is received from the PickerEnitity/ValidateEnity (`picker.aspx`) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaulated for relevant XML commands and stings. A user can attack .Net based XML parsers with XMLNS payloads using the <`system:string`> tag and embedding malicious operating system commands. \n\n_The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>) \n \n_**Recommended Mitigations**_\n\n * Upgrade on-premise installations of Microsoft Sharepoint to the latest available version (Microsoft SharePoint 2019) and patch level.\n * On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible. \n \n_**Detection Methods**_\n\n * The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.\n * Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. [ACSC Advisory 2019-125](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>) contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.\n * NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2. \n \n_**References**_\n\n * [Microsoft \u2013 SharePoint Remote Code Execution Vulnerability Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>)\n * [NIST NVD Vulnerability Detail: CVE-2019-0604](<https://nvd.nist.gov/vuln/detail/cve-2019-0604>)\n * [ACSC Advisory 2019-125: Targeting of Microsoft SharePoint CVE-2019-0604](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>)\n * [NSCS Alert: Microsoft SharePoint Remote Code Vulnerability](<https://www.ncsc.gov.uk/news/alert-microsoft-sharepoint-remote-code-vulnerability>) \n \n_Table 14: CVE-2020-0787 Vulnerability Details_\n\nWindows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787) \n--- \n \n_**Vulnerability Description**_\n\nThe Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.\n\nActors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit\u2019s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:\n\n`C:\\Users\\<username>\\AppData\\Local\\Temp\\workspace \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\mountpoint \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\bait`\n\n_The exploit was used in Maze and Egregor ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory. \n \n_**Vulnerable Technologies and Versions**_\n\nWindows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable.\n\nWindows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable. \n \n_**References**_\n\n * [Microsoft \u2013 Windows Background Intelligent Transfer Service Elevation of Privilege Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>)\n * [NIST NVD Vulnerability Detail: CVE-2020-0787](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>)\n * [Security Researcher \u2013 Proof of Concept Exploit Code](<https://itm4n.github.io/cve-2020-0787-windows-bits-eop/>) \n \n_Table 15: CVE-2020-1472 Vulnerability Details_\n\nMicrosoft Netlogon Elevation of Privilege (CVE-2020-1472) \n--- \n \n_**Vulnerability Description**_\n\nThe Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (VI) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer including a domain controller, and potentially obtain domain administrator privileges.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.\n\nThe immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.\n\nThreat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.\n\n_A nation-state APT group has been observed exploiting this vulnerability_.[[18](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)]\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.\n * Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the [ACSC 2020-016 Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809. \n \n_**References**_\n\n * [Microsoft \u2013 Netlogon Elevation of Privilege Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n * [NIST NVD Vulnerability Detail: CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/cve-2020-1472>)\n * [ACSC 2020-016 Netlogon Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [ACSC Advisory 2020-016: \"Zerologon\" \u2013 Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [NCSC Alert: UK Organisations Should Patch Netlogon Vulnerability (Zerologon)](<https://www.ncsc.gov.uk/news/alert-organisations-should-patch-netlogon-vulnerability>) \n \nFor additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) and ACSC\u2019s [Essential Eight](<https://www.cyber.gov.au/acsc/view-all-content/essential-eight>) mitigation strategies.\n\n### Additional Resources\n\n#### Free Cybersecurity Services\n\nCISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about [CISA\u2019s free services](<https://www.cisa.gov/cyber-hygiene-services>), or to sign up, email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).\n\n#### Cyber Essentials\n\n[CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.\n\n#### Cyber.gov.au \n\n[ACSC\u2019s website](<https://www.cyber.gov.au/>) provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.\n\n#### ACSC Partnership Program\n\nThe ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.\n\nAustralian organizations, including government and those in the private sector as well individuals, are welcome to sign up at [Become an ACSC partner](<https://www.cyber.gov.au/partner-hub/become-a-partner>) to join.\n\n#### NCSC 10 Steps\n\nThe NCSC offers [10 Steps to Cyber Security](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/collection/10-steps__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWWI8Rbcz%24>), providing detailed guidance on how medium and large organizations can manage their security.\n\nOn vulnerabilities specifically, the NCSC has [guidance to organizations on establishing an effective vulnerability management process](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/guidance/vulnerability-management__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWfrZnnW4%24>), focusing on the management of widely available software and hardware.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at[ www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### References\n\n[[1] NSA-CISA-FBI Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n\n[[2] CISA-FBI-NSA-NCSC Advisory: Further TTPs Associated with SVR Cyber Actors](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>)\n\n[[3] NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n[[4] ACSC Advisory 2020-001-4: Remediation for Critical Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[5] NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[6] Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n\n[[7] CISA-FBI Joint Cybersecurity Advisory: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[8] ACSC Alert: APT Exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)\n\n[[9] NCSC Alert: Alert: Critical Risk to Unpatched Fortinet VPN Devices](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)\n\n[[10] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>)\n\n[[11] NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[12] NCSC-Canada\u2019s Communications Security Establishment-NSA-CISA Advisory: APT29 Targets COVID-19 Vaccine Development (CSE)](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n[[13] ACSC Advisory: Summary of Tactics, Techniques and Procedures Used to Target Australian Networks](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)\n\n[[14] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n\n[[15] CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[16] CISA Emergency Directive (ED 20-03): Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n\n[[17] NCSC Alert: Alert: Multiple Actors are Attempting to Exploit MobileIron Vulnerability CVE 2020-15505](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)\n\n[[18] NJCCIC Alert: APT10 Adds ZeroLogon Exploitation to TTPs](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)\n\n### Revisions\n\nInitial Version: July 28, 2021|August 4, 2021: Fixed typo|August 20, 2021: Adjusted vendor name for CVE-2020-1472\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-08-20T12:00:00", "id": "AA21-209A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-15T19:12:38", "description": "### **SUMMARY**\n\nIn 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international partners, hereafter referred to as \u201cauthoring organizations,\u201d are releasing this Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents and providing recommended mitigations to enable network defenders to proactively improve their organization\u2019s defenses against this ransomware operation. \n\n * Australian Cyber Security Centre (ACSC)\n * Canadian Centre for Cyber Security (CCCS)\n * United Kingdom\u2019s National Cyber Security Centre (NCSC-UK)\n * National Cybersecurity Agency of France (ANSSI)\n * Germany\u2019s Federal Office for Information Security (BSI)\n * New Zealand\u2019s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ) \n\nThe authoring organizations encourage the implementation of the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents.\n\nUnderstanding Ransomware Threat Actors: LockBit (PDF, 1.24 MB )\n\n### **TECHNICAL DETAILS**\n\n**Note:** This advisory uses the [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v13/matrices/enterprise/>) framework, version 13.1. See the MITRE ATT&CK Tactics and Techniques section for tables of LockBit\u2019s activity mapped to MITRE ATT&CK\u00ae tactics and techniques.\n\n#### Introduction\n\nThe LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. [[1](<https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-blackcat-and-royal-dominate-the-ransomware-scene-ransomware-in-q4-2022>)] A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as \u201caffiliates\u201d), and supports affiliates\u2019 deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits. Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to:\n\n * Assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; this practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates\u2019 cut.\n * Disparaging other RaaS groups in online forums.\n * Engaging in publicity-generating activities stunts, such as paying people to get LockBit tattoos and putting a $1 million bounty on information related to the real-world identity of LockBit\u2019s lead who goes by the persona \u201cLockBitSupp.\u201d\n * Developing and maintaining a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill. [[2](<https://analyst1.com/ransomware-diaries-volume-1/>), [3](<https://www.theguardian.com/business/2023/jan/13/what-is-lockbit-ransomware-and-how-does-it-operate-malware-royal-mail>)]\n\nLockBit has been successful through innovation and ongoing development of the group\u2019s administrative panel and the RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.\n\nTable 1 shows LockBit RaaS\u2019s innovation and development.\n\n_Table 1: Evolution of LockBit RaaS_\n\n**Date**\n\n| \n\n**Event** \n \n---|--- \n \nSeptember 2019\n\n| \n\nFirst observed activity of **ABCD ransomware**, the predecessor to LockBit. [[4](<https://documents.trendmicro.com/images/TEx/articles/LockBit-Infographic-ZgjRJ0Y.jpg>)] \n \nJanuary 2020\n\n| \n\n**LockBit-named ransomware** first seen on Russian-language based cybercrime forums. \n \nJune 2021\n\n| \n\nAppearance of **LockBit version 2 (LockBit 2.0)**, also known as LockBit Red including StealBit, a built-in information-stealing tool. \n \nOctober 2021\n\n| \n\nIntroduction of **LockBit Linux-ESXi Locker version 1.0** expanding capabilities to target systems to Linux and VMware ESXi. [[5](<https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html>)] \n \nMarch 2022\n\n| \n\nEmergence of **LockBit 3.0**, also known as LockBit Black, that shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware. \n \nSeptember 2022\n\n| \n\nNon-LockBit affiliates able to use **LockBit 3.0** after its builder was leaked. [[2](<https://analyst1.com/ransomware-diaries-volume-1/>), [6](<https://www.malwarebytes.com/blog/news/2022/09/lockbit-builder-leaked-by-disgruntled-developer>)] \n \nJanuary 2023\n\n| \n\nArrival of **LockBit Green** incorporating source code from Conti ransomware. [[7](<https://cybernews.com/security/lockbit-ransomware-gang-releases-lockbit-green-version/>)] \n \nApril 2023\n\n| \n\nLockBit ransomware encryptors targeting **macOS** seen on VirusTotal [[8](<https://thehackernews.com/2023/04/lockbit-ransomware-now-targeting-apple.html>), [9](<https://www.wired.com/story/apple-mac-lockbit-ransomware-samples/>)] \n \nLockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates\u2019 use on LockBit\u2019s panel.\n\n#### LockBit Statistics\n\n##### _Percentage of ransomware incidents attributed to LockBit:_\n\n * Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.\n * Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.[[10](<https://www.cbc.ca/news/politics/cse-lockbit-threat-1.6734996>)]\n * New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.\n * United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).\n\n##### _Number of LockBit ransomware attacks in the U.S. since 2020:_\n\n * About 1,700 attacks according to the FBI.\n\n##### _Total of U.S. ransoms paid to LockBit:_\n\n * Approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.\n\n##### _Earliest observed LockBit activity:_\n\n * Australia: The earliest documented occurrence of LockBit 3.0 was in early August 2022.\n * Canada: The first recorded instance of LockBit activity in Canada was in March 2020.\n * New Zealand: The first recorded incident involving LockBit ransomware was in March 2021.\n * United States: LockBit activity was first observed on January 5, 2020.\n\n##### _Most recently observed LockBit activity:_\n\n * Australia: April 21, 2023.\n * New Zealand: February 2023.\n * United States: As recently as May 25, 2023.\n\n##### _Operational activity related to LockBit in France_\n\nSince the first case in July 2020 to present, ANSSI has handled 80 alerts linked to the LockBit ransomware, which accounts for 11% of all ransomware cases handled by ANSSI in that period. In about 13% of those cases, ANSSI was not able to confirm nor deny the breach of its constituents\u2019 networks \u2013 as the alerts were related to the threat actor\u2019s online claims. So far, 69 confirmed incidents have been handled by ANSSI. Table 2 shows the LockBit activity observed by ANSSI versus overall ransomware activity tracked by the Computer Emergency Response Team-France (CERT-FR).\n\n_Table 2: ANSSI-Observed LockBit vs. Overall Ransomware Activity_\n\n**Year**\n\n| \n\n**Number of Incidents**\n\n| \n\n**Percentage of CERT-FR\u2019s Ransomware-Related Activity** \n \n---|---|--- \n \n2020 (from July)\n\n| \n\n4\n\n| \n\n2% \n \n2021\n\n| \n\n20\n\n| \n\n10% \n \n2022\n\n| \n\n30\n\n| \n\n27% \n \n2023\n\n| \n\n15\n\n| \n\n27% \n \n**Total (2020-2023)**\n\n| \n\n**69**\n\n| \n\n**11%** \n \nTable 3 shows the number of instances different LockBit strains were observed by ANSSI from July 2020 to present.\n\n_Table 3: ANSSI-Observed LockBit Strain and Number of Instances_\n\n**Name of the Strain***\n\n| \n\n**Number of Instances** \n \n---|--- \n \nLockBit 2.0 (LockBit Red)\n\n| \n\n26 \n \nLockBit 3.0 (LockBit Black)\n\n| \n\n23 \n \nLockBit\n\n| \n\n21 \n \nLockBit Green\n\n| \n\n1 \n \nLockBit (pre-encryption)\n\n| \n\n1 \n \n**Total**\n\n| \n\n**72**** \n \n###### _* Name either obtained from ANSSI\u2019s or the victim\u2019s investigations \n** Includes incidents with multiple strains_\n\n![Figure 1: ANSSI-Observed LockBit Strains by Year](/sites/default/files/styles/large/public/2023-06/figure_1_-_anssi-observed_lockbit_strains_by_year.png?itok=1jx2JRjy)\n\n_Figure 1: ANSSI-Observed LockBit Strains by Year_\n\nFrom the incidents handled, ANSSI can infer that LockBit 3.0 widely took over from LockBit 2.0 and the original LockBit strain from 2022. In two cases, victims were infected with as many as three different strains of LockBit (LockBit 2.0/Red, LockBit 3.0/Black, and LockBit Green).\n\n##### _Leak Sites_\n\nThe authoring agencies observe data leak sites, where attackers publish the names and captured data of victims if they do not pay ransom or hush money. Additionally, these sites can be used to record alleged victims who have been threatened with a data leak. The term 'victims' may include those who have been attacked, or those who have been threatened or blackmailed (with the attack having taken place).\n\nThe leak sites only show the portion of LockBit affiliates\u2019 victims subjected to secondary extortion. Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites. Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates\u2019 total victims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks.\n\nUp to the Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites. With the introduction of LockBit 2.0 and LockBit 3.0, the leak sites have changed, with some sources choosing to differentiate leak sites by LockBit versions and others ignoring any differentiation. Over time, and through different evolutions of LockBit, the address and layout of LockBit leak sites have changed and are aggregated under the common denominator of the LockBit name. The introduction of LockBit 2.0 at the end of the Q2 2021 had an immediate impact on the cybercriminal market due to multiple RaaS operations shutting down in May and June 2021 (e.g., DarkSide and Avaddon). LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the cybercriminal market leading to an influx of LockBit affiliates. Figure 2 shows the alleged number of victims worldwide on LockBit leak sites starting in Q3 2020. Figure 2 shows the alleged number of victims worldwide on LockBit leak sites starting in Q3 2020.\n\n![Figure 2: Alleged Number of Victims Worldwide on LockBit Leak Sites](/sites/default/files/styles/large/public/2023-06/figure_2_-_alleged_number_of_victims_worldwide_on_lockbit_leak_sites.png?itok=p4xMUE1D)\n\n_Figure 2: Alleged Number of Victims Worldwide on LockBit Leak Sites_\n\n##### Tools\n\nDuring their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use. When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and batch scripts are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.\n\nTable 4 shows a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations. The legitimate freeware and open-source tools mentioned in this product are all publicly available and legal. The use of these tools by a threat actor should not be attributed to the freeware and open-source tools, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.\n\n**_Table 4: Freeware and Open-Source Tools Used by LockBit Affiliates_**\n\n**Tool**\n\n| \n\n**Intended Use**\n\n| \n\n**Repurposed Use by LockBit Affiliates**\n\n| \n\n**MITRE ATT&CK ID** \n \n---|---|---|--- \n \n7-zip\n\n| \n\nCompresses files into an archive.\n\n| \n\nCompresses data to avoid detection before exfiltration.\n\n| \n\n[T1562](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses \n \nAdFind\n\n| \n\nSearches Active Directory (AD) and gathers information.\n\n| \n\nGathers AD information used to exploit a victim\u2019s network, escalate privileges, and facilitate lateral movement.\n\n| \n\n[S0552](<https://attack.mitre.org/versions/v13/software/S0552/>)\n\nAdFind \n \nAdvanced Internet Protocol (IP) Scanner\n\n| \n\nPerforms network scans and shows network devices.\n\n| \n\nMaps a victim\u2019s network to identify potential access vectors.\n\n| \n\n[T1046](<https://attack.mitre.org/versions/v13/techniques/T1046/>)\n\nNetwork Service Discovery \n \nAdvanced Port Scanner\n\n| \n\nPerforms network scans.\n\n| \n\nFinds open Transmission Control Protocol (TCP) and User Data Protocol (UDP) ports for exploitation.\n\n| \n\n[T1046](<https://attack.mitre.org/versions/v13/techniques/T1046/>)\n\nNetwork Service Discovery \n \nAdvancedRun\n\n| \n\nAllows software to be run with different settings.\n\n| \n\nEnables escalation of privileges by changing settings before running software.\n\n| \n\n[TA0004](<https://attack.mitre.org/versions/v13/tactics/TA0004/>)\n\nPrivilege Escalation \n \nAnyDesk\n\n| \n\nEnables remote connections to network devices.\n\n| \n\nEnables remote control of victim\u2019s network devices.\n\n| \n\n[T1219](<https://attack.mitre.org/versions/v13/techniques/T1219/>)\n\nRemote Access Software \n \nAtera Remote Monitoring & Management (RMM)\n\n| \n\nEnables remote connections to network devices.\n\n| \n\nEnables remote control of victim\u2019s network devices.\n\n| \n\n[T1219](<https://attack.mitre.org/versions/v13/techniques/T1219/>)\n\nRemote Access Software \n \nBackstab\n\n| \n\nTerminates antimalware-protected processes.\n\n| \n\nTerminates endpoint detection and response (EDR)- protected processes.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nBat Armor\n\n| \n\nGenerates .bat files using PowerShell scripts.\n\n| \n\nBypasses PowerShell execution policy.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nBloodhound\n\n| \n\nPerforms reconnaissance of AD for attack path management.\n\n| \n\nEnables identification of AD relationships that can be exploited to gain access onto a victim\u2019s network.\n\n| \n\n[T1482](<https://attack.mitre.org/versions/v13/techniques/T1482/>)\n\nDomain Trust Discovery \n \nChocolatey\n\n| \n\nHandles command-line package management on Microsoft Windows.\n\n| \n\nFacilitates installation of LockBit affiliate actors\u2019 tools.\n\n| \n\n[T1072](<https://attack.mitre.org/versions/v13/techniques/T1072/>)\n\nSoftware Deployment Tools \n \nDefender Control\n\n| \n\nDisables Microsoft Defender.\n\n| \n\nEnables LockBit affiliate actors to bypass Microsoft Defender.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nExtPassword\n\n| \n\nRecovers passwords from Windows systems.\n\n| \n\nObtains credentials for network access and exploitation.\n\n| \n\n[T1003](<https://attack.mitre.org/versions/v13/techniques/T1003/>)\n\nOperating System (OS) Credential Dumping \n \nFileZilla\n\n| \n\nPerforms cross-platform File Transfer Protocol (FTP) to a site, server, or host.\n\n| \n\nEnables data exfiltration over FTP to the LockBit affiliate actors\u2019 site, server, or host.\n\n| \n\n[T1071.002](<https://attack.mitre.org/versions/v13/techniques/T1071/002/>)\n\nApplication Layer Protocol: File Transfer Protocols \n \nFreeFileSync\n\n| \n\nFacilitates cloud-based file synchronization.\n\n| \n\nFacilitates cloud-based file synchronization for data exfiltration.\n\n| \n\n[T1567.002](<https://attack.mitre.org/versions/v13/techniques/T1567/002/>)\n\nExfiltration Over Web Service: Exfiltration to Cloud Storage \n \nGMER\n\n| \n\nRemoves rootkits.\n\n| \n\nTerminates and removes EDR software.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nImpacket\n\n| \n\nCollection of Python classes for working with network protocols.\n\n| \n\nEnables lateral movement on a victim\u2019s network.\n\n| \n\n[S0357](<https://attack.mitre.org/versions/v13/software/S0357/>)\n\nImpacket \n \nLaZagne\n\n| \n\nRecovers system passwords across multiple platforms.\n\n| \n\nCollect credentials for accessing a victim\u2019s systems and network.\n\n| \n\n[S0349](<https://attack.mitre.org/versions/v13/software/S0349/>)\n\nLaZagne \n \nLigolo\n\n| \n\nEstablishes SOCKS5 or TCP tunnels from a reverse connection for pen testing.\n\n| \n\nEnables connections to systems within the victim\u2019s network via reverse tunneling.\n\n| \n\n[T1095](<https://attack.mitre.org/versions/v13/techniques/T1095/>)\n\nNon-Application Layer Protocol \n \nLostMyPassword\n\n| \n\nRecovers passwords from Windows systems.\n\n| \n\nObtains credentials for network access and exploitation.\n\n| \n\n[T1003](<https://attack.mitre.org/versions/v13/techniques/T1003/>)\n\nOS Credential Dumping \n \nMEGA Ltd MegaSync\n\n| \n\nFacilitates cloud-based file synchronization.\n\n| \n\nFacilitates cloud-based file synchronization for data exfiltration.\n\n| \n\n[T1567.002](<https://attack.mitre.org/versions/v13/techniques/T1567/002/>)\n\nExfiltration Over Web Service: Exfiltration to Cloud Storage \n \nMicrosoft Sysinternals ProcDump\n\n| \n\nMonitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike.\n\n| \n\nObtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS).\n\n| \n\n[T1003.001](<https://attack.mitre.org/versions/v13/techniques/T1003/001/>)\n\nOS Credential Dumping: LSASS Memory \n \nMicrosoft Sysinternals PsExec\n\n| \n\nExecutes a command-line process on a remote machine.\n\n| \n\nEnables LockBit affiliate actors to control victim\u2019s systems.\n\n| \n\n[S0029](<https://attack.mitre.org/versions/v13/software/S0029/>)\n\nPsExec \n \nMimikatz\n\n| \n\nExtracts credentials from a system.\n\n| \n\nExtracts credentials from a system for gaining network access and exploiting systems.\n\n| \n\n[S0002](<https://attack.mitre.org/versions/v13/software/S0002/>)\n\nMimikatz \n \nNgrok\n\n| \n\nEnables remote access to a local web server by tunnelling over the internet.\n\n| \n\nEnables victim network protections to be bypassed by tunnelling to a system over the internet.\n\n| \n\n[S0508](<https://attack.mitre.org/versions/v13/software/S0508/>)\n\nNgrok \n \nPasswordFox\n\n| \n\nRecovers passwords from Firefox Browser.\n\n| \n\nObtains credentials for network access and exploitation.\n\n| \n\n[T1555.003](<https://attack.mitre.org/versions/v13/techniques/T1555/003/>)\n\nCredentials from Web Browsers \n \nPCHunter\n\n| \n\nEnables advanced task management including system processes and kernels.\n\n| \n\nTerminates and circumvents EDR processes and services.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nPowerTool\n\n| \n\nRemoves rootkits, as well as detecting, analyzing, and fixing kernel structure modifications.\n\n| \n\nTerminates and removes EDR software.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nProcess Hacker\n\n| \n\nRemoves rootkits.\n\n| \n\nTerminates and removes EDR software.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nPuTTY Link (Plink)\n\n| \n\nAutomates Secure Shell (SSH) actions on Windows.\n\n| \n\nEnables LockBit affiliate actors to avoid detection.\n\n| \n\n[T1572](<https://attack.mitre.org/versions/v13/techniques/T1572/>)\n\nProtocol Tunneling \n \nRclone\n\n| \n\nManages cloud storage files using a command-line program.\n\n| \n\nFacilitates data exfiltration over cloud storage.\n\n| \n\n[S1040](<https://attack.mitre.org/versions/v13/software/S1040/>)\n\nRclone \n \nSeatbelt\n\n| \n\nPerforms numerous security-oriented checks.\n\n| \n\nPerforms numerous security-oriented checks to enumerate system information.\n\n| \n\n[T1082](<https://attack.mitre.org/versions/v13/techniques/T1082/>)\n\nSystem Information Discovery \n \nScreenConnect (also known as ConnectWise)\n\n| \n\nEnables remote connections to network devices for management.\n\n| \n\nEnables LockBit affiliate actors to remotely connect to a victim\u2019s systems.\n\n| \n\n[T1219](<https://attack.mitre.org/versions/v13/techniques/T1219/>)\n\nRemote Access Software \n \nSoftPerfect Network Scanner\n\n| \n\nPerforms network scans for systems management.\n\n| \n\nEnables LockBit affiliate actors to obtain information about a victim\u2019s systems and network.\n\n| \n\n[T1046](<https://attack.mitre.org/versions/v13/techniques/T1046/>)\n\nNetwork Service Discovery \n \nSplashtop\n\n| \n\nEnables remote connections to network devices for management.\n\n| \n\nEnables LockBit affiliate actors to remotely connect to systems over Remote Desktop Protocol (RDP).\n\n| \n\n[T1021.001](<https://attack.mitre.org/versions/v13/techniques/T1021/001/>)\n\nRemote Services: Remote Desktop Protocol \n \nTDSSKiller\n\n| \n\nRemoves rootkits.\n\n| \n\nTerminates and removes EDR software.\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\nImpair Defenses: Disable or Modify Tools \n \nTeamViewer\n\n| \n\nEnables remote connections to network devices for management.\n\n| \n\nEnables LockBit affiliate actors to remotely connect to a victim\u2019s systems.\n\n| \n\n[T1219](<https://attack.mitre.org/versions/v13/techniques/T1219/>)\n\nRemote Access Software \n \nThunderShell\n\n| \n\nFacilitates remote access via Hypertext Transfer Protocol (HTTP) requests.\n\n| \n\nEnables LockBit affiliate actors to remotely access systems while encrypting network traffic.\n\n| \n\n[T1071.001](<https://attack.mitre.org/versions/v13/techniques/T1071/001/>)\n\nApplication Layer Protocol: Web Protocols \n \nWinSCP\n\n| \n\nFacilitates file transfer using SSH File Transfer Protocol for Microsoft Windows.\n\n| \n\nEnables data exfiltration via the SSH File Transfer Protocol.\n\n| \n\n[T1048](<https://attack.mitre.org/versions/v13/techniques/T1048/>)\n\nExfiltration Over Alternative Protocol \n \n#### Common Vulnerabilities and Exposures (CVEs) Exploited\n\nBased on secondary sources, it was noted that affiliates exploit older vulnerabilities like [CVE-2021-22986](<https://nvd.nist.gov/vuln/detail/CVE-2021-22986>), F5 iControl REST unauthenticated Remote Code Execution Vulnerability, as well as newer vulnerabilities such as:\n\n * [CVE-2023-0669](<https://nvd.nist.gov/vuln/detail/CVE-2023-0669>): Fortra GoAnyhwere Managed File Transfer (MFT) Remote Code Execution Vulnerability\n * [CVE-2023-27350](<https://nvd.nist.gov/vuln/detail/CVE-2023-27350>): PaperCut MF/NG Improper Access Control Vulnerability\n\nLockBit affiliates have been documented exploiting numerous CVEs, including:\n\n * [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>): Apache Log4j2 Remote Code Execution Vulnerability,\n * [CVE-2021-22986](<https://nvd.nist.gov/vuln/detail/CVE-2021-22986>): F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability,\n * [CVE-2020-1472: NetLogon Privilege Escalation Vulnerability,](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\n * [CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>): Microsoft Remote Desktop Services Remote Code Execution Vulnerability, and\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>): Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability.\n\nFor further information on these CVEs, see CISA\u2019s [Known Exploited Vulnerabilities (KEV) Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Post Detonation TTPs\n\nWhen LockBit affiliates target an organization responsible for managing other organizations\u2019 networks, CERT NZ has observed LockBit affiliates attempt secondary ransomware extortion after detonation of the LockBit variant on the primary target. Once the primary target is hit, LockBit affiliates then attempt to extort the companies that are customers of the primary target. This extortion is in the form of secondary ransomware that locks down services those customers consume. Additionally, the primary target\u2019s customers may be extorted by LockBit affiliates threatening to release those customers\u2019 sensitive information.\n\n### MITRE ATT&CK Tactics and Techniques\n\nTables 5-16 show the LockBit affiliate tactics and techniques referenced in this advisory.\n\n_Table 5: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Initial Access_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nDrive-by Compromise\n\n| \n\n[T1189](<https://attack.mitre.org/versions/v13/techniques/T1189/>)\n\n| \n\nLockBit affiliates gain access to a system through a user visiting a website over the normal course of browsing. \n \nExploit Public-Facing Application\n\n| \n\n[T1190](<https://attack.mitre.org/versions/v13/techniques/T1190/>)\n\n| \n\nLockBit affiliates may exploit vulnerabilities (e.g., Log4Shell) in internet-facing systems to gain access to victims\u2019 systems. \n \nExternal Remote Services\n\n| \n\n[T1133](<https://attack.mitre.org/versions/v13/techniques/T1133/>)\n\n| \n\nLockBit affiliates exploit RDP to gain access to victims\u2019 networks. \n \nPhishing\n\n| \n\n[T1566](<https://attack.mitre.org/versions/v13/techniques/T1566/>)\n\n| \n\nLockBit affiliates use phishing and spearphishing to gain access to victims' networks. \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v13/techniques/T1078/>)\n\n| \n\nLockBit affiliates obtain and abuse credentials of existing accounts as a means of gaining initial access. \n \n_Table 6: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Execution_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nExecution\n\n| \n\n[TA0002](<https://attack.mitre.org/versions/v13/tactics/TA0002/>)\n\n| \n\nLockBit 3.0 launches commands during its execution. \n \nCommand and Scripting Interpreter: Windows Command Shell\n\n| \n\n[T1059.003](<https://attack.mitre.org/versions/v13/techniques/T1059/003/>)\n\n| \n\nLockBit affiliates use batch scripts to execute malicious commands. \n \nSoftware Deployment Tools\n\n| \n\n[T1072](<https://attack.mitre.org/versions/v13/techniques/T1072/>)\n\n| \n\nLockBit affiliates may use Chocolatey, a command-line package manager for Windows. \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nSystem Services: Service Execution\n\n| \n\n[T1569.002](<https://attack.mitre.org/versions/v13/techniques/T1569/002/>)\n\n| \n\nLockBit 3.0 uses PsExec to execute commands or payloads. \n \n_Table 7: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Persistence_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nBoot or Logon Autostart Execution\n\n| \n\n[T1547](<https://attack.mitre.org/versions/v13/techniques/T1547/>)\n\n| \n\nLockBit affiliates enables automatic logon for persistence. \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v13/techniques/T1078/>)\n\n| \n\nLockBit affiliates may use a compromised user account to maintain persistence on the target network. \n \n_Table 8: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Privilege Escalation_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nPrivilege Escalation\n\n| \n\n[TA0004](<https://attack.mitre.org/versions/v13/tactics/TA0004/>)\n\n| \n\nLockBit affiliates will attempt to escalate to the required privileges if current account privileges are insufficient. \n \nAbuse Elevation Control Mechanism\n\n| \n\n[T1548](<https://attack.mitre.org/versions/v13/techniques/T1548/>)\n\n| \n\nLockBit affiliates may use ucmDccwCOM Method in UACMe, a GitHub collection of User Account Control (UAC) bypass techniques. \n \nBoot or Logon Autostart Execution\n\n| \n\n[T1547](<https://attack.mitre.org/versions/v13/techniques/T1547/>)\n\n| \n\nLockBit affiliates enable automatic logon for privilege escalation. \n \nDomain Policy Modification: Group Policy Modification\n\n| \n\n[T1484.001](<https://attack.mitre.org/versions/v13/techniques/T1484/001/>)\n\n| \n\nLockBit affiliates may create Group Policy for lateral movement and can force group policy updates. \n \nValid Accounts\n\n| \n\n[T1078](<https://attack.mitre.org/versions/v13/techniques/T1078/>)\n\n| \n\nLockBit affiliates may use a compromised user account to escalate privileges on a victim\u2019s network. \n \n_Table 9: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Defense Evasion_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nExecution Guardrails: Environmental Keying\n\n| \n\n[T1480.001](<https://attack.mitre.org/versions/v13/techniques/T1480/001/>)\n\n| \n\nLockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered. \n \nImpair Defenses: Disable or Modify Tools\n\n| \n\n[T1562.001](<https://attack.mitre.org/versions/v13/techniques/T1562/001/>)\n\n| \n\nLockBit 3.0 affiliates use Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker or TDSSKiller to disable EDR processes and services.\n\nLockBit 3.0 affiliates use Bat Armor to bypass the PowerShell execution Policy.\n\nLockBit affiliates may deploy a batch script, 123.bat, to disable and uninstall antivirus software.\n\nLockbit 3.0 may modify and/or disable security tools including EDR and antivirus to avoid possible detection of malware, tools, and activities. \n \nIndicator Removal: Clear Windows Event Logs\n\n| \n\n[T1070.001](<https://attack.mitre.org/versions/v13/techniques/T1070/001/>)\n\n| \n\nLockBit executable clears the Windows Event Logs files. \n \nIndicator Removal: File Deletion\n\n| \n\n[T1070.004](<https://attack.mitre.org/versions/v13/techniques/T1070/004/>)\n\n| \n\nLockBit 3.0 will delete itself from the disk. \n \nObfuscated Files or Information\n\n| \n\n[T1027](<https://attack.mitre.org/versions/v13/techniques/T1027/>)\n\n| \n\nLockBit 3.0 will send encrypted host and bot information to its command and control (C2) servers. \n \nObfuscated Files or Information: Software Packing\n\n| \n\n[T1027.002](<https://attack.mitre.org/versions/v13/techniques/T1027/002/>)\n\n| \n\nLockBit affiliates may perform software packing or virtual machine software protection to conceal their code. Blister Loader has been used for such purpose. \n \n_Table 10: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Credential Access_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nBrute Force\n\n| \n\n[T1110](<https://attack.mitre.org/versions/v13/techniques/T1110/>)\n\n| \n\nLockBit affiliates may leverage VPN or RDP brute force credentials as an initial access. \n \nCredentials from Password Stores: Credentials from Web Browsers\n\n| \n\n[T1555.003](<https://attack.mitre.org/versions/v13/techniques/T1555/003/>)\n\n| \n\nLockBit 3.0 actors use PasswordFox to recover passwords from Firefox Browser. \n \nOS Credential Dumping\n\n| \n\n[T1003](<https://attack.mitre.org/versions/v13/techniques/T1003/001/>)\n\n| \n\nLockBit 3.0 actors use ExtPassword or LostMyPassword to recover passwords from Windows systems. \n \nOS Credential Dumping: LSASS Memory\n\n| \n\n[T1003.001](<https://attack.mitre.org/versions/v13/techniques/T1003/001/>)\n\n| \n\nLockBit affiliates may use Microsoft Sysinternals ProDump to dump the contents of lsass.exe.\n\nLockBit affiliates have used Mimikatz to dump credentials. \n \n_Table 11: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Discovery_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nNetwork Service Discovery\n\n| \n\n[T1046](<https://attack.mitre.org/versions/v13/techniques/T1046/>)\n\n| \n\nLockBit affiliates use SoftPerfect Network Scanner, Advanced IP Scanner, or Advanced Port Scanner to scan target networks.\n\nLockBit affiliates may use SoftPerfect Network Scanner, Advanced Port Scanner, and AdFind to enumerate connected machines in the network. \n \nSystem Information Discovery\n\n| \n\n[T1082](<https://attack.mitre.org/versions/v13/techniques/T1082/>)\n\n| \n\nLockBit affiliates will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. \n \nSystem Location Discovery: System Language Discovery\n\n| \n\n[T1614.001](<https://attack.mitre.org/versions/v13/techniques/T1614/001/>)\n\n| \n\nLockBit 3.0 will not infect machines with language settings that match a defined exclusion list. \n \n_Table 12: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Lateral Movement_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nLateral Movement\n\n| \n\n[TA0008](<https://attack.mitre.org/versions/v13/tactics/TA0008/>)\n\n| \n\nLockBit affiliates will laterally move across networks and access domain controllers. \n \nRemote Services: Remote Desktop Protocol\n\n| \n\n[T1021.001](<https://attack.mitre.org/versions/v13/techniques/T1021/001/>)\n\n| \n\nLockBit affiliates use Splashtop remote-desktop software to facilitate lateral movement. \n \nRemote Services: Server Message Block (SMB)/Admin Windows Shares\n\n| \n\n[T1021.002](<https://attack.mitre.org/versions/v13/techniques/T1021/002/>)\n\n| \n\nLockBit affiliates may use Cobalt Strike and target SMB shares for lateral movement. \n \n_Table 13: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Collection_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nArchive Collected Data: Archive via Utility\n\n| \n\n[T1560.001](<https://attack.mitre.org/versions/v13/techniques/T1560/001/>)\n\n| \n\nLockBit affiliates may use 7-zip to compress and/or encrypt collected data prior to exfiltration. \n \n_Table 14: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Command and Control_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nApplication Layer Protocol: File Transfer Protocols\n\n| \n\n[T1071.002](<https://attack.mitre.org/versions/v13/techniques/T1071/002/>)\n\n| \n\nLockBit affiliates may use FileZilla for C2. \n \nApplication Layer Protocol: Web Protocols\n\n| \n\n[T1071.001](<https://attack.mitre.org/versions/v13/techniques/T1071/001/>)\n\n| \n\nLockBit affiliates use ThunderShell as a remote access tool that communicates via HTTP requests. \n \nNon-Application Layer Protocol\n\n| \n\n[T1095](<https://attack.mitre.org/versions/v13/techniques/T1095/>)\n\n| \n\nLockBit affiliates use Ligolo to establish SOCKS5 or TCP tunnels from a reverse connection. \n \nProtocol Tunneling\n\n| \n\n[T1572](<https://attack.mitre.org/versions/v13/techniques/T1572/>)\n\n| \n\nLockBit affiliates use Plink to automate SSH actions on Windows. \n \nRemote Access Software | [T1219](<https://attack.mitre.org/versions/v13/techniques/T1219/>) | LockBit 3.0 actors use AnyDesk, Atera RMM, ScreenConnect or TeamViewer for C2. \n \n_Table 15: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Exfiltration_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nExfiltration\n\n| \n\n[TA0010](<https://attack.mitre.org/versions/v13/tactics/TA0010/>)\n\n| \n\nLockBit affiliates use StealBit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network. \n \nExfiltration Over Web Service\n\n| \n\n[T1567](<https://attack.mitre.org/versions/v13/techniques/T1567/>)\n\n| \n\nLockBit affiliates use publicly available file sharing services to exfiltrate a target\u2019s data. \n \nExfiltration Over Web Service: Exfiltration to Cloud Storage\n\n| \n\n[T1567.002](<https://attack.mitre.org/versions/v13/techniques/T1567/002/>)\n\n| \n\nLockBit affiliates use (1) Rclone, an open-source command line cloud storage manager or FreeFileSync to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration. \n \n_Table 16: LockBit Affiliates\u2019 ATT&CK Techniques for Enterprise \u2013 Impact_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \nData Destruction | [T1485](<https://attack.mitre.org/versions/v13/techniques/T1485/>) | LockBit 3.0 deletes log files and empties the recycle bin. \nData Encrypted for Impact | [T1486](<https://attack.mitre.org/versions/v13/techniques/T1486/>) | \n\nLockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources.\n\nLockBit affiliates can encrypt Windows and Linux devices, as well as VMware instances. \n \nDefacement: Internal Defacement\n\n| \n\n[T1491.001](<https://attack.mitre.org/versions/v13/techniques/T1491/001/>)\n\n| \n\nLockBit 3.0 changes the host system\u2019s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. \n \nInhibit System Recovery\n\n| \n\n[T1490](<https://attack.mitre.org/versions/v13/techniques/T1490/>)\n\n| \n\nLockBit 3.0 deletes volume shadow copies residing on disk. \n \nService Stop\n\n| \n\n[T1489](<https://attack.mitre.org/versions/v13/techniques/T1489/>)\n\n| \n\nLockBit 3.0 terminates processes and services. \n \n### Mitigations\n\nThe authoring organizations recommend implementing the mitigations listed below to improve their cybersecurity posture to better defend against LockBit\u2019s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA\u2019s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals>) for more information on the CPGs, including additional recommended baseline protections.\n\nThe listed mitigations are ordered by MITRE ATT&CK tactic. Mitigations that apply to multiple MITRE ATT&CK tactics are listed under the tactic that occurs earliest in an incident\u2019s lifecycle. For example, account use polices are mitigations for initial access, persistence, privilege escalation, and credential access but would be listed under initial access mitigations.\n\n#### Initial Access\n\n * **Consider implementing sandboxed browsers** to protect systems from malware originating from web browsing. Sandboxed browsers isolate the host machine from malicious code.\n * **Require all accounts** with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with [NIST standards](<https://pages.nist.gov/800-63-3/>) for developing and managing password policies [[CPG 2.L](<https://www.cisa.gov/resources-tools/resources/cpg-report>)]. \n * Enforce use of longer passwords consisting of at least 15 characters in length [[CPG 2.B, 2.C](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * Store passwords in a salted and hashed format using industry-recognized password hashing algorithms.\n * Prevent use of commonly used or known-compromised passwords [[CPG 2.C](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * Implement multiple failed login attempt account lockouts [[CPG 2.G](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * Disable password \u201chints.\u201d\n * Refrain from requiring password changes more frequently than once per year. \n**Note:** NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password \u201cpatterns\u201d cyber criminals can easily decipher.\n * Require administrator credentials to install software [[CPG 2.Q](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Implement filters at the email gateway** to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall [[CPG 2.M](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Install a web application firewall** and configure with appropriate rules to protect enterprise assets.\n * **Segment networks** to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between\u2014and access to\u2014various subnetworks and by restricting adversary lateral movement. Isolate web-facing applications to further minimize the spread of ransomware across a network [[CPG 2.F](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Follow the least-privilege best practice** by requiring administrators to use administrative accounts for managing systems and use simple user accounts for non-administrative tasks [[CPG 2.E](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Enforce the management of and audit user accounts with administrative privileges**. Configure access controls according to the principle of least privilege [[CPG 2.E](<https://www.cisa.gov/resources-tools/resources/cpg-report>)]. \n * **Implement time-based access for accounts set at the admin level and higher.** For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.\n * **Keep all operating systems, software, and firmware up to date.** Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Public-facing applications must be patched in a timely manner as vulnerabilities can often be exploited directly by the threat actor. By closely monitoring the threat landscape, threat actors often take advantage of vulnerabilities before systems are patched. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from when a vulnerability is disclosed. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in internet-facing systems [[CPG 1.E](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].\n * **Restrict service accounts from remotely accessing other systems. **Configure group policy to Deny log on locally, Deny log on through Terminal Services, and Deny access to this computer from the network for all service accounts to limit the ability for compromised service accounts to be used for lateral movement.\n * **Block direct internet access for administration interfaces** (e.g., application protocol interface (API)) and for remote access.\n * **Require phishing-resistant multifactor authentication** (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and privileged accounts that access critical systems [[CPG 2.H](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Consolidate, monitor, and defend internet gateways.**\n * **Install, regularly update, and enable real-time detection for antivirus software** on all hosts.\n * **Raise awareness for phishing threats in your organization.** Phishing is one of the primary infection vectors in ransomware campaigns, and all employees should receive practical training on the risks associated with the regular use of email. With the rise of sophisticated phishing methods, such as using stolen email communication or artificial intelligence (AI) systems such as ChatGPT, the distinction between legitimate and malicious emails becomes more complex. This particularly applies to employees from corporate divisions that have to deal with a high volume of external email communication (e.g., staff recruitment) [[CPG 2.I, 2.J](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)].\n * **Consider adding an external email warning banner** for emails sent to or** **received from outside of your organization [CPG 2.M].\n * **Review internet-facing services and disable any services that are no longer a business** **requirement** to be exposed or restrict access to only those users with an explicit requirement to access services, such as SSL, VPN, or RDP. If internet-facing services must be used, control access by only allowing access from an admin IP range [[CPG 2.X](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Review domain controllers, servers, workstations, and active directories** for new and/or unrecognized accounts.\n * **Regularly verify the security level of the Active Directory domain **by checking for misconfigurations.\n\n#### Execution\n\n * **Develop and regularly update comprehensive network diagram(s)** that describes systems and data flows within your organization\u2019s network(s) [[CPG 2.P](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Control and restrict network connections** accordingly with a network flow matrix.\n * **Enable enhanced PowerShell logging **[[CPG 2.T, 2.U](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)]. \n * PowerShell logs contain valuable data, including historical OS, registry interaction, and possibility of a threat actor\u2019s PowerShell use.\n * Ensure PowerShell instances are configured to use the latest version, and have module, script block, and transcription logging enabled (enhanced logging).\n * The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. It is recommended to turn on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as reasonably practical.\n * **Configure the Windows Registry to require UAC approval for any PsExec operations** requiring administrator privileges to reduce the risk of lateral movement by PsExec.\n\n#### Privilege Escalation\n\n * **Disable command-line and scripting activities and permissions.** Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [[CPG 2.N](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Enable Credential Guard** to protect your Windows system credentials. This is enabled by default on Windows 11 Enterprise 22H2 and Windows 11 Education 22H2. Credential Guard prevents credential dumping techniques of the Local Security Authority (LSA) secrets. Be aware that enabling this security control has some downsides. In particular, you can no longer use New Technology Local Area Network (LAN) Manager (NTLM) classic authentication single sign-on, Kerberos unconstrained delegation, as well as Data Encryption Standard (DES) encryption.\n * **Implement Local Administrator Password Solution (LAPS) **where possible if your OS is older than Windows Server 2019 and Windows 10 as these versions do not have LAPS built in. **NOTE: **The authoring organizations recommend organizations upgrade to Windows Server 2019 and Windows 10 or greater.\n\n#### Defense Evasion\n\n * **Apply local security policies to control application execution** (e.g., Software Restriction Policies (SRP), AppLocker, Windows Defender Application Control (WDAC)) with a strict allowlist.\n * **Establish an application allowlist** of approved software applications and binaries that are allowed to be executed on a system. This measure prevents unwanted software to be run. Usually, application allowlist software can also be used to define blocklists so that the execution of certain programs can be blocked, for example cmd.exe or PowerShell.exe [[CPG 2.Q](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n\n#### Credential Access\n\n * **Restrict NTLM uses** with security policies and firewalling.\n\n#### Discovery\n\n * **Disable unused** **ports**. Disable ports that are not being used for business purposes (e.g., RDP-TCP Port 3389). Close unused RDP ports.\n\n#### Lateral Movement\n\n * **Identify Active Directory control paths** and eliminate the most critical among them according to the business needs and assets.\n * **Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware** with a networking monitoring tool**.** To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [[CPG 1.E](<https://www.cisa.gov/resources-tools/resources/cpg-report>)]. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n\n#### Command and Control\n\n * **Implement a tiering model **by creating trust zones dedicated to an organization\u2019s most sensitive assets.\n * **VPN access should not be considered as a trusted network zone.** Organizations should instead consider moving to zero trust architectures.\n\n#### Exfiltration\n\n * **Block connections to known malicious systems** by using a Transport Layer Security (TLS) Proxy. Malware often uses TLS to communicate with the infrastructure of the threat actor. By using feeds for known malicious systems, the establishment of a connection to a C2 server can be prevented.\n * **Use web filtering or a Cloud Access Security Broker (CASB)** to restrict or monitor access to public-file sharing services that may be used to exfiltrate data from a network.\n\n#### Impact\n\n * **Implement a recovery plan** to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [[CPG 2.R](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n * **Maintain offline backups of data**, and regularly maintain backup and restoration (daily or weekly at the minimum). By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data [[CPG 2.R](<https://www.cisa.gov/sites/default/files/2023-03/CISA_CPG_REPORT_v1.0.1_FINAL.pdf>)]. ACSC recommends organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media, such as disk and tape, with one copy kept off-site for disaster recovery.\n * **Ensure all backup data is encrypted, immutable** (i.e., cannot be altered or deleted), and covers the entire organization\u2019s data infrastructure [[CPG 2.K, 2.R](<https://www.cisa.gov/resources-tools/resources/cpg-report>)].\n\n#### Implement Mitigations for Defense-in-Depth\n\nImplementing multiple mitigations within a defense-in-depth approach can help protect against ransomware, such as LockBit. CERT NZ explains [How ransomware happens and how to stop it](<https://www.cert.govt.nz/it-specialists/guides/how-ransomware-happens-and-how-to-stop-it/>) by applying mitigations, or critical controls, to provide a stronger defense to detect, prevent, and respond to ransomware before an organization\u2019s data is encrypted. By understanding the most common attack vectors, organizations can identify gaps in network defenses and implement the mitigations noted in this advisory to harden organizations against ransomware attacks. In Figure 3, a ransomware attack is broken into three phases:\n\n * **Initial Access** where the cyber actor is looking for a way into a network.\n * **Consolidation and Preparation** when the actor is attempting to gain access to all devices.\n * **Impact on Target** where the actor is able to steal and encrypt data and then demand ransom.\n\nFigure 3 shows the mitigations/critical controls, as various colored hexagons, working together to stop a ransomware attacker from accessing a network to steal and encrypt data. In the Initial Access phase, mitigations working together to deny an attacker network access include securing internet-exposed services, patching devices, implementing MFA, disabling macros, employing application allowlisting, and using logging and alerting. In the Consolidation and Preparation phase, mitigations working together to keep an attacker from accessing network devices are patching devices, using network segmentation, enforcing the principle of least privilege, implementing MFA, and using logging and alerting. Finally, in the Impact on Target phase, mitigations working together to deny or degrade an attacker\u2019s ability to steal and/or encrypt data includes using logging and alerting, using and maintaining backups, and employing application allowlisting.\n\n![Figure 3 shows the mitigations/critical controls, as various colored hexagons, working together to stop a ransomware attacker from accessing a network to steal and encrypt data. ](/sites/default/files/styles/large/public/2023-06/aa23-165a%20figure%203A.png?itok=4rXQf6Vn)\n\n![](image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAo8AAADACAYAAABlAYnrAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAC5CSURBVHhe7d1/zBXZedjxoZEcy002zsqRLbLBGFC0m0pJlVorB8G2IhGgJK21EWkAJxJVZVKo1KqrFagSbeQWxwGhrZqokOA/ihQbSIKysutEgBKUAiIRcq3GUuOtBRhjsrXl7dpexxvblUX5DvOwD8dz7537633vfe/3I43ue+fHmTNz73nmmXPmwqp791WSJElSB3+neZUkSZIGMnmUJElSZyaPkiRJ6szkUZIkSZ191w9mXn/1bvOXJEmSFt1bHn+i+euB1uSxXEmSFo2xUJLaY6HD1pIkSerM5FGSJEmdmTxKkiSps+knj6+80vwhSQvsb77Q/CFJ8216yeOX7yeNH/tvVfWf/8uDV95L0qIhafz0C1X1Z//swatJpKQ5N/lfW5MkXvvzqvrkp5oZybt/sqo2/lRV/dDbmhmSNJvGjoUkibf+oKru/HEzI1nzs1W17her6vt+pJkhSbOpLRZOLnnslzSWTCIlzbiRY2G/pLFkEilpxk0neRwmaSyZREqaUUPHwmGSxpJJpKQZNdnkcZyksWQSKWnGdI6F4ySNJZNISTNmMsnjJJPGkkmkpBkxMBZOMmksmURKmhGTSR7/3QeaP6boP/5a84ckLY+BsfATP9P8MUU//yfNH5K0PNpiof9IuCRJkjozedRcu3XrVrVq1arq7NmzzZzZsH379mrDhg3NO2lxXL16tW6TvEpamRYieTx69GgdzCRpkUUsLCduwiSpK3se+6D3iGkWEfC5EGg2nT9/vrpx40bzTpotPOoe07Zt26r169c3SyRpMJNHSVpghw4dql8dZpbU1UImj/FMTjwvF1P05MX8Cxcu1FMsz0M7PM8W85ly4OX5u5iXlw/ab0aPZ14nnumLsnHw4MH67y7P1vUqD7wve1iZt3///vpvXpny8TDlY0Z5XG3rUE4sa6t33pYpn3OUw24vv/xys6S3/FnFMYXymMo6cV7i+GM5f7fVnXXjPLatU9a9fE4z15OpPHd5mb3OmqZB7QKDvs9ZLiNiWNm2mZe/17ynHtH2chmhrGfZZiRNx0L3PDJUc/PmzXro5syZM3UyRvBZt27dw+EcphjeYT4IUnv37n04n203b978XYGLebHOpk2bmrm99xsIkFEHpitXrlS7du2qg+7OnTvreThy5Ej996Dh0X7lgfckyfGeYE0djx8/Xr/HiRMnqj179jwsg31zfHEBoP5sE3ViivMS5XJhoJxYfvjw4YcXi0g82SaWUxZlxj4oh3NFfVnOOaT8fkjmOP4oE3GuKY/t47NgYt3yAkWdwXLO9e7du+ttys+bc8g5asNxUve8Lz6DMOg7RZ327dv3cPmlS5e+6+IrjYJ2SDuLGMV3Lrd1JhAXwqDvc8Z3m/JHeYyDNrB27dpH6hE3aHz/WZ5jRq/2J2myFjp5JAmJhJCkDNeuXatfeyFoEggPHDjQzHmwLfNOnz7dzHmA8tv02y8JDQE5J24EdZLYU6dONXO661Ie70lMCP5cOEiWyn2VwT+O/9y5c/UrFyDKLM9Lv3qzPNY/duxYvW6cD5T7oBzWiYsc55BjGwbnIbZnuI4ENT4LMI8yc2LIsZfnr/y8I0HO9c+40Jb7iovhMN+pwDOVuSxpGCR0MXHTQ/sNfL/LRG/r1q2P3Kz0+z5n3PTQZkdJHME+crugntS3143TqPuRNByfeUy4WN++fbt5147lJBc5+DK1JTGrV69u/uov7/fOnTv1a1k+AbMfgmm5DQlQ1/IiOeJOnoAdCVY/ud4E7bZkhnkR0OMiwP6j9yBQf+pU1jNj+ZYtW5p33ZAMRrnRyxn4zLgI5v1x/KWyJxL0El68eLF5V1WXL1+uE/A2caFbs2ZN/Vrq8p3ioklSz/xIVKVRRU8dEzez3DjmnkW+Y/m7yHcv2vGg73OItsSNzqQ88cSDf6iYx1WILXHTSx17JZSSJs/kcQQkTTn4xpR7p8bVVn6/IEwgLdfPCWC5jCmXlwMvQ6LTwn5JitoSOnooyjoy5Z6HYXEOKCMeD2CfuVeRRLncH9Og5HnHjh31cURZXFwZzh7VoO8UPZG8p75eLDVJfNdJwuLxDNok37F4PISp141RP7Q52kh5ozhJtA/qR+ygDbXd6EmaPJPHPtp60nj+JvcITVrczQ9KDAiUXXQtj14HAjAXDBK7Lr1bnAfOBwjabftgXhnQI9HlgnTy5MmH8wYNOeWeztDlBzOI5IsyYii4rbyuqC/ni8cNSCApq1fCGd+j6AUuDfOdIpHmOBDD+dIk0Sb4bo/6fQ70EkY8yTeJufdwWHfv3q1fy1EdboTZV76hkzQ9Jo8DEPgyepxQ3k3zfhJBK56Z4xmjjOSuTOi69BB2KY9XjpO7+OiFoOchIyjnJDCGuOJ88KB6mXRywWBe/FMg5Tli2DfKjB+h5KEz5KSUoWJ6R6IM5rcNM2f00AXWzwlvlJfr3Jbs9sIxk/ySjFJWP5xTej7jWBB1G/SdKusUxz9o2FDqgu8T7SB6F2kftNv4rtI+olcy9Ps+Z8QTestZN9pZJKX5ed62bcF2OfEkLpHYksBSXo4X8dx418eFJI3O5LGPGDIksEVwI2jR80NwjflMJBK97tSHFT1LuXwCeiSC4McjUYcy6Sj1K4/gT0AmwEePQhx3LpeeNZ67i+25mJCIxTaUFc9OxToEftaJ80K5JHuxHDF0zjqsS7mxnInjjH3Q68ZFK8qgTnFsvTB0FmWxPtvHMDivLM91Zp2uD91zzFHnSAB74djZN+XHvtg3Bn2nWE5yGvM5fj6v/H2QhpG/Z/F9inZPu4hhYJbHD8uyft/nUrRb2lkkm8SK3NZ5T1kl9stNcqxHvSJmRPyKZcQbyol4IWl6Vt2/aD1y9X391bvVWx5/MKzQ6suv3L/F+/Oq+uSnmhkT9O6frKqNP1VVP/S2ZoZmAXf39BJ2TaqklWBgLPybL1TVrT+oqjt/3MyYoDU/e/+u4her6vt+pJmxeEgISR7jZk/S8miLhcP3PJLYvfcfV9W/+pcPkr1JoBzKo1wTR0nzgMTux5+rqn/0Xx8ke5NAOZRHuQucOEqabaMPW08iiTRplDTvJpFEmjRKmiPDD1v3MsxwtsPTkmbcyLFwmOFsh6clzbi2WDi55DH0SyJNGiXNibFjYb8k0qRR0pxYmuQx5CTSpFHSnJlYLMxJpEmjpDmztMljeOV+Evk2k0ZJ82XisZAk0qRR0pxpi4XT/3ceTRwlycRR0orhPxIuSZKkzkweJUmS1JnJoyRJkjpr/cGMJEmShKX/tbUkzSFjoSQt16+tJUmStGKYPEqSJKkzk0dJkiR1Nv3k8dtfbP6QpMX2ub/+avOXJM2v6SWPJI1f+khV3f61B68mkZIWFEnjf/id/149+2/O1q8mkZLm2eR/bU2S+JU/qaqvXWlmJD+wuap+8Geq6k3vaGZI0myaxK+tSRJ/9xN/Wf3hn36mmfOGX/jpp6pf+fmfqN71w29t5kjS7GmLhZNLHvsljSWTSEkzbpzksV/SWDKJlDTLppM8DpM0lkwiJc2oUZLHYZLGkkmkpFk02eRxnKSxZBIpacYMkzyOkzSWTCIlzZLJJI+TTBpLJpGSZkSX5HGSSWPJJFLSLJhM8vjZX23+mKIf/Z3mD0laHl2Sx7//T3+7+Wt6/ufv/4vmL0laem2x0H8kXJIkSZ2ZPE7Zhg0bqv379zfv2m3fvr1eT5JWmlWrVlVHjx6t/75169Yj76fl7Nmz9X6uXr3azFk+1CHXpXw/LXEOOOfgnOf3o/BapbAQyWM0mjzZACQtMmIgsZAkQ5KGsVA9jzzeGRMInMPo0os4ivPnz1c3btxo3knSdNHrdfPmzWrbtm3VqVOnmrnTt27dujr+HjhwoJkzvra4vHPnzno/mzZtauaIc8454TMYpFfvqNcqhYUdto6A6V23pEVz+vTpat++fdWePXuqCxcujDWUKWnxLGzyuHr16vr1zp079Su4e41hbaZ4LifuwrhTP3HixMPlIZ7jiYnnQkp56LwcMme/eR7r8j72G1N5F1jWt9d6kpQRx3bv3l330OHcuXP1ayAGEcfK2JZvtiM+gXgV6wwanWGdiK2BfcX2TDmZHSUux7IyFuZ6MpX1YDnz8j5zbO6lLHeUGJy3Z8rnmvLL89r2/CF1Z9s25TOQyPWO8nndvHlz/Tev5bK8T/bH+zjfMZXHz3Z5ea/1ND8WNnl8+eWX69c1a9bUr3y5165d+3BY+8qVK9XBgwfrLzdDH8xbv359fbce64CGyPwjR448nM+wQG74BDbEcoJdNMZeWIdegdiG/UaDBo2WcmP5mTNn6vls51CNpF4iNkWcYOj65MmT9d8ZPZLEthxjdu3a9V0XfJIARnJYJxK5MinrhySIodDYD7E3JyujxOU21JNEJ9ajrpRVxmLm5X0OiteUGcfPxLUgx+pBIkHPx8Bxcq7jPO7du/fhdSTE8HFOBi9dulSX00Ukn7FPcF6PHz9e7x+8sox5vXitWkwLmzzy5SboxJ03jSM/hxNf6rt379avvRw7dqwuJ29LWVEuaEx5Oe8vXrzYvOstP1tCLwEicJdBIvZ3/fr1+lWS2pDo5NjBhZ8LeZkUgot9IMYQ6xjyzkgwIl5y40zZbcloG/ZJkpqfu6Qsnq3DqHG5FElYlAvqSqJXJmXDxmvidE6CNm7cWL/mpK6fuIbkBI3y8nmMMuMz4nXr1q31FDGf/XEun3nmmfr9sNh/Po5heK1aPAuVPEZXedzl5S88yqET5GHtNjTY3I3fBXe1BOthxDB7BM0tW7Y8EvSiN+Hpp5+uXyWp1JZgxMW8TArbEOsGJUXDxLeIZxHf2owSl0u3b9+uE7RSjDz1O6Yux5PrF71uMbo1SK9rSN4vSR31v3btWv2eVz5DpsuXL9fzIhnLHRf9HDp0qP4uUOdheooH8Vq1GBYqeYxuc6Z8lwcaL8lkXmceRMBiiIMegC6/pJO0mOLZRuJFxA4mlD1ws2DW4zKJH+ePzoioXwz5ThpD19ETySvJF1N8biSRuYdvEBJS6sswMkP1HEdb7/OkxHfNa9XKsLDD1iXu8A4fPty8a9d2d0gDKHswlwLBg0YfAYtp1CEHSYuBuJETnZgi4cnParch1g266Pfq5WvzxBMP/suzXr10o8blUq/ew+jBHDWRiXo///zz9esoel1DyvPI0DXHQILHK9sxsQ7zGFofZciankq+A5QTvc/9eoKH5bVqZTJ5bNBw8nM3DJW0KZ994fkOGnLu9ufh6kFBeFwEzLL3gGnQkJKkxRRJRzyTlsXFPIZAAzElEOPatmeYNnqseKUnjF6yLmI4lucuA2VE/B01Lpd27NhRv+YfvrAfetx47nFUkWTlX6sP82MZtF1DuH5wHnPiHOeKefzIKfDcI/Moo+uQNfJny3WD7UmysxgmH4fXqpXJ5LFB8InnP5h4ToOGmjHUTQNjedzt0qC5a49u/2gUwzTiUXDHWfYgEATLOksS6FUiPvTq9SGelEPXxLaIa8Q43pfbM4+EiXV4JQ7lH5wMEr1usR/KiMeKRo3LJeIlMZLjy/uhR2yYupYoNw/7MvF+GJxP6p/LiKHd8jpCosj54DwEehuZN8yQNahn7I9zyvZxLjguPseo0zjPRHqtWplW3f8gH3mI5PVX71ZvefzBUEKrb3+xqr7yJ1X1tSk81/ED9+/YfvBnqupN72hmqA13zAS+MpDHfAIRDVbS6AbGwvs+99dfrX73E39Z/eGffqaZMzm/8NNPVb/y8z9RveuH39rMWTokCyQOxeXhEb3ikBS8Vq0MbbFw+J5HEru3/3JVrf3Ag2RvEiiH8ijXxHGgGCophxQYuuBuzsYoLQ0Su3//q/+wevE/7ayTvUmgHMqj3OVIHNXdK6tWVd+5nwDh9Q99qH7Pq+8fvH/yfoL4r+//zbUqL+da9YHHH68eu3+9ev03fqNeX3OGnsfsG//3C81fHX3r/9y798XfvXfvf+8dfmI7ttfQ7t/J0SXwyLRt27ZmqaRxDR0L77t19yv3PvDbf3bvJ37xxNAT27H9LDhy5EgdU/qJGMTrovrGBz9472tbt9771sc/fu/L98/F67/1W762vP7z+1N+PfbUU/Xr337kI/e+8p733Pvb48ebM6pZ1BYLx08ewzBJpEmjpBk3ciy8b5gkcpaSRg3v6/v314nQN3791+v3vPq++/v/96lP3Xv9N3+z/luzqS0WDv/M4yD9non0mUZJc2LsWHhfv2cil/OZRknqqi0WTj55DDmJNGmUNGcmFgvvy0mkSaOkebK0yWMgiTRplDRnJh4L7yOJNGmUNE/aYuH0/51HE0dJqpk4SloJ/EfCJUmS1JnJoyRJkjprfeZRkiRJwtL/YEaS5pCxUJKW6wczkiRJWjFMHiVJktSZyaMkSZI6M3mUpCXy+W9/p/lLkubX1JPH1z7/9eYvSVpMJI0f+uI3ql+69bX61SRS0jyb2q+tSRr/6vRnqxsf+1y14b3vqn5s949Wj73z+5ulkjTbJhELSRJPv/rN6mNf/VYz5w3vfev3Vrsff3P1zjd9TzNHkmZPWyycePKYk8aSSaSkeTFOLOyXNJZMIiXNsqkmj/2SxpJJpKRZN0osHCZpLJlESppFU0keh0kaSyaRkmbVMLFwnKSxZBIpaZZMNHkcJ2ksmURKmjVdYuEkk8aSSaSkWTCR5HGSSWPJJFLSrOiSPL7npVebv6bnL558vPlLkpZeWywc+p/q+fgvXZhK4gjKpXxJkiTNJv+RcEnSkjl69Gi1atWq6tatW82c+bNhw4Zq//79zbvhsS1lTBPneJw6Sv0sRPIYwWpQwNq+fXu9Tm7Ueds8Mb8U27ctk6TlFvFMksaxUD2P69evr44dO9a8exRJ5YULF+p12vBoaJ4OHDjQLHkgtt+2bVt18uTJZq4kKSN2EkPXrVvXzNE4et0QcI6PHz/evJMma6GSx71791YnTpxo3j2KpJLEcevWrc2c4Zw7d65OHA8dOlTdvHmzunr1arNEkiRp5Vio5HHHjh31a9uwMknl4cOHm3fDo7dxz5491aZNm+ok9PTp080SSZof8WhOTGfPnm2WPMCNcbkOU36+rm15PA5EebyPR4jy+7x+ud9Yr5z6PSZUrpsfW2I76lQeT3njXy4v69Wm3KbL843l8fEYVEYZ1Dkej+KVeQcPHqyXx3ZRP5blzyS2Z16s21Yv5sXyPEnZQiWPDJPs27fvu4aVI/js3Lmzfh0WgYLexqeffrp+T+9lrx5OSZpFkbwRI+PxnCtXrlS7du16GCNZZ/PmzdWZM2ceroMjR448HCIl+chlMCLDdOPGjXp5L9x0xzaUx34j2SPG8p76sJx4C+pRPkIUOBbWizKpUzmyxHJu+vM6HF+I46U+sU6MLvVCXXOZTOj34xXOL8eXt+F8lQkkieKWLVvq5efPn6/XoW6I7fpdx9h+7dq1D9flOHK9IiGN5ZyP+FykbKGSR+zevbtuMDTwQDIZDbCXfAfGlLenl5HgGM/wsA90uUOVpFkQj+7k5+QYSSGBiBvu69ev1685QWH5pUuX6r9JtoivEQNBIsXz4IPkhCxGiWJ/165dq+tGfUCsJeZevny5ft+GhCc/V/nMM8+0Jn05qY16R3zncSTkBJX1qUsv1LFMlElaIxFuQ1JHIpwxEsZ5y9txzL2S5S74rPL2vL948WLzrqr3x+cV4nrZr+5aTAuXPMawcgxREyRoHBGseok7sZgiiIFeRu4GQ+zj1KlTzRxJmm0kCG3DmPRURdIVoyv5xjjHP5I1Yl9+bIc4SNIzjEj67ty5U79u3LixrkMkddSVRIeEsBfWyTf89OzF/F5Wr15dv969e7d+JSketu4oh6A5R2VCGaI+1C9vE/XNcjI8CfmzBcear1t8jnyek96v5t/CJY/ghzNxR0cSSYMZtXFEEOXOMTd8GmR51yhJK0FOdMreLJAsxXKSJoZYJ4EhZMokoWG0qNcQLUlmrBM3/GXP3rTEEHQMsTNxjgbJjwLkaakTN65b8dn1S3q12BYyeYxAxzANDYVnWEYVd9Vlg4+7uRj2kKRZRpLSlijcvn27TsQQ/6pEjnV5mDtGcvLySSQf9ICRgOVy+w3fRs/hOEO86HVOcm9difPFOcqjU/1Echi9rMNas2ZN89d46Ojgelh+flKbhUweQSDiroqg2LWRl6Kx5WdEAgGBsuNZIEmaZfF8W/w4BoysECfjMR8SldwzFVNsE8O+5fLyhx/DYng192bG1Ou58ieeePD/8MZyYnXbMPAgbeekbWg/o66coxh1inPYD9cjRq9iWB78Pcx5y9uOIpJYrlv5HA86Xi2mhU0e48FohrBHFb2KvYZO8vC4JM2KnBwwkeBwE02ilB/BieHXiHGRlOWeqdiGMiIByUO2TPTe9fu18SAkrSQ1ucz4JXhb0sSxMGQdw+tsO8qwNeWwXT4ng57hpLeT5ZGEMbI16AeZ9N6yTgzLM9Ep0WW4n8+G/cW24ySRcZ7yeSZ5HDf518qz6v6X45F+6ddfvVu95fEHAaLNR94z/WHYX/6L/j9ekaRpGxQL8flvf6c6/eo3q4999VvNnMl571u/t9r9+Jurd77pe5o5y49Egl8Ol/9zCfO5WWbIll/vlkO9JI7cRI/67CNJEclVOQzNfJKdXjfw6o7eVZLkIiWo5/Nr+0k8fqD51BYLh+55/Ce/t63a8N53Ne8mi3IpX5LmAYndv33H361+b90P1MneJFAO5VHuLCWOIEnM/7QL6HGk95FfRMevd/NoC38zbJv/RYph0SNWPgIUQ8nxC3CNJ56dLHsuSShH/Z/XtHIN3fMYXvv816u/Ov3Z6sbHPtfMGR1J44/t/tHqsXd+fzNHkpZX11iYjdMTOYs9jW1IIEkQM97HkDW9jOUzfpPoHaSXsVT2kmk80fuYtfX4arG0xcKRk8cwThJp0ihpVo2SPIZhksh5SRolLaapJI9hmCTSpFHSrBsneQz9kkiTRknzYKrJY+iXRJo0SpoXk0geQ04iTRolzZMlSR5DTiJNGiXNm0kmj4Ek0qRR0jxZ0uQxkESaNEqaN9NIHiVp3rTFwqn/I+EmjpIkSSvHwv4PM5IkSRqeyaMkSZI6a33mUZIkScKS/2BGkuaRsVCSlukHM5IkSVo5TB4lSZLUmcmjJC2R29+83fwlSfNraZLH219t/pCkxUPS+MHPf7Da8b921K8mkZLm2XR/MEPS+NFPV9WLL1XVs09W1ft+vKrWvrVZKEmzaxKxkCTxo1/6aPXiKy82c97w7Nuerd739vdVa9+8tpkjSbOnLRZOJ3nMSWPJJFLSHBgnFvZLGksmkZJm2fSTx35JY8kkUtIMGyUWDpM0lkwiJc2i6SWPwySNJZNISTNomFg4TtJYMomUNEsmnzyOkzSWTCIlzZAusXCSSWPJJFLSLJhc8jjJpLFkEilpBnSJhe/+H+9u/pqeT/6DTzZ/SdLSa4uFo/1TPTt+fzqJIyiX8iVJkjRz/EfCJUmS1JnJ4xzbvn17PWk6OLcbNmxo3kmLZdWqVdX+/fubd+M5evRoXV4/V69erdfhVdJsW4jkMQJXW/A6e/ZsPf/WrVvNHElamXIszBPzJamrhet5nESQ9A55NtFLMkpPYa/P8/z589WNGzead9LKwe8kY7p582Z18ODB72o7LDt+/HjzTpLesFDJ45EjR+ogaS+jJD2wbt26OoFkmtQwtaSVbaGSxwMHDtSvx44dq1/7yUM6TJFwElw3b95c/80ry5jX9kxPDInnHi3KYR7LAnf8zIup7B1lOfN4Bo/lvZ5zjDrksrPoYYup7GnjOPLysh5xPOUU60U9czlR16gbU1vvYL99xzmjvvlcsU3g/YkTJ+oLYCyP44vt8xQoo+3zBK9lXdvOQRbLy332+kykWUACuW/fvroNBb77uY0Nih95GVPEzGyUdpHXZ2orNxA3qHdZV7Yp913Wn2PNy3MMCnl5jg1sS6zLcS6UdWEqjyFiO1Ov+C7NkoUbtqb3kQBZBo4QAebMmTMPh3XYZv369fUyhnGuXLlSr8trDO3s2LGjnpeD4eXLl6tt27ZV165da+ZU1fXr1+vXnTt31q/siyAU+4ohpBy0wbwtW7bU6zCcWiJosQ71jrIz6k5ylI9rz549zdIHwYt1ynpEAOV87dq16+ExsxyUF0k52Gbt2rUP17lw4UJ9jJcuXXqk7Hx8g/YdqP+pU6fqdagHn2Ocb+Zx8eNzinI2bdpUl5vnMfGZRIDu9Xm2oT75HDCxT46P/WR5n3x/2K5cR5olzzzzTP3aFhv57vaLH7QB2m0so11s3bq1WfqG3C4oi3YxaizuhXpQt9iG9s42TFFH6hc3jSAeRdxioo0Tg3LdqAvbxTp79+59JEYR63KcA/GpPG9xDFE2++bxmFhOnPdmU7Nu4ZJHEh0a7uHDh5s5j6JXkmCTE7BIjs6dO1e/tuHOnXJJGMPFixerQ4cO1QElkPxQPiLw5GSQciLBzdgmJ2kZgYZAR8BrSxx7ief5CGIEvpw0RU/EyZMn6/ckwBwfCRlYTp3y8YJtop6xDlM+Rtbh3KDLvgMBOPbPa3m+21BWBPJAcB7lWUbOMZ9N1AFR7/K7wUUqxI1F3DhIK0FuQ7Qx2logEc1tIOS2SKyiDZ8+fbqZ86hRYzFy3SLJpT5Rx927d9evkcDRjnN8jTZ+9+7d+jVidY5TrF/G5PLGnvhPLCuPod9xs3yYOC4th4VLHkHiSMLSdnfHHW30luWpC+5EIymiHHoUCUKUF/g7gtnt27frIFJas2ZN/ZrvrnNgziiPu/ecWLWJhIx1OZ5cdgRI6pKPOSewGzdurINvBNs4T9FbMaou++6F85uPoxfqnMsmCWy7sPUT+4nPJqPufJa9xGd3586d+lWaZatXr27+ekO/+AHe5zbGejG/n35tmPmjxuJR5KHj2E+02V6xOmtbTpyhR7OUj/v555+v12Of5YiTNKsWMnnkro47Wu4K27AshhDyVN5lluhhigSLO2N6uEB5JKqReE3yrpKyI6hH+b1w18xxsA2BjgCWUffymMseOoZgCHJsTy/cpI6ly75H0WvYSNKjohe/141qr/hB3Il4EG2M9jYJo8biYXEsxJu8j6XC+WZ/jBxx00x8ddhas24hk0eQOJKwMIyc0ZAHJS1td+ZgW4IoQ7wMVUcvFUkkgZn5BMPAHSl1KMXdbq8gXiKoU25+hqcfhlYIVJHoPvHEg/+z8uWXX65f2zDEQpKag+skAniXfXfVdofPueQz6Zfk9vo8s/gs2noPOY9t+5bmCYkLbXyQMn7E6MEo8YBY2yvOdYnFk8Kx9HqUCb1i9SDEnrZRibbjZuSIuEosL69L0qxZ2OSRhkqgzEPK4FkYgkQ5fNA2vJJ/CBMYuiZxpNynn366nseQL8PZPMOXHzKPZ+HyvgjG8WzdMOJZm7I3MXAnm/cTdSdx4lwQ5Mrkk+d84lkfgmfcFedp3DvkLvseBp9d/pxI4OMihzi/bdo+z4zvC9vm8uOHN5PuCZGWCt9n2jLtMD/Tl/WLH3EDGLGA8mLYusR+Au2bthnPH5aGicXj4thzwhbtOrTF6i4xiusBcTPiDyiD42K4GuXxcO3o2nEgLZeFTR7RFihJZmjYZaJEYIkGzSvJHYkEy3IAIVGk8ROMYv0okyn3gLGcO828rxhiHSUZiX2UwRbsNy4STNSd3oOoI3fC3PHGcibumKMeJGEcU+55ZPsuw+WDDNp3V6xPHZkog+PluEn6OK/Mi/Ob9fs8M74vrBflM1F3zoUW07m/d6569m3PNu8mi3Ipfxri+8vE95k20a+Xr1/8IL7RLuJ5yCivRBtnm7IMtm/TJRZPCjf3+flKRos4jsD+yrrQGTAoRrGccxHxh4kyiBlxDBxPjimcp15JvDQrVt3/Ej9y5Xv91bvVWx5/cCfZ0+2vVtVHP11VL77UzJigZ5+sqvf9eFWtfWszQ7OAoMYFogyWzCc49hsWluZRp1jYuP3N29VHv/TR6sVXXmzmjI6k8X1vf1+19s0+CiFp+bXFwtGSxzDJJNKkcaYxtMKU/ykKeujoPeCOfNI9AdJyGyoWNsZJIk0aJc2iySePYZwk0qRxbtDLWCq+PtKKMVIsbAyTRJo0Sppl00sewzBJpEmjpBk2Vixs9EsiTRolzYPpJ4+hXxJp0ihpDkwkFjZyEmnSKGmeLF3yGHISadIoaY5MNBY2SCJNGiXNk6VPHgNJpEmjpDkylVgoSXOmLRYuzb/zaOIoSZK0Iiz0PxIuSZKk4Zg8SpIkqTOTR0mSJHXW+oMZSZIkCcvza2tJmjPGQklazl9bS5IkaUUweZSkJfLSSx3+61ZJmnFLkjy+9tprzV+StHhIGvfu3Vs99dRT9atJpKR5NtXkkaTx+vXr1R/90R/VryaRkhZJTho//OEP1/N4NYmUNM+m8oMZkkSC4s2bN5s5b1i/fn315JNPVo899lgzR5JmzzixkPj3wgsvPEwY+3n/+99fPffcc3VclKRZ0xYLJ5o89ksaSyaRkmbZKLFwmKSxZBIpaRZNLXkcJmksmURKmkXDxMJxksaSSaSkWTLx5HGcpLFkEilplnSJhZNMGksmkZJmwcSSx0kmjSWTSEmzoEssXLVqVfPX9BQhWpKWVFssHOnX1vx6ehqJIyiX8iVJkjR7/EfCJUmS1JnJoyRJkjozeRzg6NGj9XNNt27dauaMb8OGDdX27dubd91EPZbC1atX630xtdWTc8Gys2fPNnNWBo5p//79zbvByvX5XIfZXtLSWqmxS1pqC5E8RuKVJy70ardnz55q37599YP658+fb+ZKmnfGQkmTsFA9jyRDMYHAOciBAwfq9detW9fMGd+NGzdmNinjzpwfLT3zzDPNnNlAD+iwvbXD4nM+fvx4826wYdeXZkXEQSZ0iYWSFBZ22PrUqVP1q8MXkhaZsVDSsBY2eVy9enX9eufOnfqV4RyGbwigMZxDL1y8j2ce8/tYj6kt8ObleWio7EXjb/af980U++ylrAPTIOWwVa4Xy/h3NrFr1656edtx9UJZuWyenczKfZfPB7YdfxzjhQsX6ikvK8Wzmsh1KffDPPYV68Ry3rf9nbE+x4Fe62Qsj3rkbUN5zG3rDTpv0jjKWIhB39u8nHaQEc9iWcS5aJs5JkTbLssu21VZlxw7wfKIobFOKNvOyy+/3CxpF/UsY2vEQeoW88p6l225rCfvqWtZp1J5vIP207ZevzLi2OJYy+VSFwubPEYQWbNmTf0KhmsPHTr0cDin31A1SVasd+TIkTrZygkNDTKeG2Tau3dv3wZ68ODBugcg1mfbSOTa0PBZfuXKlUe2Yb+9EFDYD8cZ20QwBEP08e93njlzpl6+c+fO+v0glMExRrlsv3nz5ocXC4799u3bD5eznxMnTjwMyqzHOYzjYTn15TPg/bZt2+optu/32VCXOJexn/Lcs6/Dhw/X67QNPXMsbJfFsezYsaN+HYSLBd+JqDN14fxHXdqOGZw7PgtwDk6ePPmwDCbqxXxpEspYyHdr7dq1D79vfD/53ua2zHcwltOO4jvNtjyWE8u2bNlSt/FNmzbV8er06dP1erh+/Xrdpi9dutTMeeOxmd27d9fvaUN5X0yUXyas3FhSTqwD9ku9c/siJnVBXVmf7SK+E1ciZtBG8zlhXzl+M1GnMu5wLDkOsp+cZA46911ixqC4EzgXUU5sK3W1sMkjDYeGWyZHFy9ebP7qLxotIpkgGCIaaU5KaJz9GihBND8H+fzzz9evkVyVCGIkiwTl0G8bggmBiyCTE6+oY6/9dMHxci7z8XFe88WCZfl8UAeW596OjOWjPhdKQIzzQjmcJxKwjHn9EuP4TPN54Vj4nPolroEgz8WjPOZcl2vXrtXnINeV8i9fvly/j88shhUDFzPmS5NQxkK+s7ktx/fz7t279WuJ7XrFNuZHuVu3bn0kvvI952addhLOnTtXv7LPaEO054z2QPyNhCqU8YL1aE+5feW43Q/7jHYesYDYGccSr7Rh8L7cP/smUcyYl2MCN6n5+Aed+0Exo0vcCcSRKEca1kIlj9w5xkRj4g62FAFjGLFNJEIEDBr4OMoyS9SdBCIfU799Ru/CE088+l8MDdpPFxwvQTnXhakM1NxVl8sjuBLECIJcyFg2SdzJl3VhXj+clxyUwYWPX6J3EcGezyQfc076Nm7cWNcrLoIkiwT++LFSfGZxTmKiF0EaR/4+tcVCeq/yOogYEckN83OvGbiBjVhQ9o7Tm8gyvuegPUW7jzZA7yH1QbShGFYP8T4ns22xj7ZEz+dS4SY6nzP2H8faS/T25vX6nftBMaNL3Al51E0a1kIlj9GNz5TvzOYVQTYfU0xxV7yUCFZtdYnzTEAkgOVlZcDnzj3mE/DKC9NSI1GMoEuwJmgPe27ZJh8zU3mhjuSQ46Y3oNxHDC2VkzSq/D0qYyFDwnxH8zol5vHdJnHhuxujLdx0sYzvbNzcRu89iSLfcXoXaU8x9EyCFyMUlBdD1vOERJmbutzeSYqH1eXcY1DM6BJ3pHEs7LD1NLX1dA0r7kR73R0SZAbd1WZtd+sYtJ8uuhwvgYsg1wXrMkSU79yjh3QUo/YER0DmQsdwUfSIdBE9vP0e0OeCWd4A5CGrXp+ZNE20ZR6LGSQSRb7D5ZAoiSLLSKDyYxcMXdO7SHuKNk1vGr2Q0ZsWQ6m92lCvUZQSbb4cNu7XHsdBnOI8jBOnMOjcD4oZXeKONAkmj1MQz8jkYRvuzOPuvA2JUu5pi2179XTRK8Y2ZZncjbYhqBHIedg6I5gTZHvtp4s43rKnkPdxQSDZzRcYji8nnOX5ieHiHIw53i64K4/98koPCM8WjYJATcCm7sP0iEQvC3XJ8nGSdEfvTJ6ipyZ/ZvlGgeXlkKCWx2c+85nq/e9/f/NusiiX8pca39uc8PVr1yDxi17E8qaWNpvbMG2IeSSQMdRKW4mkifYWog2Vj4rQpmgXkWT2Ej96i7pSr7I9TgrHGKMUoI13jVfZoHM/KGZ0iTvSJIyUPP7cz/1c/QWdBsql/HlGICEY5kZO8pHvEEsEQ4ZvYn0CD3eVvZDsMTTEUElsw5QTshLDwgTnvD7BftzhDI6XulLnXDZBPwI8+6ZusQwcc+DccI5iOecuH0sMreXte+G8EDxZj1d6PPud+3642MVFYdDFqsR55Rijzkz0hERd6O3l+557Eag7yWJc8OIzY70og4vLSnjsYiV48skn6+/tJJPISBopl/KXGslgbsvEpRzv+e5F+2JC/FiE72b+rvL9z9/VaEOU//TTT9d/g/WYV96g0YaIUVEeE+0h9tcP7Yx1o67R1qaBY8zHnZ/dHMagc98lZgyKO9IkrLr/5XukNb3+6t3qLY/3Hw4Ir732WvXSSy/1TVi6okEQKB977LFmzuKIu8suAVG9ETy5UBBMh030lgNBvS2xZX7+ZaeWxzCxMBAPX3jhherDH/5wM6c7ksbnnntuWRJGzQdjhpZDWywca9iaRI+7x3F6ItmO7SlnERNHLS6++/RQZDG0lHtlND9G6Ylc7p5GzQ9jhmbFWD2PpWF6Ihe5p7Fkz+NkzFvPI+gxKBVNUstknFgY+vVE2tOoURgztNTaYuFEk8fQL4k0aZQ0DyYRC0NOIk0aJc2TJUseQ04iTRolzZNJxsJAPDRplDRPljx5DCSRJo2S5sk0YqEkzZu2WLgk/86jiaMkSdLK4D8SLkmSpM5MHiVJktSZyaMkSZI6M3mUJElSZ62/tpYkSZIw8J/qkSRJknpx2FqSJEkdVdX/B7rV6TTnlK9QAAAAAElFTkSuQmCC) Critical Controls Key\n\n![Figure 3: Stopping Ransomware Using Layered Mitigations](/sites/default/files/styles/large/public/2023-06/aa23-165a%20figure%203B.png?itok=FSqUBFFp)\n\n_Figure 3: Stopping Ransomware Using Layered Mitigations_\n\n### Validate Security Controls\n\nIn addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.\n\nTo get started:\n\n 1. Select an ATT&CK technique described in this advisory (see Tables 5-16).\n 2. Align your security technologies against the technique.\n 3. Test your technologies against the technique.\n 4. Analyze your detection and prevention technologies performance.\n 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n 6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\n\nThe authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.\n\n### Resources\n\n * ACSC: \n * See [2023-03: ACSC Ransomware Profile \u2013 LockBit 3.0](<https://www.cyber.gov.au/about-us/advisories/2023-03-acsc-ransomware-profile-lockbit-3.0>) for additional information.\n * CISA: \n * [Stopransomware.gov](<https://www.stopransomware.gov/>) is a whole-of-government approach that gives one central location for ransomware resources and alerts.\n * Information on no-cost cyber hygiene services is available at [Cyber Hygiene Services](<https://www.cisa.gov/cyber-hygiene-services>) and [Ransomware Readiness Assessment](<https://github.com/cisagov/cset/releases/tag/v10.3.0.0>).\n * CISA, NSA, FBI, and MS-ISAC: \n * See the [#StopRansomware Guide](<https://www.cisa.gov/resources-tools/resources/stopransomware-guide>) developed through the Joint Ransomware Task Force (JRTF) to provide a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.\n * FBI and CISA: \n * See [Alert AA23-075A - #StopRansomware: LockBit 3.0](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a>) for information on IOCs and TTPs identified through FBI investigations as recently as March 2023.\n * MS-ISAC: \n * See the [Center for Internet Security (CIS) Critical Security Controls (CIS Controls)](<https://www.cisecurity.org/controls>) <https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0>for information on strengthening an organization\u2019s cybersecurity posture through implementing a prescriptive, prioritized, and simplified set of best.\n * See the [CIS Community Defense Model 2.0 (CDM 2.0)](<https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0>) for the effectiveness of the [CIS Controls](<https://www.cisecurity.org/controls>) against the most prevalent types of attacks and how [CDM 2.0](<https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0>) can be used to design, prioritize, implement, and improve an organization\u2019s cybersecurity program.\n * See [Blueprint for Ransomware Defense](<https://securityandtechnology.org/wp-content/uploads/2022/08/IST-Blueprint-for-Ransomware-Defense.pdf>) for a clear, actionable framework for ransomware mitigation, response, and recovery built around the CIS Controls.\n * NCSC-UK \n * See guidance on [Mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>) for information on defending organizations against malware or ransomware attacks.\n * BSI: \n * See [BSI\u2019s Ransomware \u2013 Facts and Defense Strategies](<https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Ransomware-Angriffe/ransomware-angriffe_node.html>) for a comprehensive collection of resources on ransomware prevention, detection, and reaction. Note: These resources are in German.\n * CCCS: \n * See CCCS\u2019s [Ransomware playbook (ITSM.00.099)](<https://www.cyber.gc.ca/en/guidance/ransomware-playbook-itsm00099>) for information on ransomware prevention and response.\n * See CCCS\u2019s [Top 10 IT security actions](<https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions>) based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion.\n * CERT NZ: \n * See CERT NZ\u2019s [Security awareness building](<https://www.cert.govt.nz/it-specialists/critical-controls/security-awareness-building/>) and [Creating an effective security awareness program](<https://www.cert.govt.nz/it-specialists/critical-controls/security-awareness-building/creating-an-effective-security-awareness-program/>) to assist organization\u2019s in providing adequate security awareness and training to personnel while creating a positive security culture.\n * Businesses can find information on developing an incident response plan, creating a contact list, and communicating ransomware incidents at CERT NZ\u2019s [Creating an incident response plan](<https://www.cert.govt.nz/business/guides/incident-response-plan/>).\n * NCSC NZ: \n * For guidance on ransomware for public service agencies, see NCSC NZ\u2019s [Ransomware: Your organization should be both protected and prepared](<https://www.ncsc.govt.nz/news/ransomware-advice/>).\n\n### Reporting\n\nThe authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country\u2019s respective authorities.\n\n * Australia: Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to [cyber.gov.au](<https://www.cyber.gov.au/report-and-recover/report>).\n * Canada: Canadian victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the [Canadian Anti-Fraud Centre](<https://www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm#a1a>)) as well as to the Canadian Centre for Cyber Security online via [My Cyber Portal](<https://www.cyber.gc.ca/en/incident-management>).\n * France: \n * Individuals and small organizations can seek assistance with Cybermalveillance \u2013 <https://www.cybermalveillance.gouv.fr/>_._\n * Larger organizations, as well as public and regulated entities, can request assistance from CERT-FR via [cert-fr@ssi.gouv.fr](<mailto:cert-fr@ssi.gouv.fr>).\n * Germany: German victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the [Central Contact Point for Cybercrime](<https://www.polizei.de/Polizei/DE/Einrichtungen/ZAC/zac_node.html>) as well as to the Federal Office for Information Security (BSI) via the [Reporting and Information Portal](<https://mip2.bsi.bund.de/meldungen/meldung-ohne-registrierung-erstellen/>).\n * New Zealand: New Zealand organizations and businesses can report security incidents to the NCSC at [incidents@ncsc.govt.nz](<mailto:incidents@ncsc.govt.nz>) or call 04 498 7654, or to CERT NZ through <https://www.cert.govt/nz/it-specialists/report-an-incident/> or to ir@ops.cert.govt.nz.\n * United States: \n * Report ransomware incidents to a [local FBI Field Office](<https://www.fbi.gov/contact-us/field-offices>) or CISA\u2019s 24/7 Operations Center at [Report@cisa.dhs.gov](<mailto:report@cisa.dhs.gov>), [cisa.gov/report](<https://www.cisa.gov/report>), or (888) 282-0870. When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n * For SLTTs, email [soc@msisac.org](<mailto:soc@msisac.org>) or call (866) 787-4722.\n * United Kingdom: UK organizations should [report](<https://www.gov.uk/guidance/where-to-report-a-cyber-incident>) any suspected compromises to NCSC.\n\n### Disclaimer\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. The authoring organizations do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.\n\n### References\n\n[1] [LockBit, BlackCat, and Royal Dominate the Ransomware Scene](<https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-blackcat-and-royal-dominate-the-ransomware-scene-ransomware-in-q4-2022>)\n\n[2] [Ransomware Diaries: Volume 1](<https://analyst1.com/ransomware-diaries-volume-1/>)\n\n[3] [What is LockBit ransomware and how does it operate?](<https://www.theguardian.com/business/2023/jan/13/what-is-lockbit-ransomware-and-how-does-it-operate-malware-royal-mail>)\n\n[4] [Ransomware Spotlight: LockBit](<https://documents.trendmicro.com/images/TEx/articles/LockBit-Infographic-ZgjRJ0Y.jpg>)\n\n[5] [Analysis and Impact of LockBit Ransomware\u2019s First Linux and VMware ESXi Variant](<https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html>)\n\n[6] [A first look at the builder for LockBit 3.0 Black](<https://www.malwarebytes.com/blog/news/2022/09/lockbit-builder-leaked-by-disgruntled-developer>)\n\n[7] [LockBit ransomware gang releases LockBit Green version](<https://cybernews.com/security/lockbit-ransomware-gang-releases-lockbit-green-version/>)\n\n[8] [LockBit Ransomware Now Targeting Apple macOS Devices](<https://thehackernews.com/2023/04/lockbit-ransomware-now-targeting-apple.html>)\n\n[9] [Apple\u2019s Macs Have Long Escaped Ransomware. That May be Changing](<https://www.wired.com/story/apple-mac-lockbit-ransomware-samples/>)\n\n[10] [Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada](<https://www.cbc.ca/news/politics/cse-lockbit-threat-1.6734996>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-06-14T12:00:00", "type": "ics", "title": "Understanding Ransomware Threat Actors: LockBit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0708", "CVE-2020-1472", "CVE-2021-22986", "CVE-2021-44228", "CVE-2022-42475", "CVE-2022-47966", "CVE-2023-0669", "CVE-2023-27350"], "modified": "2023-06-14T12:00:00", "id": "AA23-165A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:28:38", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core & Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).\n\n### Persistence\n\nOnce system access has been achieved, the APT actors use abuse of legitimate credentials (_Valid Accounts _[[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services _(External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.\n\n### Mitigations\n\nOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an \u201cassume breach\u201d mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.\n\n### Keep Systems Up to Date\n\nPatch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| \n\n * [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 \n * Sentry versions 9.7.2 and earlier, and 9.8.0; \n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | \n\n * Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1\n| \n\n * [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) \n[CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | \n\n * PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)\n| \n\n * [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n### Comprehensive Account Resets\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure-hosted AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n### CVE-2020-1472\n\nTo secure your organization\u2019s Netlogon channel connections:\n\n * **Update all Domain Controllers and Read Only Domain Controllers**. On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).\n * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.\n * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).\n\nTo protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:\n\n * Update your domain controllers with an update released August 11, 2020, or later.\n * Find which devices are making vulnerable connections by monitoring event logs.\n * Address non-compliant devices making vulnerable connections.\n * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.\n\n### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices **being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.\n * **Implement multi-factor authentication (MFA) on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement **MFA, especially for privileged accounts.\n * **Use **separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available. \n\n### How to uncover and mitigate malicious activity\n\n * **Collect and remove** for further analysis: \n * Relevant artifacts, logs, and data.\n * **Implement **mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.\n * **Consider **soliciting incident response support from a third-party IT security organization to: \n * Provide subject matter expertise and technical support to the incident response.\n * Ensure that the actor is eradicated from the network.\n * Avoid residual issues that could result in follow-up compromises once the incident is closed.\n\n### Resources\n\n * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * CISA Infographic: [Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK](<https://www.cisa.gov/sites/default/files/publications/Risk%20and%20Vulnerability%20Assessment%20%28RVA%29%20Mapped%20to%20the%20MITRE%20ATT%26amp%3BCK%20Framework%20Infographic_v6-100620_%20508.pdf>)\n * National Security Agency InfoSheet: [Configuring IPsec Virtual Private Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)\n * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)\n * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat.\n\nFor any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:\n\n * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or\n * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Fortinet Advisory: FG-IR-18-384 ](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n\n[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\n[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 9, 2020: Initial Version|October 11, 2020: Updated Summary|October 12, 2020: Added Additional Links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-1631", "CVE-2020-2021", "CVE-2020-5902", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-24T12:00:00", "id": "AA20-283A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T06:47:11", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency ([CISA](<https://www.cisa.gov/>)), National Security Agency ([NSA](<https://www.nsa.gov/Cybersecurity/>)), Federal Bureau of Investigation ([FBI](<https://www.fbi.gov/investigate/cyber>)), Australian Cyber Security Centre ([ACSC](<https://www.cyber.gov.au/>)), Canadian Centre for Cyber Security ([CCCS](<https://www.cyber.gc.ca/en/>)), New Zealand National Cyber Security Centre ([NZ NCSC](<https://www.gcsb.govt.nz/>)), and United Kingdom\u2019s National Cyber Security Centre ([NCSC-UK](<https://www.ncsc.gov.uk/>)). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nU.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. \n\nThe cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.\n\nDownload the Joint Cybersecurity Advisory: 2021 top Routinely Exploited Vulnerabilities (pdf, 777kb).\n\n### Technical Details\n\n#### **Key Findings**\n\nGlobally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability\u2019s disclosure, likely facilitating exploitation by a broader range of malicious actors.\n\nTo a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities\u2014some of which were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.\n\n#### **Top 15 Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:\n\n * **CVE-2021-44228.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.\n * **CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065.** These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., \u201cvulnerability chaining\u201d) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.\n * **CVE-2021-34523, CVE-2021-34473, CVE-2021-31207.** These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft\u2019s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. \n * **CVE-2021-26084.** This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n\nThree of the top 15 routinely exploited vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n\n_Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021_\n\nCVE\n\n| \n\nVulnerability Name\n\n| \n\nVendor and Product\n\n| \n\nType \n \n---|---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nLog4Shell\n\n| \n\nApache Log4j\n\n| \n\nRemote code execution (RCE) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)\n\n| \n\n| \n\nZoho ManageEngine AD SelfService Plus\n\n| \n\nRCE \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nElevation of privilege \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nSecurity feature bypass \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)\n\n| \n\n| \n\nAtlassian Confluence Server and Data Center\n\n| \n\nArbitrary code execution \n \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)\n\n| \n\n| \n\nVMware vSphere Client\n\n| \n\nRCE \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\n\n| \n\nZeroLogon\n\n| \n\nMicrosoft Netlogon Remote Protocol (MS-NRPC)\n\n| \n\nElevation of privilege \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nArbitrary file reading \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n\n| \n\n| \n\nFortinet FortiOS and FortiProxy\n\n| \n\nPath traversal \n \n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. \n\nThese vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2021_\n\nCVE\n\n| \n\nVendor and Product\n\n| \n\nType \n \n---|---|--- \n \n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>)\n\n| \n\nSitecore XP\n\n| \n\nRCE \n \n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>)\n\n| \n\nForgeRock OpenAM server\n\n| \n\nRCE \n \n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n\n| \n\nAccellion FTA\n\n| \n\nOS command execution \n \n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>)\n\n| \n\nAccellion FTA\n\n| \n\nServer-side request forgery \n \n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>)\n\n| \n\nAccellion FTA\n\n| \n\nOS command execution \n \n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>)\n\n| \n\nAccellion FTA\n\n| \n\nSQL injection \n \n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n\n| \n\nVMware vCenter Server\n\n| \n\nRCE \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>)\n\n| \n\nSonicWall Secure Mobile Access (SMA)\n\n| \n\nRCE \n \n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>)\n\n| \n\nMicrosoft MSHTML\n\n| \n\nRCE \n \n[CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)\n\n| \n\nMicrosoft Windows Print Spooler\n\n| \n\nRCE \n \n[CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>)\n\n| \n\nSudo\n\n| \n\nPrivilege escalation \n \n[CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>)\n\n| \n\nCheckbox Survey\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>)\n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>)\n\n| \n\nSonicWall SSLVPN SMA100\n\n| \n\nImproper SQL command neutralization, allowing for credential access \n \n[CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>)\n\n| \n\nWindows Print Spooler\n\n| \n\nRCE \n \n[CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>)\n\n| \n\nQNAP QTS and QuTS hero\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\nCitrix Application Delivery Controller (ADC) and Gateway\n\n| \n\nArbitrary code execution \n \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n\n| \n\nProgress Telerik UI for ASP.NET AJAX\n\n| \n\nCode execution \n \n[CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>)\n\n| \n\nCisco IOS Software and IOS XE Software\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n\n| \n\nMicrosoft Office\n\n| \n\nRCE \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>)\n\n| \n\nMicrosoft Office\n\n| \n\nRCE \n \n### Mitigations\n\n#### **Vulnerability and Configuration Management**\n\n * Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Use a centralized patch management system.\n * Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.\n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources. \n * CISA Insights [Risk Considerations for Managed Service Provider Customers](<https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf>)\n * CISA Insights [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/acsc/view-all-content/publications/how-manage-your-security-when-engaging-managed-service-provider>)\n\n#### **Identity and Access Management**\n\n * Enforce multifactor authentication (MFA) for all users, without exception.\n * Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. \n * Regularly review, validate, or remove privileged accounts (annually at a minimum).\n * Configure access control under the concept of least privilege principle. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).\n\n**Note:** see [CISA Capacity Enhancement Guide \u2013 Implementing Strong Authentication](<https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf>) and ACSC guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication>) for more information on hardening authentication systems.\n\n#### **Protective Controls and Architecture **\n\n * Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. \n * Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.\n * Monitor the environment for potentially unwanted programs.\n * Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.\n * Implement application allowlisting. \n\n### **Resources**\n\n * For the top vulnerabilities exploited in 2020, see joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>)\n * For the top exploited vulnerabilities 2016 through 2019, see joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa20-133a>). \n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n\n### **Disclaimer**\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **Purpose **\n\nThis document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **References**\n\n[1] [CISA\u2019s Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\n### **Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities**\n\nCVE\n\n| \n\nVendor\n\n| \n\nAffected Products\n\n| \n\nPatch Information\n\n| \n\nResources \n \n---|---|---|---|--- \n \n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>)\n\n| \n\nSitecore\n\n| \n\nSitecore XP 7.5.0 - Sitecore XP 7.5.2\n\nSitecore XP 8.0.0 - Sitecore XP 8.2.7\n\n| \n\n[Sitecore Security Bulletin SC2021-003-499266](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776#HistoryOfUpdates>)\n\n| \n\nACSC Alert [Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems>) \n \n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>)\n\n| \n\nForgeRock \n\n| \n\nAccess Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3\n\nOpenAM 9.x, 10.x, 11.x, 12.x and 13.x\n\n| \n\n[ForgeRock AM Security Advisory #202104](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>)\n\n| \n\nACSC Advisory [Active exploitation of ForgeRock Access Manager / OpenAM servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-004-active-exploitation-forgerock-access-manager-openam-servers>)\n\nCCCS [ForgeRock Security Advisory](<https://www.cyber.gc.ca/en/alerts/forgerock-security-advisory>) \n \n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n\n| \n\nAccellion \n\n| \n\nFTA 9_12_370 and earlier\n\n| \n\n[Accellion Press Release: Update to Recent FTA Security Incident](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>)\n\n| \n\nJoint CSA [Exploitation of Accellion File Transfer Appliance](<https://www.cisa.gov/uscert/ncas/alerts/aa21-055a>)\n\nACSC Alert [Potential Accellion File Transfer Appliance compromise](<https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-accellion-file-transfer-appliance-compromise>) \n \n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>)\n\n| \n\nFTA 9_12_411 and earlier \n \n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>)\n\n| \n\nFTA versions 9_12_411 and earlier \n \n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>)\n\n| \n\nFTA 9_12_370 and earlier\n\n| \n \n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n\n| \n\nVMware \n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>)\n\n| \n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-41>) \n \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)\n\n| \n\nVMware\n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0002](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>)\n\n| \n\nACSC Alert [VMware vCenter Server plugin remote code execution vulnerability](<https://www.cyber.gov.au/acsc/view-all-content/alerts/vmware-vcenter-server-plugin-remote-code-execution-vulnerability-cve-2021-21972>)\n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-35>)\n\nCCCS Alert [APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>)\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv\n\n| \n\n[SonicWall Security Advisory SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>)\n\n| \n\nACSC Alert [Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\nCCCS [SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4>) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\nFor other affected vendors and products, see [CISA's GitHub repository](<https://github.com/cisagov/log4j-affected-db>).\n\n| \n\n[Log4j: Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>)\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>)\n\n| \n\nCISA webpage [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\nCCCS [Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability>) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)\n\n| \n\nZoho ManageEngine \n\n| \n\nADSelfService Plus version 6113 and prior\n\n| \n\n[Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release ](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>)\n\n| \n\nJoint CSA [APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://www.cisa.gov/uscert/ncas/alerts/aa21-259a>)\n\nCCCS [Zoho Security Advisory](<https://www.cyber.gc.ca/en/alerts/zoho-security-advisory>) \n \n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>)\n\n| \n\n[Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>)\n\n| \n \n[CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)\n\n| \n\n[Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)\n\n| \n\nJoint CSA [Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>)\n\nCCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched \u2013 Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n| \n\nMicrosoft \n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>)\n\n| \n\nJoint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>)\n\nACSC Alert [Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/acsc/view-all-content/alerts/microsoft-exchange-proxyshell-targeting-australia>) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Exchange Server versions; see: [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Exchange Server versions; see [Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>)\n\n| \n\n[Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) \n \n[CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>)\n\n| \n\nSudo\n\n| \n\nSudo before 1.9.5p2\n\n| \n\n[Sudo Stable Release 1.9.5p2](<https://www.sudo.ws/releases/stable/#1.9.5p2>)\n\n| \n \n[CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>)\n\n| \n\nCheckbox Survey\n\n| \n\nCheckbox Survey versions prior to 7\n\n| \n\n| \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nMultiple versions; see: [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>)\n\n| \n\nCISA Alert: [Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-062a>)\n\nACSC Advisory [Active exploitation of Vulnerable Microsoft Exchange servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-002-active-exploitation-vulnerable-microsoft-exchange-servers>)\n\nCCCS Alert [Active Exploitation of Microsoft Exchange Vulnerabilities - Update 4](<https://www.cyber.gc.ca/en/alerts/active-exploitation-microsoft-exchange-vulnerabilities>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>) \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)\n\n| \n\nJira Atlassian \n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>)\n\n| \n\nACSC Alert [Remote code execution vulnerability present in certain versions of Atlassian Confluence](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence>)\n\nCCCS [Atlassian Security Advisory](<https://www.cyber.gc.ca/en/alerts/atlassian-security-advisory>) \n \n[CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>)\n\n| \n\nPulse Secure \n\n| \n\nPCS 9.0R3/9.1R1 and Higher\n\n| \n\n[Pulse Secure SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>)\n\n| \n\nCCCS Alert [Active Exploitation of Pulse Connect Secure Vulnerabilities - Update 1](<https://www.cyber.gc.ca/en/alerts/active-exploitation-pulse-connect-secure-vulnerabilities>) \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>)\n\n| \n\nSonicWall \n\n| \n\nSMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v)\n\n| \n\n[SonicWall Security Advisory SNWLID-2021-0001](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001>)\n\n| \n \n[CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>)\n\n| \n\nMicrosoft\n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>)\n\n| \n\n[Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>)\n\n| \n\nCCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched \u2013 Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) \n \n[CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>)\n\n| \n\nQNAP \n\n| \n\nQTS, multiple versions; see [QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>)\n\nQuTS hero h4.5.1.1491 build 20201119 and later\n\n| \n\n[QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>)\n\n| \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\n\n| \n\nMicrosoft \n\n| \n\nWindows Server, multiple versions; see [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n\n| \n\nACSC Alert [Netlogon elevation of privilege vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/alerts/netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCCCS Alert [Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n\n| \n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nJoint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>)\n\nCCCS Alert [Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://www.cyber.gc.ca/en/alerts/microsoft-exchange-validation-key-remote-code-execution-vulnerability>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\nCitrix \n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[Citrix Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>)\n\n| \n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nCCCS Alert [Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0>) \n \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n\n| \n\nProgress Telerik \n\n| \n\nUI for ASP.NET AJAX through 2019.3.1023\n\n| \n\n[Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization](<https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization>)\n\n| \n\nACSC Alert [Active exploitation of vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\nPulse Secure \n\n| \n\nPulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n\n| \n\n[Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n| \n\nCISA Alert [Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa20-010a>)\n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nACSC Advisory [Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCCCS [Alert APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n\n| \n\nFortinet\n\n| \n\nFortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[Fortinet FortiGuard Labs: FG-IR-20-233](<https://www.fortiguard.com/psirt/FG-IR-20-233>)\n\n| \n\nJoint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>)\n\nJoint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nACSC Alert [APT exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)\n\nCCCS Alert [Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) - Update 1](<https://www.cyber.gc.ca/en/alerts/exploitation-fortinet-fortios-vulnerabilities-cisa-fbi>) \n \n[CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>)\n\n| \n\nCisco \n\n| \n\nSee [Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>)\n\n| \n\n[Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>)\n\n| \n\nCCCS [Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature](<https://www.cyber.gc.ca/en/alerts/action-required-secure-cisco-ios-and-ios-xe-smart-install-feature>) \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n\n| \n\nMicrosoft \n\n| \n\nOffice, multiple versions; see [Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>)\n\n| \n\nCCCS Alert [Microsoft Office Security Update](<https://www.cyber.gc.ca/en/alerts/microsoft-office-security-update>) \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple products; see [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>)\n\n| \n\nCCCS [Microsoft Security Updates](<https://www.cyber.gc.ca/en/alerts/microsoft-security-updates>) \n \n### Contact Information\n\n**U.S. organizations: **all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [report@cisa.gov ](<mailto:report@cisa.gov>)or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI\u2019s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). **Australian organizations:** visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. **Canadian organizations:** report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>). **New Zealand organizations:** report cyber security incidents to [incidents@ncsc.govt.nz](<mailto:incidents@ncsc.govt.nz>) or call 04 498 7654. **United Kingdom organizations:** report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://www.ncsc.gov.uk/section/about-this-website/contact-us>) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.\n\n### Revisions\n\nApril 27, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T12:00:00", "type": "ics", "title": "2021 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0171", "CVE-2018-13379", "CVE-2019-11510", "CVE-2019-18935", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-2509", "CVE-2021-1675", "CVE-2021-20016", "CVE-2021-20038", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27852", "CVE-2021-31207", "CVE-2021-3156", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35464", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-04-28T12:00:00", "id": "AA22-117A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T06:56:14", "description": "### Summary\n\n_**Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.** \n\u2022 Patch all systems. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)._ \n\u2022 Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>). \n\u2022 _Use antivirus software._ \n_\u2022 Develop internal contact lists and surge support._\n\n___**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.___\n\nThis joint Cybersecurity Advisory (CSA)\u2014authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)\u2014is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.\n\nCISA, the FBI, and NSA encourage the cybersecurity community\u2014especially critical infrastructure network defenders\u2014to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.\n\n 1. **Be prepared**. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.\n 2. **Enhance your organization\u2019s cyber posture**. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.\n 3. **Increase organizational vigilance**. Stay current on reporting on this threat. [Subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED>) to CISA\u2019s [mailing list and feeds](<https://www.cisa.gov/uscert/mailing-lists-and-feeds>) to receive notifications when CISA releases information about a security topic or threat.\n\nCISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: [Preparing for and Mitigating Cyber Threats](<https://cisa.gov/sites/default/files/publications/CISA_INSIGHTS-Preparing_For_and_Mitigating_Potential_Cyber_Threats-508C.pdf>) for information on reducing cyber threats to their organization.\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\nHistorically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics\u2014including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security\u2014to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) FortiGate VPNs\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) Cisco router\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) Oracle WebLogic Server\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) Kibana\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) Zimbra software\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) Exim Simple Mail Transfer Protocol\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) Pulse Secure\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) Citrix\n * [CVE-2020-0688 ](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)Microsoft Exchange\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) VMWare (note: this was a zero-day at time.)\n * [CVE-2020-5902 ](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)F5 Big-IP\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) Oracle WebLogic\n * [CVE-2021-26855 ](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\nRussian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments\u2014including cloud environments\u2014by using legitimate credentials.\n\nIn some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:\n\n * ICS Advisory [ICS Focused Malware \u2013 Havex](<https://us-cert.cisa.gov/ics/advisories/ICSA-14-178-01>)\n * ICS Alert [Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B>)\n * ICS Alert [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01>)\n * Technical Alert [CrashOverride Malware](<https://us-cert.cisa.gov/ncas/alerts/TA17-163A>)\n * CISA MAR [HatMan: Safety System Targeted Malware (Update B)](<https://us-cert.cisa.gov/ics/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B>)\n * CISA ICS Advisory [Schneider Electric Triconex Tricon (Update B)](<https://us-cert.cisa.gov/ics/advisories/ICSA-18-107-02>)\n\nRussian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:\n\n * **Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020.** Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.\n * **Russian state-sponsored APT actors\u2019 global Energy Sector intrusion campaign, 2011 to 2018. **These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.\n * **Russian state-sponsored APT actors\u2019 campaign against Ukrainian critical infrastructure, 2015 and 2016.** Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed [BlackEnergy](<https://attack.mitre.org/versions/v10/software/S0089>) malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed [CrashOverride ](<https://attack.mitre.org/versions/v10/software/S0604>)malware specifically designed to attack power grids.\n\nFor more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>).\n\n * Joint FBI-DHS-CISA CSA [Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders](<https://us-cert.cisa.gov/ncas/alerts/aa21-116a>)\n * Joint NSA-FBI-CISA CSA [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)\n * Joint FBI-CISA CSA [Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://www.cisa.gov/uscert/ncas/alerts/aa20-296a>)\n * Joint CISA-FBI CSA [APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n * CISA\u2019s webpage [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA Alert [Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA18-074A>)\n * CISA ICS Alert: [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/ir-alert-h-16-056-01>)\n\nTable 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. **Note:** these lists are not intended to be all inclusive. Russian state-sponsored actors have modified their TTPs before based on public reporting.[[1](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>)] Therefore, CISA, the FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection. \n\n_Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors_\n\nTactic | **Technique** | **Procedure** \n---|---|--- \n \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]\n\n| \n\nActive Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)] \n \nRussian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \n \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]\n\n| \n\nRussian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \n \nResource Development [[TA0042]](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)\n\n| \n\nDevelop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]\n\n| \n\nRussian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \n \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\n| \n\nExploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]\n\n| \n\nRussian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \n \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]\n\n| \n\nRussian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \n \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\n| \n\nCommand and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]\n\n| \n\nRussian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \n \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]\n\n| \n\nValid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]\n\n| \n\nRussian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \n \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]\n\n| \n\nBrute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]\n\n| \n\nRussian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \n \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]\n\n| \n\nRussian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \n \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]\n\n| \n\nRussian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \n \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]\n\n| \n\nRussian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]\n\n| \n\nRussian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \n \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]\n\n| \n\nRussian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \n \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]\n\n| \n\nProxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]\n\n| \n\nRussian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. \n \nFor additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT&CK for Enterprise pages on [APT29](<https://attack.mitre.org/versions/v10/groups/G0016>), [APT28](<https://attack.mitre.org/versions/v10/groups/G0007>), and the [Sandworm Team](<https://attack.mitre.org/versions/v10/groups/G0034>), respectively. For information on ICS TTPs see the [ATT&CK for ICS](<https://collaborate.mitre.org/attackics/index.php/Main_Page>) pages on the [Sandworm Team](<https://collaborate.mitre.org/attackics/index.php/Group/G0007>), [BlackEnergy 3 ](<https://collaborate.mitre.org/attackics/index.php/software/S0004>)malware, [CrashOveride](<https://collaborate.mitre.org/attackics/index.php/software/S0001>) malware, BlackEnergy\u2019s [KillDisk](<https://collaborate.mitre.org/attackics/index.php/software/S0016>) component, and [NotPetya](<https://collaborate.mitre.org/attackics/index.php/software/S0006>) malware.\n\n### Detection\n\nGiven Russian state-sponsored APT actors demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:\n\n * **Implement robust log collection and retention.** Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, examples include: \n * Native tools such as M365\u2019s Sentinel. \n * Third-party tools, such as Sparrow, Hawk, or CrowdStrike's Azure Reporting Tool (CRT), to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. **Note:** for guidance on using these and other detection tools, refer to CISA Alert [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n * **Look for behavioral evidence or network and host-based artifacts **from known Russian state-sponsored TTPs. See table 1 for commonly observed TTPs. \n * To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.\n * To detect use of compromised credentials in combination with a VPS, follow the below steps: \n * Look for suspicious \u201cimpossible logins,\u201d such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n * Look for one IP used for multiple accounts, excluding expected logins.\n * Look for \u201cimpossible travel.\u201d Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). **Note:** implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.\n * Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. \n * Look for suspicious privileged account use after resetting passwords or applying user account mitigations. \n * Look for unusual activity in typically dormant accounts.\n * Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.\n * For organizations with OT/ICS systems: \n * Take note of unexpected equipment behavior; for example, unexpected reboots of digital controllers and other OT hardware and software. \n * Record delays or disruptions in communication with field equipment or other OT devices. Determine if system parts or components are lagging or unresponsive.\n\n### Incident Response\n\nOrganizations detecting potential APT activity in their IT or OT networks should:\n\n 1. Immediately isolate affected systems. \n 2. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.\n 3. Collect and review relevant logs, data, and artifacts.\n 4. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\n 5. Report incidents to [CISA](<https://www.cisa.gov/uscert/report>) and/or the FBI via your [local FBI field office](<http://www.fbi.gov/contact-us/field>) or the FBI\u2019s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).\n\n**Note:** for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to\u2014or control of\u2014the IT and/or OT environment. Refer to the Mitigations section for more information.\n\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA\u2019s [Federal Government Cybersecurity Incident and Vulnerability Response Playbooks](<https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf>). Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response. \n\n**Note: **organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section). \n\n### Mitigations\n\nCISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.\n\n### Be Prepared\n\n#### _Confirm Reporting Processes and Minimize Coverage Gaps_\n\n * Develop internal contact lists. Assign main points of contact for a suspected incident as well as roles and responsibilities and ensure personnel know how and when to report an incident.\n * Minimize gaps in IT/OT security personnel availability by identifying surge support for responding to an incident. Malicious cyber actors are [known to target organizations on weekends and holidays](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) when there are gaps in organizational cybersecurity\u2014critical infrastructure organizations should proactively protect themselves by minimizing gaps in coverage.\n * Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response. (See table 1 for commonly observed TTPs).\n\n#### _Create, Maintain, and Exercise a Cyber Incident Response, Resilience Plan, and Continuity of Operations Plan_\n\n * Create, maintain, and exercise a cyber incident response and continuity of operations plan.\n * Ensure personnel are familiar with the key steps they need to take during an incident and are positioned to act in a calm and unified manner. Key questions: \n * Do personnel have the access they need?\n * Do they know the processes?\n * For OT assets/networks, \n * Identify a resilience plan that addresses how to operate if you lose access to\u2014or control of\u2014the IT and/or OT environment. \n * Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.\n * Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.\n * Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.\n * In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. This can enable more efficient recovery following an incident.\n\n### Enhance your Organization\u2019s Cyber Posture\n\nCISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.\n\n#### _Identity and Access Management_\n\n * Require multi-factor authentication for all users, without exception.\n * Require accounts to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.\n * Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials. \n * Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.\n * Disable the storage of clear text passwords in LSASS memory.\n * Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.\n * Implement Credential Guard for Windows 10 and Server 2016 (Refer to [Microsoft: Manage Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage>) for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).\n * Minimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious activity such as \u201cKerberoasting\u201d takes advantage of Kerberos\u2019 TGS and can be used to obtain hashed credentials that attackers attempt to crack.\n * Set a [strong](<https://www.us-cert.cisa.gov/ncas/tips/ST04-002>) password policy for service accounts.\n * Audit Domain Controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity. \n * Secure accounts.\n * Enforce the principle of least privilege. Administrator accounts should have the minimum permission they need to do their tasks.\n * Ensure there are unique and distinct administrative accounts for each set of administrative tasks.\n * Create non-privileged accounts for privileged users and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).\n\n#### _Protective Controls and Architecture_\n\n * Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * Enable strong spam filters. \n * Enable strong spam filters to prevent phishing emails from reaching end users.\n * Filter emails containing executable files to prevent them from reaching end users.\n * Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.\n\n**Note:** CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between\u2014and access to\u2014various subnetworks.\n\n * Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.\n * Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.\n\n#### _Vulnerability and Configuration Management_\n\n * Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. \n * Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program. \n * Consider signing up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>), including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.\n * Use industry recommended antivirus programs. \n * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.\n * Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.\n * Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.\n * Disable all unnecessary ports and protocols \n * Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.\n * Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.\n * Ensure OT hardware is in read-only mode.\n\n### Increase Organizational Vigilance\n\n * Regularly review reporting on this threat. Consider signing up for CISA notifications to receive timely information on current security issues, vulnerabilities, and high-impact activity.\n\n### Resources\n\n * For more information on Russian state-sponsored malicious cyber activity, refer to [cisa.gov/Russia.](<https://www.us-cert.cisa.gov/russia>)\n * Refer to CISA Analysis Report [Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a>) for steps for guidance on strengthening your organizations cloud security practices.\n * Leaders of small businesses and small and local government agencies should see [CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) for guidance on developing an actionable understanding of implementing organizational cybersecurity practices.\n * Critical infrastructure owners and operators with OT/ICS networks, should review the following resources for additional information: \n * NSA and CISA joint CSA NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems\n * CISA factsheet Rising Ransomware Threat to Operational Technology Assets for additional recommendations.\n\n### Rewards for Justice Program\n\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State\u2019s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to [rewardsforjustice.net/malicious_cyber_activity.](<https://www.rewardsforjustice.net/malicious_cyber_activity.html>)\n\n### Caveats\n\nThe information you have accessed or received is being provided \u201cas is\u201d for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.\n\n### References\n\n[[1] Joint NCSC-CISA UK Advisory: Further TTPs Associated with SVR Cyber Actors](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>)\n\n### Revisions\n\nJanuary 11, 2022: Initial Version|January 25, 2022: Updated broken link|February 28, 2022: Updated broken link\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T12:00:00", "type": "ics", "title": "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-03-01T12:00:00", "id": "AA22-011A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T10:40:26", "description": "### **SUMMARY**\n\nThe following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):\n\n * United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)\n * Australia: Australian Signals Directorate\u2019s Australian Cyber Security Centre (ACSC)\n * Canada: Canadian Centre for Cyber Security (CCCS)\n * New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)\n * United Kingdom: National Cyber Security Centre (NCSC-UK)\n\nThis advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.\n\nThe authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory\u2014including the following\u2014to reduce the risk of compromise by malicious cyber actors.\n\n * **Vendors, designers, and developers**: Implement [secure-by-design and -default principles and tactics](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ) to reduce the prevalence of vulnerabilities in your software. \n * **Follow the Secure Software Development Framework (SSDF)**, also known as [SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" ), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.\n * **Prioritize secure-by-default configurations**, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.\n * **Ensure that published CVEs include the proper CWE field** identifying the root cause of the vulnerability.\n * **End-user organizations**: \n * **Apply timely patches to systems**. **Note**: First check for signs of compromise if CVEs identified in this CSA have not been patched.\n * Implement a centralized patch management system.\n * **Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers**.\n * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.\n\nDownload the PDF version of this report:\n\nAA23-215A PDF (PDF, 980.90 KB )\n\n### **TECHNICAL DETAILS**\n\n#### **Key Findings**\n\nIn 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.\n\nMalicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure\u2014the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).\n\nMalicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets\u2019 networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.\n\n#### **Top Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )**. **This vulnerability, affecting Fortinet SSL VPNs, was also [routinely exploited in 2020](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" ) and [2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" ). The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )**, **[**CVE-2021-31207**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )**, **[**CVE-2021-34523**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )**.** These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft\u2019s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.\n * [**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )**.** This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability [began in late 2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a> \"APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus\" ) and [continued throughout 2022](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF> \"Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors\" ).\n * [**CVE-2021-26084**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )**.** This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n * [**CVE-2021- 44228**](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )**.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[[1](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.\n * [**CVE-2022-22954**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" ), [**CVE-2022-22960**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )**.** These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution**. **Exploitation of CVE-2022-22954 and CVE-2022-22960 [began in early 2022](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b> \"Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\" ) and attempts continued throughout the remainder of the year.\n * [**CVE-2022-1388**](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )**.** This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication** **on F5 BIG-IP application delivery and security software**.**\n * [**CVE-2022-30190**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )**.** This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.\n * [**CVE-2022-26134**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" ). This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability ([CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )), which cyber actors also exploited in 2022.\n_Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy\n\n| \n\nSSL VPN credential exposure\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918 Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \$SSRF\$\" ) \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nSecurity Feature Bypass\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngine\n\n| \n\nADSelfService Plus\n\n| \n\nRCE/\n\nAuthentication Bypass\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nArbitrary code execution\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \$'Injection'\$\" ) \n \n[CVE-2021- 44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n(Log4Shell)\n\n| \n\nApache\n\n| \n\nLog4j2\n\n| \n\nRCE\n\n| \n\n[CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \$'Expression Language Injection'\$\" )\n\n[CWE-20 Improper Input Validation](<https://cwe.mitre.org/data/definitions/20.html> \"CWE-20: Improper Input Validation\" )\n\n[CWE-400 Uncontrolled Resource Consumption](<https://cwe.mitre.org/data/definitions/400.html> \"CWE-400: Uncontrolled Resource Consumption\" )\n\n[CWE-502 Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access and Identity Manager\n\n| \n\nRCE\n\n| \n\n[CWE-94 Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \$'Code Injection'\$\" ) \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, Identity Manager, and vRealize Automation\n\n| \n\nImproper Privilege Management\n\n| \n\n[CWE-269 Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nMissing Authentication Vulnerability\n\n| \n\n[CWE-306 Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nRCE\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \$'Injection'\$\" ) \n \n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities\u2014listed in Table 2\u2014that were also routinely exploited by malicious cyber actors in 2022.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nArbitrary Code Execution\n\n| \n\nNone Listed \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](<https://cwe.mitre.org/data/definitions/119.html> \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nArbitrary File Reading\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\nRCE\n\n| \n\n[CWE-416: Use After Free](<https://cwe.mitre.org/data/definitions/416.html> \"CWE-416: Use After Free\" ) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nApplication Delivery Controller and Gateway\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nPrivilege Escalation\n\n| \n\n[CWE-330: Use of Insufficiently Random Values](<https://cwe.mitre.org/data/definitions/330.html> \"CWE-330: Use of Insufficiently Random Values\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100\n\n| \n\nSQL Injection\n\n| \n\n[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](<https://cwe.mitre.org/data/definitions/89.html> \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command \$'SQL Injection'\$\" ) \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \$SSRF\$\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857> \"CVE-2021-26857\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security\n\n| \n\nPrivilege Escalation Exploit Chain\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer-Side Request Forgery\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \$SSRF\$\" ) \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"\u00a0CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \$'Path Traversal'\$\" ) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series Appliances\n\n| \n\nStack-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" )\n\n[CWE-121: Stack-based Buffer Overflow](<http://cwe.mitre.org/data/definitions/121.html> \"CWE-121: Stack-based Buffer Overflow\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j\n\n| \n\nRCE\n\n| \n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \$'Expression Language Injection'\$\" ) \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS\n\n| \n\nHeap-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" ) \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nCollaboration Suite\n\n| \n\n\u2018Cross-site Scripting\u2019\n\n| \n\n[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](<https://cwe.mitre.org/data/definitions/79.html> \"CWE-79: Improper Neutralization of Input During Web Page Generation \$'Cross-site Scripting'\$\" ) \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nInternet Communication Manager (ICM)\n\n| \n\nHTTP Request Smuggling\n\n| \n\n[CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](<https://cwe.mitre.org/data/definitions/444.html> \"CWE-444: Inconsistent Interpretation of HTTP Requests \$'HTTP Request/Response Smuggling'\$\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud\n\n| \n\nRCE\n\n| \n\n[CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \$'Code Injection'\$\" )\n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \$'Expression Language Injection'\$\" ) \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\n[CWE-434: Unrestricted Upload of File with Dangerous Type](<https://cwe.mitre.org/data/definitions/434.html> \"CWE-434: Unrestricted Upload of File with Dangerous Type\" ) \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite\n\n| \n\nCommand Injection\n\n| \n\n[CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \$'Injection'\$\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows CSRSS\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nQNAP NAS\n\n| \n\nExternally Controlled Reference\n\n| \n\n[CWE-610: Externally Controlled Reference to a Resource in Another Sphere](<https://cwe.mitre.org/data/definitions/610.html> \"CWE-610: Externally Controlled Reference to a Resource in Another Sphere\" ) \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nPrivilege Escalation\n\n| \n\nNone Listed \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS, FortiProxy, FortiSwitchManager\n\n| \n\nAuthentication Bypass\n\n| \n\n[CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n### **MITIGATIONS**\n\n#### **Vendors and Developers**\n\nThe authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:\n\n * **Identify repeatedly exploited classes of vulnerability. **Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.\n * **Ensure business leaders are responsible for security. **Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.\n * **Follow the SSDF** ([SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" )_)_ and implement secure design practices into each stage of the SDLC. Pay attention to: \n * Prioritizing the use of memory safe languages wherever possible [[SSDF PW 6.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [[SSDF PW 4.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [[SSDF PW.5.1, PW.7.1, PW.7.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Establishing a [vulnerability disclosure program](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained> \"Vulnerability Disclosure Programs Explained\" ) to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [[SSDF RV.1.3](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )]. As part of this, establish processes to determine root causes of discovered vulnerabilities.\n * Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [[SSDF PW.7.2, PW.8.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [[SSDF PW.9.1, PW9.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )]\n * **Prioritize secure-by-default configurations** such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.\n * **Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability **to enable industry-wide analysis of software security and design flaws.\n\nFor more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide [Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ).\n\n#### **End-User Organizations**\n\nThe authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors\u2019 activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA\u2019s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals> \"Cross-Sector Cybersecurity Performance Goals\" ) for more information on CPGs, including additional recommended baseline protections.\n\n#### **_Vulnerability and Configuration Management_**\n\n * **Update software, operating systems, applications, and firmware on IT network assets in a timely manner** [CPG 1.E]. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> \"Known Exploited Vulnerabilities Catalog\" ), especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Replace end-of-life software (i.e., software no longer supported by the vendor).\n * **Routinely perform automated asset discovery** across the entire estate to identify and catalogue all the systems, services, hardware and software.\n * **Implement a robust patch management process **and centralized patch management system that establishes prioritization of patch applications [CPG 1.A]. \n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, MSPs and CSPs can expand their customer\u2019s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources. \n * CISA Insights Risk Considerations for Managed Service Provider Customers\n * CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider> \"How to Manage Your Security When Engaging a Managed Service Provider\" )\n * **Document secure baseline configurations for all IT/OT components**, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].\n * **Perform regular secure system backups** and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].\n * **Maintain an updated cybersecurity incident response plan** that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].\n\n#### **_Identity and Access Management_**\n\n * **Enforce phishing-resistant multifactor authentication (MFA) for all users**, without exception. [CPG 2.H].\n * **Enforce MFA on all VPN connections**. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].\n * **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].\n * **Configure access control under the principle of least privilege** [CPG 2.Q]. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible). \n**Note:** See CISA\u2019s Capacity Enhancement Guide \u2013 Implementing Strong Authentication and ACSC\u2019s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication> \"Implementing Multi-Factor Authentication\" ) for more information on authentication system hardening.\n\n#### **_Protective Controls and Architecture_**\n\n * **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X]. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. **Note:** See the Department of Defense\u2019s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/\$U\$ZT_RA_v2.0\$U\$_Sep22.pdf> \"Department of Defense \$DoD\$ Zero Trust Reference Architecture\" ) for additional information on Zero Trust.\n * **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T]. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].\n * Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].\n * Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].\n * Use a network protocol analyzer to examine captured data, including packet-level data.\n\n#### **_Supply Chain Security_**\n\n * **Reduce third-party applications and unique system/application builds**\u2014provide exceptions only if required to support business critical functions [CPG 2.Q].\n * Ensure contracts require vendors and/or third-party service providers to: \n * Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].\n * Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].\n * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.\n\n### **RESOURCES**\n\n * For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see: \n * Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a> \"Top 10 Routinely Exploited Vulnerabilities\" )\n * Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" )\n * Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" )\n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n * See ACSC\u2019s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> \"Essential Eight Maturity Model\" ) for additional mitigations.\n * See ACSC\u2019s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management> \"Cyber Supply Chain Risk Management\" ) for additional considerations and advice.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **PURPOSE**\n\nThis document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **REFERENCES**\n\n[1] [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n### **VERSION HISTORY**\n\nAugust 3, 2023: Initial version.\n\n### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Affected Products and Versions**\n\n| \n\n**Patch Information**\n\n| \n\n**Resources** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199> \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows\" )\n\n| \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nOffice, Multiple Versions\n\n| \n\n[Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882> \"Microsoft Office Memory Corruption Vulnerability\" )\n\n| \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233> \"FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests\" )\n\n| \n\nJoint CSAs:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" )\n\n[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a> \"Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology\" )\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12\n\n| \n\n[SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US> \"SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\" )\n\n| \n\nCISA Alerts:\n\n[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\nACSC Advisory:\n\n[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software> \"2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi> \"Alert - APT Actors Target U.S. and Allied Networks - update 1\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\n[Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708> \"Remote Desktop Services Remote Code Execution Vulnerability\" )\n\n| \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance> \"CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance\" )\n\n| \n\nJoint CSAs:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\n_CCCS Alert:_\n\n[Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0> \"Alert - Detecting Compromises relating to Citrix CVE-2019-19781\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5\n\n| \n\nBIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5\n\n| \n\n[K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254> \"K52145254: TMUI RCE vulnerability CVE-2020-5902\" )\n\n| \n\nCISA Alert:\n\n[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a> \"Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows Server, Multiple Versions\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472> \"Netlogon Elevation of Privilege Vulnerability\" )\n\n| \n\nACSC Advisory:\n\n[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Advisory 2020-016: \"Zerologon\" - Netlogon Elevation of Privilege Vulnerability \$CVE-2020-1472\$\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100, Build Version 10.x\n\n| \n\n[Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001> \"CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD VERSION 10.X\" )\n\n| \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security version 10.0.9.x Email Security\n\n| \n\n[SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007> \"SONICWALL EMAIL SECURITY PRE-AUTHENTICATION ADMINISTRATIVE ACCOUNT CREATION VULNERABILITY\" )\n\n| \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207> \"Microsoft Exchange Server Security Feature Bypass Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" )\n\nACSC Alert:\n\n[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia> \"Microsoft Exchange ProxyShell Targeting in Australia\" ) \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1\n\n| \n\n[Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"Confluence Security Advisory 2022-06-02\" )\n\n| \n\nCISA Alert:\n\n[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog> \"CISA Adds One Known Exploited Vulnerability \$CVE-2022-26134\$ to Catalog\u202f\u202f\" )\n\nACSC Alert:\n\n[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence> \"Remote code execution vulnerability present in Atlassian Confluence Server and Data Center\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Version\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nJoint CSA:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n| \n\nMicrosoft\n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523> \"Microsoft Exchange Server Elevation of Privilege Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nJira Atlassian\n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940> \"Confluence Server Webwork OGNL injection - CVE-2021-26084\" )\n\n| \n\nCISA Alert:\n\n[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center> \"Atlassian Releases Security Updates for Confluence Server and Data Center\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngineCorp.\n\n| \n\nManageEngine ADSelfService Plus builds up to 6113\n\n| \n\n[Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html> \"Security advisory - ADSelfService Plus authentication bypass vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors> \"Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server 2.4.48\n\n| | \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.49\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.50\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances\n\n| \n\n[SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026> \"SONICWALL PATCHES MULTIPLE SMA100 AFFECTED VULNERABILITIES\" )\n\n| \n\nACSC Alert:\n\n[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\n_CCCS Alert:_\n\n[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4> \"SonicWall security advisory\" ) \n \n[CVE-2021- 44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\n[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>)\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a> \"Mitigating Log4Shell and Other Log4j-Related Vulnerabilities\" )\n\n| \n\nCISA webpage:\n\n[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n_CCCS Alert:_\n\n[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability> \"Alert - Active exploitation of Apache Log4j vulnerability - update 7\" )\n\nACSC Advisory:\n\n[2021-007: Log4j vulnerability \u2013 advice and mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations> \"2021-007: Log4j vulnerability \u2013 advice and mitigations\" )\n\nACSC Publication:\n\n[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know> \"Log4j: What Boards and Directors Need to Know\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j 2.15.0Log4j\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\n| \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and\n\nFortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier\n\n| \n\n[FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398> \"FortiOS - heap-based buffer overflow in sslvpnd\" )\n\n| \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite\n\n| \n\n[Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30> \"Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release\" )\n\n| \n \n[CVE-2022-22536 ](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nNetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)\n\n| \n\n[Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/> \"Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher\" )\n\n| \n\nCISA Alert:\n\n[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing> \"Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager \$ICM\$\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzumware Tanzu\n\n| \n\nSpring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions\n\n| \n\n[CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963> \"CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression\" )\n\n| \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace\n\nONE Access and Identity Manager\n\n| \n\n[VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nVMware Cloud Foundation (vRA), 3.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\n| \n\n[VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nAtlassianWSO2\n\n| \n\nWSO2 API Manager 2.2.0 and above through 4.0.0\n\nWSO2 Identity Server 5.2.0 and above through 5.11.0 \n\nWSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0\n\nWSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0\n\nWSO2 Enterprise Integrator 6.2.0 and above through 6.6.0\n\n| \n\n[WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces> \"Spaces\" )\n\n| \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite, 8.8.15 and 9.0\n\n| \n\n[Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes> \"Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release\" )\n\n| \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nF5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions\n\n| \n\n[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346> \"K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388\" )\n\n| \n\nJoint CSA:\n\n[Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a> \"Threat Actors Exploiting F5 BIG-IP CVE-2022-1388\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| | \n\nCISA Alert:\n\n[Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> \"Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> \"Windows Client Server Run-time Subsystem \$CSRSS\$ Elevation of Privilege Vulnerability\" )\n\n| \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nCertain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage\n\n| \n\n[DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> \"DeadBolt Ransomware\" )\n\n| \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> \"Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.\" ) \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0\n\n| \n\n[FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> \"FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface\" )\n\n| \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-03T12:00:00", "type": "ics", "title": "2022 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-13379", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-5902", "CVE-2021-20016", "CVE-2021-20021", "CVE-2021-20038", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40438", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44228", "CVE-2021-45046", "CVE-2022-1388", "CVE-2022-22047", "CVE-2022-22536", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22963", "CVE-2022-24682", "CVE-2022-26134", "CVE-2022-27593", "CVE-2022-27924", "CVE-2022-29464", "CVE-2022-30190", "CVE-2022-40684", "CVE-2022-41082", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2023-08-03T12:00:00", "id": "AA23-215A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:13", "description": "[![Fortinet FortiWeb WAF](https://thehackernews.com/images/-iRDFz4kb2_c/YRyAnCXcgbI/AAAAAAAADjw/9zUdSCDaZ3wAdT6A32p1ugpUnmn7m6WagCLcBGAsYHQ/s728-e1000/Fortinet-zero-day.jpg)](<https://thehackernews.com/images/-iRDFz4kb2_c/YRyAnCXcgbI/AAAAAAAADjw/9zUdSCDaZ3wAdT6A32p1ugpUnmn7m6WagCLcBGAsYHQ/s0/Fortinet-zero-day.jpg>)\n\nDetails have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.\n\n\"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) in an advisory published Tuesday. \"This vulnerability appears to be related to [CVE-2021-22123](<https://nvd.nist.gov/vuln/detail/CVE-2021-22123>), which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\"\n\nRapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.\n\nThe command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.\n\n\"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\" Rapid7's Tod Beardsley said. \"They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.\"\n\nRapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as [CVE-2020-29015](<https://nvd.nist.gov/vuln/detail/CVE-2020-29015>). In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.\n\nAlthough there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.\n\nEarlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.ic3.gov/Media/News/2021/210402.pdf>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) to compromise systems belonging to government and commercial entities.\n\nIn the same month, Russian cybersecurity company Kaspersky [revealed](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.\n\n**_Update: _**Fortinet shared the following statement with The Hacker News:\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.\u201d\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T03:41:00", "type": "thn", "title": "Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T06:50:20", "id": "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "href": "https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": "[![Iranian Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e1000/iranian-hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e100/iranian-hackers.jpg>)\n\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) has revealed the group's connections to two companies Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[![VMware Horizon Log4j](https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called [PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[![Microsoft](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e1000/hackers.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e100/hackers.jpg>)\n\nMicrosoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims using malicious tools dubbed CreepyDrive and CreepyBox.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-09T08:35:28", "description": "[![](https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg)](<https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg>)\n\nNetwork security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[![](https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg)](<https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. \n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\n[![](https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg)](<https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg>)\n\nCVE-2018-13379 also emerged as one of the [top most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[![data-wiper-ransomware](https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s728-e1000/data-wiper-ransomware.jpg)](<https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s0/data-wiper-ransomware.jpg>)\n\nResearchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[![data-wiper-ransomware](https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s728-e1000/vpn.jpg)](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)'' that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:22", "description": "[![](https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg)](<https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nUnpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called \"Cring\" inside corporate networks.\n\nAt least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim.\n\nThe attacks happened in the first quarter of 2021, between January and March.\n\n\"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,\" [said](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT.\n\nThe disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) of advanced persistent threat (APT) actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.\n\n\"APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks,\" the agency said.\n\n[![](https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg)](<https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.\n\nAlthough patches for the vulnerability were released in [May 2019](<https://www.fortiguard.com/psirt/FG-IR-18-384>), Fortinet said last November that it identified a \"[large number](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\" of VPN appliances that remained unpatched, while also cautioning that IP addresses of those internet-facing vulnerable devices were being sold on the dark web.\n\nIn a statement shared with The Hacker News, Fortinet said it had urged customers to upgrade their appliances \"on multiple occasions in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), and again in [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>)\" following the May 2019 fix. \"If customers have not done so, we urge them to immediately implement the upgrade and mitigations,\" the company said.\n\nThe attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.\n\n\"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid,\" Kaspersky researchers said.\n\nUpon gaining access, the adversaries are said to have used the Mimikatz utility to siphon account credentials of Windows users who had previously logged in to the compromised system, then utilizing them to break into the domain administrator account, move laterally across the network, and eventually deploy the Cring ransomware on each machine remotely using the Cobalt Strike framework.\n\n[Cring](<https://malpedia.caad.fkie.fraunhofer.de/details/win.cring>), a nascent strain that was first observed in January 2021 by telecom provider Swisscom, encrypts specific files on the devices using strong encryption algorithms after removing traces of all backup files and terminating Microsoft Office and Oracle Database processes. Following successful encryption, it drops a ransom note demanding payment of two bitcoins.\n\n[![](https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg)](<https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg>)\n\nWhat's more, the threat actor was careful to hide their activity by disguising the malicious PowerShell scripts under the name \"kaspersky\" to evade detection and ensured that the server hosting the ransomware payload only responded to requests coming in from European countries.\n\n\"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost,\" Kopeytsev [said](<https://usa.kaspersky.com/about/press-releases/2021_na-cring-ransomware-infects-industrial-targets-through-vulnerability-in-vpn-servers>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T13:12:00", "type": "thn", "title": "Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-13T05:39:44", "id": "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "href": "https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-12T16:30:00", "description": "[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe-JObfxreJe3voT0gU0S71E013xl9EJTptEvFiIYrrr0cMALdF9FZR1Rc20JN7zmeC4ZC5In7OgjeASatCBiVJAMoaOPzikA75p2359zbFIla4cniv7wHpmaLMdvm4vDQ1qBrj6xaxkI0kesF0zlPgDbBpWlIDP7pInkBzVTb9UE9n5Gq14Dnjpq2/s728-e100/firewall.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe-JObfxreJe3voT0gU0S71E013xl9EJTptEvFiIYrrr0cMALdF9FZR1Rc20JN7zmeC4ZC5In7OgjeASatCBiVJAMoaOPzikA75p2359zbFIla4cniv7wHpmaLMdvm4vDQ1qBrj6xaxkI0kesF0zlPgDbBpWlIDP7pInkBzVTb9UE9n5Gq14Dnjpq2/s728-e100/firewall.jpg>)\n\nFortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild.\n\nTracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests.\n\n\"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'\" the company [noted](<https://www.fortiguard.com/psirt/FG-IR-22-377>) in an advisory.\n\nThe list of impacted devices is below -\n\n * FortiOS version 7.2.0 through 7.2.1\n * FortiOS version 7.0.0 through 7.0.6\n * FortiProxy version 7.2.0\n * FortiProxy version 7.0.0 through 7.0.6\n * FortiSwitchManager version 7.2.0, and\n * FortiSwitchManager version 7.0.0\n\nUpdates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.\n\nThe disclosure comes days after Fortinet [sent](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) \"confidential advance customer communications\" to its customers, urging them to apply patches to mitigate potential attacks exploiting the flaw.\n\nIf updating to the latest version isn't an option, it's recommended that users disable the HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.\n\n**_Update:_** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/cisa-has-added-one-known-exploited-vulnerability-catalog>) the Fortinet flaw to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, requiring federal agencies to apply patches by November 1, 2022.\n\nDetails and proof-of-concept (PoC) code for the vulnerability are [expected to become publicly available](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) in the coming days, in a move that could enable other threat actors to adopt the exploit to their toolset and mount their own attacks.\n\n\"Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this,\" Zach Hanley, chief attack engineer at Horizon3.ai, said.\n\n\"Past Fortinet vulnerabilities, like [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), have remained some of the [top exploited vulnerabilities](<https://thehackernews.com/2021/07/top-30-critical-security.html>) over the years and this one will likely be no different.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T06:21:00", "type": "thn", "title": "Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-12T13:16:52", "id": "THN:63560DA43FB5804E3B258BC62E210EC4", "href": "https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-15T04:05:18", "description": "[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiHjIXiW2zuHYHOZQbJKZD4p4uzwJHQdTAWhDUrxnxbxqVorwddxJ6Glgo6ERl_J1sIvlUI3AI6uug4KNSzj7-i_k6bmiZJO4-l33F5VRyfcJmN6tJHyz9cKIzx_FfcSyhR9ddrcoCcb5Gk5FgGjBg56GhIjX6JM3s3HkJJ7D0YkFii0-2B4IILpOZS/s728-e100/hack.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiHjIXiW2zuHYHOZQbJKZD4p4uzwJHQdTAWhDUrxnxbxqVorwddxJ6Glgo6ERl_J1sIvlUI3AI6uug4KNSzj7-i_k6bmiZJO4-l33F5VRyfcJmN6tJHyz9cKIzx_FfcSyhR9ddrcoCcb5Gk5FgGjBg56GhIjX6JM3s3HkJJ7D0YkFii0-2B4IILpOZS/s728-e100/hack.jpg>)\n\nA proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.\n\n\"FortiOS exposes a management web portal that allows a user to configure the system,\" Horizon3.ai researcher James Horseman [said](<https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/>). \"Additionally, a user can SSH into the system which exposes a locked down CLI interface.\"\n\nThe issue, tracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), concerns an [authentication bypass](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.\n\nA successful exploitation of the shortcoming is tantamount to granting complete access \"to do just about anything\" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.\n\n[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRUF5zXRq0j7JtozHreYQFvBZmHZaK79k53nzd5BkO7GRapjoRFkekYnIkcLCXVxw9mkLJS3UHKjGxK35wSa1VoHFc0Zf6y_GWxV0-TUy9uwKyXDgo3Jfsu6LvlLgEj49ayxN49j9vIbADLJYnPG5XgMHOvHquE-zMEAI94s02hvVLk4tDyYrLSqz4/s728-e100/poc.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRUF5zXRq0j7JtozHreYQFvBZmHZaK79k53nzd5BkO7GRapjoRFkekYnIkcLCXVxw9mkLJS3UHKjGxK35wSa1VoHFc0Zf6y_GWxV0-TUy9uwKyXDgo3Jfsu6LvlLgEj49ayxN49j9vIbADLJYnPG5XgMHOvHquE-zMEAI94s02hvVLk4tDyYrLSqz4/s728-e100/poc.jpg>)\n\nThat said, the cybersecurity firm said that there are two essential prerequisites when making such a request -\n\n * Using the Forwarded header, an attacker is able to set the client_ip to \"127.0.0.1\"\n * The \"trusted access\" authentication check verifies that the client_ip is \"127.0.0.1\" and the User-Agent is \"Report Runner\" both of which are under attacker control\n\nThe release of the PoC comes as Fortinet [cautioned](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>) that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the issue by November 1, 2022.\n\nThreat intelligence firm GreyNoise has [detected](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) 12 unique IP addresses weaponizing CVE-2022-40684 as of October 13, 2022, with a majority of them [located](<https://viz.greynoise.io/query/?gnql=cve%3ACVE-2022-40684>) in Germany, followed by the U.S., Brazil, China, and France.\n\nWordPress security company WordFence also said it [identified](<https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/>) probing attempts from 21 different IP addresses to \"determine whether a Fortinet appliance is in place,\" while also observing HTTP requests matching the PoC to add an SSH key to the admin user.\n\n**_Update:_** Amid a [huge uptick](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) in vulnerability scans for the authentication bypass vulnerability, Fortinet on Friday released another advisory urging customers to upgrade affected appliances to the latest version as soon as possible.\n\n\"After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684>).\n\nIssues in Fortinet devices have been previously targeted by attackers to gain an initial foothold onto target networks. [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), which has remained one of the most weaponized flaws in recent years, prompted the firm to issue [three follow-up alerts](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) in August 2019, July 2020, and again in April 2021.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T03:35:00", "type": "thn", "title": "PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-15T02:56:36", "id": "THN:3474CD6C25ADD60FF37EDC1774311111", "href": "https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:39:27", "description": "[![Hive Ransomware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e1000/hive-ransomware.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. \n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[![Hive Ransomware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e1000/hive.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[![Software Vulnerabilities](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e1000/flaws.gif)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[![Most Exploited Software Vulnerabilities](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e1000/cisa.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:33", "description": "[![Russian Hackers](https://thehackernews.com/new-images/img/a/AVvXsEgfHxH3Dt4VXRfmdH7Z5AIzdTH11h4caDd4ap4XoxMEluunQIHIKcMfsOmGXHYfBm80iV7yauBv6comuqDI53yYZ-scRdempbDZFRKoVre0dwv8XB-HY7OuqI3zugrjX_AU4O94F-ikvT5ttBGEc9cGB3wRTB1Tkpo2jFZZ5dobK0ftUAK2GlxVr_sa=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgfHxH3Dt4VXRfmdH7Z5AIzdTH11h4caDd4ap4XoxMEluunQIHIKcMfsOmGXHYfBm80iV7yauBv6comuqDI53yYZ-scRdempbDZFRKoVre0dwv8XB-HY7OuqI3zugrjX_AU4O94F-ikvT5ttBGEc9cGB3wRTB1Tkpo2jFZZ5dobK0ftUAK2GlxVr_sa>)\n\nState-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.\n\nThe sustained espionage campaign is said to have commenced at least two years ago from January 2020, according to a [joint advisory](<https://www.cisa.gov/news/2022/02/16/new-cybersecurity-advisory-protecting-cleared-defense-contractor-networks-against>) published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).\n\n\"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>). \"The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.\"\n\nCompromised entities include contractors that dabble in command, control, communications, and combat systems; surveillance and reconnaissance; weapons and missile development; vehicle and aircraft design; and software development, data analytics, and logistics.\n\nThe threat actors rely on \"common but effective\" tactics to breach target networks such as spear-phishing, credential harvesting, brute-force attacks, password spray techniques, and exploitation of known vulnerabilities in VPN devices, before moving laterally to establish persistence and exfiltrate data.\n\n[![](https://thehackernews.com/new-images/img/a/AVvXsEj72CV_TZddW8ZEFbbWJoksQeXFXLFFSgoy22sgxewm7OT-W5YDgBIqLdOhdUK4p3Z5AV32z7EtFYvCInbCCdVzX37Wzqx1TL_G6NeQuEKUOLVC6371dcORdcP2owx3pnjKJyUaGJCQ56o-mLZcUzXswT3hUvEKbXxZBzEmEt8nYAClgNN9xU4V4anK)](<https://thehackernews.com/new-images/img/a/AVvXsEj72CV_TZddW8ZEFbbWJoksQeXFXLFFSgoy22sgxewm7OT-W5YDgBIqLdOhdUK4p3Z5AV32z7EtFYvCInbCCdVzX37Wzqx1TL_G6NeQuEKUOLVC6371dcORdcP2owx3pnjKJyUaGJCQ56o-mLZcUzXswT3hUvEKbXxZBzEmEt8nYAClgNN9xU4V4anK>)\n\nSome of the [vulnerabilities](<https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html>) leveraged by the attackers for initial access and privilege escalation are as follows \u2013\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) \u2013 FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) \u2013 Microsoft Exchange validation key remote code execution vulnerability\n * [**CVE-2020-17144**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17144>) (CVSS score: 8.4) \u2013 Microsoft Exchange remote code execution vulnerability\n\nMany of the intrusions also involve gaining a foothold to enterprise and cloud networks, with the adversaries maintaining persistent access to the compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.\n\n\"As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access,\" the agencies explained. \"This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\"\n\nAmong other malicious activities observed is the routine use of virtual private servers (VPSs) as an encrypted proxy and the use of legitimate credentials to exfiltrate emails from the victim's enterprise email system. The advisory, however, does not single out any Russian state actor by name.\n\n\"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,\" [said](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2935170/nsa-fbi-cisa-release-advisory-on-protecting-cleared-defense-contractor-networks/>) Rob Joyce, director of NSA Cybersecurity. \"Armed with insights like these, we can better detect and defend important assets together.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T05:42:00", "type": "thn", "title": "U.S. Says Russian Hackers Stealing Sensitive Data from Defense Contractors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-17T13:01:50", "id": "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "href": "https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW)](<https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW>)\n\nThreat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a never-before-seen loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via laced Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to a collection of flaws in Microsoft Exchange Servers that could enable a threat actor to elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of the vulnerable machines. While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were patched in a series of updates released in May and July.\n\n[![](https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu)](<https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu>) \n--- \nDLL infection flow \n \nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three of the Exchange servers that were compromised in different intrusions, using the access to hijack legitimate email threads and send malicious spam messages as replies, thereby increasing the likelihood that unsuspecting recipients will open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail getaways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding the attackers behind the operation did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[![ProxyShell Flaws](https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna)](<https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities that were patched earlier this May, including deploying LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities enable adversaries to bypass ACL controls, elevate privileges on the Exchange PowerShell backend, effectively permitting the attacker to perform unauthenticated, remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 was shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n[![ProxyShell Flaws](https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf)](<https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf>) \n--- \nImage Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) \n \nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two remote code execution flaws that could be employed to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid